OpenPKG ssmtp Format String Vulnerability Advisory (CAN-2004-0156)

From the webpage screenshot, the key vulnerability information is as follows: List: bugtraq Subject: [OpenPKG-SA-2004.020] OpenPKG Security Advisory (ssmtp) From: OpenPKG Date: 2004-05-07 20:01:55 Message-ID: OpenPKG-SA-2004.020 ------BEGIN PGP SIGNED MESSAGE------ Hash: SHA1 --- OpenPKG Security Advisory http://www.openpkg.org/security.html The OpenPKG Project http://www.openpkg.org openpkg-security@openpkg.org OpenPKG-SA-2004.020 openpkg@openpkg.org 07-May-2004 --- Package: ssmtp Vulnerability: denial of service, code execution OpenPKG Specific: no Affected Releases: OpenPKG CURRENT OpenPKG 2.0 OpenPKG 1.3 Affected Packages: = ssmtp-2.60.8-20040507 OpenPKG CURRENT: >= ssmtp-2.48-2.0.1 OpenPKG 1.3: >= ssmtp-2.48-1.3.1 Dependent Packages: none Description: Two format string bugs were discovered in sSMTP, a simple sending-only Mail Transport Agent (MTA). Untrusted values in the functions die() and log_event() were passed to printf(3)-like functions as format strings. These vulnerabilities could potentially allow remote mail relays to cause a Denial of Service (DoS) and possibly execute arbitrary code. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2004-0156 to the problem. Solution: Select the updated source RPM appropriate for your OpenPKG release, fetch it from the OpenPKG FTP service or a mirror location, verify its integrity, build a corresponding binary RPM from it and update your OpenPKG installation by applying the binary RPM. For the most recent release OpenPKG 2.0, perform the following operations to permanently fix the security problem. Adjust accordingly for other releases. References: [1] ftp://ftp.debian.org/debian/pool/main/s/ssmtp/ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0156 [3] http://www.openpkg.org/tutorial.html#regular-source [4] http://www.openpkg.org/tutorial.html#regular-binary [5] ftp://ftp.openpkg.org/release/1.3/UPD/ssmtp-2.48-1.3.1.src.rpm [6] ftp://ftp.openpkg.org/release/2.0/UPD/ssmtp-2.48-2.0.1.src.rpm [7] ftp://ftp.openpkg.org/release/1.3/UPD/ [8] ftp://ftp.openpkg.org/release/2.0/UPD/ [9] http://www.openpkg.org/security.html#signature For security reasons, this advisory was digitally signed with the OpenPKG public key "OpenPKG " (ID 63C4CB9F) of the OpenPKG project which you can retrieve from and hkp://pgp.openpkg.org. Follow the instructions on for details on how to verify the integrity of this advisory.

Goal Reached Thanks to every supporter — we hit 100%!

OpenPKG ssmtp Format String Vulnerability Advisory (CAN-2004-0156)