oss-sec mailing list archives

Re: New SMTP smuggling attack

From: Claus Assmann <ml+oss () esmtp org>
Date: Tue, 26 Dec 2023 19:15:28 +0000

On Sun, Dec 24, 2023, Marcus Meissner wrote:

- CVE-2023-51765 sendmail


Can you update the text for this (or point me to the proper way/persons
to do this)?

1.
"sendmail through at least 8.14.7"
->
sendmail up to and including 8.17.2

2.
remove the seemingly unrelated reference to
"Merge sendmail 8.14.8 to HEAD  freebsd/freebsd-src@5dd76dd"

3.
Mention that 8.18 fixes the problem:
        Accept only CR LF . CR LF as end of an SMTP message as
                required by the RFCs when the new srv_features
                option 'o' is used.

sendmail 8.18.0.2 is available at
https://ftp.sendmail.org/snapshots/sendmail.8.18.0.2.tar.gz
https://ftp.sendmail.org/snapshots/sendmail.8.18.0.2.tar.gz.sig

Current thread:

Re: Re: New SMTP smuggling attack, (continued)
- - - Re: Re: New SMTP smuggling attack Erik Auerswald (Dec 22)
    - Re: Re: New SMTP smuggling attack Rodrigo Freire (Dec 22)
    - Re: Re: New SMTP smuggling attack Alexander E. Patrakov (Dec 22)
    - Re: Re: New SMTP smuggling attack Erik Auerswald (Dec 22)
    - Re: Re: New SMTP smuggling attack Stuart D Gathman (Dec 22)
    - Re: Re: New SMTP smuggling attack Harry Sintonen (Dec 22)
    - Re: Re: New SMTP smuggling attack Bjoern Franke (Dec 22)
    - Re: Re: New SMTP smuggling attack Valtteri Vuorikoski (Dec 23)
    - Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 24)
    - Re: Re: New SMTP smuggling attack kai (Dec 25)
    - Re: New SMTP smuggling attack Claus Assmann (Dec 26)
    - Re: Re: New SMTP smuggling attack Alan Coopersmith (Dec 29)
    - Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 30)
    - Re: Re: New SMTP smuggling attack Claus Assmann (Dec 30)
- Re: New SMTP smuggling attack Hanno Böck (Dec 22)