Summary: | <mail-mta/postfix-{2.7.4,2.8.3}: Memory corruption in Cyrus SASL support (CVE-2011-1720) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | alexanderyt, net-mail+disabled |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.postfix.org/CVE-2011-1720.html | ||
Whiteboard: | A1 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Michael Orlitzky
2011-05-09 15:18:40 UTC
@net-mail, 2.8.3 is fixed and in tree, but would you rather add 2.7.4 and stabilize that? Thank you. Please stabilize =mail-mta/postfix-2.7.4. Thank you. (In reply to comment #2) > Please stabilize =mail-mta/postfix-2.7.4. Thank you. Great, thanks. Arches, please test and mark stable: =mail-mta/postfix-2.7.4 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86" amd64 ok x86 stable Stable for HPPA. amd64 done. Thanks Agostino ppc/ppc64 stable alpha/arm/ia64/s390/sh/sparc stable Thanks folks, GLSA request exists. CVE-2011-1720 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1720): The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x before 2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL authentication methods are enabled, does not create a new server handle after client authentication fails, which allows remote attackers to cause a denial of service (heap memory corruption and daemon crash) or possibly execute arbitrary code via an invalid AUTH command with one method followed by an AUTH command with a different method. This issue was resolved and addressed in GLSA 201206-33 at http://security.gentoo.org/glsa/glsa-201206-33.xml by GLSA coordinator Stefan Behte (craig). |