Bug 457306

Summary: Change: Postfix 2.5 patchlevel 5 released 8/31/08; denial of service + security flaw fixed
Product: [Fedora] Fedora
Reporter: Gilbert Sebenste <sebenste>
Component: postfix
Assignee: Thomas Woerner <twoerner>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: low
Version: 9
CC: sebenste, tuju
Target Milestone: ---
Keywords: Rebase, ReleaseNotes, Security
Target Release: ---
Hardware: All
OS: Linux
URL: ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.5.5.HISTORY
Fixed In Version:
Doc Type: Rebase: Bug Fixes and Enhancements
Last Closed: 2008-10-01 10:23:38 EDT

Description Gilbert Sebenste 2008-07-30 15:59:11 EDT
Description of problem: Postfix 2.5.1-2 ships with F9. Requesting
a bump to fix bugs.


Version-Release number of selected component (if applicable): 2.5.1-.FC9


How reproducible: Always


Steps to Reproduce:
1. See above 
  
Actual results: See above


Expected results: See above


Additional info: Bumps from 2.5.1 to 2.5.3. No security fixes, just bugs 
swatted. See http://www.postfix.org and downloads for more information.

Comment 1 Gilbert Sebenste 2008-08-15 16:01:36 EDT
Wietse Venema has just released a statement indicating that he found a serious local privilege escalation issue. Furthermore, the statement includes proof-of-concept code to test for yourself. Reference:

http://archives.neohapsis.com/archives/postfix/2008-08/0392.html

I am bumping this to high priority and adding a security tag. Because this is a public notification, hiding this is not necessary. Now I'm requesting not only a rebase, but a patch to this flaw as well.

Comment 2 Gilbert Sebenste 2008-08-15 16:03:55 EDT
Correction: Wietse didn't find the issue, Sebastian Krahmer did (sorry). All other information is valid.

Comment 3 Gilbert Sebenste 2008-08-15 16:42:04 EDT
Patch released 8/15/08; update to patchlevel 4. I can't change my original comment to bump 2.5.1 to 2.5.3; it should now say that I want to see 2.5.1 bumped to 2.5.4.

Comment 4 Gilbert Sebenste 2008-09-03 11:43:43 EDT
Flaw in 2.4X has been fixed with 2.5.5, just released:

ftp://ftp.wl0.org/postfix-release/official/postfix-2.5.5.HISTORY
Updated title and history to show new version and bug description via link to change file.

Comment 5 Gilbert Sebenste 2008-09-30 13:55:29 EDT
Thank you for the updates on F8 and F9 to 2.5.5-1, all works well on F8. +1 to updates, please.

Comment 6 Gilbert Sebenste 2008-09-30 13:56:14 EDT
I should mention that, as of this writing, it is still in Koji. Sorry 'bout that. Anyway, it works well. Thank you again for the update!

Comment 7 Fedora Update System 2008-10-01 06:32:54 EDT
postfix-2.5.5-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/postfix-2.5.5-1.fc9

Comment 8 Fedora Update System 2008-10-09 17:33:06 EDT
postfix-2.5.5-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.