From http://www.postfix.org/announcements/postfix-3.2.2.html:

> Fixed in all supported releases:
>
> Security: Berkeley DB versions 2 and later try to read settings from a file DB_CONFIG in the current directory. This undocumented feature may introduce undisclosed vulnerabilities resulting in privilege escalation with Postfix set-gid programs (postdrop, postqueue) before they chdir to the Postfix queue directory, and with the postmap and postalias commands depending on whether the user's current directory is writable by other users. This fix does not change Postfix behavior for Berkeley DB versions < 3, but it does reduce postmap and postalias 'create' performance with Berkeley DB versions 3.0 .. 4.6.

Additional reference: http://seclists.org/oss-sec/2017/q2/452
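The quoted announcement describes the mechanism (Berkeley DB reads DB_CONFIG from the current directory) but not how an administrator on a still-vulnerable build can avoid running postmap/postalias from a dangerous directory. The following is an added example, not code from the Postfix project or from this bug: a POSIX sh pre-flight check that refuses a directory which already contains a DB_CONFIG, or which other users could write one into, plus a wrapper that runs postmap from the map's own directory. The function names `cwd_db_config_risk` and `safe_postmap` are this example's own.

```shell
#!/bin/sh
# Added example (not part of Postfix or the Gentoo bug): a pre-flight check
# for admins who run postmap/postalias on Berkeley DB maps. Berkeley DB reads
# DB_CONFIG from the current directory, so refuse a directory that already
# holds a DB_CONFIG or that other users could drop one into.

# cwd_db_config_risk [DIR]
# Returns 0 if DIR (default: .) looks safe to run postmap/postalias from,
# 1 otherwise, printing the reason on stdout.
cwd_db_config_risk() {
    dir=${1:-.}

    # Berkeley DB honours DB_CONFIG unconditionally, so any such file here is a
    # red flag; one not owned by the invoking user is the scenario described in
    # the Postfix 3.2.2 announcement.
    if [ -e "$dir/DB_CONFIG" ]; then
        if [ -n "$(find "$dir/DB_CONFIG" -prune ! -user "$(id -un)")" ]; then
            echo "risk: $dir/DB_CONFIG exists and is owned by another user"
        else
            echo "risk: $dir/DB_CONFIG exists (owned by you) and will be read by postmap"
        fi
        return 1
    fi

    # A directory writable by other users (group- or world-writable, e.g. /tmp)
    # lets anyone create DB_CONFIG before the next run. POSIX find: -perm -020
    # matches the group-write bit, -perm -002 the world-write bit.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "risk: $dir is writable by other users"
        return 1
    fi

    return 0
}

# safe_postmap MAPFILE [postmap options...]
# Wrapper: switch to the map's own directory (normally /etc/postfix, root-owned
# and not writable by others), run the check there, then invoke postmap.
safe_postmap() {
    map=$1; shift
    mapdir=$(dirname -- "$map")
    cwd_db_config_risk "$mapdir" || return 1
    ( cd "$mapdir" && postmap "$@" "hash:$(basename -- "$map")" )
}
```

Usage: `safe_postmap /etc/postfix/virtual` refuses to run if /etc/postfix is group- or world-writable or contains a DB_CONFIG, and otherwise runs `postmap hash:virtual` from inside /etc/postfix rather than from whatever directory the shell happened to be in. This mirrors what the Postfix fix does for the set-gid programs (chdir to a trusted directory first) for the interactive commands an administrator types.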
@ Arches, please test and mark stable: =mail-mta/postfix-3.1.6
amd64 stable
ia64 stable
x86 stable
Stable on alpha.
ppc stable
ppc64 stable
arm stable
sparc stable
Arches, please finish stabilizing hppa.
Gentoo Security Padawan ChrisADR
hppa stable. Last arch is done.
New GLSA Request filed. @Maintainers please remove vulnerable versions.
Gentoo Security Padawan ChrisADR
This issue was resolved and addressed in GLSA 201709-20 at https://security.gentoo.org/glsa/201709-20 by GLSA coordinator Aaron Bauman (b-man).
re-opened for cleanup