sendmail (8.15.2-22+deb11u3) bullseye; urgency=medium

  Sendmail was affected by SMTP smuggling (CVE-2023-51765).
  Remote attackers can use a published exploitation technique
  to inject e-mail messages with a spoofed MAIL FROM address,
  allowing bypass of an SPF protection mechanism.
  This occurs because sendmail supports some combinaison of
  <CR><LF><NUL>.
  .
  This particular injection vulnerability has been closed,
  unfortunately full closure need to reject mail that
  contain NUL.
  .
  This is slighly non conformant with RFC and could
  be opt-out by setting confREJECT_NUL to 'false'
  in sendmail.mc file.

 -- Bastien Roucariès <rouca@debian.org>  Sun, 12 May 2024 19:38:09 +0000