Is trisquel using OpenSMTPD ?

amenex
Joined: 01/04/2015

One of my security news feeds just happened to mention a bug in OpenSMTPD:

https://nakedsecurity.sophos.com/2020/01/31/serious-security-how-special-case-code-blew-a-hole-in-opensmtpd/

As I'm getting all manner of unsolicited nasty-looking emails because of
past anti-spam activity, I wonder if I should be extraordinarily
concerned with the state of OpenSMTPD.

George Langford, stunned in SE PA

jxself
Joined: 09/13/2010

"using"? Trisquel has a number of MTAs available for people to use, including OpenSMTPD but also Postfix and Exim and...

Platoxia
Joined: 05/30/2018

From the link you posted:

"The patch arrived in OpenSMTPD 6.6.2 (6.6.2p1 if you are using the so-called Portable source code intended for use on operating systems other than OpenBSD itself)."

According to my apt search, the latest version in Trisquel 8.0 LTS Flidas is 5.7.3p2-1 amd64. If this is what you are using then I would be extraordinarily concerned, just as you say.

In this case, you can either wait for it to be updated for Flidas or do it yourself if you have the ability (I don't myself, but maybe you can find someone who can help you in this forum).

Otherwise, I would suggest installing the Guix package manager (as it already has OpenSMTPD 6.6.2p1: https://guix.gnu.org/packages/opensmtpd-6.6.2p1/) and then use the guix pack utility to create a binary tarball that includes all dependencies built in, or it can make a docker image for you...either of which you can use on your current system (https://guix.gnu.org/manual/en/html_node/Invoking-guix-pack.html#Invoking-guix-pack). For full disclosure, I've never done this before and only know it is an option that should work according to the Guix guys, but honestly, I don't know that this would be any faster than just compiling the new version yourself and making a package for it that will work with apt.

Another thought is to just add a ppa to apt that already has it and install it from there...although I don't know that the dependencies would be the same.

Whichever way you decide to handle it, I would shut down that mail server immediately if it accepts random emails from the internet. You aren't likely to be able to easily recover from any new outgoing spam activity if you already have a history of it. Edit: Of course, if you get rooted through this exploit, outgoing spam will be the least of your concerns.

Best of luck,
Platoxia

jxself
Joined: 09/13/2010

"According to my apt search, the latest version in Trisquel 8.0 LTS Flidas is 5.7.3p2-1 amd64. If this is what you are using then I would be extraordinarily concerned, just as you say."

Comparing distro package version numbers to upstream package version numbers isn't the correct way to determine if a security vulnerability exists within distro packages like this. When a program contains a security problem, it is commonly fixed by backporting only the actual security patch itself and leaving it at the same version.

An example is this here:
https://www.debian.org/security/2020/dsa-4611

Debian fixes it in version 6.0.3p1-5+deb10u3 even though upstream fixes it with 6.6.2p1, because they backported the patch in order to otherwise leave the package version frozen. (Debian policy holds that packages are frozen on release and never changed, except for making the minimum necessary changes to address security problems and bugs. That's why they only make this small change and do not pull 6.6.2p1 into their stable release.)

And so: Someone that only compares version numbers would see "Oh noes - I have 6.0.3p1 which is less than 6.6.2p1 and so I am still vulnerable" when in fact they are not.
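
To show the point jxself makes above in code, here is an added example (not from this thread, not from Debian or Trisquel's tooling): a small Python script that compares Debian-style version strings the way dpkg orders them and then, instead of trusting that comparison, looks for the advisory reference in the package's changelog. The changelog text is a constructed excerpt in Debian changelog layout; the version strings and the DSA id are the ones quoted in the thread, the maintainer line and wording are made up. The naive comparison says 6.0.3p1-5+deb10u3 is older than 6.6.2p1; the changelog says the fix is in.

```python
import re
from typing import List, Tuple

# dpkg's ordering for non-digit runs: '~' sorts before everything (even the
# end of the string), then the end of the string, then letters, then the rest.
def _char_order(c: str) -> int:
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigits(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i] if i < len(a) else "")
        ob = _char_order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


_RUN = re.compile(r"(\D*)(\d*)")


def _cmp_part(a: str, b: str) -> int:
    # Walk both strings as alternating non-digit / digit runs, as dpkg does.
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        ma, mb = _RUN.match(a, ia), _RUN.match(b, ib)
        r = _cmp_nondigits(ma.group(1), mb.group(1))
        if r:
            return r
        na, nb = int(ma.group(2) or 0), int(mb.group(2) or 0)
        if na != nb:
            return -1 if na < nb else 1
        ia, ib = ma.end(), mb.end()
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    # [epoch:]upstream[-debian_revision]; the revision is after the last '-'.
    epoch, upstream, revision = 0, version, ""
    if ":" in upstream:
        e, upstream = upstream.split(":", 1)
        epoch = int(e)
    if "-" in upstream:
        upstream, revision = upstream.rsplit("-", 1)
    return epoch, upstream, revision


def debian_version_compare(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 in the same order dpkg --compare-versions uses."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)


# Constructed changelog excerpt (Debian changelog layout). Versions and the
# advisory id are the ones quoted in the thread; the rest is made up.
SAMPLE_CHANGELOG = """\
opensmtpd (6.0.3p1-5+deb10u3) buster-security; urgency=high

  * Backport the upstream security fix referenced by DSA-4611.
    The upstream version number is left unchanged.

 -- Example Maintainer <maintainer@example.invalid>  Wed, 29 Jan 2020 00:00:00 +0000

opensmtpd (6.0.3p1-5+deb10u2) buster; urgency=medium

  * Unrelated packaging change.

 -- Example Maintainer <maintainer@example.invalid>  Wed, 01 Jan 2020 00:00:00 +0000
"""

_ENTRY = re.compile(r"^(\S+) \(([^)]+)\) ", re.M)


def parse_changelog(text: str) -> List[Tuple[str, str]]:
    """Return [(version, entry_body), ...] in file order (newest first)."""
    heads = list(_ENTRY.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append((m.group(2), text[m.end():end]))
    return entries


def assess(installed: str, changelog: str, advisory: str) -> str:
    """'fixed' if the installed version is at or past the entry that cites the
    advisory, 'vulnerable' if it is older, 'unknown' if no entry cites it."""
    for version, body in parse_changelog(changelog):
        if advisory.lower() in body.lower():
            return "fixed" if debian_version_compare(installed, version) >= 0 else "vulnerable"
    return "unknown"


if __name__ == "__main__":
    for installed in ("6.0.3p1-5+deb10u3", "6.0.3p1-5+deb10u2"):
        naive = "older" if debian_version_compare(installed, "6.6.2p1") < 0 else "not older"
        verdict = assess(installed, SAMPLE_CHANGELOG, "DSA-4611")
        print(f"{installed}: naive comparison says {naive} than 6.6.2p1; changelog says {verdict}")
```

On a real system the changelog text would come from the distribution's package (for example `apt changelog opensmtpd`), and the advisory to search for is whatever the distribution's security tracker cites for the issue; a Debian changelog says nothing about a Trisquel build, so for the 5.7.3p2-1 package in the thread the honest answer from this script is "unknown" until Trisquel's own changelog or security notices are checked.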

Platoxia
Joined: 05/30/2018

Thanks for the schooling, jxself. I'm just an end user so I didn't realize this.