- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202105-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: OpenSMTPD: Multiple vulnerabilities
      Date: May 26, 2021
      Bugs: #761945
        ID: 202105-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in OpenSMTPD, the worst of
which could result in a Denial of Service condition.

Background
==========

OpenSMTPD is a lightweight but featured SMTP daemon from OpenBSD.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  mail-mta/opensmtpd         < 6.8.0_p2              >= 6.8.0_p2

Description
===========

Multiple vulnerabilities have been discovered in OpenSMTPD. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker, by connecting to the SMTP listener daemon, could
possibly cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSMTPD users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-mta/opensmtpd-6.8.0_p2"

References
==========

  [ 1 ] CVE-2020-35679
        https://nvd.nist.gov/vuln/detail/CVE-2020-35679
  [ 2 ] CVE-2020-35680
        https://nvd.nist.gov/vuln/detail/CVE-2020-35680

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202105-12

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-848fd34b0b
2021-01-30 01:53:46.555441
--------------------------------------------------------------------------------

Name        : opensmtpd
Product     : Fedora 33
Version     : 6.8.0p2
Release     : 1.fc33
URL         : https://www.opensmtpd.org/
Summary     : Free implementation of the server-side SMTP protocol as defined by RFC 5321
Description :
OpenSMTPD is a FREE implementation of the server-side SMTP protocol as defined
by RFC 5321, with some additional standard extensions. It allows ordinary
machines to exchange e-mails with other systems speaking the SMTP protocol.

Started out of dissatisfaction with other implementations, OpenSMTPD nowadays
is a fairly complete SMTP implementation. OpenSMTPD is primarily developed by
Gilles Chehade, Eric Faurot and Charles Longeau, with contributions from
various OpenBSD hackers. OpenSMTPD is part of the OpenBSD Project. The software
is freely usable and re-usable by everyone under an ISC license.

This package uses the standard "alternatives" mechanism: you may call
"/usr/sbin/alternatives --set mta /usr/sbin/sendmail.opensmtpd" if you want to
switch to the OpenSMTPD MTA immediately after install, and
"/usr/sbin/alternatives --set mta /usr/sbin/sendmail.sendmail" to revert to
Sendmail as the default mail daemon.

--------------------------------------------------------------------------------
Update Information:

**opensmtpd 6.8.0p2**

New Features:
- ECDSA privsep engine support for OpenSSL, sponsored by anonymous community member

Bug fixes:
- Fixed a resolver memory leak as well as a regex table memory leak
- Fixed a bug in the filters state machine leading to a possible crash of the daemon
- Fixed the logging format which output truncated process names on some systems
- Fixed build on macOS
- Various man page improvements

--------------------------------------------------------------------------------
ChangeLog:

* Wed Jan 20 2021 Denis Fateyev - 6.8.0p2-1
- Update to 6.8.0p2 release
* Thu Sep 17 2020 Denis Fateyev - 6.7.1p1-3
- Rebuild for libevent soname change

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1910343 - opensmtpd-6.8.0p2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1910343
  [ 2 ] Bug #1911290 - CVE-2020-35679 opensmtpd: memory leak via messages to an instance that performs many regex lookups due to a missing regfree call [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1911290
  [ 3 ] Bug #1911294 - CVE-2020-35680 opensmtpd: NULL pointer dereference via a crafted pattern of client activity [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1911294

--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-848fd34b0b' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Arch Linux Security Advisory ASA-202101-18
==========================================

Severity: High
Date    : 2021-01-12
CVE-ID  : CVE-2020-35679 CVE-2020-35680
Package : opensmtpd
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1381

Summary
=======

The package opensmtpd before version 6.8.0p2-1 is vulnerable to multiple
issues including information disclosure and denial of service.

Resolution
==========

Upgrade to 6.8.0p2-1.

# pacman -Syu "opensmtpd>=6.8.0p2-1"

The problems have been fixed upstream in version 6.8.0p2.

Workaround
==========

None.

