Updated sendmail packages fix security vulnerability
Publication date: 16 Jul 2024
Modification date: 16 Jul 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-51765
Description
sendmail through 8.17.2 allows SMTP smuggling in certain configurations.
Remote attackers can use a published exploitation technique to inject
e-mail messages with a spoofed MAIL FROM address, allowing bypass of an
SPF protection mechanism. This occurs because sendmail supports
<LF>.<CR><LF> but some other popular e-mail servers do not. This is
resolved in 8.18 and later versions with 'o' in srv_features.
(CVE-2023-51765)
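
The parsing difference described above, as an added example that is not part of the advisory or of sendmail's code: a Python check that reports where a strict receiver (only <CR><LF>.<CR><LF>) and a receiver that also accepts <LF>.<CR><LF> would each end the same DATA stream. The function names and sample byte strings are constructed for illustration.

```python
import re

STRICT_EOD = re.compile(rb"\r\n\.\r\n")        # RFC 5321: <CR><LF>.<CR><LF>
LENIENT_EOD = re.compile(rb"\r?\n\.\r\n")      # also accepts <LF>.<CR><LF>
BARE_LF_EOD = re.compile(rb"(?<!\r)\n\.\r\n")  # only the non-standard form


def message_end(data: bytes, pattern: re.Pattern) -> int:
    """Offset just past the first end-of-data marker, or -1 if none is found."""
    m = pattern.search(data)
    return m.end() if m else -1


def audit_data_stream(data: bytes) -> dict:
    """Compare where a strict and a lenient receiver end the same DATA stream."""
    strict_end = message_end(data, STRICT_EOD)
    lenient_end = message_end(data, LENIENT_EOD)
    return {
        "bare_lf_eod_offsets": [m.start() for m in BARE_LF_EOD.finditer(data)],
        "strict_end": strict_end,
        "lenient_end": lenient_end,
        # Disagreement means bytes that one server treats as message body
        # are read by the other as the start of a new SMTP transaction.
        "ambiguous": strict_end != lenient_end,
    }


# Constructed sample inputs (not captured traffic).
CLEAN = b"Subject: ok\r\n\r\nhello\r\n.\r\n"
SUSPECT = b"Subject: x\r\n\r\nfirst part\n.\r\nsecond part\r\n.\r\n"

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, audit_data_stream(sample))
```

A relay or mail filter can use the `ambiguous` flag to reject or quarantine a message before forwarding it to a server whose end-of-data handling is unknown.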
References
SRPMS
9/core
- sendmail-8.17.1-4.1.mga9