-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 25 Feb 2020 11:12:06 -0500
Source: opensmtpd
Architecture: source
Version: 6.0.3p1-5+deb10u4
Distribution: buster-security
Urgency: high
Maintainer: Ryan Kavanagh <rak@debian.org>
Changed-By: Ryan Kavanagh <rak@debian.org>
Closes: 952453
Changes:
 opensmtpd (6.0.3p1-5+deb10u4) buster-security; urgency=high
 .
   * Fix LPE and RCE vulnerability (Closes: #952453) (CVE-2020-8794)
     An out-of-bounds read in smtpd allows an attacker to inject arbitrary
     commands into the envelope file which are then executed as root.
     Separately, missing privilege revocation in smtpctl allows arbitrary
     commands to be run with the _smtpq group.
     OpenBSD 6.6 errata 021:
     https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/021_smtpd_envelope.patch.sig
Checksums-Sha1:
 46d2973b2e55a3b6f35e41306352fbb55f934b5b 3082 opensmtpd_6.0.3p1-5+deb10u4.dsc
 9aa89eeed7462902903f2e7304173899557aee65 699702 opensmtpd_6.0.3p1.orig.tar.gz
 4efdab03aa9afee92b6c4efc1af9d7828a2344e2 32696 opensmtpd_6.0.3p1-5+deb10u4.debian.tar.xz
 b36850596006e83590f17b2fd6fcdb3e28484908 8561 opensmtpd_6.0.3p1-5+deb10u4_source.buildinfo
Checksums-Sha256:
 af4b8a14da37ab2dd0fdfa90dd5e0bd0323eac7e039dda6515f61b6b19366b01 3082 opensmtpd_6.0.3p1-5+deb10u4.dsc
 291881862888655565e8bbe3cfb743310f5dc0edb6fd28a889a9a547ad767a81 699702 opensmtpd_6.0.3p1.orig.tar.gz
 ea5dd103a8e4ab0087813273eb7395df3f8b102cc2ad3f7c95c7ceac260645b5 32696 opensmtpd_6.0.3p1-5+deb10u4.debian.tar.xz
 091235753df594059bf6a4b0be491232bd01346536a68017ff34af572fa2676a 8561 opensmtpd_6.0.3p1-5+deb10u4_source.buildinfo
Files:
 5d011c1ef3918e2b95311f86584ead27 3082 mail optional opensmtpd_6.0.3p1-5+deb10u4.dsc
 66e496bb0f3303d660744f4fa2178765 699702 mail optional opensmtpd_6.0.3p1.orig.tar.gz
 fb0fe30dc84bf24c38ca8eed7885142c 32696 mail optional opensmtpd_6.0.3p1-5+deb10u4.debian.tar.xz
 2a711f83dcce76d1d7e51c05987354c9 8561 mail optional opensmtpd_6.0.3p1-5+deb10u4_source.buildinfo

-----BEGIN PGP SIGNATURE-----
iQVDBAEBCgAtFiEETkaVGe1ndzQmj72Vj3v4/EoRyXoFAl5Vi7UPHHJha0BkZWJp
YW4ub3JnAAoJEI97+PxKEcl6ni8n/0/Ca/chs/24T7iYltyncJ1aXspOSZBn2skK
G/eCAZVFp77CRwRfm+thhEuvuD992nURyuIUG3d6pQAUKkxyhHk6VFxNmLeE0oUB
hVYj3pGGzLlmrT6e3w64SMrsXvayNIFCDttYzoT5sJTGNOrOcQSRxoAlh5PRFjEu
Nzl0rWvYAQuAP2XCzK3E4KE2/AV78sEwzlC5DtI4LwazLHe/bJ455uN/7AG/ytk+
s2wbyonjA/8y9m8PE9+/zAOjjtmIEk9P6B8qqldhoJ2Fj2rtGT9dq/78Fs7UHcEO
bnUZuVMQL6YdFGjKuPIYlM11WlldLrZdLcNrmgZGCQS3UyMHqyZ/mn8XCqdPLcdl
oJPgt10EIl57a26c/uOUmWE35HC+4lEhAmEjOF61Tn+ESd1cl93POehxQG+jaWpB
SkXIqjZ2N3c3XdpUAub7BQEEt0xNUmIbASP9Wb6d9ZDmSk60nxoTqXUJ1sGY1MjS
gvJO2AXZdMHMJDdIWVvpbqljXf/47EZeaNs+1+Fu7pdBzLtn5tKUqDPcXjhXh98p
T00Qy0FYQ8ouAN6z+3TziJfUPBZctaOnSZZ7UM00fy1k2gsdh1/I4QTL7icH57w1
tRi+1SlzT924GsHXmSLiVIRs29XGkZJUMy5KBaG8Kxm7r79eOUvtTfipUntnjDhp
Pn0QIs2vyrpmTSwkTZFNEHspVcvB8V8k79X5kSXQd7dsqGq8G3bY+LIW9tp2yA1K
0J/jVUkQenBb6wuFvjN6WS+nfUrKcwAb2Toodd8ok5qs0wrvmZMgUm4aSHMegao9
c3W/ogctTVFRbTjWe/k5kxhYaUY6c1eFMMnYHjV86tk5fohdhKRS5wBDrjwWAow1
wz9adURSwd35jlbXa/eSu8Jm8rW1XC7Y7N1GZhwc+u98oD8XTsena9Pv+HBxJ8A9
3NlB650zEXMnogJH6LsLgXlKPJGXt2wOhIZAl1rZ6zzZMSaUVwOAggZU3rvKj3UI
DnvWBJci06cvOzKijpUIBG+gje7fvgKjxV1V2FxUWiyjZs6aVWFIp7QuvUH7ZZEH
pLrS+B0rsLv5gzrqXo2Bplf6WmtFG4xeXKBxEsU2LlxnoN11xFrtt9T4nwhiqPKM
OBl83WPb0/QCEwpM4vT/fySubhn2bjROkuB0cJIAqNkW++svVJKGL9NwzoDJIN5g
Uoou+fS7s/MiX8lljW+R4fIr/i9Dtww+PzCHwEGKi1KTgdB79LfEnZN7qCWnlNGl
+JqdmgjTxXR7k+nqrQsL5NoPAWj1zcAD4wmXf7G4UGAJ5tZEG2cLe4LtGGllHM9m
YwCN5+ZQz5J+f75y4yd3oAtAYuXYvoiHUSg7IUs/K1oRkLU6GPg+T3r6RIaIdh6v
oy6tBUCuXLPj9sP8DxKuO5BdRWrblOPJeCR7yCHiGmWdrdcX6WDUUq8KdNSkHfOB
JIx0n8zukvfV7huuDmzadLIj+wPpz6+h6DqdBBn2TLRmBy8TM45jQceBD/tyYzLB
x2YhYVeJKzybl6s448y0nLxejI3sVWUs6fEwi/9mOM8A+3WE8GEAMWb6PTbmQObL
QMyHbeLTEASm2Rxzx/GC/UUZSKdSnxtrh73NGL60kPmwjJZDTyevrqFqdzR2J27O
6IeigstpDlmQyWOUuNx2uDWygTaHrzckkuDXSoftT/t9chVUyUHocnZ5K4cPXOwv
1On4b94T
=p6yW
-----END PGP SIGNATURE-----
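The Checksums-Sha256 and Files stanzas in the signed text above are what a consumer of this upload should verify after the PGP signature itself has been checked (only the signature ties those digests to the maintainer; a digest list that fails signature verification proves nothing). The following Python is an added example and is not part of the .changes file, nor Debian's own tooling such as dscverify: it parses a checksum stanza in the control-file layout used above and verifies files on disk against it. CHANGES_TEXT is a constructed excerpt copied from the stanzas above; the function names, the EMPTY_FILE_ENTRY constant and the "constructed-empty.txt" name are my own and exist only for illustration.

```python
import hashlib
import os

# Constructed excerpt of the .changes file above. The digests and sizes are
# the ones listed on the page; the stanza layout is Debian's: a "Name:" line
# followed by continuation lines that each start with a single space.
CHANGES_TEXT = """\
Format: 1.8
Source: opensmtpd
Version: 6.0.3p1-5+deb10u4
Checksums-Sha256:
 af4b8a14da37ab2dd0fdfa90dd5e0bd0323eac7e039dda6515f61b6b19366b01 3082 opensmtpd_6.0.3p1-5+deb10u4.dsc
 291881862888655565e8bbe3cfb743310f5dc0edb6fd28a889a9a547ad767a81 699702 opensmtpd_6.0.3p1.orig.tar.gz
 ea5dd103a8e4ab0087813273eb7395df3f8b102cc2ad3f7c95c7ceac260645b5 32696 opensmtpd_6.0.3p1-5+deb10u4.debian.tar.xz
 091235753df594059bf6a4b0be491232bd01346536a68017ff34af572fa2676a 8561 opensmtpd_6.0.3p1-5+deb10u4_source.buildinfo
Files:
 5d011c1ef3918e2b95311f86584ead27 3082 mail optional opensmtpd_6.0.3p1-5+deb10u4.dsc
"""

# Well-known SHA-256 of the empty input, paired with size 0. This entry is
# constructed for the self-check below; it is not part of the upload.
EMPTY_FILE_ENTRY = (
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", 0)


def is_safe_name(name):
    """A .changes entry must name a plain file in the upload directory.

    Anything carrying a path separator or a dot-directory could make the
    verifier read (or a downloader write) outside that directory.
    """
    return name not in ("", ".", "..") and "/" not in name and "\\" not in name


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one checksum field.

    Continuation lines of other fields (Files:, Checksums-Sha1:) are skipped,
    so a digest from the wrong algorithm can never be matched by accident.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(" "):
            if not in_field:
                continue
            parts = line.split()
            if len(parts) != 3:
                raise ValueError("malformed checksum line: %r" % line)
            digest, size, name = parts
            if not is_safe_name(name):
                raise ValueError("unsafe filename in checksum line: %r" % name)
            entries[name] = (digest.lower(), int(size))
        else:
            # A new "Name: value" header starts; note whether it is ours.
            in_field = line.split(":", 1)[0] == field
    return entries


def check_entry(entry, data):
    """Verify in-memory bytes against one (hexdigest, size) entry."""
    digest, size = entry
    if len(data) != size:
        return "size-mismatch"
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if actual == digest else "digest-mismatch"


def verify_checksums(entries, directory):
    """Return {filename: status} for every listed file under directory.

    Status is one of "ok", "missing", "size-mismatch", "digest-mismatch".
    Size is compared first because it is cheap and catches truncated
    downloads before the digest is computed; the digest is streamed so large
    orig tarballs are not loaded into memory.
    """
    results = {}
    for name, (digest, size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == digest else "digest-mismatch"
    return results


if __name__ == "__main__":
    # Verify the four listed files against the current directory.
    for name, status in sorted(verify_checksums(parse_checksums(CHANGES_TEXT), ".").items()):
        print("%-16s %s" % (status, name))
```

Run it in the directory holding the downloaded .dsc, .orig.tar.gz, .debian.tar.xz and .buildinfo after `gpg --verify` has accepted the .changes file; any status other than "ok" means the file should not be unpacked or built. Whether an installed host is patched is a separate question answered by the package version, e.g. `dpkg -s opensmtpd` and `dpkg --compare-versions "$installed" ge 6.0.3p1-5+deb10u4`, not by these digests.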