Subject: Re: 2 Postfix vulnerabilities -- Postfix 2.0.6 backport for -rnetbsd-1-6 ?
To: Brian A. Seklecki <lavalamp@spiritual-machines.org>
From: Perry E. Metzger <perry@piermont.com>
List: tech-security
Date: 08/04/2003 22:38:40
"Brian A. Seklecki" <lavalamp@spiritual-machines.org> writes:
> This might call for a backport of the 2.0.6 upgrades from -current into
> the -rnetbsd-1-6 branch:
>
> http://cvsweb.netbsd.org/bsdweb.cgi/src/gnu/usr.sbin/postfix/Makefile
>
> http://www.securityfocus.com/archive/1/331713/2003-08-01/2003-08-07/0
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0540
>
> However I haven't seen a proof-of-concept documented. I'm going to test
> it now.
There is no point in that.
The fix for 1.1.13 is literally a one line patch. Just get it from
Wietse's site and the releng guys can apply it to the branch.
BTW, the bug is not a break in threat -- just a DoS threat.
Perry
>
> -lava
>
> -----Forwarded Message-----
>
> Security Advisory - RHSA-2003:251-07
> ------------------------------------------------------------------------------
> Summary:
> New postfix packages fix security issues.
>
> New Postfix packages that fix two potential security issues are now available.
>
> Description:
> Postfix is a Mail Transport Agent (MTA).
>
> Two security issues have been found in Postfix that affect the Postfix
> packages in Red Hat Linux 7.3, 8.0, and 9.
>
> Postfix versions before 1.1.12 allow an attacker to bounce-scan private
> networks, or use the daemon as a DDoS tool by forcing the daemon to connect
> to an arbitrary service at an arbitrary IP address and receiving either a
> bounce message or by analyzing timing. The Common Vulnerabilities and
> Exposures project (cve.mitre.org) has assigned the name CAN-2003-0468 to
> this issue.
>
> Postfix versions from 1.1 up to and including 1.1.12 have a bug where a
> remote attacker could send a malformed envelope address and:
>
> 1) cause the queue manager to lock up until an entry is removed from the
> queue or,
>
> 2) lock up the SMTP listener, leading to a DoS.
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CAN-2003-0540 to this issue.
>
> Users of Postfix are advised to upgrade to these erratum packages, which
> contain a version of Postfix 1.1.12 with the addition of a security patch
> and are not vulnerable to either of these issues.
>
> Red Hat would like to thank Michal Zalewski for discovering and disclosing
> the flaws and to Wietse Venema for providing patches.
> [...snip...]
--
Perry E. Metzger perry@piermont.com