sendmail (8.15.2-22+deb11u3) bullseye; urgency=medium
Sendmail was affected by SMTP smuggling (CVE-2023-51765).
Remote attackers can use a published exploitation technique
to inject e-mail messages with a spoofed MAIL FROM address,
allowing bypass of an SPF protection mechanism.
This occurs because sendmail supports some combination of
<CR><LF><NUL>.
.
This particular injection vulnerability has been closed;
unfortunately, full closure needs to reject mail that
contains NUL.
.
This is slightly non-conformant with the RFC and can
be opted out of by setting confREJECT_NUL to 'false'
in the sendmail.mc file.
-- Bastien Roucariès <rouca(a)debian.org> Sun, 12 May 2024 19:38:09 +0000
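Added example, not part of the changelog or of sendmail itself: a small check, in the spirit of the hardened behaviour described above, that scans an SMTP DATA payload for NUL bytes (including NUL directly after CRLF) and for bare CR/LF line endings, and reports a reject verdict. The `reject_nul` flag is an assumed stand-in for the confREJECT_NUL policy; the sample payload is constructed.

```python
import re

# Constructed sample DATA payload (not taken from the advisory): a clean
# CRLF line, then a NUL right after CRLF, then a bare LF line ending.
SAMPLE_PAYLOAD = b"Subject: test\r\n\r\nhello\r\n\x00world\nend\r\n.\r\n"


def check_smtp_data(payload: bytes, reject_nul: bool = True) -> dict:
    """Report byte offsets of sequences a strict SMTP receiver should not accept.

    'nul'      : every NUL byte in the payload
    'crlf_nul' : offset of each CRLF that is immediately followed by NUL
    'bare_lf'  : LF not preceded by CR
    'bare_cr'  : CR not followed by LF
    'reject'   : True when NULs are present and reject_nul is set; reject_nul
                 is an assumed analogue of the confREJECT_NUL option, so with
                 reject_nul=False the NULs are only reported, not rejected.
    """
    findings = {
        "nul": [i for i, b in enumerate(payload) if b == 0],
        "crlf_nul": [m.start() for m in re.finditer(rb"\r\n\x00", payload)],
        "bare_lf": [m.start() for m in re.finditer(rb"(?<!\r)\n", payload)],
        "bare_cr": [m.start() for m in re.finditer(rb"\r(?!\n)", payload)],
    }
    findings["reject"] = bool(findings["nul"]) and reject_nul
    return findings


def describe(payload: bytes, reject_nul: bool = True) -> str:
    """One-line human-readable summary, e.g. for a milter or triage log."""
    f = check_smtp_data(payload, reject_nul)
    verdict = "REJECT" if f["reject"] else "accept"
    return (f"{verdict}: nul={f['nul']} crlf_nul={f['crlf_nul']} "
            f"bare_lf={f['bare_lf']} bare_cr={f['bare_cr']}")


if __name__ == "__main__":
    print(describe(SAMPLE_PAYLOAD))
    print(describe(SAMPLE_PAYLOAD, reject_nul=False))
```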