It was found that Postfix, a Mail Transport Agent (MTA), recognized
SMTP commands during the plaintext-to-TLS session switch (at TLS protocol
initialization). A remote attacker could use this flaw to insert
plaintext SMTP protocol commands into TLS protocol initialization
messages, leading to SMTP command execution during the ciphertext
protocol phase, allowing the attacker to steal user credentials
and conduct man-in-the-middle (MITM) attacks.
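The mechanism behind this report is the server's I/O buffering: a single read from the socket can pull in "STARTTLS\r\n" plus whatever plaintext an on-path attacker appended in the same TCP segment, and after the handshake the server keeps consuming that same buffer as if it were decrypted input. The following is an added toy model written for this bug entry; it is not Postfix source and does not reproduce the Postfix patch. The class and function names (BufferedReader, run_session, ATTACK_SEGMENTS, LEGIT_SEGMENTS), the simulated handshake, and the exact reply text and disconnect used by the hardened variant are all assumptions made for the illustration. The hardened variant refuses STARTTLS whenever bytes are already queued behind it in the plaintext buffer, since such bytes cannot have come from the TLS client.

```python
# Toy model of STARTTLS plaintext command injection (added example; not
# Postfix code). Segments are the TCP segments the server receives; the
# TLS handshake itself is simulated by flipping tls_active.
from dataclasses import dataclass, field


class BufferedReader:
    """stdio-style buffered stream: one socket read may pull in several
    lines, which then wait in a userspace buffer the server keeps using
    across the plaintext-to-TLS switch."""

    def __init__(self, segments):
        self.segments = list(segments)  # constructed input, one TCP segment each
        self.buf = b""

    def pending(self):
        # Bytes already read from the socket but not yet consumed as a line.
        return len(self.buf)

    def readline(self):
        while b"\r\n" not in self.buf:
            if not self.segments:
                return None
            self.buf += self.segments.pop(0)
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line.decode("ascii", "replace")


@dataclass
class ServerState:
    tls_active: bool = False
    executed: list = field(default_factory=list)  # (verb, phase) pairs
    replies: list = field(default_factory=list)
    closed: bool = False


def run_session(segments, fixed):
    """Drive a minimal SMTP server over the given segments.
    fixed=False: vulnerable behaviour, keep reading the old buffer after TLS.
    fixed=True : refuse STARTTLS when plaintext is queued behind it (assumed
                 mitigation and reply text, not Postfix's own)."""
    st = ServerState()
    rd = BufferedReader(segments)
    while not st.closed:
        line = rd.readline()
        if line is None:
            break
        verb = line.split(" ", 1)[0].upper()
        phase = "ciphertext" if st.tls_active else "plaintext"
        if verb == "STARTTLS" and not st.tls_active:
            if fixed and rd.pending() > 0:
                st.replies.append("554 5.5.1 Error: plaintext command after STARTTLS")
                st.closed = True
                break
            st.replies.append("220 2.0.0 Ready to start TLS")
            st.tls_active = True  # handshake assumed to succeed
            continue
        st.executed.append((verb, phase))
        if verb == "QUIT":
            st.replies.append("221 2.0.0 Bye")
            st.closed = True
        else:
            st.replies.append("250 2.0.0 Ok")
    return st


# Constructed traffic. The attacker (MITM) appends RSET and MAIL FROM to the
# victim's STARTTLS command inside the same segment.
ATTACK_SEGMENTS = [
    b"EHLO client.example\r\n",
    b"STARTTLS\r\nRSET\r\nMAIL FROM:<attacker@example.net>\r\n",
    b"QUIT\r\n",
]
# Well-behaved client: STARTTLS travels alone, nothing pipelined behind it.
LEGIT_SEGMENTS = [
    b"EHLO client.example\r\n",
    b"STARTTLS\r\n",
    b"MAIL FROM:<user@example.org>\r\n",
    b"QUIT\r\n",
]


def injected_commands(fixed):
    """Verbs the server executed in the ciphertext phase although they
    arrived in plaintext, for the attack traffic."""
    st = run_session(ATTACK_SEGMENTS, fixed)
    return [v for v, phase in st.executed if phase == "ciphertext" and v != "QUIT"]


if __name__ == "__main__":
    print("vulnerable:", injected_commands(fixed=False))
    print("fixed:     ", injected_commands(fixed=True))
    print("legit, fixed:", run_session(LEGIT_SEGMENTS, fixed=True).executed)
```

Running the module shows the vulnerable server executing RSET and MAIL in the ciphertext phase, while the hardened variant closes the attack session with a 554 and still handles the well-behaved client normally. The check covers only bytes already sitting in the server's userspace buffer; anything still in the kernel socket buffer would instead be fed to the TLS handshake and break it, which is why the buffer boundary is the point that matters.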
I'll bump 2.7.3 but I'd rather drop the 2.6.* series from the tree unless someone has a good reason not to.
Just get the non-vulnerable versions in the tree quickly and have them stabilized. Currently, the stable version is vulnerable which is something we should try to avoid.
Go with whatever you are comfortable with regarding the number of past versions you want to keep.
2.7.3 is now in CVS and 2.6.* have been removed from the tree.
Thank you. Arches, please test and stabilize =mail-mta/postfix-2.7.3
Stable for HPPA.
amd64 done. Thanks Agostino
Stable on alpha.
Tested on SPARC, seems to work fine as long as you don't use gentoo-sources-2.6.37. Tested by sending emails between two accounts.
x86 stable, thanks Agostino
Thanks, folks. GLSA vote: yes.
GLSA vote: YES. GLSA request filed.
The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before
2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly
restrict I/O buffering, which allows man-in-the-middle attackers to insert
commands into encrypted SMTP sessions by sending a cleartext command that is
processed after TLS is in place, related to a "plaintext command injection"
Vote: YES. Added to pending GLSA request.
<mail-mta/postfix-2.7.3 no longer in tree.
This issue was resolved and addressed in
GLSA 201206-33 at http://security.gentoo.org/glsa/glsa-201206-33.xml
by GLSA coordinator Stefan Behte (craig).