---------- Forwarded Message ----------
Subject: [USN-74-1] Postfix vulnerability
Date: Sunday 06 February 2005 23:55
From: Wietse Venema <wietse@porcupine.org>
To: Postfix announce <postfix-announce@postfix.org>
Cc: Postfix users <postfix-users@postfix.org>
In a recent announcement on the Full-Disclosure mailing list, Martin
Pitt <martin.pitt@canonical.com> wrote:
> Jean-Samuel Reynaud noticed a programming error in the IPv6 handling
> code of Postfix when /proc/net/if_inet6 is not available (which is the
> case in Ubuntu since Postfix runs in a chroot). If "permit_mx_backup"
> was enabled in the "smtpd_recipient_restrictions", Postfix turned into
> an open relay, i. e. erroneously permitted the delivery of arbitrary
> mail to any MX host which has an IPv6 address.
This is a bug in a third-party IPv6 patch that is not part of
Postfix. The bug affects Linux systems only.
Neither the official Postfix release, nor the work-in-progress
version (which has IPv6 support built-in) are affected by this.
Please do not ask me how to resolve the vulnerability. Contact info
for the third-party IPv6 patch is at http://www.ipnet6.org/postfix/ipv6.html.
Please do not ask me what Linux distributions are affected. Contact
your Linux distributor instead.
It would be nice if Linux distributors could indicate whether a
Postfix problem is part of the software base itself, or due to a
third-party add-on that they included with the base software.
Wietse
-------------------------------------------------------
Hi list!
my short question about the topic are:
Is the recent postfix version of sarge (2.1.5-5) affected and if, when can be
a fixed version expected?
With kind regards, Jan.
--
,,_
If wishes were wings, o" )~ would fly.
''''
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT d-- s+: a-- C+++ UL++++ P+ L+++ E- W+++ N+++ o++ K++ w---
O M-- V- PS PE Y++ PGP++ t-- 5 X R tv- b+ DI- D++
G++ e++ h-- r+++ y+++
------END GEEK CODE BLOCK------
Attachment:
pgpkMrTgw5vum.pgp
Description: PGP signature