NetBSD Problem Report #59743
From www@netbsd.org Fri Oct 31 17:36:29 2025
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 015F71A9239
for <gnats-bugs@gnats.NetBSD.org>; Fri, 31 Oct 2025 17:36:29 +0000 (UTC)
Message-Id: <20251031173627.CC1E91A923C@mollari.NetBSD.org>
Date: Fri, 31 Oct 2025 17:36:27 +0000 (UTC)
From: rbranco@suse.de
Reply-To: rbranco@suse.de
To: gnats-bugs@NetBSD.org
Subject: mail/opensmtpd: CVE-2025-62875: OpenSMTPD: Trivial Local Denial-of-Service via UNIX Domain Socket
X-Send-Pr-Version: www-1.0
>Number: 59743
>Category: pkg
>Synopsis: mail/opensmtpd: CVE-2025-62875: OpenSMTPD: Trivial Local Denial-of-Service via UNIX Domain Socket
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: vins
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Oct 31 17:40:00 +0000 2025
>Closed-Date: Mon Feb 02 04:08:44 +0000 2026
>Last-Modified: Mon Feb 02 04:08:44 +0000 2026
>Originator: Ricardo Branco
>Release: NetBSD 11.99.3
>Organization:
>Environment:
>Description:
OpenSMTPD: Trivial Local Denial-of-Service via UNIX Domain Socket (CVE-2025-62875)
https://security.opensuse.org/2025/10/31/opensmtpd-local-DoS.html
>How-To-Repeat:
>Fix:
https://github.com/OpenSMTPD/OpenSMTPD/commit/653abf00f5283a2d3247eb9aabf8987d1b2f0510
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: pkg-manager->vins
Responsible-Changed-By: wiz@NetBSD.org
Responsible-Changed-When: Sun, 02 Nov 2025 00:17:45 +0000
Responsible-Changed-Why:
Over to maintainer
From: Paolo Vincenzo Olivo <vins@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, pkgsrc-bugs@netbsd.org, gnats-admin@netbsd.org,
wiz@NetBSD.org, rbranco@suse.de
Subject: Re: pkg/59743 (mail/opensmtpd: CVE-2025-62875: OpenSMTPD: Trivial
Local Denial-of-Service via UNIX Domain Socket)
Date: Sat, 8 Nov 2025 22:06:13 +0000
On 25/11/02 12:17AM, wiz@NetBSD.org wrote:
> Synopsis: mail/opensmtpd: CVE-2025-62875: OpenSMTPD: Trivial Local Denial-of-Service via UNIX Domain Socket
This is fixed by upstream commit #653abf0: "smtpd(8) can die if a
malformed imsg is sent on the local socket", [0] which is included in
7.8.0 [1], and documented in the initial disclosure [2].
On pkgsrc-trunk, mail/opensmtpd was updated to 7.8.0 on November the 2nd,
[3] and the pkgsrc-vulnerabilities list was updated to reflect the fact
that opensmtpd-7.7.0p0, found in pkgsrc-2025Q3, is the only version
known to be affected by this bug.[4]
[0] https://github.com/OpenSMTPD/OpenSMTPD/commit/653abf00f5283a2d3247eb9aabf8987d1b2f0510
[1] https://github.com/OpenSMTPD/OpenSMTPD/commit/4a44acf179f7ba85dd8341aa8c2f2748bb47f73a
[2] https://www.openwall.com/lists/oss-security/2025/10/31/3
[3] https://mail-index.netbsd.org/pkgsrc-changes/2025/11/02/msg333122.html
[4] https://mail-index.netbsd.org/pkgsrc-changes/2025/11/02/msg333094.html
From: Benny Siegert <bsiegert@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: vins@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org,
rbranco@suse.de
Subject: Re: pkg/59743 (mail/opensmtpd: CVE-2025-62875: OpenSMTPD: Trivial
Local Denial-of-Service via UNIX Domain Socket)
Date: Sun, 9 Nov 2025 10:54:48 +0000 (UTC)
On Sat, 8 Nov 2025, Paolo Vincenzo Olivo via gnats wrote:
> On pkgsrc-trunk, mail/opensmtpd was updated to 7.8.0 on November the 2nd,
> [3] and the pkgsrc-vulnerabilities list was updated to reflect the fact
> that opensmtpd-7.7.0p0, found in pkgsrc-2025Q3, is the only version
> known to be affected by this bug.[4]
So we pull up the 7.8.0 update to fix this
--
Benny
State-Changed-From-To: open->pending-pullups
State-Changed-By: vins@NetBSD.org
State-Changed-When: Sat, 13 Dec 2025 08:16:25 +0000
State-Changed-Why:
pullup request forwarded
State-Changed-From-To: pending-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 02 Feb 2026 04:08:44 +0000
State-Changed-Why:
pullup-pkgsrc #7037 https://releng.netbsd.org/cgi-bin/req-pkgsrc.cgi?show=7037 resolved
>Unformatted: