---------- Forwarded Message ----------

Subject: [USN-74-1] Postfix vulnerability
Date: Sunday 06 February 2005 23:55
From: Wietse Venema <wietse@porcupine.org>
To: Postfix announce <postfix-announce@postfix.org>
Cc: Postfix users <postfix-users@postfix.org>

In a recent announcement on the Full-Disclosure mailing list,
Martin Pitt <martin.pitt@canonical.com> wrote:

> Jean-Samuel Reynaud noticed a programming error in the IPv6 handling
> code of Postfix when /proc/net/if_inet6 is not available (which is the
> case in Ubuntu since Postfix runs in a chroot). If "permit_mx_backup"
> was enabled in the "smtpd_recipient_restrictions", Postfix turned into
> an open relay, i.e. erroneously permitted the delivery of arbitrary
> mail to any MX host which has an IPv6 address.

This is a bug in a third-party IPv6 patch that is not part of
Postfix. The bug affects Linux systems only.

Neither the official Postfix release, nor the work-in-progress
version (which has IPv6 support built-in) are affected by this.

Please do not ask me how to resolve the vulnerability. Contact info
for the third-party IPv6 patch is at http://www.ipnet6.org/postfix/ipv6.html.

Please do not ask me what Linux distributions are affected. Contact
your Linux distributor instead.

It would be nice if Linux distributors could indicate whether a
Postfix problem is part of the software base itself, or due to a
third-party add-on that they included with the base software.

Wietse

-------------------------------------------------------

Hi list!

My short question about the topic is: Is the recent Postfix version of sarge (2.1.5-5) affected, and if so, when can a fixed version be expected?

With kind regards, Jan.
--
,,_ If wishes were wings,
o" )~ would fly.
''''
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT d-- s+: a-- C+++ UL++++ P+ L+++ E- W+++ N+++ o++ K++ w--- O M-- V-
PS PE Y++ PGP++ t-- 5 X R tv- b+ DI- D++ G++ e++ h-- r+++ y+++
------END GEEK CODE BLOCK------