
Re: Fwd: [USN-74-1] Postfix vulnerability




Already read this link:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=267837

Jan Wagner wrote:
| ----------  Forwarded Message  ----------
|
| Subject: [USN-74-1] Postfix vulnerability
| Date: Sunday 06 February 2005 23:55
| From: Wietse Venema <wietse@porcupine.org>
| To: Postfix announce <postfix-announce@postfix.org>
| Cc: Postfix users <postfix-users@postfix.org>
|
| In a recent announcement on the Full-Disclosure mailing list, Martin
| Pitt <martin.pitt@canonical.com> wrote:
|
|>Jean-Samuel Reynaud noticed a programming error in the IPv6 handling
|>code of Postfix when /proc/net/if_inet6 is not available (which is the
|>case in Ubuntu since Postfix runs in a chroot). If "permit_mx_backup"
|>was enabled in the "smtpd_recipient_restrictions", Postfix turned into
|>an open relay, i.e. erroneously permitted the delivery of arbitrary
|>mail to any MX host which has an IPv6 address.
|
|
| This is a bug in a third-party IPv6 patch that is not part of
| Postfix. The bug affects Linux systems only.
|
| Neither the official Postfix release, nor the work-in-progress
| version (which has IPv6 support built-in) are affected by this.
|
| Please do not ask me how to resolve the vulnerability. Contact info
| for the third-party IPv6 patch is at
| http://www.ipnet6.org/postfix/ipv6.html.
|
| Please do not ask me what Linux distributions are affected.  Contact
| your Linux distributor instead.
|
| It would be nice if Linux distributors could indicate whether a
| Postfix problem is part of the software base itself, or due to a
| third-party add-on that they included with the base software.
|
|  Wietse
|
| -------------------------------------------------------
|
| Hi list!
|
| My short question about the topic is:
|
| Is the recent postfix version of sarge (2.1.5-5) affected, and if so,
| when can a fixed version be expected?
|
| With kind regards, Jan.

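A configuration check for the two conditions named in the quoted advisory (permit_mx_backup in smtpd_recipient_restrictions, and /proc/net/if_inet6 missing inside the chroot), added here as an example that is not part of the original thread or of Postfix. The function names and the sample main.cf are constructed; the check assumes the chroot root is queue_directory, does not follow $parameter references, and cannot tell whether the third-party IPv6 patch is installed.

```python
import os
import re

# Constructed sample main.cf (not from the thread). The restriction list
# spans continuation lines and has a comment line in the middle.
SAMPLE_MAIN_CF = """\
queue_directory = /var/spool/postfix
smtpd_recipient_restrictions = permit_mynetworks
smtpd_recipient_restrictions =
    permit_mynetworks,
# backup MX for customer domains
    permit_mx_backup,
    reject_unauth_destination
"""

def parse_main_cf(text):
    """Return {parameter: value} following main.cf line rules."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                  # blank and comment lines are ignored
        if line[0] in " \t":          # leading whitespace continues a line
            if name is not None:
                params[name] += " " + line.strip()
            continue
        key, sep, value = line.partition("=")
        name = (key.strip() or None) if sep else None
        if name:
            params[name] = value.strip()   # a later definition overrides
    return params

def restrictions(params, name="smtpd_recipient_restrictions"):
    """Split a restriction list on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", params.get(name, "")) if t]

def if_inet6_visible(chroot_root):
    """True if /proc/net/if_inet6 exists as seen from inside chroot_root."""
    return os.path.exists(os.path.join(chroot_root, "proc/net/if_inet6"))

def audit(main_cf_text, chroot_root=None):
    """Report the two conditions from the advisory for one configuration."""
    params = parse_main_cf(main_cf_text)
    # Assumption: chrooted daemons use queue_directory as their root.
    root = chroot_root or params.get("queue_directory", "/var/spool/postfix")
    return {"permit_mx_backup": "permit_mx_backup" in restrictions(params),
            "if_inet6_visible": if_inet6_visible(root)}

if __name__ == "__main__":
    print(audit(SAMPLE_MAIN_CF))
```

A host matches the advisory's conditions when `permit_mx_backup` is true and `if_inet6_visible` is false; whether the package carries the IPv6 patch still has to be confirmed with the distributor.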


