-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 25 Feb 2020 12:09:37 -0500
Source: opensmtpd
Architecture: source
Version: 6.0.2p1-2+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Ryan Kavanagh <rak@debian.org>
Changed-By: Ryan Kavanagh <rak@debian.org>
Closes: 952453
Changes:
 opensmtpd (6.0.2p1-2+deb9u3) stretch-security; urgency=high
 .
   * Fix LPE and RCE vulnerability (Closes: #952453) (CVE-2020-8794)
     An out-of-bounds read in smtpd allows an attacker to inject arbitrary
     commands into the envelope file which are then executed as root.
     Separately, missing privilege revocation in smtpctl allows arbitrary
     commands to be run with the _smtpq group.
     OpenBSD 6.6 errata 021:
     https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/021_smtpd_envelope.patch.sig
Checksums-Sha1:
 c4153737387a170d20ac8a0af12e45e2ab817cf5 3096 opensmtpd_6.0.2p1-2+deb9u3.dsc
 386e1115c5cbe91f67ce0854594197846b4bb5d9 695513 opensmtpd_6.0.2p1.orig.tar.gz
 25c6492cd4eb8849c2511d6df411af704b0f7d10 29012 opensmtpd_6.0.2p1-2+deb9u3.debian.tar.xz
 0a88ba67746bb23ed7de17128723a504fa8d3210 8531 opensmtpd_6.0.2p1-2+deb9u3_source.buildinfo
Checksums-Sha256:
 b5e5ab580ae119d0184aeb84f234090b80ebe12be21efd5e0e2e9641e4a4727b 3096 opensmtpd_6.0.2p1-2+deb9u3.dsc
 2af9b6d08784c7e546bf124bb61e311a6aa0c9835507710a76f5c242383190ac 695513 opensmtpd_6.0.2p1.orig.tar.gz
 0ae9ac6d8bdb8cf821c90cc8d0a61334fa3ac6c064591045f70d2987f6069445 29012 opensmtpd_6.0.2p1-2+deb9u3.debian.tar.xz
 e7bb4601d53229a2feb09207dff887991d0458ef0ce3645ba5372ad4b036c301 8531 opensmtpd_6.0.2p1-2+deb9u3_source.buildinfo
Files:
 72c58d808957d51f46ae02b9a3e94f14 3096 mail extra opensmtpd_6.0.2p1-2+deb9u3.dsc
 1ebc232624f2e2e31010c810ea0a3b88 695513 mail extra opensmtpd_6.0.2p1.orig.tar.gz
 b042fe3883a8a8c052b97050367ac25a 29012 mail extra opensmtpd_6.0.2p1-2+deb9u3.debian.tar.xz
 5956a013666e14829e2f4d4993c4a582 8531 mail extra opensmtpd_6.0.2p1-2+deb9u3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----