Description
===========

- CVE-2020-35679 (information disclosure)

smtpd/table.c in OpenSMTPD before 6.8.0p1 lacks a certain regfree, which
might allow attackers to trigger a "very significant" memory leak via
messages to an instance that performs many regex lookups.

- CVE-2020-35680 (denial of service)

smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain configurations,
allows remote attackers to cause a denial of service (NULL pointer
dereference and daemon crash) via a crafted pattern of client activity,
because the filter state machine does not properly maintain the I/O channel
between the SMTP engine and the filters layer.

Impact
======

A malicious remote user might read memory or crash the service.

References
==========

https://github.com/openbsd/src/commit/79a034b4aed29e965f45a13409268290c9910043
https://github.com/openbsd/src/commit/6c3220444ed06b5796dedfd53a0f4becd903c0d1
https://security.archlinux.org/CVE-2020-35679
https://security.archlinux.org/CVE-2020-35680
Arch Linux Security Advisory ASA-202002-13
==========================================

Severity: Critical
Date    : 2020-02-29
CVE-ID  : CVE-2020-8794
Package : opensmtpd
Type    : arbitrary command execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1105

Summary
=======

The package opensmtpd before version 6.6.4p1-1 is vulnerable to arbitrary
command execution.

Resolution
==========

Upgrade to 6.6.4p1-1.

# pacman -Syu "opensmtpd>=6.6.4p1-1"

The problem has been fixed upstream in version 6.6.4p1.

Workaround
==========

None.

Description
===========

An out-of-bounds read vulnerability has been found in the client-side code of
OpenSMTPD
=========================================================================
Ubuntu Security Notice USN-4294-1
March 02, 2020

OpenSMTPD vulnerabilities
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.10
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in opensmtpd.

Software Description:
- opensmtpd: secure, reliable, lean, and easy-to-configure SMTP server

Details:

It was discovered that OpenSMTPD mishandled certain input. A remote,
unauthenticated attacker could use this vulnerability to execute arbitrary
shell commands as any non-root user. (CVE-2020-8794)

It was discovered that OpenSMTPD did not properly handle hardlinks under
certain conditions. An unprivileged local attacker could read the first line
of any file on the filesystem. (CVE-2020-8793)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.10:
  opensmtpd                       6.0.3p1-6ubuntu0.2

Ubuntu 18.04 LTS:
  opensmtpd                       6.0.3p1-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-4294-1
  CVE-2020-8793, CVE-2020-8794

Package Information:
  https://launchpad.net/ubuntu/+source/opensmtpd/6.0.3p1-6ubuntu0.2
  https://launchpad.net/ubuntu/+source/opensmtpd/6.0.3p1-1ubuntu0.2
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-a861033a4d
2020-02-09 01:31:24.825632
--------------------------------------------------------------------------------

Name        : libasr
Product     : Fedora 31
Version     : 1.0.4
Release     : 1.fc31
URL         : https://github.com/OpenSMTPD/libasr
Summary     : Free, simple and portable asynchronous resolver library
Description :
Libasr allows to run DNS queries and perform hostname resolutions in a fully
asynchronous fashion. The implementation is thread-less, fork-less, and does
not make use of signals or other "tricks" that might get in the developer's
way.

The API was initially developed for the OpenBSD operating system, where it is
natively supported. This library is intended to bring this interface to other
systems. It is originally provided as a support library for the portable
version of the OpenSMTPD daemon, but it can be used in any other contexts.

