Package: postfix
Version: 2.5.5-1.1
Severity: normal
Tags: patch

Wietse Venema has discovered a bypass of the STARTTLS command issued by the client on the server side. The full description, together with an example of how to exploit the issue and test whether the actual SMTP implementation suffers from this problem, can be found at:

http://www.postfix.org/CVE-2011-0411.html

A new release has been made by Wietse Venema with security patches applied to correct this issue. These can be obtained from:

http://postfix.it-austria.net/releases/index.html

The issue affects versions of Postfix prior to 2.8 (which includes the current oldstable - Lenny, and current stable - Squeeze).

I've also confirmed the issue on my own mail servers by compiling the patched version of OpenSSL and running it against my own server (as described by Wietse Venema).

-- System Information:
Debian Release: 5.0.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-xen-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages postfix depends on:
ii  adduser            3.110                   add and remove users and groups
ii  debconf [debconf-  1.5.24                  Debian configuration management sy
ii  dpkg               1.14.31                 Debian package management system
ii  libc6              2.7-18lenny7            GNU C Library: Shared libraries
ii  libdb4.6           4.6.21-11               Berkeley v4.6 Database Libraries [
ii  libsasl2-2         2.1.22.dfsg1-23+lenny1  Cyrus SASL - authentication abstra
ii  libssl0.9.8        0.9.8g-15+lenny11       SSL shared libraries
ii  lsb-base           3.2-20                  Linux Standard Base 3.2 init scrip
ii  netbase            4.34                    Basic TCP/IP networking system
ii  ssl-cert           1.0.23                  simple debconf wrapper for OpenSSL

postfix recommends no packages.

Versions of packages postfix suggests:
ii  emacs22-nox [mail-reader]  22.2+2-5        The GNU Emacs editor (without X su
pn  libsasl2-modules           <none>          (no description available)
ii  mailutils [mail-reader]    1:1.2+dfsg1-4   GNU mailutils utilities for handli
ii  mutt [mail-reader]         1.5.18-6        text-based mailreader supporting M
pn  postfix-cdb                <none>          (no description available)
pn  postfix-ldap               <none>          (no description available)
ii  postfix-mysql              2.5.5-1.1       MySQL map support for Postfix
pn  postfix-pcre               <none>          (no description available)
pn  postfix-pgsql              <none>          (no description available)
pn  procmail                   <none>          (no description available)
pn  resolvconf                 <none>          (no description available)
pn  sasl2-bin                  <none>          (no description available)
pn  ufw                        <none>          (no description available)

-- debconf information excluded
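As an added illustration that is not part of this report or of Postfix, the toy buffered SMTP reader below shows the bug class behind CVE-2011-0411 (plaintext that follows STARTTLS in the same packet stays in the server's input buffer and is processed as if it had arrived inside the TLS session) next to the fix, which is to discard the buffer before the handshake. The traffic bytes, class and function names are constructed for the example.

```python
# Toy model of an SMTP server's input buffer around STARTTLS; not Postfix code.
# Demonstrates the CVE-2011-0411 bug class and the buffer-discard fix.

# Constructed sample traffic: the plaintext phase, then bytes arriving via TLS.
PLAINTEXT = b"EHLO client.example\r\nSTARTTLS\r\nRSET\r\n"
TLS_PAYLOAD = b"MAIL FROM:<user@example.com>\r\n"


class BufferedReader:
    """Tiny line reader standing in for an SMTP server's read buffer."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, data: bytes) -> None:
        self.buf += data  # in a real server this is filled from the socket

    def readline(self) -> bytes:
        line, _, rest = self.buf.partition(b"\r\n")
        self.buf = rest
        return line

    def flush_pending(self) -> None:
        """The fix: drop any plaintext left over before the TLS handshake."""
        self.buf = b""


def run_session(plaintext: bytes, tls_payload: bytes,
                flush_after_starttls: bool) -> list:
    """Return the command verbs the server accepts inside the TLS session."""
    reader = BufferedReader()
    reader.feed(plaintext)
    accepted_in_tls = []
    in_tls = False
    while True:
        line = reader.readline()
        if not line:
            break
        parts = line.split()
        if not parts:
            continue  # blank line, nothing to dispatch
        verb = parts[0].upper().decode()
        if in_tls:
            accepted_in_tls.append(verb)
        elif verb == "STARTTLS":
            if flush_after_starttls:
                reader.flush_pending()
            in_tls = True             # stands in for the TLS handshake
            reader.feed(tls_payload)  # data that genuinely came through TLS
    return accepted_in_tls


if __name__ == "__main__":
    print("vulnerable:", run_session(PLAINTEXT, TLS_PAYLOAD, False))  # ['RSET', 'MAIL']
    print("fixed:     ", run_session(PLAINTEXT, TLS_PAYLOAD, True))   # ['MAIL']
```

In the vulnerable run the RSET that was sent in cleartext is attributed to the encrypted session; the fixed reader only ever sees what arrived through TLS.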

