Debian Bug report logs - #978038
opensmtpd: CVE-2020-35679
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 24 Dec 2020 22:18:02 UTC
Severity: important
Tags: security, upstream
Found in version opensmtpd/6.8.0p1~rc1-1
Fixed in version opensmtpd/6.8.0p2-1
Done: Salvatore Bonaccorso <carnil@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Ryan Kavanagh <rak@debian.org>: Bug#978038; Package src:opensmtpd. (Thu, 24 Dec 2020 22:18:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Ryan Kavanagh <rak@debian.org>. (Thu, 24 Dec 2020 22:18:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: opensmtpd
Version: 6.8.0p1~rc1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for opensmtpd.
CVE-2020-35679[0]:
| smtpd/table.c in OpenSMTPD before 6.8.0p1 lacks a certain regfree,
| which might allow attackers to trigger a "very significant" memory
| leak via messages to an instance that performs many regex lookups.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-35679
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35679
[1] https://github.com/openbsd/src/commit/79a034b4aed29e965f45a13409268290c9910043
[2] https://www.mail-archive.com/misc@opensmtpd.org/msg05188.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
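The leak class named in the CVE description (a regex compiled on each lookup and never passed to regfree), shown as an added example that is not OpenSMTPD's code and not part of the original report. The function names, counters and sample address are constructed for illustration.

```c
#include <regex.h>
#include <stdio.h>

/* Counters make the leak observable without a heap profiler. */
static long compiled, released;

/* Leaky pattern: regcomp() allocates inside preg, nothing releases it. */
int regex_match_leaky(const char *string, const char *pattern)
{
	regex_t preg;

	if (regcomp(&preg, pattern, REG_EXTENDED | REG_NOSUB) != 0)
		return 0;
	compiled++;
	return regexec(&preg, string, 0, NULL, 0) == 0;
}

/* Fixed pattern: regfree() once regexec() is done with the compiled regex. */
int regex_match_fixed(const char *string, const char *pattern)
{
	regex_t preg;
	int ret;

	if (regcomp(&preg, pattern, REG_EXTENDED | REG_NOSUB) != 0)
		return 0;
	compiled++;
	ret = regexec(&preg, string, 0, NULL, 0) == 0;
	regfree(&preg);
	released++;
	return ret;
}

/* Run n lookups (one per message, say) and return how many compiled
 * regexes are still allocated afterwards. */
long unreleased_after(int (*match)(const char *, const char *), int n)
{
	compiled = released = 0;
	for (int i = 0; i < n; i++)
		match("user@example.org", "^[a-z]+@example\\.org$"); /* constructed input */
	return compiled - released;
}

int main(void)
{
	printf("leaky: %ld unreleased\n", unreleased_after(regex_match_leaky, 1000));
	printf("fixed: %ld unreleased\n", unreleased_after(regex_match_fixed, 1000));
	return 0;
}
```

In a long-running daemon the unreleased count grows with every lookup, which is why a check for a matching regfree on each regcomp success path belongs in review of any per-message matching code.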
Marked as fixed in versions opensmtpd/6.8.0p2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 28 Dec 2020 19:36:02 GMT)
Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 28 Dec 2020 19:36:02 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Mon, 28 Dec 2020 19:36:03 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#978038. (Mon, 28 Dec 2020 19:36:07 GMT)
Message #14 received at 978038-submitter@bugs.debian.org:
close 978038 6.8.0p2-1
close 978039 6.8.0p2-1
thanks
Close manually as they were not with the 6.8.0p2-1 upload to unstable.
Last modified: Sat Jan 9 12:26:07 2021