OpenBSD Errata: January 30th, 2020 (smtpd_exec)

T.J. Townsend
Errata patches for OpenSMTPD have been released for OpenBSD 6.5 and 6.6.

An incorrect check allows an attacker to trick mbox delivery into executing
arbitrary commands as root and lmtp delivery into executing arbitrary commands
as an unprivileged user.

Binary updates for the amd64, i386, and arm64 platforms are available via
the syspatch utility. Source code patches can be found on the respective
errata page:

  https://www.openbsd.org/errata65.html
  https://www.openbsd.org/errata66.html

After patching, restart the smtpd service.