Your message dated Tue, 23 May 2017 01:35:12 -0400
with message-id <2438568.pZnVBUnY9F@kitterma-e6430>
and subject line Re: postfix TLS vulnerable to CVE-2012-4929 ?
has caused the Debian Bug report #706505,
regarding postfix TLS vulnerable to CVE-2012-4929 ?
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
706505: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706505
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: postfix
Version: 2.7.1-1+squeeze1
Severity: important
Hi There,
We just had our monthly PCI Scan with Qualys come back with a fail for postfix
(and dovecot, but I'm yet to look at that to see if dovecot has a config option
to fix this..), relating to CVE-2012-4929.
I see that the Debian project has had bugs raised and fixed against this CVE
entry for lighttpd, apache, and nginx. But not for much else.
After much googling, and trawling through postfix source, I can't find an
option which disables compression, so decided it was time to lodge a bug to
raise the question/issue to those with far more postfix knowledge than I :)
Is there a configuration option which I'm missing, or is this something for
which I'll need to wait on a patch?
Thanks,
Damien
-- System Information:
Debian Release: 6.0.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages postfix depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii debconf [debconf-2.0] 1.5.36.1 Debian configuration management sy
ii dpkg 1.15.8.13 Debian package management system
ii libc6 2.11.3-4 Embedded GNU C Library: Shared lib
ii libdb4.8 4.8.30-2 Berkeley v4.8 Database Libraries [
ii libsasl2-2 2.1.23.dfsg1-7 Cyrus SASL - authentication abstra
ii libssl0.9.8 0.9.8o-4squeeze14 SSL shared libraries
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii netbase 4.45 Basic TCP/IP networking system
ii ssl-cert 1.0.28 simple debconf wrapper for OpenSSL
Versions of packages postfix recommends:
ii python 2.6.6-3+squeeze7 interactive high-level object-orie
Versions of packages postfix suggests:
ii bsd-mailx [mail-re 8.1.2-0.20100314cvs-1 simple mail user agent
ii libsasl2-modules 2.1.23.dfsg1-7 Cyrus SASL - pluggable authenticat
ii mutt [mail-reader] 1.5.20-9+squeeze2 text-based mailreader supporting M
pn postfix-cdb <none> (no description available)
pn postfix-ldap <none> (no description available)
ii postfix-mysql 2.7.1-1+squeeze1 MySQL map support for Postfix
pn postfix-pcre <none> (no description available)
pn postfix-pgsql <none> (no description available)
ii procmail 3.22-19 Versatile e-mail processor
pn resolvconf <none> (no description available)
ii sasl2-bin 2.1.23.dfsg1-7 Cyrus SASL - administration progra
pn ufw <none> (no description available)
-- Configuration Files:
/etc/postfix/main.cf, TLS Parameters:
smtpd_tls_cert_file=/etc/ssl/private/ourcert.pem
smtpd_tls_key_file=/etc/ssl/private/ourcert.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_ciphers = medium
smtpd_tls_protocols=!SSLv2
smtpd_tls_mandatory_ciphers=high
smtpd_tls_exclude_ciphers=aNULL,MD5,DES
-- debconf information:
postfix/root_address:
postfix/rfc1035_violation: false
postfix/mydomain_warning:
postfix/mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
* postfix/mailname: smtp01.iconbusinessgroup.com
postfix/tlsmgr_upgrade_warning:
postfix/recipient_delim: +
* postfix/main_mailer_type: Internet Site
postfix/destinations: smtp01.iconbusinessgroup.com, smtp01, localhost.localdomain, localhost
postfix/retry_upgrade_warning:
postfix/kernel_version_warning:
postfix/not_configured:
postfix/mailbox_limit: 0
postfix/relayhost:
postfix/procmail: true
postfix/bad_recipient_delimiter:
postfix/protocols: all
postfix/chattr: false
--- End Message ---
--- Begin Message ---
On Wed, 01 May 2013 10:36:37 +1000 Damien Gardner Jnr <[email protected]> wrote:
> Package: postfix
> Version: 2.7.1-1+squeeze1
> Severity: important
>
>
> Hi There,
>
> We just had our monthly PCI Scan with Qualys come back with a fail for
> postfix (and dovecot, but I'm yet to look at that to see if dovecot has a
> config option to fix this..), relating to CVE-2012-4929.
>
> I see that the Debian project has had bugs raised and fixed against this CVE
> entry for lighttpd, apache, and nginx. But not for much else.
>
> After much googling, and trawling through postfix source, I can't find an
> option which disables compression, so decided it was time to lodge a bug to
> raise the question/issue to those with far more postfix knowledge than I :)
>
> Is there a configuration option which I'm missing, or is this something for
> which I'll need to wait on a patch?
Postfix uses openssl for the relevant functions. The bug has been fixed in
openssl in all supported releases, so this is not an issue:
https://security-tracker.debian.org/tracker/CVE-2012-4929
Scott K
--- End Message ---
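As an added check that is not part of this bug thread: the shell probe below connects to an SMTP server with STARTTLS via openssl s_client and reports whether the handshake actually negotiated TLS compression, which is what CVE-2012-4929 (CRIME) depends on, rather than trusting a scanner's version-based verdict. It assumes the openssl CLI is installed and that s_client prints its usual "Compression:" summary line; the host name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the bug report or from Postfix: verify whether an
# SMTP server negotiates TLS compression (the CRIME / CVE-2012-4929
# precondition) by reading the "Compression:" line openssl s_client prints.

# Pull the negotiated compression method out of captured s_client output.
# Prints e.g. "NONE" or "zlib compression"; prints nothing if no such line.
compression_from_s_client() {
    printf '%s\n' "$1" | sed -n 's/^Compression: *//p' | head -n 1
}

# Succeed (exit 0) only when the handshake negotiated no compression at all.
compression_disabled() {
    [ "$(compression_from_s_client "$1")" = "NONE" ]
}

# Probe a live server over STARTTLS and report the result.
# Usage: probe_smtp mail.example.test [port]   (host name is a placeholder)
probe_smtp() {
    host=$1
    port=${2:-25}
    out=$(printf 'QUIT\r\n' | openssl s_client -starttls smtp \
              -connect "$host:$port" 2>/dev/null)
    method=$(compression_from_s_client "$out")
    if [ -z "$method" ]; then
        echo "$host:$port: STARTTLS handshake failed or no summary line found"
    elif [ "$method" = "NONE" ]; then
        echo "$host:$port: no TLS compression negotiated"
    else
        echo "$host:$port: TLS compression in use: $method"
    fi
}

# Constructed sample s_client output (not a real capture) for an offline check.
SAMPLE_NO_COMPRESSION='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1'
SAMPLE_COMPRESSION='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Compression: zlib compression
Expansion: zlib compression'
```

Run `probe_smtp` against your own mail host; a result of "no TLS compression negotiated" confirms the OpenSSL-level fix the maintainer refers to is in effect.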