Red Hat Bugzilla – Bug 457306
Change: Postfix 2.5 patchlevel 5 released 8/31/08; denial of service + security flaw fixed
Last modified: 2008-10-09 17:33:16 EDT
Description of problem: Postfix 2.5.1-2 ships with F9. Requesting a bump to fix bugs.
Version-Release number of selected component (if applicable): 2.5.1-.FC9
How reproducible: Always
Steps to Reproduce:
1. See above
Actual results: See above
Expected results: See above
Additional info: Bumps from 2.5.1 to 2.5.3. No security fixes, just bugs swatted. See http://www.postfix.org and downloads for more information.
Wietse Venema has just released a statement indicating that he found a serious local privilege escalation issue. Furthermore, the statement includes proof-of-concept code to test for yourself. Reference:
I am bumping this to high priority and adding a security tag. Because this is a public notification, hiding this is not necessary. Now I'm requesting not only a rebase, but a patch to this flaw as well.
Correction: Wietse didn't find the issue, Sebastian Krahmer did (sorry). All other information is valid.
Patch released 8/15/08; update to patchlevel 4. I can't change my original comment to bump 2.5.1 to 2.5.3; it should now say that I want to see 2.5.1 bumped to 2.5.4.
Flaw in 2.4X has been fixed with 2.5.5, just released:
Updated title and history to show new version and bug description via link to change file.
Thank you for the updates on F8 and F9 to 2.5.5-1, all works well on F8. +1 to updates, please.
I should mention that, as of this writing, it is still in Koji. Sorry 'bout that. Anyway, it works well. Thank you again for the update!
postfix-2.5.5-1.fc9 has been submitted as an update for Fedora 9.
postfix-2.5.5-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.