Bug 457306

Summary:	Change: Postfix 2.5 patchlevel 5 released 8/31/08; denial of service + security flaw fixed
Product:	[Fedora] Fedora	Reporter:	Gilbert Sebenste <sebenste>
Component:	postfix	Assignee:	Thomas Woerner <twoerner>
Status:	CLOSED NEXTRELEASE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	high	Docs Contact:
Priority:	low
Version:	9	CC:	sebenste, tuju
Target Milestone:	---	Keywords:	Rebase, ReleaseNotes, Security
Target Release:	---
Hardware:	All
OS:	Linux
URL:	ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.5.5.HISTORY
Whiteboard:
Fixed In Version:		Doc Type:	Rebase: Bug Fixes and Enhancements
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2008-10-01 14:23:38 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Gilbert Sebenste 2008-07-30 19:59:11 UTC

Description of problem: Postfix 2.5.1-2 ships with F9. Requesting
a bump to fix bugs.


Version-Release number of selected component (if applicable): 2.5.1-.FC9


How reproducible: Always


Steps to Reproduce:
1. See above 
  
Actual results: See above


Expected results: See above


Additional info: Bumps from 2.5.1 to 2.5.3. No security fixes, just bugs 
swatted. See http://www.postfix.org and downloads for more information.

Comment 1 Gilbert Sebenste 2008-08-15 20:01:36 UTC

Wietse Venema has just released a statement indicating that he found a serious local privilege escalation issue. Furthermore, the statement includes proof-of-concept code to test for yourself. Reference:

http://archives.neohapsis.com/archives/postfix/2008-08/0392.html

I am bumping this to high priority and adding a security tag. Because this is a public notification, hiding this is not necessary. Now I'm requesting not only a rebase, but a patch to this flaw as well.

Comment 2 Gilbert Sebenste 2008-08-15 20:03:55 UTC

Correction: Wietse didn't find the issue, Sebastian Krahmer did (sorry). All other information is valid.

Comment 3 Gilbert Sebenste 2008-08-15 20:42:04 UTC

Patch released 8/15/08; update to patchlevel 4. I can't change my original comment to bump 2.5.1 to 2.5.3; it should now say that I want to see 2.5.1 bumped to 2.5.4.

Comment 4 Gilbert Sebenste 2008-09-03 15:43:43 UTC

Flaw in 2.4X has been fixed with 2.5.5, just released:

ftp://ftp.wl0.org/postfix-release/official/postfix-2.5.5.HISTORY
Updated title and history to show new version and bug description via link to change file.

Comment 5 Gilbert Sebenste 2008-09-30 17:55:29 UTC

Thank you for the updates on F8 and F9 to 2.5.5-1, all works well on F8. +1 to updates, please.

Comment 6 Gilbert Sebenste 2008-09-30 17:56:14 UTC

I should mention that, as of this writing, it is still in Koji. Sorry 'bout that. Anyway, it works well. Thank you again for the update!

Comment 7 Fedora Update System 2008-10-01 10:32:54 UTC

postfix-2.5.5-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/postfix-2.5.5-1.fc9

Comment 8 Fedora Update System 2008-10-09 21:33:06 UTC

postfix-2.5.5-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.