====================================================================
CERT-Renater Note d'Information No. 2020/VULN096
_____________________________________________________________________
DATE                 : 26/02/2020
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running OpenSMTPD versions prior to 6.6.4p1.
=====================================================================

https://www.mail-archive.com/misc@opensmtpd.org/msg04888.html
_____________________________________________________________________

OpenSMTPD 6.6.4p1 released: addresses CRITICAL vulnerability

gilles
Mon, 24 Feb 2020 08:54:01 -0800

Hello misc@,

Qualys has found another critical vulnerability in OpenSMTPD.

It is very important that you upgrade your setups AS SOON AS POSSIBLE.

I can't comment yet as I was not involved in the bug fixing this time,
and didn't see the advisory, just the resulting bug fix diff. I'll
comment and do an analysis of the issue in a few days.

On OpenBSD:
---
Binary patches are available through syspatch. Just run the syspatch
command and make sure that your OpenSMTPD was restarted:

    $ doas syspatch

On other systems
---
I have released version 6.6.4p1 of OpenSMTPD which addresses the
vulnerability.

It is available from our website:

    https://www.opensmtpd.org/archives/opensmtpd-6.6.4p1.tar.gz
    https://www.opensmtpd.org/archives/opensmtpd-6.6.4p1.sum.sig

It is also available from Github:

    https://github.com/OpenSMTPD/OpenSMTPD/releases/download/6.6.4p1/opensmtpd-6.6.4p1.tar.gz
    https://github.com/OpenSMTPD/OpenSMTPD/releases/download/6.6.4p1/opensmtpd-6.6.4p1.sum.sig

Or using the `6.6.4p1` tag if you're building from source.

=========================================================
+ CERT-RENATER         | tel  : 01-53-94-20-44            +
+ 23/25 Rue Daviel     | fax  : 01-53-94-20-41            +
+ 75013 Paris          | email: cert@support.renater.fr   +
=========================================================
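The advisory's only actionable fact is the boundary "prior to 6.6.4p1". As an added example, not part of the CERT note or of gilles's post, the POSIX shell snippet below turns that boundary into an inventory check: it parses an OpenSMTPD version string and reports whether it predates the fixed release. It assumes version strings of the form MAJOR.MINOR.PATCH with an optional portable patch-level suffix pN (as in 6.6.3p1) and treats a missing suffix as level 0; the sample version strings are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example, not part of the CERT note or gilles's post.
# Compares an OpenSMTPD version string against the fixed release 6.6.4p1
# named in the advisory. Assumption: versions look like "MAJOR.MINOR.PATCH"
# with an optional portable patch-level suffix "pN" (e.g. "6.6.3p1"); a
# missing suffix is treated as level 0.

FIXED_VERSION="6.6.4p1"

# version_key VERSION: print one integer that orders versions correctly
# (major gets the highest weight, then minor, patch, and portable level).
version_key() {
    v="$1"
    case "$v" in
        *p*) plevel="${v##*p}"; base="${v%%p*}" ;;
        *)   plevel=0;          base="$v" ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $base                 # split "6.6.3" into 6 6 3 (unquoted on purpose)
    IFS="$oldifs"
    major="${1:-0}"; minor="${2:-0}"; patch="${3:-0}"
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + plevel ))
}

# needs_upgrade VERSION: print "yes" when VERSION predates 6.6.4p1, else "no".
needs_upgrade() {
    if [ "$(version_key "$1")" -lt "$(version_key "$FIXED_VERSION")" ]; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample inputs standing in for what an inventory might report.
for sample in 6.6.3p1 6.6.4p1 6.6.2 6.7.0p1; do
    echo "OpenSMTPD $sample: upgrade needed = $(needs_upgrade "$sample")"
done
```

Feed `needs_upgrade` the version string your package manager or configuration-management inventory reports for each host; the numeric key keeps the comparison correct across the minor and patch boundaries where a plain string sort would misorder versions such as 6.10 and 6.9.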