Version in base suite: 6.0.3p1-5
Version in overlay suite: 6.0.3p1-5+deb10u1
Base version: opensmtpd_6.0.3p1-5+deb10u1
Target version: opensmtpd_6.0.3p1-5+deb10u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/opensmtpd/opensmtpd_6.0.3p1-5+deb10u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/o/opensmtpd/opensmtpd_6.0.3p1-5+deb10u3.dsc
changelog | 21 ++++++++++++++
config | 10 ++----
patches/018_smtpd_tls.patch.sig | 58 +++++++++++++++++++++++++++++++++++++++
patches/019_smtpd_exec.patch.sig | 53 +++++++++++++++++++++++++++++++++++
patches/series | 2 +
5 files changed, 138 insertions(+), 6 deletions(-)
diff -Nru opensmtpd-6.0.3p1/debian/changelog opensmtpd-6.0.3p1/debian/changelog
--- opensmtpd-6.0.3p1/debian/changelog 2019-12-21 22:41:55.000000000 +0000
+++ opensmtpd-6.0.3p1/debian/changelog 2020-01-29 00:44:11.000000000 +0000
@@ -1,3 +1,24 @@
+opensmtpd (6.0.3p1-5+deb10u3) buster-security; urgency=high
+
+ * Fix two major security bugs (Closes: #950121) (CVE-2020-7247)
+ 1. smtpd can crash on opportunistic TLS downgrade, causing a denial of
+ service. OpenBSD 6.6 errata 018:
+ https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/018_smtpd_tls.patch.sig
+ 2. Fix privilege escalation vulnerability: An incorrect check allows an
+ attacker to trick mbox delivery into executing arbitrary commands as
+ root and lmtp delivery into executing arbitrary commands as an
+ unprivileged user. OpenBSD 6.6 errata 019:
+ https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/019_smtpd_exec.patch.sig
+
+ -- Ryan Kavanagh Tue, 28 Jan 2020 19:44:11 -0500
+
+opensmtpd (6.0.3p1-5+deb10u2) buster; urgency=medium
+
+ * Handle non-zero exit code from hostname during config phase
+ (Closes: #948824)
+
+ -- Ryan Kavanagh Thu, 23 Jan 2020 16:36:09 -0500
+
 opensmtpd (6.0.3p1-5+deb10u1) buster; urgency=medium
 
 * Warn users of change of smtpd.conf syntax (Closes: #944268)
diff -Nru opensmtpd-6.0.3p1/debian/config opensmtpd-6.0.3p1/debian/config
--- opensmtpd-6.0.3p1/debian/config 2019-12-21 20:27:41.000000000 +0000
+++ opensmtpd-6.0.3p1/debian/config 2020-01-29 00:44:11.000000000 +0000
@@ -28,12 +28,10 @@
 else
 # Otherwise, default to our FQDN
 # /etc/mailname and opensmtpd/mailname are both empty
- # Default to the FQDN
- MAILNAME=`hostname --fqdn 2> /dev/null`
- # Something when wrong; resort to localdomain
- if [ $? -ne 0 ]; then
- MAILNAME="localdomain"
- fi
+ # Default to the FQDN. hostname will exit with a non-zero
+ # exit code if something goes wrong, in which case we resort
+ # to the value localdomain.
+ MAILNAME=`hostname --fqdn 2> /dev/null || echo "localdomain"`
 # Update our DB with this default for when we prompt the user
 db_set opensmtpd/mailname "${MAILNAME}"
 fi
diff -Nru opensmtpd-6.0.3p1/debian/patches/018_smtpd_tls.patch.sig opensmtpd-6.0.3p1/debian/patches/018_smtpd_tls.patch.sig
--- opensmtpd-6.0.3p1/debian/patches/018_smtpd_tls.patch.sig 1970-01-01 00:00:00.000000000 +0000
+++ opensmtpd-6.0.3p1/debian/patches/018_smtpd_tls.patch.sig 2020-01-29 00:44:11.000000000 +0000
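Review bot: The fallback on the new `MAILNAME=` line fires only on a non-zero exit status from `hostname --fqdn`; if the command exits 0 but prints nothing — I have not confirmed whether hostname can do that — MAILNAME becomes the empty string and `db_set` stores it as the default. Splitting the assignment from the fallback and adding an emptiness guard covers both cases and also drops the backticks in favour of the `$(...)` form: `MAILNAME=$(hostname --fqdn 2> /dev/null) || MAILNAME="localdomain"` followed by `[ -n "$MAILNAME" ] || MAILNAME="localdomain"`. The enclosing if/else block begins before the hunk.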
@@ -0,0 +1,58 @@
+Description: fix denial of service attack
+ OpenBSD 6.6 errata 018, January 30, 2020:
+ .
+ smtpd can crash on opportunistic TLS downgrade, causing a denial of service.
+Origin: https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/018_smtpd_tls.patch.sig
+Bug-Debian: https://bugs.debian.org/950121
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: opensmtpd/smtpd/mta_session.c
+===================================================================
+--- opensmtpd.orig/smtpd/mta_session.c 2020-01-28 17:56:07.336180890 -0500
++++ opensmtpd/smtpd/mta_session.c 2020-01-28 17:56:07.336180890 -0500
+@@ -1292,40 +1292,20 @@
+ break;
+
+ case IO_ERROR:
++ case IO_TLSERROR:
+ log_debug("debug: mta: %p: IO error: %s", s, io_error(io));
+- if (!s->ready) {
+- mta_error(s, "IO Error: %s", io_error(io));
+- mta_connect(s);
+- break;
+- }
+- else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
+- /* error in non-strict SSL negotiation, downgrade to plain */
+- if (s->flags & MTA_TLS) {
+- log_info("smtp-out: Error on session %016"PRIx64
+- ": opportunistic TLS failed, "
+- "downgrading to plain", s->id);
+- s->flags &= ~MTA_TLS;
+- s->flags |= MTA_DOWNGRADE_PLAIN;
+- mta_connect(s);
+- break;
+- }
+- }
+- mta_error(s, "IO Error: %s", io_error(io));
+- mta_free(s);
+- break;
+
+- case IO_TLSERROR:
+- log_debug("debug: mta: %p: TLS IO error: %s", s, io_error(io));
+- if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
++ if (s->state == MTA_STARTTLS && s->use_smtp_tls) {
+ /* error in non-strict SSL negotiation, downgrade to plain */
+- log_info("smtp-out: TLS Error on session %016"PRIx64
+- ": TLS failed, "
++ log_info("smtp-out: Error on session %016"PRIx64
++ ": opportunistic TLS failed, "
+ "downgrading to plain", s->id);
+ s->flags &= ~MTA_TLS;
+ s->flags |= MTA_DOWNGRADE_PLAIN;
+ mta_connect(s);
+ break;
+ }
++
+ mta_error(s, "IO Error: %s", io_error(io));
+ mta_free(s);
+ break;
diff -Nru 
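Review bot: The backported downgrade condition `if (s->state == MTA_STARTTLS && s->use_smtp_tls)` replaces the old `MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL` flag test, so the plaintext fallback is now gated only on `use_smtp_tls`; please confirm that in 6.0.3p1 this field is never set for a relay where TLS is mandatory, since otherwise a forced-TLS session hitting IO_TLSERROR would fall back to plain. A short comment above the condition, such as `/* only opportunistic STARTTLS may downgrade; forced TLS must not take this path */`, would record that invariant for the next backport. The merged IO_ERROR path also drops the former `!s->ready` reconnect branch, so an early IO error now frees the session rather than retrying; that matches upstream but is worth a line in the DEP-3 header. The added file is named `.patch.sig` as on the OpenBSD mirror yet carries no signature block, so nothing about the suffix can be verified at build time. The surrounding switch continues outside the hunk.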
opensmtpd-6.0.3p1/debian/patches/019_smtpd_exec.patch.sig opensmtpd-6.0.3p1/debian/patches/019_smtpd_exec.patch.sig
--- opensmtpd-6.0.3p1/debian/patches/019_smtpd_exec.patch.sig 1970-01-01 00:00:00.000000000 +0000
+++ opensmtpd-6.0.3p1/debian/patches/019_smtpd_exec.patch.sig 2020-01-29 00:44:11.000000000 +0000
@@ -0,0 +1,53 @@
+Description: fix privilege escalation bug
+ OpenBSD 6.6 errata 019, January 30, 2020:
+ .
+ An incorrect check allows an attacker to trick mbox delivery into executing
+ arbitrary commands as root and lmtp delivery into executing arbitrary commands
+ as an unprivileged user.
+Origin: https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/019_smtpd_exec.patch.sig
+Bug-Debian: https://bugs.debian.org/950121
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: opensmtpd/smtpd/smtp_session.c
+===================================================================
+--- opensmtpd.orig/smtpd/smtp_session.c 2020-01-28 17:56:24.026693606 -0500
++++ opensmtpd/smtpd/smtp_session.c 2020-01-28 17:56:24.022693963 -0500
+@@ -2006,25 +2006,23 @@
+ memmove(maddr->user, p, strlen(p) + 1);
+ }
+
+- if (!valid_localpart(maddr->user) ||
+- !valid_domainpart(maddr->domain)) {
+- /* accept empty return-path in MAIL FROM, required for bounces */
+- if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
+- return (1);
++ /* accept empty return-path in MAIL FROM, required for bounces */
++ if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
++ return (1);
+
+- /* no user-part, reject */
+- if (maddr->user[0] == '\0')
+- return (0);
+-
+- /* no domain, local user */
+- if (maddr->domain[0] == '\0') {
+- (void)strlcpy(maddr->domain, domain,
+- sizeof(maddr->domain));
+- return (1);
+- }
++ /* no or invalid user-part, reject */
++ if (maddr->user[0] == '\0' || !valid_localpart(maddr->user))
+ return (0);
++
++ /* no domain part, local user */
++ if (maddr->domain[0] == '\0') {
++ (void)strlcpy(maddr->domain, domain,
++ sizeof(maddr->domain));
+ }
+
++ if (!valid_domainpart(maddr->domain))
++ return (0);
++
+ return (1);
+ }
+
diff -Nru opensmtpd-6.0.3p1/debian/patches/series opensmtpd-6.0.3p1/debian/patches/series
--- opensmtpd-6.0.3p1/debian/patches/series 2019-12-21 22:41:55.000000000 +0000
+++ 
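Review bot: The new `(void)strlcpy(maddr->domain, domain, sizeof(maddr->domain));` discards the return value, so a `domain` longer than `maddr->domain` is silently truncated and the truncated string is then what the following `valid_domainpart(maddr->domain)` validates. Where `domain` comes from is outside the hunk; if it is an operator-configured value this is likely harmless in practice, but the check is one line: `if (strlcpy(maddr->domain, domain, sizeof(maddr->domain)) >= sizeof(maddr->domain)) return (0);`. The function containing this code begins before the hunk.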
opensmtpd-6.0.3p1/debian/patches/series 2020-01-29 00:44:11.000000000 +0000
@@ -1,3 +1,5 @@
 07_automake_missing_options.diff
 10_smtpd.conf.diff
 11_ssl_1.1.diff
+018_smtpd_tls.patch.sig
+019_smtpd_exec.patch.sig