Announced on the mailing list this morning: The Postfix SMTP server has a memory corruption error when the Cyrus SASL library is used with authentication mechanisms other than PLAIN and LOGIN (the ANONYMOUS mechanism is unaffected but should not be enabled for different reasons). See below for instructions to determine what systems are affected. ... The problem is fixed in Postfix stable releases 2.5.13, 2.6.10, 2.7.4, 2.8.3; in the Postfix 2.9 development release as of May 1, 2011; patches exist for Postfix version 1.1 and later. All this is available from Postfix mirrors at http://www.postfix.org/download.html. The full summary is supposed to be online at, http://www.postfix.org/CVE-2011-1720.html but doesn't appear to have been posted yet. In the meantime, you can reference, http://article.gmane.org/gmane.mail.postfix.announce/127
@net-mail, 2.8.3 is fixed and in tree, but would you rather add 2.7.4 and stabilize that? Thank you.
Please stabilize =mail-mta/postfix-2.7.4. Thank you.
(In reply to comment #2) > Please stabilize =mail-mta/postfix-2.7.4. Thank you. Great, thanks. Arches, please test and mark stable: =mail-mta/postfix-2.7.4 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64 ok
x86 stable
Stable for HPPA.
amd64 done. Thanks Agostino
ppc/ppc64 stable
alpha/arm/ia64/s390/sh/sparc stable
Thanks folks, GLSA request exists.
CVE-2011-1720 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1720): The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x before 2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL authentication methods are enabled, does not create a new server handle after client authentication fails, which allows remote attackers to cause a denial of service (heap memory corruption and daemon crash) or possibly execute arbitrary code via an invalid AUTH command with one method followed by an AUTH command with a different method.
This issue was resolved and addressed in GLSA 201206-33 at http://security.gentoo.org/glsa/glsa-201206-33.xml by GLSA coordinator Stefan Behte (craig).