oss-sec mailing list archives
Re: New SMTP smuggling attack
From: Claus Assmann <ml+oss () esmtp org>
Date: Tue, 26 Dec 2023 19:15:28 +0000
On Sun, Dec 24, 2023, Marcus Meissner wrote:
- CVE-2023-51765 sendmail
Can you update the text for this (or point me to the proper way/persons to do this)? 1. "sendmail through at least 8.14.7" -> sendmail up to and including 8.17.2 2. remove the seemingly unrelated reference to "Merge sendmail 8.14.8 to HEAD freebsd/freebsd-src@5dd76dd" 3. Mention that 8.18 fixes the problem: Accept only CR LF . CR LF as end of an SMTP message as required by the RFCs when the new srv_features option 'o' is used. sendmail 8.18.0.2 is available at https://ftp.sendmail.org/snapshots/sendmail.8.18.0.2.tar.gz https://ftp.sendmail.org/snapshots/sendmail.8.18.0.2.tar.gz.sig
Current thread:
- Re: Re: New SMTP smuggling attack, (continued)
- Re: Re: New SMTP smuggling attack Erik Auerswald (Dec 22)
- Re: Re: New SMTP smuggling attack Rodrigo Freire (Dec 22)
- Re: Re: New SMTP smuggling attack Alexander E. Patrakov (Dec 22)
- Re: Re: New SMTP smuggling attack Erik Auerswald (Dec 22)
- Re: Re: New SMTP smuggling attack Stuart D Gathman (Dec 22)
- Re: Re: New SMTP smuggling attack Harry Sintonen (Dec 22)
- Re: Re: New SMTP smuggling attack Bjoern Franke (Dec 22)
- Re: Re: New SMTP smuggling attack Valtteri Vuorikoski (Dec 23)
- Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 24)
- Re: Re: New SMTP smuggling attack kai (Dec 25)
- Re: New SMTP smuggling attack Claus Assmann (Dec 26)
- Re: Re: New SMTP smuggling attack Alan Coopersmith (Dec 29)
- Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 30)
- Re: Re: New SMTP smuggling attack Claus Assmann (Dec 30)