Summary: | <mail-mta/opensmtpd-5.7.3_p1: Multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://seclists.org/oss-sec/2015/q4/25 | ||
Whiteboard: | B1 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Kristian Fiskerstrand (RETIRED)
2015-10-05 10:32:46 UTC
Adding to existing GLSA

Updating this bug to reflect the further security issues announced today as well

From http://seclists.org/oss-sec/2015/q4/34:

OpenSMTPD 5.7.3 was released with fixes, and the release notes follow below. There may be other vulnerabilities also fixed by this release. A full diff follows for analysis and additional CVE assignment, in case that is necessary.

Thanks,
Jason

[1] http://seclists.org/oss-sec/2015/q4/25

---------- Forwarded message ----------
From: Gilles Chehade <gilles () poolp org>
Date: Mon, Oct 5, 2015 at 3:30 PM
Subject: Announce: OpenSMTPD 5.7.3 released
To: misc () opensmtpd org

[snipped]

Issues fixed in this release (since 5.7.2):
===========================================

- fix an mda buffer truncation bug which allows a user to create forward files that pass session checks but fail delivery later down the chain, within the user mda [0]
- fix remote buffer overflow in unprivileged pony process [1]
- reworked offline enqueue to better protect against hardlink attacks [2]

[0] reported by Holger Jahn
[1] reported by Jason A. Donenfeld
[2] reported by Qualys Security

CVE Requested - http://seclists.org/oss-sec/2015/q4/34

This issue was resolved and addressed in GLSA 201601-04 at https://security.gentoo.org/glsa/201601-04 by GLSA coordinator Sergey Popov (pinkbyte).