Your submission was sent successfully! Close

CVE-2020-8793

Published: 25 February 2020

OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g., on some Linux distributions) because of a combination of an untrusted search path in makemap.c and race conditions in the offline functionality in smtpd.c.

Mitigation

Ubuntu ships with /proc/sys/fs/protected_hardlinks enabled by default,
making this vulnerability not exploitable.
Priority

Low

CVSS 3 base score: 4.7

Status

Package Release Status
opensmtpd
Launchpad, Ubuntu, Debian
bionic
Released (6.0.3p1-1ubuntu0.2)
eoan
Released (6.0.3p1-6ubuntu0.2)
focal
Released (6.6.4p1-1)
groovy
Released (6.6.4p1-1)
hirsute
Released (6.6.4p1-1)
impish
Released (6.6.4p1-1)
jammy
Released (6.6.4p1-1)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needed)
This vulnerability is mitigated in part by the use of hardlink restrictions in Ubuntu.