Bug#1073231: bullseye-pu: package sendmail/8.15.2-22+deb11u1

[Jonathan Wiltshire <jmw@debian.org>]

Control: tag -1 confirmed

On Fri, Jun 14, 2024 at 09:01:06PM +0000, Bastien Roucariès wrote:
> diff -Nru sendmail-8.15.2/debian/NEWS.Debian sendmail-8.15.2/debian/NEWS.Debian
> --- sendmail-8.15.2/debian/NEWS.Debian	1970-01-01 00:00:00.000000000 +0000
> +++ sendmail-8.15.2/debian/NEWS.Debian	2024-05-13 18:44:56.000000000 +0000
> @@ -0,0 +1,19 @@
> +sendmail (8.18.1-3) unstable; urgency=medium
> +
> +  Sendmail was affected by SMTP smurgling (CVE-2023-51765).
                                      ^
                                   "smuggling"

> +  Remote attackers can use a published exploitation technique
> +  to inject e-mail messages with a spoofed MAIL FROM address,
> +  allowing bypass of an SPF protection mechanism.
> +  This occurs because sendmail supports some combinaison of
> +  <CR><LF><NUL>.
> +  .
> +  This particular injection vulnerability has been closed,
> +  unfortunatly full closure need to reject mail that
> +  contain NUL.
> +  .
> +  This is slighly non conformant with RFC and could
> +  be opt-out by setting confREJECT_NUL to 'false'
> +  in sendmail.mc file.
> +
> + -- Bastien Roucariès <rouca@debian.org>  Sun, 12 May 2024 19:38:09 +0000
> +

Is "slightly non-conformant" really good justification for a pop-up news
item on upgrades? I don't recall the other MTAs doing this.

It's up to you, either way please go ahead.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1