oss-sec mailing list archives

Re: Re: New SMTP smuggling attack

From: Marcus Meissner <meissner () suse de>
Date: Sun, 24 Dec 2023 10:33:37 +0100

On Sat, Dec 23, 2023 at 02:29:34PM +0200, Valtteri Vuorikoski wrote:

On Fri, Dec 22, 2023 at 11:46:48AM +0100, Marcus Meissner wrote:

Hi,

FWIW as no CVEs were to be found yet, I filed a CVE request for Postfix now.

Not sure if we need it for others like sendmail too, as that is also
referenced by the security researchers.


Looks like exim opened a bug on this yesterday too, no sign of CVE yet:
<https://bugs.exim.org/show_bug.cgi?id=3063>


CVEs are assigned now for:

- CVE-2023-51764 postfix
- CVE-2023-51765 sendmail
- CVE-2023-51766 exim

Ciao, Marcus

Current thread:

Re: Re: New SMTP smuggling attack, (continued)
- - - Re: Re: New SMTP smuggling attack Stuart Henderson (Dec 22)
    - Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 22)
    - Re: Re: New SMTP smuggling attack Erik Auerswald (Dec 22)
    - Re: Re: New SMTP smuggling attack Rodrigo Freire (Dec 22)
    - Re: Re: New SMTP smuggling attack Alexander E. Patrakov (Dec 22)
    - Re: Re: New SMTP smuggling attack Erik Auerswald (Dec 22)
    - Re: Re: New SMTP smuggling attack Stuart D Gathman (Dec 22)
    - Re: Re: New SMTP smuggling attack Harry Sintonen (Dec 22)
    - Re: Re: New SMTP smuggling attack Bjoern Franke (Dec 22)
    - Re: Re: New SMTP smuggling attack Valtteri Vuorikoski (Dec 23)
    - Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 24)
    - Re: Re: New SMTP smuggling attack kai (Dec 25)
    - Re: New SMTP smuggling attack Claus Assmann (Dec 26)
    - Re: Re: New SMTP smuggling attack Alan Coopersmith (Dec 29)
    - Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 30)
    - Re: Re: New SMTP smuggling attack Claus Assmann (Dec 30)
- Re: New SMTP smuggling attack Hanno Böck (Dec 22)