oss-sec mailing list archives

Re: Re: New SMTP smuggling attack

From: Marcus Meissner <meissner () suse de>
Date: Fri, 22 Dec 2023 11:46:48 +0100

Hi,

FWIW as no CVEs were to be found yet, I filed a CVE request for Postfix now.

Not sure if we need it for others like sendmail too, as that is also
referenced by the security researchers.

Ciao, Marcus
On Thu, Dec 21, 2023 at 02:46:56PM +0000, Claus Assmann wrote:

Just for completeness:
sendmail 8.18.0.2 has options to handle this too, e.g.,
      Accept only CR LF . CR LF as end of an SMTP message as
              required by the RFCs when the new srv_features
              option 'o' is used.

And for those who read the source code there's also an FFR:
      /* enable checking for "bare LF" in message */
      "_FFR_BARE_LF",

Current thread:

New SMTP smuggling attack Marcus Meissner (Dec 21)
- Re: New SMTP smuggling attack Claus Assmann (Dec 21)
  - Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 22)
    - Re: Re: New SMTP smuggling attack Stuart Henderson (Dec 22)
    - Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 22)
    - Re: Re: New SMTP smuggling attack Erik Auerswald (Dec 22)
    - Re: Re: New SMTP smuggling attack Rodrigo Freire (Dec 22)
    - Re: Re: New SMTP smuggling attack Alexander E. Patrakov (Dec 22)
    - Re: Re: New SMTP smuggling attack Erik Auerswald (Dec 22)
    - Re: Re: New SMTP smuggling attack Stuart D Gathman (Dec 22)
    - Re: Re: New SMTP smuggling attack Harry Sintonen (Dec 22)
    - Re: Re: New SMTP smuggling attack Bjoern Franke (Dec 22)
    - Re: Re: New SMTP smuggling attack Valtteri Vuorikoski (Dec 23)

(Thread continues...)