Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Change: Postfix 2.5 patchlevel 5 released 8/31/08; denial of service + security flaw fixed|
|Product:||[Fedora] Fedora||Reporter:||Gilbert Sebenste <sebenste>|
|Component:||postfix||Assignee:||Thomas Woerner <twoerner>|
|Status:||CLOSED NEXTRELEASE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Target Milestone:||---||Keywords:||Rebase, ReleaseNotes, Security|
|Doc Type:||Rebase: Bug Fixes and Enhancements|
|Last Closed:||2008-10-01 10:23:38 EDT||Type:||---|
Description Gilbert Sebenste 2008-07-30 15:59:11 EDT
Description of problem: Postfix 2.5.1-2 ships with F9. Requesting a bump to fix bugs.
Version-Release number of selected component (if applicable): 2.5.1-.FC9
How reproducible: Always
Steps to Reproduce: 1. See above
Actual results: See above
Expected results: See above
Additional info: Bumps from 2.5.1 to 2.5.3. No security fixes, just bugs swatted. See http://www.postfix.org and downloads for more information.
Comment 1 Gilbert Sebenste 2008-08-15 16:01:36 EDT
Wietse Venema has just released a statement indicating that he found a serious local privilege escalation issue. Furthermore, the statement includes proof-of-concept code to test for yourself. Reference: http://archives.neohapsis.com/archives/postfix/2008-08/0392.html I am bumping this to high priority and adding a security tag. Because this is a public notification, hiding this is not necessary. Now I'm requesting not only a rebase, but a patch to this flaw as well.
Comment 2 Gilbert Sebenste 2008-08-15 16:03:55 EDT
Correction: Wietse didn't find the issue, Sebastian Krahmer did (sorry). All other information is valid.
Comment 3 Gilbert Sebenste 2008-08-15 16:42:04 EDT
Patch released 8/15/08; update to patchlevel 4. I can't change my original comment to bump 2.5.1 to 2.5.3; it should now say that I want to see 2.5.1 bumped to 2.5.4.
Comment 4 Gilbert Sebenste 2008-09-03 11:43:43 EDT
Flaw in 2.4X has been fixed with 2.5.5, just released: ftp://ftp.wl0.org/postfix-release/official/postfix-2.5.5.HISTORY Updated title and history to show new version and bug description via link to change file.
Comment 5 Gilbert Sebenste 2008-09-30 13:55:29 EDT
Thank you for the updates on F8 and F9 to 2.5.5-1, all works well on F8. +1 to updates, please.
Comment 6 Gilbert Sebenste 2008-09-30 13:56:14 EDT
I should mention that, as of this writing, it is still in Koji. Sorry 'bout that. Anyway, it works well. Thank you again for the update!
Comment 7 Fedora Update System 2008-10-01 06:32:54 EDT
postfix-2.5.5-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/postfix-2.5.5-1.fc9
Comment 8 Fedora Update System 2008-10-09 17:33:06 EDT
postfix-2.5.5-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.