oss-sec mailing list archives
Re: Re: New SMTP smuggling attack
From: Marcus Meissner <meissner () suse de>
Date: Fri, 22 Dec 2023 11:46:48 +0100
Hi,

FWIW as no CVEs were to be found yet, I filed a CVE request for Postfix now.

Not sure if we need it for others like sendmail too, as that is also referenced by the security researchers.

Ciao, Marcus

On Thu, Dec 21, 2023 at 02:46:56PM +0000, Claus Assmann wrote:
> Just for completeness: sendmail 8.18.0.2 has options to handle
> this too, e.g.,
>
> Accept only CR LF . CR LF as end of an SMTP message as required
> by the RFCs when the new srv_features option 'o' is used.
>
> And for those who read the source code there's also an FFR:
>
> /* enable checking for "bare LF" in message */
> "_FFR_BARE_LF",
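Added example, not part of the thread and not sendmail or Postfix code: a small Python model of the strict rule quoted above, where only CR LF . CR LF ends a message and any bare LF or bare CR inside it is flagged. The function names, the reject-on-bare-line-ending policy and the sample byte strings are assumptions constructed for illustration.

```python
# Illustrative model only; names and sample data are constructed for this example.
EOD = b"\r\n.\r\n"  # the only end-of-data sequence the RFCs allow


def bare_line_endings(data):
    """Return (offset, kind) for each LF not preceded by CR and each CR not followed by LF."""
    findings = []
    for i, byte in enumerate(data):
        if byte == 0x0A and (i == 0 or data[i - 1] != 0x0D):
            findings.append((i, "bare LF"))
        elif byte == 0x0D and (i + 1 >= len(data) or data[i + 1] != 0x0A):
            findings.append((i, "bare CR"))
    return findings


def split_strict(stream):
    """Split the bytes after DATA at the first strict terminator.

    Returns (message, rest), or None when the terminator has not arrived yet.
    """
    if stream.startswith(b".\r\n"):  # empty message: the dot is the first line
        return b"", stream[3:]
    idx = stream.find(EOD)
    if idx < 0:
        return None
    return stream[: idx + 2], stream[idx + len(EOD):]


def receive(stream, reject_bare=True):
    """Return ("accept", message), ("reject", findings) or ("incomplete", None)."""
    parts = split_strict(stream)
    if parts is None:
        return ("incomplete", None)
    message, _rest = parts
    findings = bare_line_endings(message)
    if findings and reject_bare:
        return ("reject", findings)
    return ("accept", message)


# Constructed inputs: a well-formed message, and one carrying a bare LF before a dot line.
CLEAN = b"Subject: hi\r\n\r\nbody\r\n.\r\n"
ODD = b"Subject: hi\r\n\r\nline one\n.\r\nline two\r\n.\r\n"

if __name__ == "__main__":
    print(receive(CLEAN))
    print(receive(ODD))
```

In the second input the strict split ignores the dot line that follows a bare LF, so the whole payload stays one message, and the bare LF at offset 23 is what gets it rejected.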