Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 565
Alerts This Week
Warning Icon 1 565

Ubuntu: USN-1113-1 Critical: Postfix Confidentiality Exposure

ubuntu
Calendar Grey April 18, 2011
Scroller Ubuntu
Safeguard privacy risks in Postfix by applying these critical patches detailed in the Ubuntu Security Advisory USN-1114-1.
An attacker could send crafted input to Postfix and cause it to reveal confidential information.

Summary

An attacker could send crafted input to Postfix and cause it to reveal

confidential information.

Software Description:

- postfix: High-performance mail transport agent

Details:

It was discovered that the Postfix package incorrectly granted write access

on the PID directory to the postfix user. A local attacker could use this

flaw to possibly conduct a symlink attack and overwrite arbitrary files.

This issue only affected Ubuntu 6.06 LTS and 8.04 LTS. (CVE-2009-2939)

Wietse Venema discovered that Postfix incorrectly handled cleartext

commands after TLS is in place. A remote attacker could exploit this to

inject cleartext commands into TLS sessions, and possibly obtain

confidential information such as passwords. (CVE-2011-0411)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
  postfix                         2.7.1-1ubuntu0.1

Ubuntu 10.04 LTS:
  postfix                         2.7.0-1ubuntu0.1

Ubuntu 9.10:
  postfix                         2.6.5-3ubuntu0.1

Ubuntu 8.04 LTS:
  postfix                         2.5.1-2ubuntu1.3

Ubuntu 6.06 LTS:
  postfix                         2.2.10-1ubuntu0.3

In general, a standard system update will make all the necessary changes.

References

CVE-2009-2939, CVE-2011-0411

Severity
critical
Lowest
Low
Medium
High
Critical

April 18, 2011

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.