[SECURITY] [DLA 3725-1] postfix security update

To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 3725-1] postfix security update
From: rouca@debian.org
Date: Tue, 30 Jan 2024 12:49:15 +0000
Message-id: <[🔎] aab61417bfdac2d51154f2d9e7dc31d0.rouca@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3725-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien RoucariÃ¨s
January 30, 2024                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : postfix
Version        : 3.4.23-0+deb10u2
CVE ID         : CVE-2023-51764
Debian Bug     : 1059230

Postfix, a popular mail server, 
allowed SMTP smuggling unless configured with
smtpd_data_restrictions=reject_unauth_pipelining
and smtpd_discard_ehlo_keywords=chunking
(or certain other options that exist in recent versions).

Remote attackers can use a published exploitation technique to
inject e-mail messages with a spoofed MAIL FROM address,
allowing bypass of an SPF protection mechanism.

This occurs because Postfix supported <LF>.<CR><LF> but
some other popular e-mail servers do not.

To prevent attack variants (by always disallowing <LF> without <CR>),
a different solution is required, such as setting the backported
configuration option smtpd_forbid_bare_newline=yes

For Debian 10 buster, this problem has been fixed in version
3.4.23-0+deb10u2.

We recommend that you upgrade your postfix packages.

For the detailed security status of postfix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postfix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmW48EoACgkQADoaLapB
CF+LQhAAil34Nfsl3v9k4z7/1fAyRbxU6og2+h/h3swadjcwk/LSyiGK9aRtMmS7
nyced5A0sxaVM/CGXfyYN8TIa5lxJaH3nrBhz6mfQzHIT0VJ2+2a/lnKDdE3lmEK
wgmh1gaZQ6BnDXlHzptdUtGx8UBi3Ypux++tppw649rJyk+PpvO2qz/Ri19Guqc3
ieZGCPgeQ1BWjQl89K/uREu9eArRcYmIvsfCpgbT0WxtgxygDXdCt1SC1RAAM5Pp
kOluJ1+OC0QTevx+AxMrnO+3RtsHht1MZm5UNk/ivOLfWSrNOK38issrTueYhFAI
XDZM47sd2KpMWqK+yFBNmi0GPY0AHWILzR5HvqVYXkpaJ1dLeiH+IgWxLEBX+zXd
dtmYirBB8vi2ZBOYudNpH9N3WjzRBpGelmW/ursQWKOVvGH0U6mury8l5iH2Zs2n
t1q9w9afN0CREg+sfviqScWVYClATNZ3o5+S6Lxa8nfE0GyxJfSEgaVm6LTuJnrf
nWYQ8cw1dlE9TRZdWPc7lCtiYdr0zr7/cpPWMbDNc4H/UFSrQqgmpR2dS0ZjELF1
LR0j8+i9/7x3w4C5v4nxZC/lLYpsnkhrwucE6olANUJcbadRwA0b2NDG/ADSQqIp
lP4z1J1/O4MEAAlNooUdCzwhla+GCLgoPZUfTga03lKTrl0mM5w=
=3Tgx
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3724-1] pillow security update
Next by Date: [SECURITY] [DLA 3726-1] bind9 security update
Previous by thread: [SECURITY] [DLA 3724-1] pillow security update
Next by thread: [SECURITY] [DLA 3726-1] bind9 security update
Index(es):
- Date
- Thread