Debian: New postfix packages fix installability problem on i386

    Date: 19 Aug 2008
    Category: Debian
    Posted By: LinuxSecurity Advisories
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1629-2
    http://www.debian.org/security/                          Thijs Kinkhorst
    August 19, 2008                       http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : postfix
    Vulnerability  : programming error
    Problem type   : local
    Debian-specific: no
    CVE Id(s)      : CVE-2008-2936
    
    Due to a version numbering problem, the Postfix update for DSA 1629 was
    not installable on the i386 (Intel ia32) architecture. This update
    increases the version number to make it installable on i386 as well.
    For reference, the original advisory text is below.
    
    Sebastian Krahmer discovered that Postfix, a mail transfer agent,
    incorrectly checks the ownership of a mailbox. In some configurations,
    this allows for appending data to arbitrary files as root.
    
    Note that only specific configurations are vulnerable; the default
    Debian installation is not affected. Only a configuration meeting
    the following requirements is vulnerable:
     * The mail delivery style is mailbox, with the Postfix built-in
       local(8) or virtual(8) delivery agents.
     * The mail spool directory (/var/spool/mail) is user-writeable.
     * The user can create hardlinks pointing to root-owned symlinks
       located in other directories.
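
An added audit script (not part of the Debian advisory or of Postfix) that checks a spool directory for the preconditions listed above: a world-writable mailbox-style spool, and spool entries that are symlinks or carry more than one hard link. It assumes GNU find; the function names are hypothetical, and the argument is expected to be the configured value of mail_spool_directory.

```shell
#!/bin/sh
# Added example: audit a mail spool for the preconditions in DSA-1629.
# Assumes GNU find (as shipped on Debian). Function names are hypothetical.

# Succeeds if DIR is writable by "other", i.e. any local user can create
# entries in it. Group write also matters when ordinary users are members
# of the directory's owning group; that case is not checked here.
spool_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -0002 2>/dev/null)" ]
}

# Prints spool entries a mailbox-style delivery agent should not trust:
# symlinks (a hard link to a symlink is still type "l") and regular files
# with more than one hard link. Output format: TYPE LINKCOUNT OWNER PATH
suspicious_mailboxes() {
    find "$1" -mindepth 1 -maxdepth 1 \
        \( -type l -o \( -type f -links +1 \) \) \
        -printf '%y %n %u %p\n' | sort
}

# Postfix treats a configured path ending in "/" as maildir style;
# anything else is mailbox style, the case the advisory describes.
is_mailbox_style() {
    case "$1" in
        */) return 1 ;;
        *)  return 0 ;;
    esac
}

# Returns 0 when nothing was flagged, 1 otherwise.
audit_spool() {
    dir=$1; findings=0
    if is_mailbox_style "$dir" && spool_world_writable "$dir"; then
        echo "WARN: $dir is a world-writable mailbox-style spool"; findings=1
    fi
    entries=$(suspicious_mailboxes "$dir")
    if [ -n "$entries" ]; then
        echo "WARN: symlinked or multiply-linked mailbox entries:"
        echo "$entries"; findings=1
    fi
    return "$findings"
}

if [ "$#" -gt 0 ]; then audit_spool "$1"; fi
```

On a host with Postfix installed, the argument can be taken from `postconf -h mail_spool_directory`.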
    
    For a detailed treatment of the issue, please refer to the upstream
    author's announcement:
    http://article.gmane.org/gmane.mail.postfix.announce/110
    
    For the stable distribution (etch), this problem has been fixed in
    version 2.3.8-2+etch1.
    
    For the testing distribution (lenny), this problem has been fixed in
    version 2.5.2-2lenny1.
    
    For the unstable distribution (sid), this problem has been fixed
    in version 2.5.4-1.
    
    We recommend that you upgrade your postfix package.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main