Accepted opensmtpd 6.0.2p1-2+deb9u3 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 25 Feb 2020 12:09:37 -0500
Source: opensmtpd
Architecture: source
Version: 6.0.2p1-2+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Ryan Kavanagh <rak@debian.org>
Changed-By: Ryan Kavanagh <rak@debian.org>
Closes: 952453
Changes:
opensmtpd (6.0.2p1-2+deb9u3) stretch-security; urgency=high
.
* Fix LPE and RCE vulnerability (Closes: #952453) (CVE-2020-8794)
An out of bounds read in smtpd allows an attacker to inject arbitrary
commands into the envelope file which are then executed as root.
Separately, missing privilege revocation in smtpctl allows arbitrary
commands to be run with the _smtpq group.
OpenBSD 6.6 errata 021:
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/021_smtpd_envelope.patch.sig
Checksums-Sha1:
c4153737387a170d20ac8a0af12e45e2ab817cf5 3096 opensmtpd_6.0.2p1-2+deb9u3.dsc
386e1115c5cbe91f67ce0854594197846b4bb5d9 695513 opensmtpd_6.0.2p1.orig.tar.gz
25c6492cd4eb8849c2511d6df411af704b0f7d10 29012 opensmtpd_6.0.2p1-2+deb9u3.debian.tar.xz
0a88ba67746bb23ed7de17128723a504fa8d3210 8531 opensmtpd_6.0.2p1-2+deb9u3_source.buildinfo
Checksums-Sha256:
b5e5ab580ae119d0184aeb84f234090b80ebe12be21efd5e0e2e9641e4a4727b 3096 opensmtpd_6.0.2p1-2+deb9u3.dsc
2af9b6d08784c7e546bf124bb61e311a6aa0c9835507710a76f5c242383190ac 695513 opensmtpd_6.0.2p1.orig.tar.gz
0ae9ac6d8bdb8cf821c90cc8d0a61334fa3ac6c064591045f70d2987f6069445 29012 opensmtpd_6.0.2p1-2+deb9u3.debian.tar.xz
e7bb4601d53229a2feb09207dff887991d0458ef0ce3645ba5372ad4b036c301 8531 opensmtpd_6.0.2p1-2+deb9u3_source.buildinfo
Files:
72c58d808957d51f46ae02b9a3e94f14 3096 mail extra opensmtpd_6.0.2p1-2+deb9u3.dsc
1ebc232624f2e2e31010c810ea0a3b88 695513 mail extra opensmtpd_6.0.2p1.orig.tar.gz
b042fe3883a8a8c052b97050367ac25a 29012 mail extra opensmtpd_6.0.2p1-2+deb9u3.debian.tar.xz
5956a013666e14829e2f4d4993c4a582 8531 mail extra opensmtpd_6.0.2p1-2+deb9u3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQVDBAEBCgAtFiEETkaVGe1ndzQmj72Vj3v4/EoRyXoFAl5VizoPHHJha0BkZWJp
YW4ub3JnAAoJEI97+PxKEcl6tG4n/jIHwPf4XiXOKq4qRmSLCZ01EwPWiy73H8pO
xTbnZfdwiK8IipkRE6G5IpJkUI18CQmuX6UrjprJtTUufFtVuq0GJh2vejDTSh3/
Xm3HEuW8vE9ghbBA7b+pbg2DLTKlpH7gIeD6V0ymCKRCK/T9ftU6Vf6XJ5sbHOBf
+8np/ZvGlK7/xfoOfgzwcRifb8HM6fVG8RIC5QW8fOMZVmcLikd5HCTFwxMBHxPt
RnIlubD4TQL/QBRLTE+HOqn+qxwEOU8CHMhRewSQqT30EsB8PBAEdP47b4FVtRE7
6sVbdPYYVpsLAL6+SdFGlYL0QahNh1QqBSyFTWqd0YoOfTLJxJOva3u/fs8IkpLQ
E73axpQw5AmIIZsdH/ekBhMbYXMNzqmvdcT4TwO6aD1ubU9A/lK/wcK5K0F/Sx36
TMhZR+6zCq5zWbv67xfQa8segnddw8sXDHRYXFMzDmHdaLcR3D3NghVDaIOPsQAj
J6Zp7Gs/2QfyBzynWDrQ7EWLaTHvdgS46usba5omA6cexD9ruTa4t6Q12d7++X3W
jTLfzXorfYUemj7lPWFghpXxuL5dk5zstzdjtJA05yPByUZTT/RHdlqOeHsOYOmJ
7uHNMTQvAZnMCoz2JVpRc2/PSq+If5RnNZkF6Z9BLDkSLH7XPeuuC9Zj7nzqJx0C
B4Kq+yd2TLv6C3l/ivI9tHdBoSwI9HX5tseTtFypY6mfs4RCyaQutRLfSbgQbecl
E/RTI333kGnxfJ5M/EpLsirH3NS5L5q9Czrxd6xcxtyOxLwkv8TqCabtyl9EXRP4
ZxPUizFrOmiIt682upA1kbvDMBBfHManHYmKg6OylsKiSHxkoNHKIDyvIyRkA5to
Lak6XBCtAOl5feeAgNqz0AWSvXi4tSF2sVkSh66YXKArl0YuBvK39jptA70b3x3v
BUnKA19ZQfFk7ltcKReQhu6wJE017yUa3vcCs8Xw1UjGzlW0BHllXwWrvCsR8SpT
Uh1ZXaUlPP125U6cqDPjjs40XxX/gYwtnEVdNTxcD+t/5L4HehmWrPZ+3CKHOhc+
wHmMyWsZk66fyGq3UheOPK7YF/uEPYyf2rlTgda6mQp/S62rVgtlU+c2kGK7tz8e
PBJDiO+rZ3TT+l0xVJY78ImydGm5aZ5jUCmPWI9UOvLPajJArpJLbTAOYhXTMFsq
15vhcfryts7LJ7xo7l9th9uVXJ4Lksir2ibjXeUYxSERjYs9EZDgsahuOBlukgQ5
xIrL8B6Djm6eGKuoRq28jaqHKgwnU3S+tgKim/wqcrOat5prRCtaajMqbvtsnjLj
F8odHS76b5m/jVQ8IO/7/GcCEuvXgwaI9HGQZaIWZuc0uR7b6/vU/rxXrBt9y6ka
p3pYp4U7SGkDivDsfXHmFHv5Nr+zebLccVdveikUPCE6a9Ys9dHPwIfDlp6FSgw7
UXx7ItOjAvEpRVbwsvM/IKTL2Gx6gWlawequJo4eMwtkuCvAJCVJeCCQStZ4CUhf
WilpNSlD70XlsM0oTUbwuT9cZ9wHt6f3FFeI9JXnbaTqoDMVX9pdKR832jtePhOd
C19H48Q4lhO6zCiBfkCcb2HX3Pz9RbXOMTLsUtqDsZ1MgIMByxHl83xl374PaOOU
2Yq4PjSn7IRDHGLbIZ4Kn1OtN36GBLeDkAMV9VlZCnwxLC14UAtNSZPTOJrtJ0dL
zQjCOD++
=hV0e
-----END PGP SIGNATURE-----