ELA-1124-1 sendmail security update

SMTP smuggling

2024-07-05
Package: sendmail
Version: 8.15.2-8+deb9u2 (stretch)
Related CVEs: CVE-2023-51765


sendmail allowed SMTP smuggling in certain configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because sendmail accepts `<LF>.<CR><LF>` as an end-of-data sequence, but some other popular e-mail servers do not.

This particular injection vulnerability has been closed. Unfortunately, fully closing it requires rejecting mail that contains a NUL (0x00) byte.

This is slightly non-conformant with the RFC and can be opted out of by setting confREJECT_NUL to ‘false’ in the sendmail.mc file.
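As an added example (not code from the advisory or from sendmail), the following Python check scans a DATA body for the two conditions this update now rejects, NUL bytes and a bare `<LF>.<CR><LF>` terminator, and shows why a receiver that honours that sequence ends the message earlier than a strict RFC 5321 receiver; the sample payloads are constructed for the example.

```python
import re

# RFC 5321 ends DATA with CRLF "." CRLF. Per the advisory, sendmail also
# honoured LF "." CRLF, which other servers treat as ordinary message text.
CANONICAL_EOD = b"\r\n.\r\n"
BARE_LF_EOD = re.compile(rb"(?<!\r)\n\.\r\n")  # LF not preceded by CR

# Constructed sample DATA bodies (not from the advisory).
CLEAN = b"Subject: hello\r\n\r\nbody line\r\n.\r\n"
SUSPECT = b"Subject: hello\r\n\r\nbody line\n.\r\ntrailing text\r\n.\r\n"
NUL_SAMPLE = b"Subject: hello\r\n\r\nbody\x00line\r\n.\r\n"


def audit_data(payload: bytes) -> dict:
    """Report NUL bytes and bare-LF end-of-data sequences in a DATA body.
    'reject' mirrors the new default behaviour (confREJECT_NUL) plus the
    terminator check; a relay would refuse such a body rather than pass it on."""
    nul_offsets = [i for i, b in enumerate(payload) if b == 0]
    bare_lf_offsets = [m.start() for m in BARE_LF_EOD.finditer(payload)]
    return {
        "nul_bytes": nul_offsets,
        "bare_lf_eod": bare_lf_offsets,
        "reject": bool(nul_offsets or bare_lf_offsets),
    }


def strict_end_of_data(payload: bytes) -> int:
    """Offset where a strict receiver ends the message (first CRLF.CRLF), or -1."""
    return payload.find(CANONICAL_EOD)


def lenient_end_of_data(payload: bytes) -> int:
    """Offset where a receiver that also honours LF.CRLF ends the message.
    When this is earlier than the strict offset, the two servers disagree on
    where the message stops, which is the root of the smuggling issue."""
    strict = strict_end_of_data(payload)
    m = BARE_LF_EOD.search(payload)
    lenient = m.start() if m else -1
    candidates = [i for i in (strict, lenient) if i >= 0]
    return min(candidates) if candidates else -1


if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("suspect", SUSPECT), ("nul", NUL_SAMPLE)):
        print(name, audit_data(body), strict_end_of_data(body), lenient_end_of_data(body))
```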



For Debian 9 stretch, these problems have been fixed in version 8.15.2-8+deb9u2.

We recommend that you upgrade your sendmail packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.