Format: 1.8
Date: Mon, 13 May 2024 18:44:56 +0000
Source: sendmail
Architecture: source
Version: 8.15.2-22+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1059386 1070190
Changes:
 sendmail (8.15.2-22+deb11u1) bullseye; urgency=medium
 .
   * QA-upload
   * Fix CVE-2023-51765 (Closes: #1059386):
     sendmail allowed SMTP smuggling in certain configurations.
     Remote attackers can use a published exploitation
     technique to inject e-mail messages with a spoofed
     MAIL FROM address, allowing bypass of an SPF protection
     mechanism. This occurs because sendmail supports
     <LF>.<CR><LF> but some other popular e-mail servers
     do not. This is resolved with 'o' in srv_features.
   * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that
     includes a NUL byte
   * By default enable rejecting mail that includes a NUL byte.
     Set confREJECT_NUL to 'true' by default. User could disable
     by setting confREJECT_NUL to false. (Closes: #1070190).
     Close a variant of CVE-2023-51765 aka SMTP smuggling.