diff options
author | Dima Panov <fluffy@FreeBSD.org> | 2020-02-25 03:07:17 +0000 |
---|---|---|
committer | Dima Panov <fluffy@FreeBSD.org> | 2020-02-25 03:07:17 +0000 |
commit | a803ccb03c1077884caa15f7530e2e76104a75d5 (patch) | |
tree | 38fbfc212178ab17c00c3be120a29cbb2a3f196a /security | |
parent | f7a33bfb4cde701e25a88fc9c74146d9a5a81aa3 (diff) | |
download | ports-a803ccb03c1077884caa15f7530e2e76104a75d5.tar.gz ports-a803ccb03c1077884caa15f7530e2e76104a75d5.zip |
Document OpenSMTPd vulnerability
LPE and RCE in OpenSMTPD's default install
Security: CVE-2020-8793, CVE-2020-8794
Notes
Notes:
svn path=/head/; revision=527060
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index c9abd15bbe9c..229f2dd8d062 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,37 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="f0683976-5779-11ea-8a77-1c872ccb1e42"> + <topic>LPE and RCE in OpenSMTPD's default install</topic> + <affects> + <package> + <name>opensmtpd</name> + <range><lt>6.6.4,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>OpenSMTPD developersreports:</p> + <blockquote cite="https://opensmtpd.org/security.html"> + <p>An out of bounds read in smtpd allows an attacker to inject arbitrary + commands into the envelope file which are then executed as root. + Separately, missing privilege revocation in smtpctl allows arbitrary + commands to be run with the _smtpq group.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2020-8793</cvename> + <url>https://www.openwall.com/lists/oss-security/2020/02/24/4</url> + <cvename>CVE-2020-8794</cvename> + <url>https://www.openwall.com/lists/oss-security/2020/02/24/5</url> + </references> + <dates> + <discovery>2020-02-22</discovery> + <entry>2020-02-24</entry> + </dates> + </vuln> + <vuln vid="40c75597-574a-11ea-bff8-c85b76ce9b5a"> <topic>OpenSMTPd -- LPE and RCE in OpenSMTPD's default install</topic> <affects> |