Summary: <mail-mta/postfix-2.7.3: SMTP commands injection during plaintext to TLS session switch (CVE-2011-0411)
Product: Gentoo Security    Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: Vulnerabilities    Assignee: Gentoo Security <security>
Package list:    Runtime testing required: ---
Description Paweł Hajdan, Jr. (RETIRED) 2011-03-09 16:26:27 UTC
It was found that Postfix, a Mail Transport Agent (MTA), recognized SMTP commands during the plaintext to TLS session switch (by TLS protocol initialization). A remote attacker could use this flaw to insert plaintext SMTP protocol commands into TLS protocol initialization messages, leading to SMTP command execution during the ciphertext protocol phase, allowing the attacker to steal user credentials and conduct man-in-the-middle (MITM) attacks. http://www.postfix.org/announcements/postfix-2.7.3.html
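The buffering flaw described in the report, as an added illustrative model (this is example code written for this page, not part of the bug report and not Postfix's own code). There is no real TLS here: the handshake is reduced to a phase flag, and the point is the single input buffer that survives the switch. The attacker segment, the hostnames and the reply strings are constructed for the example; the hardened branch discards read-ahead input before the handshake, which illustrates the class of fix rather than Postfix's exact change.

```python
"""Model of the STARTTLS plaintext command injection class (CVE-2011-0411):
bytes read ahead of the STARTTLS command stay in the server's input buffer
and are parsed as if they had arrived inside the TLS session.

Illustrative simulation only: no real TLS, no real Postfix code."""


class SmtpServerModel:
    """Minimal SMTP command loop with one input buffer that is shared across
    the plaintext-to-TLS switch, as the vulnerable servers had."""

    def __init__(self, discard_readahead):
        self.discard_readahead = discard_readahead  # True models the hardened server
        self.buf = b""          # bytes received from the socket, not yet parsed
        self.plain_bytes = 0    # how many leading bytes of buf arrived in plaintext
        self.tls = False
        self.log = []           # (phase_executed, phase_received, verb, reply)

    def feed(self, data):
        """Bytes arrive from the socket; anything before the switch is plaintext."""
        self.buf += data
        if not self.tls:
            self.plain_bytes += len(data)

    def _next_line(self):
        end = self.buf.find(b"\r\n")
        if end < 0:
            return None, None
        consumed = end + 2
        # Taint: the line was delivered in plaintext if all of it predates TLS.
        received = "plaintext" if consumed <= self.plain_bytes else "tls"
        self.plain_bytes = max(0, self.plain_bytes - consumed)
        line, self.buf = self.buf[:end], self.buf[consumed:]
        return line, received

    def process(self):
        """Parse and 'execute' every complete line currently buffered."""
        while True:
            line, received = self._next_line()
            if line is None:
                return
            verb = line.split(None, 1)[0].decode("ascii", "replace").upper() if line.strip() else ""
            phase = "tls" if self.tls else "plaintext"
            if verb == "STARTTLS":
                if self.tls:
                    reply = "554 5.5.1 Error: TLS already active"
                else:
                    reply = "220 2.0.0 Ready to start TLS"
                    if self.discard_readahead:
                        # Hardened: nothing read before the handshake may be
                        # interpreted afterwards as if it had been protected.
                        self.buf, self.plain_bytes = b"", 0
                    self.tls = True  # the TLS handshake would happen here
            elif verb in ("EHLO", "HELO"):
                reply = "250 mx.example"  # constructed hostname
            elif verb in ("MAIL", "RCPT", "RSET", "NOOP"):
                reply = "250 2.0.0 Ok"
            else:
                reply = "502 5.5.2 Error: command not recognized"
            self.log.append((phase, received, verb, reply))


def simulate(discard_readahead):
    """Run one session: attacker-appended plaintext RSET, then a real TLS client."""
    srv = SmtpServerModel(discard_readahead)
    # Constructed attacker segment: STARTTLS with a plaintext RSET appended in
    # the same TCP segment, so the server reads both before the handshake.
    srv.feed(b"EHLO client.example\r\nSTARTTLS\r\nRSET\r\n")
    srv.process()
    # The legitimate client now speaks inside TLS (modelled by the phase flag).
    srv.feed(b"EHLO client.example\r\nMAIL FROM:<alice@example.org>\r\n")
    srv.process()
    return srv.log


def injected_commands(log):
    """Verbs that were delivered in plaintext but executed in the TLS phase."""
    return [verb for phase, received, verb, _ in log
            if phase == "tls" and received == "plaintext"]


if __name__ == "__main__":
    for hardened in (False, True):
        label = "hardened" if hardened else "vulnerable"
        print(label, "-> commands injected into the TLS phase:",
              injected_commands(simulate(hardened)))
```

In the vulnerable run the RSET that arrived in the clear is the first command executed "inside" TLS, which is exactly the property the report describes; in the hardened run the TLS phase sees only what the client sent after the handshake. The same taint check (is there unparsed input left when STARTTLS is accepted?) is what a server-side regression test for this bug class should assert on.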
Comment 1 Tim Harder 2011-03-09 20:40:18 UTC
I'll bump 2.7.3 but I'd rather drop the 2.6.* series from the tree unless someone has a good reason not to.
Comment 2 Eray Aslan 2011-03-10 03:27:07 UTC
Just get the non-vulnerable versions in the tree quickly and have them stabilized. Currently, the stable version is vulnerable which is something we should try to avoid. Go with whatever you are comfortable with regarding the number of past versions you want to keep.
Comment 3 Tim Harder 2011-03-10 03:43:40 UTC
2.7.3 is now in CVS and 2.6.* have been removed from the tree.
Comment 4 Paweł Hajdan, Jr. (RETIRED) 2011-03-10 07:59:52 UTC
Thank you. Arches, please test and stabilize =mail-mta/postfix-2.7.3
Comment 5 Agostino Sarubbo 2011-03-10 10:02:09 UTC
Comment 6 Jeroen Roovers (RETIRED) 2011-03-10 18:50:03 UTC
Stable for HPPA.
Comment 7 Markos Chandras (RETIRED) 2011-03-10 19:58:26 UTC
amd64 done. Thanks Agostino
Comment 8 Tobias Klausmann (RETIRED) 2011-03-12 13:59:06 UTC
Stable on alpha.
Comment 9 Alex Buell 2011-03-12 19:27:42 UTC
Tested on SPARC, seems to work fine as long as you don't use gentoo-sources-2.6.37. Tested by sending emails between two accounts.
Comment 10 Paweł Hajdan, Jr. (RETIRED) 2011-03-13 09:31:17 UTC
x86 stable, thanks Agostino
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) 2011-03-13 11:27:57 UTC
Comment 12 Raúl Porcel (RETIRED) 2011-03-18 18:10:03 UTC
Comment 13 Tim Sammut (RETIRED) 2011-03-19 22:43:58 UTC
Thanks, folks. GLSA vote: yes.
Comment 14 Stefan Behte (RETIRED) 2011-05-13 10:38:55 UTC
GLSA vote: YES. GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot 2011-06-24 00:33:22 UTC
CVE-2011-0411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0411): The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack.
Comment 16 Stefan Behte (RETIRED) 2011-10-08 22:15:34 UTC
Vote: YES. Added to pending GLSA request.
Comment 17 Jaak Ristioja 2012-05-23 07:13:58 UTC
<mail-mta/postfix-2.7.3 no longer in tree.
Comment 18 GLSAMaker/CVETool Bot 2012-06-25 19:11:24 UTC
This issue was resolved and addressed in GLSA 201206-33 at http://security.gentoo.org/glsa/glsa-201206-33.xml by GLSA coordinator Stefan Behte (craig).