
Fwd: [USN-74-1] Postfix vulnerability

----------  Forwarded Message  ----------

Subject: [USN-74-1] Postfix vulnerability
Date: Sunday 06 February 2005 23:55
From: Wietse Venema <wietse@porcupine.org>
To: Postfix announce <postfix-announce@postfix.org>
Cc: Postfix users <postfix-users@postfix.org>

In a recent announcement on the Full-Disclosure mailing list, Martin
Pitt <martin.pitt@canonical.com> wrote:
> Jean-Samuel Reynaud noticed a programming error in the IPv6 handling
> code of Postfix when /proc/net/if_inet6 is not available (which is the
> case in Ubuntu since Postfix runs in a chroot). If "permit_mx_backup"
> was enabled in the "smtpd_recipient_restrictions", Postfix turned into
> an open relay, i. e. erroneously permitted the delivery of arbitrary
> mail to any MX host which has an IPv6 address.

This is a bug in a third-party IPv6 patch that is not part of
Postfix. The bug affects Linux systems only.

Neither the official Postfix release, nor the work-in-progress
version (which has IPv6 support built-in) are affected by this.

Please do not ask me how to resolve the vulnerability. Contact info
for the third-party IPv6 patch is at http://www.ipnet6.org/postfix/ipv6.html.

Please do not ask me what Linux distributions are affected.  Contact
your Linux distributor instead.

It would be nice if Linux distributors could indicate whether a
Postfix problem is part of the software base itself, or due to a
third-party add-on that they included with the base software.



Hi list!

My short question about the topic is:

Is the recent postfix version of sarge (2.1.5-5) affected and, if so, when can
a fixed version be expected?

With kind regards, Jan.
If wishes were wings,  o"   )~  would fly.
Version: 3.12
GIT d-- s+: a-- C+++ UL++++ P+ L+++ E- W+++ N+++ o++ K++ w---
O M-- V- PS PE Y++ PGP++ t-- 5 X R tv- b+ DI- D++
G++ e++ h-- r+++ y+++
