oss-sec mailing list archives

Re: Re: New SMTP smuggling attack


From: kai <kai () hostland ru>
Date: Mon, 25 Dec 2023 21:27:37 +0300

Happy Christmas, list!

If anyone needs a patch for postfix's 3.3.0-1ubuntu0.4 smtpd_forbid_bare_newline feature, it has been attached to this message.

On 24/12/2023 12.33, Marcus Meissner wrote:
> On Sat, Dec 23, 2023 at 02:29:34PM +0200, Valtteri Vuorikoski wrote:
>> On Fri, Dec 22, 2023 at 11:46:48AM +0100, Marcus Meissner wrote:
>>> Hi,
>>>
>>> FWIW as no CVEs were to be found yet, I filed a CVE request for Postfix now.
>>>
>>> Not sure if we need it for others like sendmail too, as that is also
>>> referenced by the security researchers.
>> Looks like exim opened a bug on this yesterday too, no sign of CVE yet:
>> <https://bugs.exim.org/show_bug.cgi?id=3063>
> CVEs are assigned now for:
>
> - CVE-2023-51764 postfix
> - CVE-2023-51765 sendmail
> - CVE-2023-51766 exim
>
> Ciao, Marcus

Attachment: smtp-smuggling33.patch