Here is the heads-up: https://www.mail-archive.com/misc@opensmtpd.org/msg04850.html I am working on updating locally and will submit patch when I have it working unless others beat me to it. Sounds like critical issue.
Created attachment 211145: update to v6.6.2p1. I've built and tested this locally on my 12.1-RELEASE system and verified my configuration is working (able to send/receive emails).
A commit references this bug:

Author: fluffy
Date: Wed Jan 29 02:55:06 UTC 2020
New revision: 524529
URL: https://svnweb.freebsd.org/changeset/ports/524529

Log:
  mail/opensmtpd: update to 6.6.2p1 release

  This update addressed LPE and RCE vulnerabilities in OpenSMTPD (CVE-2020-7247)
  https://www.openwall.com/lists/oss-security/2020/01/28/3

  This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands, as root:
  - either locally, in OpenSMTPD's default configuration (which listens on the loopback interface and only accepts mail from localhost);
  - or locally and remotely, in OpenSMTPD's "uncommented" default configuration (which listens on all interfaces and accepts external mail).

  PR:		243686
  Reported by:	authors via irc
  MFH:		2020Q1
  Relnotes:	https://www.mail-archive.com/misc@opensmtpd.org/msg04850.html

Changes:
  head/mail/opensmtpd/Makefile
  head/mail/opensmtpd/distinfo
Committed, thanks!
^Triage: Re-open pending MFH @Dina Do you have a VuXML entry coming for this?
(In reply to Kubilay Kocak from comment #4) Not yet, busy IRL till evening :( if you can do it faster, ship it!
A commit references this bug:

Author: fluffy
Date: Thu Jan 30 06:25:48 UTC 2020
New revision: 524633
URL: https://svnweb.freebsd.org/changeset/ports/524633

Log:
  Document mail/opensmtpd LPE and RCE vulnerabilities

  PR:		243686
  Security:	CVE-2020-7247

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: fluffy
Date: Fri Jan 31 09:37:28 UTC 2020
New revision: 524685
URL: https://svnweb.freebsd.org/changeset/ports/524685

Log:
  MFH: r524529

  mail/opensmtpd: update to 6.6.2p1 release

  This update addressed LPE and RCE vulnerabilities in OpenSMTPD (CVE-2020-7247)
  https://www.openwall.com/lists/oss-security/2020/01/28/3

  This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands, as root:
  - either locally, in OpenSMTPD's default configuration (which listens on the loopback interface and only accepts mail from localhost);
  - or locally and remotely, in OpenSMTPD's "uncommented" default configuration (which listens on all interfaces and accepts external mail).

  PR:		243686
  Reported by:	authors via irc
  Relnotes:	https://www.mail-archive.com/misc@opensmtpd.org/msg04850.html
  Security:	CVE-2020-7247
  Security:	08f5c27d-4326-11ea-af8b-00155d0a0200
  Approved by:	ports-secteam (blanket, security issue)

Changes:
_U  branches/2020Q1/
  branches/2020Q1/mail/opensmtpd/Makefile
  branches/2020Q1/mail/opensmtpd/distinfo
Merged to quarterly, listed in vuxml