A vulnerability (CVE-2026-41113) has been found in the qmail fork maintained by the Sagredo project. It allows arbitrary commands to be executed on the server with the privileges of the qmailr user. The vulnerability is caused by special characters not being escaped in the hostname returned by the DNS server when the MX gateway is determined, combined with the resulting hostname being passed to popen without proper separation and filtering when the shell is used. The vulnerability was fixed in release 2026.04.07. An exploit for the vulnerability has been published.
In October 2024, Sagredo changed the qmail-remote utility to add the "notlhosts_auto" feature, which remembers hosts with broken TLS protocol implementations with which a TLS connection cannot be established, so that mail delivery to such hosts does not keep failing.
The problem was that the hostname was saved by launching a command shell through the popen() function with the template "/bin/touch %s/control/notlhosts/'%s'", into which the MX hostname returned by the DNS server was substituted. An attacker can run their own DNS server that returns a name of the form "x'`id>/tmp/pwned`'y.evil.com" in DNS records, and get the substituted code executed by creating the conditions under which the function that saves the name of a misbehaving mail server is called.
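The mitigation pattern for this class of bug, as an added example that is not the Sagredo project's code or its actual fix: the DNS-supplied name is checked against the hostname character set and the marker file is created with open(2), so no shell ever parses the name. The function names and the directory passed in are assumptions made for illustration.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Allow only hostname characters: letters, digits, '-' and '.'.
   Quotes, backticks, '/', '>' and whitespace are all rejected. */
int host_is_safe(const char *h)
{
    size_t n = strlen(h);
    if (n == 0 || n > 253 || h[0] == '.' || h[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Create dir/host as an empty marker file with open(2); no shell is involved.
   Returns 0 on success, -1 if the name is rejected or the file cannot be created. */
int mark_host(const char *dir, const char *host)
{
    char path[512];
    if (!host_is_safe(host))
        return -1;
    int n = snprintf(path, sizeof path, "%s/%s", dir, host);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

int main(void)
{
    const char *bad = "x'`id>/tmp/pwned`'y.evil.com"; /* sample name from the text */
    printf("safe=%d mark=%d\n", host_is_safe(bad), mark_host(".", bad));
    return 0;
}
```

Because '/' is not in the allowed set, a hostile name also cannot move the marker file outside the target directory.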
Source: opennet.ru
