Currently opensmtpd has a high-level remote CVE and several others from the release listed. I have tried to compile the updated version, but:
1. It is a major upgrade with a different config syntax than what is in EPEL.
2. It requires libressl to compile, which we do not ship.
3. It might be possible to fix that one known CVE, but there seem to have been others, and I do not have any knowledge of what is needed to fix all of them.
I would like to remove opensmtpd from EPEL. If someone wants to fix/patch it that would be great also but it might become a long war of attrition.
On Thu, Jan 30, 2020 at 01:49:55PM -0500, Stephen John Smoogen wrote:
> Currently opensmtpd has a high level remote CVE and several others from the release listed. I have tried to compile the updated version but […]
According to the oss-security list[1], this vulnerability became exploitable in May 2018; the version in EPEL (and Fedora) is 6.0.3, which was released on Jan 4, 2018[2].
> I would like to remove opensmtpd from EPEL. If someone wants to fix/patch it that would be great also but it might become a long war of attrition.
I'd prefer just retiring the epel branch. I'm not using it myself, but as it seems the CVEs I could find for OpenSMTPd do not affect the EPEL version, I wouldn't remove/obsolete already installed packages.
In Fedora there seems to be activity in OpenSMTPd (only checked bugzilla[3]), so maybe the Fedora Maintainer is interested in also taking the EPEL branch? (I've cc'ed the Fedora Maintainer, hope that's okay.)
All the best, Astra
[1] https://www.openwall.com/lists/oss-security/2020/01/28/3
[2] https://github.com/OpenSMTPD/OpenSMTPD/releases?after=opensmtpd-6.4.1p1
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1742449
epel-devel@lists.fedoraproject.org