On February 24, 2020, the OpenBSD Project released a security bulletin to address a remote code execution (RCE) vulnerability affecting versions 6.6.3p1 and below of its OpenSMTPD e-mail server software. By sending a specially crafted email to an affected system, a remote actor can execute arbitrary shell commands as root.
The portable version of OpenSMTPD is also vulnerable to exploitation. This version runs on the following operating systems and has been incorporated into many of them:
It is recommended that you take the necessary precautions by ensuring your products are always updated.
For more information on this update, follow this URL:
OpenSMTPD 6.6.4p1 released: addresses CRITICAL vulnerability: https://email@example.com/msg04888.html
The Guyana National CIRT recommends that users and administrators follow these updates and apply them where necessary.