- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3829-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
June 15, 2024                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : sendmail
Version        : 8.15.2-14~deb10u2
CVE ID         : CVE-2023-51765
Debian Bug     : 1059386

sendmail allowed SMTP smuggling in certain configurations.
Remote attackers can use a published exploitation technique to inject e-mail
messages with a spoofed MAIL FROM address, allowing bypass
of an SPF protection mechanism. This occurs because sendmail supports
. but some other popular e-mail servers do not.

This particular injection vulnerability has been closed,
unfortunatly full closure need to reject mail that
contain NUL (0x00 byte).

This is slighly non conformant with RFC and could
be opt-out by setting confREJECT_NUL to 'false'
in sendmail.mc file.

For Debian 10 buster, this problem has been fixed in version
8.15.2-14~deb10u2.

We recommend that you upgrade your sendmail packages.

For the detailed security status of sendmail please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sendmail

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS