Package | sendmail |
---|---|
Version | 8.15.2-8+deb9u2 (stretch) |
Related CVEs | CVE-2023-51765 |
sendmail allowed SMTP smuggling in certain configurations.
Remote attackers can use a published exploitation technique to inject e-mail
messages with a spoofed MAIL FROM address, allowing bypass
of an SPF protection mechanism. This occurs because sendmail supports
This particular injection vulnerability has been closed; unfortunately, full closure requires rejecting mail that contains NUL (0x00 byte).
This is slightly non-conformant with the RFC, and you can opt out by setting confREJECT_NUL to ‘false’ in the sendmail.mc file.
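Before deciding whether to opt out, it helps to know how much legitimate traffic actually carries NUL bytes. The following is an added example, not part of the advisory or of sendmail: a Python check over a captured raw SMTP DATA payload that reports NUL bytes and, going beyond what this page states, bare CR and bare LF line endings (general SMTP smuggling background). The function names and sample payloads are constructed for illustration.

```python
import re

# Bytes worth flagging in a raw SMTP DATA payload (wire format, CRLF line endings).
# NUL is what the advisory says the full fix rejects; bare CR / bare LF are an
# assumption added here as general background on non-CRLF line endings.
_PATTERNS = {
    "NUL byte": re.compile(rb"\x00"),
    "bare CR": re.compile(rb"\r(?!\n)"),    # CR not followed by LF
    "bare LF": re.compile(rb"(?<!\r)\n"),   # LF not preceded by CR
}


def audit_smtp_data(payload: bytes) -> list[dict]:
    """Return one finding per offending byte, sorted by offset."""
    # The header/body boundary is the first empty CRLF line; -1 means header only.
    boundary = payload.find(b"\r\n\r\n")
    findings = []
    for kind, pattern in _PATTERNS.items():
        for match in pattern.finditer(payload):
            offset = match.start()
            in_header = boundary == -1 or offset < boundary
            findings.append({
                "kind": kind,
                "offset": offset,
                "part": "header" if in_header else "body",
                # 1-based line number, counting every LF before the offset
                "line": payload.count(b"\n", 0, offset) + 1,
            })
    return sorted(findings, key=lambda f: f["offset"])


def would_be_rejected_for_nul(payload: bytes) -> bool:
    """True if the payload contains a NUL byte, which the fixed package rejects by default."""
    return any(f["kind"] == "NUL byte" for f in audit_smtp_data(payload))


# Constructed sample payloads (not real traffic).
CLEAN = b"From: a@example.org\r\nSubject: ok\r\n\r\nhello\r\n"
DIRTY = b"From: a@example.org\r\nSubject: t\x00est\r\n\r\nline one\nline two\r\n"

if __name__ == "__main__":
    for name, sample in (("CLEAN", CLEAN), ("DIRTY", DIRTY)):
        print(name, "rejected for NUL:", would_be_rejected_for_nul(sample))
        for finding in audit_smtp_data(sample):
            print("  ", finding)
```

Run it against payloads captured on the wire; mail already stored on disk usually has its line endings rewritten to LF, so the bare-LF check is only meaningful for raw SMTP data.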
For Debian 9 stretch, these problems have been fixed in version 8.15.2-8+deb9u2.
We recommend that you upgrade your sendmail packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.