opensmtpd: 6.6.3p1 -> 6.6.4p1 #80978
Conversation
Release notes aren't available at this time [1] it is likely to be related to a recent mail to oss-security (either [2] or [3]). [1] https://www.mail-archive.com/misc@opensmtpd.org/msg04888.html [2] https://www.openwall.com/lists/oss-security/2020/02/24/5 [3] https://www.openwall.com/lists/oss-security/2020/02/24/4
|
Looks like my internet connection got beaten by your ability to run |
|
We still have to backport some version of those fixes to 19.09 and 20.03. As at least one of them provides some kind of remote code execution this has rather high severity. Thoughts? @Ekleog |
|
Right, that thought left my mind when I noticed there was already a PR…
For 20.03, it's currently on 6.6.2p1, so backporting should hopefully
not be a problem, I'll let you do it if you agree with me.
19.09, OTOH, is on 6.4.2p1. I'm inquiring whether someone already has a
patch for it. If not, despite it being a change probably bigger than
what we would like it to, its changelog doesn't mention any removal or
change of semantics of configuration, and thus shouldn't be a
backwards-compatibility hazard should we decide to just bump it to
6.6.4p1.
Andreas Rammhold <notifications@github.com> writes:
… We still have to backport some version of those fixes to 19.09 and 20.03. As at least one of them provides some kind of remote code execution this has rather high severity.
Thoughts? @Ekleog
--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
#80978 (comment)
|
|
On 14:43 24.02.20, Léo Gaspard wrote:
Right, that thought left my mind when I noticed there was already a PR…
For 20.03, it's currently on 6.6.2p1, so backporting should hopefully
not be a problem, I'll let you do it if you agree with me.
PR is #80993
19.09, OTOH, is on 6.4.2p1. I'm inquiring whether someone already has a
patch for it. If not, despite it being a change probably bigger than
what we would like it to, its changelog doesn't mention any removal or
change of semantics of configuration, and thus shouldn't be a
backwards-compatibility hazard should we decide to just bump it to
6.6.4p1.
IIRC those changes were very isolated. Can you see if you can spot the
right commits? I am happy to review it.
|
|
Continuing discussion on #80993 As for 19.09, I've looked quickly, and OpenSMTPD/OpenSMTPD@b8a9e92 looks like the most likely culprit to me, though all commits from today will probably be needed to get something that actually works, given how they look from a cursory glance. Unfortunately, I won't be able to look more into it before two or three days have elapsed, but I would guess that backporting this series of commits would probably work, though I clearly haven't looked enough into it to be confident that it would actually solve the issue -- my question on opensmtpd's IRC is also yet without answer, and I'll try to report the answer here should one arise before 2-3 days, though I'm not sure I'll have access to a computer before then. |
|
Correction: the diff that would need backporting is OpenSMTPD/OpenSMTPD@6.6.3p1...6.6.4p1 ; don't know why I wasn't able to find the 6.6.4p1 tag before |
|
Looks to me like backport to 19.09 never happened leaving servers exposed to RCE ?!? :-( |
This reverts commit 4f69f2c. We backported the latest opensmtpd version.
Motivation for this change
Release notes aren't available at this time [1] it is likely to be
related to a recent mail to oss-security (either [2] or [3]).
[1] https://www.mail-archive.com/misc@opensmtpd.org/msg04888.html
[2] https://www.openwall.com/lists/oss-security/2020/02/24/5
[3] https://www.openwall.com/lists/oss-security/2020/02/24/4
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)