Accepted opensmtpd 6.0.3p1-5+deb10u4 (source) into proposed-updates->stable-new, proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 25 Feb 2020 11:12:06 -0500
Source: opensmtpd
Architecture: source
Version: 6.0.3p1-5+deb10u4
Distribution: buster-security
Urgency: high
Maintainer: Ryan Kavanagh <rak@debian.org>
Changed-By: Ryan Kavanagh <rak@debian.org>
Closes: 952453
Changes:
opensmtpd (6.0.3p1-5+deb10u4) buster-security; urgency=high
.
* Fix LPE and RCE vulnerability (Closes: #952453) (CVE-2020-8794)
An out of bounds read in smtpd allows an attacker to inject arbitrary
commands into the envelope file which are then executed as root.
Separately, missing privilege revocation in smtpctl allows arbitrary
commands to be run with the _smtpq group.
OpenBSD 6.6 errata 021:
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/021_smtpd_envelope.patch.sig
Checksums-Sha1:
46d2973b2e55a3b6f35e41306352fbb55f934b5b 3082 opensmtpd_6.0.3p1-5+deb10u4.dsc
9aa89eeed7462902903f2e7304173899557aee65 699702 opensmtpd_6.0.3p1.orig.tar.gz
4efdab03aa9afee92b6c4efc1af9d7828a2344e2 32696 opensmtpd_6.0.3p1-5+deb10u4.debian.tar.xz
b36850596006e83590f17b2fd6fcdb3e28484908 8561 opensmtpd_6.0.3p1-5+deb10u4_source.buildinfo
Checksums-Sha256:
af4b8a14da37ab2dd0fdfa90dd5e0bd0323eac7e039dda6515f61b6b19366b01 3082 opensmtpd_6.0.3p1-5+deb10u4.dsc
291881862888655565e8bbe3cfb743310f5dc0edb6fd28a889a9a547ad767a81 699702 opensmtpd_6.0.3p1.orig.tar.gz
ea5dd103a8e4ab0087813273eb7395df3f8b102cc2ad3f7c95c7ceac260645b5 32696 opensmtpd_6.0.3p1-5+deb10u4.debian.tar.xz
091235753df594059bf6a4b0be491232bd01346536a68017ff34af572fa2676a 8561 opensmtpd_6.0.3p1-5+deb10u4_source.buildinfo
Files:
5d011c1ef3918e2b95311f86584ead27 3082 mail optional opensmtpd_6.0.3p1-5+deb10u4.dsc
66e496bb0f3303d660744f4fa2178765 699702 mail optional opensmtpd_6.0.3p1.orig.tar.gz
fb0fe30dc84bf24c38ca8eed7885142c 32696 mail optional opensmtpd_6.0.3p1-5+deb10u4.debian.tar.xz
2a711f83dcce76d1d7e51c05987354c9 8561 mail optional opensmtpd_6.0.3p1-5+deb10u4_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQVDBAEBCgAtFiEETkaVGe1ndzQmj72Vj3v4/EoRyXoFAl5Vi7UPHHJha0BkZWJp
YW4ub3JnAAoJEI97+PxKEcl6ni8n/0/Ca/chs/24T7iYltyncJ1aXspOSZBn2skK
G/eCAZVFp77CRwRfm+thhEuvuD992nURyuIUG3d6pQAUKkxyhHk6VFxNmLeE0oUB
hVYj3pGGzLlmrT6e3w64SMrsXvayNIFCDttYzoT5sJTGNOrOcQSRxoAlh5PRFjEu
Nzl0rWvYAQuAP2XCzK3E4KE2/AV78sEwzlC5DtI4LwazLHe/bJ455uN/7AG/ytk+
s2wbyonjA/8y9m8PE9+/zAOjjtmIEk9P6B8qqldhoJ2Fj2rtGT9dq/78Fs7UHcEO
bnUZuVMQL6YdFGjKuPIYlM11WlldLrZdLcNrmgZGCQS3UyMHqyZ/mn8XCqdPLcdl
oJPgt10EIl57a26c/uOUmWE35HC+4lEhAmEjOF61Tn+ESd1cl93POehxQG+jaWpB
SkXIqjZ2N3c3XdpUAub7BQEEt0xNUmIbASP9Wb6d9ZDmSk60nxoTqXUJ1sGY1MjS
gvJO2AXZdMHMJDdIWVvpbqljXf/47EZeaNs+1+Fu7pdBzLtn5tKUqDPcXjhXh98p
T00Qy0FYQ8ouAN6z+3TziJfUPBZctaOnSZZ7UM00fy1k2gsdh1/I4QTL7icH57w1
tRi+1SlzT924GsHXmSLiVIRs29XGkZJUMy5KBaG8Kxm7r79eOUvtTfipUntnjDhp
Pn0QIs2vyrpmTSwkTZFNEHspVcvB8V8k79X5kSXQd7dsqGq8G3bY+LIW9tp2yA1K
0J/jVUkQenBb6wuFvjN6WS+nfUrKcwAb2Toodd8ok5qs0wrvmZMgUm4aSHMegao9
c3W/ogctTVFRbTjWe/k5kxhYaUY6c1eFMMnYHjV86tk5fohdhKRS5wBDrjwWAow1
wz9adURSwd35jlbXa/eSu8Jm8rW1XC7Y7N1GZhwc+u98oD8XTsena9Pv+HBxJ8A9
3NlB650zEXMnogJH6LsLgXlKPJGXt2wOhIZAl1rZ6zzZMSaUVwOAggZU3rvKj3UI
DnvWBJci06cvOzKijpUIBG+gje7fvgKjxV1V2FxUWiyjZs6aVWFIp7QuvUH7ZZEH
pLrS+B0rsLv5gzrqXo2Bplf6WmtFG4xeXKBxEsU2LlxnoN11xFrtt9T4nwhiqPKM
OBl83WPb0/QCEwpM4vT/fySubhn2bjROkuB0cJIAqNkW++svVJKGL9NwzoDJIN5g
Uoou+fS7s/MiX8lljW+R4fIr/i9Dtww+PzCHwEGKi1KTgdB79LfEnZN7qCWnlNGl
+JqdmgjTxXR7k+nqrQsL5NoPAWj1zcAD4wmXf7G4UGAJ5tZEG2cLe4LtGGllHM9m
YwCN5+ZQz5J+f75y4yd3oAtAYuXYvoiHUSg7IUs/K1oRkLU6GPg+T3r6RIaIdh6v
oy6tBUCuXLPj9sP8DxKuO5BdRWrblOPJeCR7yCHiGmWdrdcX6WDUUq8KdNSkHfOB
JIx0n8zukvfV7huuDmzadLIj+wPpz6+h6DqdBBn2TLRmBy8TM45jQceBD/tyYzLB
x2YhYVeJKzybl6s448y0nLxejI3sVWUs6fEwi/9mOM8A+3WE8GEAMWb6PTbmQObL
QMyHbeLTEASm2Rxzx/GC/UUZSKdSnxtrh73NGL60kPmwjJZDTyevrqFqdzR2J27O
6IeigstpDlmQyWOUuNx2uDWygTaHrzckkuDXSoftT/t9chVUyUHocnZ5K4cPXOwv
1On4b94T
=p6yW
-----END PGP SIGNATURE-----