[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: [USN-74-1] Postfix vulnerability

Hash: SHA1

Already read this link:

Jan Wagner wrote:
| ----------  Forwarded Message  ----------
| Subject: [USN-74-1] Postfix vulnerability
| Date: Sunday 06 February 2005 23:55
| From: Wietse Venema <wietse@porcupine.org>
| To: Postfix announce <postfix-announce@postfix.org>
| Cc: Postfix users <postfix-users@postfix.org>
| In a recent announcement on the Full-Disclosure mailing list, Martin
| Pitt <martin.pitt@canonical.com> wrote:
|>Jean-Samuel Reynaud noticed a programming error in the IPv6 handling
|>code of Postfix when /proc/net/if_inet6 is not available (which is the
|>case in Ubuntu since Postfix runs in a chroot). If "permit_mx_backup"
|>was enabled in the "smtpd_recipient_restrictions", Postfix turned into
|>an open relay, i. e. erroneously permitted the delivery of arbitrary
|>mail to any MX host which has an IPv6 address.
| This is a bug in a third-party IPv6 patch that is not part of
| Postfix. The bug affects Linux systems only.
| Neither the official Postfix release, nor the work-in-progress
| version (which has IPv6 support built-in) are affected by this.
| Please do not ask me how to resolve the vulnerability. Contact info
| for the third-party IPv6 patch is at
| Please do not ask me what Linux distributions are affected.  Contact
| your Linux distributor instead.
| It would be nice if Linux distributors could indicate whether a
| Postfix problem is part of the software base itself, or due to a
| third-party add-on that they included with the base software.
|  Wietse
| -------------------------------------------------------
| Hi list!
| my short question about the topic are:
| Is the recent postfix version of sarge (2.1.5-5) affected and if, when
can be
| a fixed version expected?
| With kind regards, Jan.

Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org


Reply to: