An attacker could send crafted input to Postfix and cause it to reveal
confidential information.
Software Description:
- postfix: High-performance mail transport agent
Details:
It was discovered that the Postfix package incorrectly granted write access
on the PID directory to the postfix user. A local attacker could use this
flaw to possibly conduct a symlink attack and overwrite arbitrary files.
This issue only affected Ubuntu 6.06 LTS and 8.04 LTS. (CVE-2009-2939)
Wietse Venema discovered that Postfix incorrectly handled cleartext
commands after TLS is in place. A remote attacker could exploit this to
inject cleartext commands into TLS sessions, and possibly obtain
confidential information such as passwords. (CVE-2011-0411)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.10:
postfix 2.7.1-1ubuntu0.1
Ubuntu 10.04 LTS:
postfix 2.7.0-1ubuntu0.1
Ubuntu 9.10:
postfix 2.6.5-3ubuntu0.1
Ubuntu 8.04 LTS:
postfix 2.5.1-2ubuntu1.3
Ubuntu 6.06 LTS:
postfix 2.2.10-1ubuntu0.3
In general, a standard system update will make all the necessary changes.
==
Ubuntu Security Notice USN-1113-1
April 18, 2011
postfix vulnerabilities
========================================================================
==
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10
- Ubuntu 8.04 LTS
- Ubuntu 6.06 LTS
Summary:
An attacker could send crafted input to Postfix and cause it to reveal
confidential information.
Software Description:
- postfix: High-performance mail transport agent
Details:
It was discovered that the Postfix package incorrectly granted write access
on the PID directory to the postfix user. A local attacker could use this
flaw to possibly conduct a symlink attack and overwrite arbitrary files.
This issue only affected Ubuntu 6.06 LTS and 8.04 LTS. (CVE-2009-2939)
Wietse Venema discovered that Postfix incorrectly handled cleartext
commands after TLS is in place. A remote attacker could exploit this to
inject cleartext commands into TLS sessions, and possibly obtain
confidential information such as passwords. (CVE-2011-0411)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.10:
postfix 2.7.1-1ubuntu0.1
Ubuntu 10.04 LTS:
postfix 2.7.0-1ubuntu0.1
Ubuntu 9.10:
postfix 2.6.5-3ubuntu0.1
Ubuntu 8.04 LTS:
postfix 2.5.1-2ubuntu1.3
Ubuntu 6.06 LTS:
postfix 2.2.10-1ubuntu0.3
In general, a standard system update will make all the necessary changes.
References:
CVE-2009-2939, CVE-2011-0411
Package Information:
https://launchpad.net/ubuntu/+source/postfix/2.7.1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/postfix/2.7.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/postfix/2.6.5-3ubuntu0.1
https://launchpad.net/ubuntu/+source/postfix/2.5.1-2ubuntu1.3
https://launchpad.net/ubuntu/+source/postfix/2.2.10-1ubuntu0.3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABCgAGBQJNrHA2AAoJEGVp2FWnRL6TJwoQAI4w//g7xB1cUqciUu56SOgQ
KC4G3CphMBQmNGn93rn7tk6xss3M9w4m6y9ff25w9GU91r+rB9WJ6C3K+HF4PGcN
fWmXRaCBVUBwri90M7maFlzysIHCKMcWjMDHOF8AZF2jnCAPWej4Tcvt7O7Ff+MW
CAgTvmxx9RQYAy2X4fddJsYksqIyXn/5g3YZJmfiylzp27hF7CmHEFWGjXhpVVS/
t2r8xYsOJihx6b4X5Fd5X2/mJKRc42QoindNRL1VuyqrynvjQfj8fIXJ3EOeHmLN
cGquPl5YdRf/fFDa96hSR7gXnqdBHNR1KMUjRlEXGPuUC0qjveBmdoV0g7WhMTAI
ijodScVwPIgYPZ8uE6zc3+hcGIlq/Qh7JYmOOME0DgMisMuEsgQeX8+hsQn/1mk/
VsnJOVjv0wP/iuE5HnJd9Scn8s6fpTlsmQ4VkceNR+q83XdBN6pZBYBuMLYh5zCi
fSfAzosDva43LcHkkjhXRwzH8FTWb600euUUtI+1lrK5vOwXqi0RrWDYtlXuxe0h
2WUz0uGYrQl61LdZrtZgx/dp39jkJQ5a5wTEv8QQESxXEs6x6h1s1vI/2N0dI58u
A/UUBda0zvT5ZsQiDEC18BVp8eWyJtkvdpJaUMcuZcBjphTHqOz2u0pxh6ECq9aY
yzGF6QLxZGN1TbPAedh2
=Z2x8
-----END PGP SIGNATURE-----
[ reply ]