Bug 674814 (CVE-2011-0411)
| Summary: | CVE-2011-0411 postfix: SMTP commands injection during plaintext to TLS session switch | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | jskarvad, mlichvar, psklenar, security-response-team, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 15:30:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 682978, 683168, 683386, 683387, 683389, 683392, 833971 | ||
| Bug Blocks: | 735401 | ||
|
Description
Jan Lieskovsky
2011-02-03 13:03:59 UTC
This issue affects the versions of the postfix package, as shipped with Red Hat Enterprise Linux 4, 5, and 6. -- This issue affects the versions of the postfix package, as shipped with Fedora release of 13 and 14. This is public now: http://www.kb.cert.org/vuls/id/555316 It indicates that Postfix 2.7.3, 2.6.9, 2.5.12, and 2.4.16 have been released to correct the flaw. Postfix 2.8 and 2.9 are not affected. http://www.postfix.org/announcements/postfix-2.7.3.html Other postfix-related references: http://www.kb.cert.org/vuls/id/MORO-8ELH6Z http://www.postfix.org/announcements/postfix-2.7.3.html http://www.postfix.org/CVE-2011-0411.html (not yet available) This issue did NOT affect the versions of the exim package, as shipped with Red Hat Enterprise Linux 4 and 5. -- This issue did NOT affect the versions of the exim package, as present within EPEL-6 repository. -- This issue did NOT affect the versions of the exim package, as shipped with Fedora release of 13 and 14. This issue did NOT affect the versions of the sendmail package, as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6. -- This issue did NOT affect the versions of the sendmail package, as shipped with Fedora release of 13 and 14. Created postfix tracking bugs for this issue Affects: fedora-all [bug 683168] This issue affects more than just MTAs. See bug #683221 for a similar flaw in pure-ftpd. Statement: This issue affected postfix packages in Red Hat Enterprise Linux 4, 5, and 6. It was corrected via RHSA-2011:0422 and RHSA-2011:0423. This issue did not affect the versions of sendmail as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6, and the versions of exim as shipped with Red Hat Enterprise Linux 4 and 5. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Via RHSA-2011:0422 https://rhn.redhat.com/errata/RHSA-2011-0422.html This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0423 https://rhn.redhat.com/errata/RHSA-2011-0423.html Acknowledgements: Red Hat would like to thank the CERT/CC for reporting CVE-2011-0411. The CERT/CC acknowledges Wietse Venema as the original reporter. |