Arbitrary command execution in opensmtpd
ID: FEDORA-2020-283dc7f094
Distribution: Fedora
Platforms: Fedora 31
Date: Wed, March 4, 2020, 23:41
References: https://bugzilla.redhat.com/show_bug.cgi?id=1801477
Applications: OpenSMTPD
Original message:
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-283dc7f094
2020-03-04 21:30:39.637199
--------------------------------------------------------------------------------

Name        : opensmtpd
Product     : Fedora 31
Version     : 6.6.4p1
Release     : 1.fc31
URL         : http://www.opensmtpd.org/
Summary     : Free implementation of the server-side SMTP protocol as defined by RFC 5321
Description :
OpenSMTPD is a FREE implementation of the server-side SMTP protocol as defined
by RFC 5321, with some additional standard extensions. It allows ordinary
machines to exchange e-mails with other systems speaking the SMTP protocol.
Started out of dissatisfaction with other implementations, OpenSMTPD nowadays
is a fairly complete SMTP implementation. OpenSMTPD is primarily developed
by Gilles Chehade, Eric Faurot and Charles Longeau; with contributions from
various OpenBSD hackers. OpenSMTPD is part of the OpenBSD Project.
The software is freely usable and re-usable by everyone under an ISC license.

This package uses standard "alternatives" mechanism, you may call
"/usr/sbin/alternatives --set mta /usr/sbin/sendmail.opensmtpd"
if you want to switch to OpenSMTPD MTA immediately after install, and
"/usr/sbin/alternatives --set mta /usr/sbin/sendmail.sendmail" to revert
back to Sendmail as a default mail daemon.

--------------------------------------------------------------------------------
Update Information:

Release 6.6.4p1 (2020-02-24)
---
- An out of bounds read in smtpd allows an attacker to inject arbitrary
  commands into the envelope file which are then executed as root. Separately,
  missing privilege revocation in smtpctl allows arbitrary commands to be run
  with the _smtpq group.

Release 6.6.3p1 (2020-02-10)
---
- Following the 6.6.2p1 release, various improvements were done in
  OpenBSD -current to mitigate the risk of similar bugs.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Feb 24 2020 Denis Fateyev