From 35d1ac893ec3bad68a73619114396525c07f32d7 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 29 Jan 2020 23:01:40 +0100
Subject: Add further note on CVE-2020-7247/opensmtpd

---
 data/CVE/list | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'data')

diff --git a/data/CVE/list b/data/CVE/list
index d82d0e7b92..63394c293e 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2548,6 +2548,9 @@ CVE-2020-7247 (smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in Open
 	NOTE: https://www.openwall.com/lists/oss-security/2020/01/28/3
 	NOTE: Fixed by: https://github.com/OpenSMTPD/OpenSMTPD/commit/2afab2297347342f81fa31a75bbbf7dbee614fda
 	NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/019_smtpd_exec.patch.sig
+	NOTE: The issue is exploitable after switching "to new grammar", which is included
+	NOTE: in portable sync commit:
+	NOTE: https://github.com/OpenSMTPD/OpenSMTPD/commit/be6ef06cba9484d008d9f057e6b25d863cf278ff (opensmtpd-6.4.0)
 CVE-2020-7246 (A remote code execution (RCE) vulnerability exists in qdPM 9.1 and ear ...)
 	NOT-FOR-US: qdPM
 CVE-2020-7245 (Incorrect username validation in the registration process of CTFd v2.0 ...)
-- 
cgit v1.2.3