It was found, that Postfix, a Mail Transport Agent (MTA), recognized SMTP commands during plaintex to TLS session switch (by TLS protocol initialization). A remote attacker could use this flaw to insert plaintext SMTP protocol commands into TLS protocol initialization messages, leading to SMTP commands execution during the ciphertext protocol phase, allowing the attacker to steal user credentials and conduct man-in-the-middle (MITM) attacks. http://www.postfix.org/announcements/postfix-2.7.3.html
I'll bump 2.7.3 but I'd rather drop the 2.6.* series from the tree unless someone has a good reason not to.
Just get the non-vulnerable versions in the tree quickly and have them stabilized. Currently, the stable version is vulnerable which is something we should try to avoid. Go with whatever you are comfortable with regarding the number of past versions you want to keep.
2.7.3 is now in CVS and 2.6.* have been removed from the tree.
Thank you. Arches, please test and stabilize =mail-mta/postfix-2.7.3
x86/amd64 ok
Stable for HPPA.
amd64 done. Thanks Agostino
Stable on alpha.
Tested on SPARC, seems t0 work fine as long as you don't use gentoo-sources-2.6.37. Tested by sending emails between two accounts.
x86 stable, thanks Agostino
ppc/ppc64 stable
arm/ia64/s390/sh/sparc stable
Thanks, folks. GLSA vote: yes.
GLSA vote: YES. GLSA request filed.
CVE-2011-0411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0411): The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack.
Vote: YES. Added to pending GLSA request.
<mail-mta/postfix-2.7.3 no longer in tree.
This issue was resolved and addressed in GLSA 201206-33 at http://security.gentoo.org/glsa/glsa-201206-33.xml by GLSA coordinator Stefan Behte (craig).