--------------------------------------------------------------------------------
Update Information:

libasr-1.0.4, opensmtpd-6.6.2p1 update

--------------------------------------------------------------------------------
ChangeLog:

* Thu Jan 30 2020 Denis Fateyev - 1.0.4-1
- Update to 1.0.4 release
* Wed Jan 29 2020 Fedora Release Engineering - 1.0.2-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Aug 28 2019 Denis Fateyev - 1.0.2-11
- Spec cleanup from deprecated items

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1765905 - libasr-1.0.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1765905
  [ 2 ] Bug #1778424 - OpenSMTPD Does not deliver offline messages
        https://bugzilla.redhat.com/show_bug.cgi?id=1778424
  [ 3 ] Bug #1742449 - opensmtpd-6.6.2p1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1742449

--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-a861033a4d' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-270ef80e9e
2020-02-09 01:03:44.873108
--------------------------------------------------------------------------------

Name        : opensmtpd
Product     : Fedora 30
Version     : 6.6.2p1
Release     : 1.fc30
URL         : https://www.opensmtpd.org/
Summary     : Free implementation of the server-side SMTP protocol as defined by RFC 5321
Description :
OpenSMTPD is a FREE implementation of the server-side SMTP protocol as defined
by RFC 5321, with some additional standard extensions. It allows ordinary
machines to exchange e-mails with other systems speaking the SMTP protocol.

Started out of dissatisfaction with other implementations, OpenSMTPD nowadays
is a fairly complete SMTP implementation. OpenSMTPD is primarily developed by
Gilles Chehade, Eric Faurot and Charles Longeau, with contributions from
various OpenBSD hackers. OpenSMTPD is part of the OpenBSD Project. The software
is freely usable and re-usable by everyone under an ISC license.

This package uses the standard "alternatives" mechanism: you may call
"/usr/sbin/alternatives --set mta /usr/sbin/sendmail.opensmtpd" if you want to
switch to the OpenSMTPD MTA immediately after install, and
"/usr/sbin/alternatives --set mta /usr/sbin/sendmail.sendmail" to revert to
Sendmail as the default mail daemon.

--------------------------------------------------------------------------------
Update Information:

libasr-1.0.4, opensmtpd-6.6.2p1 update

--------------------------------------------------------------------------------
ChangeLog:

* Thu Jan 30 2020 Denis Fateyev - 6.6.2p1-1
- Update to 6.6.2p1 release
- Remove obsolete patch and spec cleanup
* Wed Jan 29 2020 Fedora Release Engineering - 6.0.3p1-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering - 6.0.3p1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1765905 - libasr-1.0.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1765905
  [ 2 ] Bug #1778424 - OpenSMTPD Does not deliver offline messages
        https://bugzilla.redhat.com/show_bug.cgi?id=1778424
  [ 3 ] Bug #1742449 - opensmtpd-6.6.2p1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1742449

--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-270ef80e9e' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-270ef80e9e
2020-02-09 01:03:44.873108
--------------------------------------------------------------------------------

Name        : libasr
Product     : Fedora 30
Version     : 1.0.4
Release     : 1.fc30
URL         : https://github.com/OpenSMTPD/libasr
Summary     : Free, simple and portable asynchronous resolver library
Description :
Libasr allows to run DNS queries and perform hostname resolutions in a fully
asynchronous fashion. The implementation is thread-less, fork-less, and does
not make use of signals or other "tricks" that might get in the developer's
way.

The API was initially developed for the OpenBSD operating system, where it is
natively supported. This library is intended to bring this interface to other
systems. It is originally provided as a support library for the portable
version of the OpenSMTPD daemon, but it can be used in any other contexts.

--------------------------------------------------------------------------------
Update Information:

libasr-1.0.4, opensmtpd-6.6.2p1 update

--------------------------------------------------------------------------------
ChangeLog:

* Thu Jan 30 2020 Denis Fateyev - 1.0.4-1
- Update to 1.0.4 release
* Wed Jan 29 2020 Fedora Release Engineering - 1.0.2-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Aug 28 2019 Denis Fateyev - 1.0.2-11
- Spec cleanup from deprecated items
* Thu Jul 25 2019 Fedora Release Engineering - 1.0.2-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1765905 - libasr-1.0.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1765905
  [ 2 ] Bug #1778424 - OpenSMTPD Does not deliver offline messages
        https://bugzilla.redhat.com/show_bug.cgi?id=1778424
  [ 3 ] Bug #1742449 - opensmtpd-6.6.2p1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1742449

--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-270ef80e9e' at the command line.
--------------------------------------------------------------------------------