Wietse Venema | 7 Mar 21:18 2011

Postfix 2.7.3, 2.6.9, 2.5.12 and 2.4.16 available

[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.7.3.html]

Postfix legacy releases 2.7.3, 2.6.9, 2.5.12 and 2.4.16 are available.
These releases contain a fix for CVE-2011-0411 which allows plaintext
command injection with SMTP sessions over TLS. This defect was
introduced with Postfix version 2.2. The same flaw exists in other
implementations of the STARTTLS command.

    Note: CVE-2011-0411 is an issue only for the minority of SMTP
    clients that actually verify server certificates. Without server
    certificate verification, clients are always vulnerable to
    man-in-the-middle attacks that allow attackers to inject
    plaintext commands or responses into SMTP sessions, and more.

Postfix 2.8 and 2.9 are not affected.

The following problems were fixed with the Postfix legacy releases:

    * Fix for CVE-2011-0411: discard buffered plaintext input,
      after reading the SMTP "STARTTLS" command or response.  

    * Fix to the local delivery agent: look up the "unextended"
      address in the local aliases database, when that address has
      a malformed address extension.  

    * Fix to virtual alias expansion: report a tempfail error,
      instead of silently ignoring recipients that exceed the
      virtual_alias_expansion_limit or the virtual_alias_recursion_limit.

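The buffering defect behind CVE-2011-0411 and the fix the announcement describes ("discard buffered plaintext input after reading the STARTTLS command"), as an added toy model in Python; this is not Postfix code, the names Session, handle_commands and run are invented for the illustration, and the client side (discarding buffered server response bytes) is the mirror image of what is shown here.

```python
"""Toy model of SMTP server input handling around STARTTLS, written to
illustrate the CVE-2011-0411 fix: plaintext bytes that were buffered
behind the STARTTLS command must be discarded, not replayed as if they
had arrived inside the TLS session."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CRLF = b"\r\n"


@dataclass
class Session:
    tls_active: bool = False
    buffer: bytes = b""
    # every command the server acted on, with the channel it was taken from
    executed: List[Tuple[str, str]] = field(default_factory=list)


def next_line(session: Session) -> Optional[str]:
    """Pop one CRLF-terminated line from the read buffer, or None if none is complete."""
    idx = session.buffer.find(CRLF)
    if idx < 0:
        return None
    line, session.buffer = session.buffer[:idx], session.buffer[idx + 2:]
    return line.decode("ascii", "replace")


def handle_commands(session: Session, discard_after_starttls: bool) -> None:
    """Process all complete buffered lines. discard_after_starttls=False is
    the pre-fix behaviour; True is the fix from the announcement."""
    while (line := next_line(session)) is not None:
        channel = "tls" if session.tls_active else "plain"
        session.executed.append((line, channel))
        if line.upper() == "STARTTLS" and not session.tls_active:
            if discard_after_starttls:
                # Anything already read past STARTTLS was sent in plaintext
                # and cannot be part of the TLS session that follows.
                session.buffer = b""
            session.tls_active = True  # stands in for the TLS handshake


def run(discard_after_starttls: bool) -> List[Tuple[str, str]]:
    s = Session()
    # Constructed client input: "RSET" is pipelined in plaintext directly
    # behind STARTTLS, before any handshake has taken place.
    s.buffer = b"EHLO client.example" + CRLF + b"STARTTLS" + CRLF + b"RSET" + CRLF
    handle_commands(s, discard_after_starttls)
    return s.executed
```

In the pre-fix run the plaintext "RSET" is executed as though it had been received over TLS; in the fixed run it never reaches the command handler.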

fakessh @ | 8 Mar 18:30 2011

Re: Postfix 2.7.3, 2.6.9, 2.5.12 and 2.4.16 available

When will the official rpm be available?
Simon Mudd, the new rpms are still not present.

On Monday 07 March 2011 at 15:18 -0500, Wietse Venema wrote:
> [An on-line version of this announcement will be available at
> http://www.postfix.org/announcements/postfix-2.7.3.html]
> 
> Postfix legacy releases 2.7.3, 2.6.9, 2.5.12 and 2.4.16 are available.
> These releases contain a fix for CVE-2011-0411 which allows plaintext
> command injection with SMTP sessions over TLS. This defect was
> introduced with Postfix version 2.2. The same flaw exists in other
> implementations of the STARTTLS command.
> 
>     Note: CVE-2011-0411 is an issue only for the minority of SMTP
>     clients that actually verify server certificates. Without server
>     certificate verification, clients are always vulnerable to
>     man-in-the-middle attacks that allow attackers to inject
>     plaintext commands or responses into SMTP sessions, and more.
> 
> Postfix 2.8 and 2.9 are not affected.
> 
> The following problems were fixed with the Postfix legacy releases:
> 
>     * Fix for CVE-2011-0411: discard buffered plaintext input,
>       after reading the SMTP "STARTTLS" command or response.  
> 
>     * Fix to the local delivery agent: look up the "unextended"
>       address in the local aliases database, when that address has
>       a malformed address extension.  