Hi,

The following vulnerability was published for sendmail.

https://alpaca-attack.com/ affects sendmail. It was fixed in
the latest 3.16.1 release:
https://marc.info/?l=sendmail-announce&m=159394546814125&w=2

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3618
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3618

Please adjust the affected versions in the BTS as needed.

Control: fixed -1 8.16.1-1
Control: tag -1 + help

Huzaifa S. Sidhpurwala 2021-06-29 05:11:36 UTC

Sendmail:

"Sendmail only detects HTTP requests at the very start of a connection.
If STARTTLS is used, the first command inside the connection can bensent
by the attacker, bypassing the detection"
Sendmail fixed a bug to detect HTTP requests when STARTTLS is used in 8.16

As per the release notes:

	SECURITY: If sendmail tried to reuse an SMTP session which had
		already been closed by the server, then the connection
		cache could have invalid information about the session.
		One possible consequence was that STARTTLS was not
		used even if offered.  This problem has been fixed
		by clearing out all relevant status information
		when a closed session is encountered.

(there are no specific references since sendmail 8.16.1 was released in
July 2020, long before alpaca-attack got disclosed to interested parties:
2020-10-20: Initial contact with [...] author of TLS standard [...]
...
2021-02-20: Initial contact with all affected application servers (FTP,
Email).
...
2021-06-09: Public disclosure.)

+help: I'm hoping that someone backports this fix to 8.15.x, possibly
https://bugzilla.redhat.com/show_bug.cgi?id=1975650


Andreas