opensmtpd: CVE-2015-7687 (and other issues without CVE yet)

Related Vulnerabilities: CVE-2015-7687  

Debian Bug report logs - #800787


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 3 Oct 2015 15:36:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version opensmtpd/5.4.2p1-4

Fixed in version opensmtpd/5.7.3p1-1

Done: Ryan Kavanagh <rak@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ryan Kavanagh <rak@debian.org>:
Bug#800787; Package src:opensmtpd. (Sat, 03 Oct 2015 15:36:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ryan Kavanagh <rak@debian.org>. (Sat, 03 Oct 2015 15:36:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: opensmtpd: CVE-2015-7687 (and other issues without CVE yet)
Date: Sat, 03 Oct 2015 17:33:19 +0200
Source: opensmtpd
Version: 5.4.2p1-4
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for opensmtpd.

CVE-2015-7687[0]:
use-after-free issue in OpenSMTPD

Actually there were even more issues fixed in the latest release
(5.7.2), which do not have (yet) a CVE. See [1] for details.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-7687
[1] http://www.openwall.com/lists/oss-security/2015/10/02/8
[2] https://www.opensmtpd.org/announces/release-5.7.2.txt

Regards,
Salvatore



Added tag(s) pending. Request was from Ryan Kavanagh <rak@debian.org> to control@bugs.debian.org. (Mon, 02 Nov 2015 02:18:04 GMT).


Reply sent to Ryan Kavanagh <rak@debian.org>:
You have taken responsibility. (Mon, 02 Nov 2015 13:21:11 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 02 Nov 2015 13:21:11 GMT).


Message #12 received at 800787-close@bugs.debian.org:

From: Ryan Kavanagh <rak@debian.org>
To: 800787-close@bugs.debian.org
Subject: Bug#800787: fixed in opensmtpd 5.7.3p1-1
Date: Mon, 02 Nov 2015 13:18:52 +0000
Source: opensmtpd
Source-Version: 5.7.3p1-1

We believe that the bug you reported is fixed in the latest version of
opensmtpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 800787@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Kavanagh <rak@debian.org> (supplier of updated opensmtpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 01 Nov 2015 20:56:47 -0500
Source: opensmtpd
Binary: opensmtpd
Architecture: source amd64
Version: 5.7.3p1-1
Distribution: unstable
Urgency: high
Maintainer: Ryan Kavanagh <rak@debian.org>
Changed-By: Ryan Kavanagh <rak@debian.org>
Description:
 opensmtpd  - secure, reliable, lean, and easy-to-configure SMTP server
Closes: 749810 800787
Changes:
 opensmtpd (5.7.3p1-1) unstable; urgency=high
 .
   * New upstream release
     + Fixes security issues (Closes: #800787, CVE-2015-7687). This point
       release also features fixes to security issues that weren't part of the
       Qualys audit.
     + No longer have conflicting declarations of fatal in source
       (Closes: #749810)
   * Drop 02_hyphen_as_minus_sign.diff, 06_man_cleanup.diff,
     11_compile_warnings.diff, 12_ssl_check.diff. All applied upstream
   * Updated 07_automake_missing_options.diff to reflect changes to upstream
     source
   * Fix typo in manpage, 11_smtpd.conf.5_typo.diff
   * Update the copyright file
   * Drop our local copy of the upstream changelog
   * Recommend opensmtpd-extras: the tables and filters have been forked off
     into a separate project upstream
   * (Build-)Depend on libasr: this library has also forked off into a
     stand-alone project
   * Drop useless build-dependencies on autoconf/automake/libtool: these are
     already brought in by dh-autoreconf
   * Update lintian overrides: we drop overrides for filters moved to
     opensmtpd-extras, add overrides due to a broken dep5 check, and
     override spelling-error-in-copyright (the error is in the license text)
   * Update configure options in rules to continue building the db table and
     makemap





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 05 Dec 2015 07:37:27 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:57:04 2019; Machine Name: beach
