
[SECURITY] [DLA 3725-1] postfix security update




---------------------------------------------------------------------------
Debian LTS Advisory DLA-3725-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
January 30, 2024                              https://wiki.debian.org/LTS
---------------------------------------------------------------------------

Package        : postfix
Version        : 3.4.23-0+deb10u2
CVE ID         : CVE-2023-51764
Debian Bug     : 1059230

Postfix, a popular mail server, allowed SMTP smuggling unless configured
with smtpd_data_restrictions=reject_unauth_pipelining and
smtpd_discard_ehlo_keywords=chunking (or certain other options that exist
in recent versions).

Remote attackers can use a published exploitation technique to
inject e-mail messages with a spoofed MAIL FROM address,
allowing bypass of an SPF protection mechanism.

This occurs because Postfix supported <LF>.<CR><LF> but
some other popular e-mail servers do not.

To prevent attack variants (by always disallowing <LF> without <CR>), a
different solution is required, such as setting the backported
configuration option smtpd_forbid_bare_newline=yes.
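The following is an added illustration, not part of the advisory or of the Postfix
code base. It models the two DATA-parsing behaviours the advisory describes: a
strict parser that only recognises <CR><LF>.<CR><LF> as end-of-data, and a lenient
one that also accepts <LF>.<CR><LF>. A receiver that rejects any bare <LF> (the
effect of smtpd_forbid_bare_newline=yes) never reaches a state where the two
disagree about where a message ends. The function names and the sample payloads
are constructed for this example.

```python
"""Detect bare <LF> line endings in an SMTP DATA payload.

Added example (not Postfix code).  The check mirrors what the backported
Postfix option smtpd_forbid_bare_newline=yes enforces: every <LF> in the
message body must be preceded by <CR>, so the end-of-data marker is
unambiguous for every server that later handles the message.
"""
from typing import Dict, List, Optional

CR = 0x0D
LF = 0x0A


def find_bare_newlines(data: bytes) -> List[int]:
    """Return the byte offsets of every <LF> that is not preceded by <CR>."""
    return [
        i for i, byte in enumerate(data)
        if byte == LF and (i == 0 or data[i - 1] != CR)
    ]


def end_of_data(data: bytes, strict: bool) -> Optional[int]:
    """Return the offset of the terminating '.' of the DATA payload, or None.

    strict=True  : only <CR><LF>.<CR><LF> ends the message (RFC 5321 framing).
    strict=False : lenient framing that also accepts <LF>.<CR><LF>, the
                   behaviour the advisory says Postfix previously supported.
    The payload is assumed to start at the beginning of a line.
    """
    needle = b"\r\n.\r\n" if strict else b"\n.\r\n"
    idx = data.find(needle)
    if idx < 0:
        return None
    # The '.' sits three bytes before the end of either needle.
    return idx + len(needle) - 3


def check_data(data: bytes) -> Dict[str, object]:
    """Decide whether a DATA payload is safe to accept.

    Reject when the payload contains a bare <LF>, or when strict and lenient
    framing would place the end of the message at different offsets (the
    condition under which a downstream server could see extra input).
    """
    bare = find_bare_newlines(data)
    strict_end = end_of_data(data, strict=True)
    lenient_end = end_of_data(data, strict=False)
    verdict = "accept" if not bare and strict_end == lenient_end else "reject"
    return {
        "bare_newline_offsets": bare,
        "strict_end": strict_end,
        "lenient_end": lenient_end,
        "verdict": verdict,
    }


# Constructed sample payloads (the bytes a client sends after the DATA
# command, including the terminating dot line).
CLEAN_PAYLOAD = b"Subject: hi\r\n\r\nhello\r\n.\r\n"
# Same message, but the line before the dot ends in a bare <LF>, so the two
# parsers disagree about where the message ends.
BARE_LF_PAYLOAD = b"Subject: hi\r\n\r\nhello\n.\r\nmore text\r\n.\r\n"

if __name__ == "__main__":
    for label, payload in (("clean", CLEAN_PAYLOAD), ("bare-lf", BARE_LF_PAYLOAD)):
        print(label, check_data(payload))
```

Running the block prints an "accept" verdict for the clean payload and a "reject"
verdict for the one containing a bare <LF>, together with the differing end offsets
that show why tolerating <LF>.<CR><LF> on one server and not on another is the
root of the problem.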

For Debian 10 buster, this problem has been fixed in version
3.4.23-0+deb10u2.

We recommend that you upgrade your postfix packages.

For the detailed security status of postfix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postfix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS