Summary: | <mail-mta/postfix-2.7.3: SMTP command injection during plaintext to TLS session switch (CVE-2011-0411) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Paweł Hajdan, Jr. (RETIRED) <phajdan.jr> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | jaak, net-mail+disabled |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.postfix.org/announcements/postfix-2.7.3.html | ||
Whiteboard: | B3 [glsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Paweł Hajdan, Jr. (RETIRED)
2011-03-09 16:26:27 UTC
I'll bump 2.7.3, but I'd rather drop the 2.6.* series from the tree unless someone has a good reason not to.

Just get the non-vulnerable versions in the tree quickly and have them stabilized. Currently, the stable version is vulnerable, which is something we should try to avoid. Go with whatever you are comfortable with regarding the number of past versions you want to keep.

2.7.3 is now in CVS and 2.6.* have been removed from the tree.

Thank you. Arches, please test and stabilize =mail-mta/postfix-2.7.3

x86/amd64 ok

Stable for HPPA.

amd64 done. Thanks, Agostino

Stable on alpha.

Tested on SPARC, seems to work fine as long as you don't use gentoo-sources-2.6.37. Tested by sending emails between two accounts.

x86 stable, thanks Agostino

ppc/ppc64 stable

arm/ia64/s390/sh/sparc stable

Thanks, folks. GLSA vote: yes.

GLSA vote: YES. GLSA request filed.

CVE-2011-0411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0411): The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack.

Vote: YES. Added to pending GLSA request.

<mail-mta/postfix-2.7.3 no longer in tree.

This issue was resolved and addressed in GLSA 201206-33 at http://security.gentoo.org/glsa/glsa-201206-33.xml by GLSA coordinator Stefan Behte (craig). |
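The CVE text quoted in the thread describes the buffering flaw only in one sentence. The following Python model, added here as an illustration and not taken from Postfix or from the bug, shows the mechanism: a server that reads ahead from the socket into a buffer, receives `STARTTLS` followed by extra cleartext lines in the same read, switches to TLS, and then drains the leftover cleartext lines as if they had arrived over the encrypted channel. The `discard_readahead_on_starttls` flag, the `Segment`/`Executed` classes and the `mitm_scenario` traffic (including the `attacker@example.invalid` sender) are constructed for this example; the hardened branch models the general countermeasure of refusing to carry any pre-handshake read-ahead bytes into the TLS session, not Postfix's exact code change.

```python
"""Model of the STARTTLS plaintext command injection pattern (CVE-2011-0411).

Added illustration, not Postfix code. The server keeps a read-ahead buffer
(like a buffered stream that slurps everything the peer has pipelined).
Each byte is tagged with where it came from, so the trace shows a cleartext
command being executed after the server believes the session is encrypted.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CRLF = b"\r\n"


@dataclass
class Segment:
    """Bytes as they reach the SMTP parser: 'plaintext' before the TLS
    handshake, 'tls' once they arrive through the TLS record layer."""
    data: bytes
    origin: str


@dataclass
class Executed:
    command: str
    server_believes_tls: bool   # state of the session when the command ran
    actual_origin: str          # channel the bytes really arrived on


class SmtpServerModel:
    def __init__(self, discard_readahead_on_starttls: bool) -> None:
        self.discard_readahead_on_starttls = discard_readahead_on_starttls
        self.tls_active = False
        self.buf: List[Tuple[int, str]] = []   # read-ahead buffer: (byte, origin)
        self.executed: List[Executed] = []
        self.replies: List[str] = []

    def _read_line(self) -> Optional[Tuple[bytes, str]]:
        """Pull one CRLF-terminated line out of the read-ahead buffer."""
        raw = bytes(b for b, _ in self.buf)
        end = raw.find(CRLF)
        if end < 0:
            return None
        origin = self.buf[0][1]
        line = raw[:end]
        del self.buf[: end + len(CRLF)]
        return line, origin

    def _handle(self, line: bytes, origin: str) -> None:
        verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
        if verb == "STARTTLS":
            self.replies.append("220 2.0.0 Ready to start TLS")
            if self.discard_readahead_on_starttls and self.buf:
                # Hardened (modelled countermeasure): anything already sitting
                # in the buffer was read in cleartext and cannot belong to the
                # TLS session that is about to start, so it must not be parsed.
                self.replies.append(
                    f"(discarded {len(self.buf)} pending plaintext bytes)")
                self.buf.clear()
            self.tls_active = True   # handshake assumed to succeed
            return
        # Vulnerable path: leftover cleartext lines fall through here with
        # tls_active already True, i.e. they are treated as encrypted input.
        self.executed.append(Executed(verb, self.tls_active, origin))
        self.replies.append("250 OK")

    def process(self, segments: List[Segment]) -> List[Executed]:
        for seg in segments:
            # Once TLS is active only decrypted record data reaches the parser.
            if self.tls_active and seg.origin != "tls":
                continue
            self.buf.extend((b, seg.origin) for b in seg.data)   # one big read()
            while (item := self._read_line()) is not None:
                self._handle(*item)
        return self.executed


def mitm_scenario(discard: bool) -> SmtpServerModel:
    """Constructed traffic: the MITM forwards the client's STARTTLS and appends
    its own commands in cleartext before the handshake; the real client then
    speaks over TLS and never sees the injected lines."""
    server = SmtpServerModel(discard_readahead_on_starttls=discard)
    injected = b"RSET\r\nMAIL FROM:<attacker@example.invalid>\r\n"
    server.process([
        Segment(b"EHLO client.example\r\nSTARTTLS\r\n" + injected, "plaintext"),
        Segment(b"EHLO client.example\r\nMAIL FROM:<alice@example.com>\r\n", "tls"),
    ])
    return server


def injected_commands(server: SmtpServerModel) -> List[str]:
    """Commands the server ran believing TLS was on, though they arrived in cleartext."""
    return [e.command for e in server.executed
            if e.server_believes_tls and e.actual_origin == "plaintext"]


if __name__ == "__main__":
    print("vulnerable:", injected_commands(mitm_scenario(discard=False)))
    print("hardened:  ", injected_commands(mitm_scenario(discard=True)))
```

Running the vulnerable model reports `RSET` and `MAIL` as executed inside the "encrypted" session although they arrived in cleartext; the hardened model executes nothing from the pre-handshake read-ahead. The same check applies on the client side of STARTTLS (a server reply pipelined after `220 Ready to start TLS`), which is why the advisory covers both the Postfix SMTP server and client.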