BugTraq
[USN-1113-1] Postfix vulnerabilities Apr 18 2011 05:09PM
Marc Deslauriers (marc deslauriers canonical com)
========================================================================
==
Ubuntu Security Notice USN-1113-1
April 18, 2011

postfix vulnerabilities
========================================================================
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10
- Ubuntu 8.04 LTS
- Ubuntu 6.06 LTS

Summary:

An attacker could send crafted input to Postfix and cause it to reveal
confidential information.

Software Description:
- postfix: High-performance mail transport agent

Details:

It was discovered that the Postfix package incorrectly granted write access
on the PID directory to the postfix user. A local attacker could use this
flaw to possibly conduct a symlink attack and overwrite arbitrary files.
This issue only affected Ubuntu 6.06 LTS and 8.04 LTS. (CVE-2009-2939)

Wietse Venema discovered that Postfix incorrectly handled cleartext
commands after TLS is in place. A remote attacker could exploit this to
inject cleartext commands into TLS sessions, and possibly obtain
confidential information such as passwords. (CVE-2011-0411)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
postfix 2.7.1-1ubuntu0.1

Ubuntu 10.04 LTS:
postfix 2.7.0-1ubuntu0.1

Ubuntu 9.10:
postfix 2.6.5-3ubuntu0.1

Ubuntu 8.04 LTS:
postfix 2.5.1-2ubuntu1.3

Ubuntu 6.06 LTS:
postfix 2.2.10-1ubuntu0.3

In general, a standard system update will make all the necessary changes.

References:
CVE-2009-2939, CVE-2011-0411

Package Information:
https://launchpad.net/ubuntu/+source/postfix/2.7.1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/postfix/2.7.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/postfix/2.6.5-3ubuntu0.1
https://launchpad.net/ubuntu/+source/postfix/2.5.1-2ubuntu1.3
https://launchpad.net/ubuntu/+source/postfix/2.2.10-1ubuntu0.3

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAABCgAGBQJNrHA2AAoJEGVp2FWnRL6TJwoQAI4w//g7xB1cUqciUu56SOgQ
KC4G3CphMBQmNGn93rn7tk6xss3M9w4m6y9ff25w9GU91r+rB9WJ6C3K+HF4PGcN
fWmXRaCBVUBwri90M7maFlzysIHCKMcWjMDHOF8AZF2jnCAPWej4Tcvt7O7Ff+MW
CAgTvmxx9RQYAy2X4fddJsYksqIyXn/5g3YZJmfiylzp27hF7CmHEFWGjXhpVVS/
t2r8xYsOJihx6b4X5Fd5X2/mJKRc42QoindNRL1VuyqrynvjQfj8fIXJ3EOeHmLN
cGquPl5YdRf/fFDa96hSR7gXnqdBHNR1KMUjRlEXGPuUC0qjveBmdoV0g7WhMTAI
ijodScVwPIgYPZ8uE6zc3+hcGIlq/Qh7JYmOOME0DgMisMuEsgQeX8+hsQn/1mk/
VsnJOVjv0wP/iuE5HnJd9Scn8s6fpTlsmQ4VkceNR+q83XdBN6pZBYBuMLYh5zCi
fSfAzosDva43LcHkkjhXRwzH8FTWb600euUUtI+1lrK5vOwXqi0RrWDYtlXuxe0h
2WUz0uGYrQl61LdZrtZgx/dp39jkJQ5a5wTEv8QQESxXEs6x6h1s1vI/2N0dI58u
A/UUBda0zvT5ZsQiDEC18BVp8eWyJtkvdpJaUMcuZcBjphTHqOz2u0pxh6ECq9aY
yzGF6QLxZGN1TbPAedh2
=Z2x8
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus