From d739a34f9c6736e54be36f326ff0e16fd2b4b602 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 29 Jan 2020 23:01:40 +0100
Subject: Add further note on CVE-2020-7247/opensmtpd

---
 data/CVE/2020.list | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/data/CVE/2020.list b/data/CVE/2020.list
index 4bf70d7fc3..30c32e43a0 100644
--- a/data/CVE/2020.list
+++ b/data/CVE/2020.list
@@ -2397,6 +2397,9 @@ CVE-2020-7247 (smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in Open
 	NOTE: https://www.openwall.com/lists/oss-security/2020/01/28/3
 	NOTE: Fixed by: https://github.com/OpenSMTPD/OpenSMTPD/commit/2afab2297347342f81fa31a75bbbf7dbee614fda
 	NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/019_smtpd_exec.patch.sig
+	NOTE: The issue is exploitable after switching "to new grammar", which is included
+	NOTE: in portable sync commit:
+	NOTE: https://github.com/OpenSMTPD/OpenSMTPD/commit/be6ef06cba9484d008d9f057e6b25d863cf278ff (opensmtpd-6.4.0)
 CVE-2020-7246 (A remote code execution (RCE) vulnerability exists in qdPM 9.1 and ear ...)
 	NOT-FOR-US: qdPM
 CVE-2020-7245 (Incorrect username validation in the registration process of CTFd v2.0 ...)
-- 
cgit v1.2.3