Bug 457306 - Change: Postfix 2.5 patchlevel 5 released 8/31/08; denial of service + security flaw fixed
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: postfix
Version: 9
Hardware: All Linux
Priority: low, Severity: high
Assigned To: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL: ftp://ftp.porcupine.org/mirrors/postf...
Keywords: Rebase, ReleaseNotes, Security
Reported: 2008-07-30 15:59 EDT by Gilbert Sebenste
Modified: 2008-10-09 17:33 EDT
Doc Type: Rebase: Bug Fixes and Enhancements
Last Closed: 2008-10-01 10:23:38 EDT

Description Gilbert Sebenste 2008-07-30 15:59:11 EDT
Description of problem: Postfix 2.5.1-2 ships with F9. Requesting
a bump to fix bugs.


Version-Release number of selected component (if applicable): 2.5.1-.FC9


How reproducible: Always


Steps to Reproduce:
1. See above 
  
Actual results: See above


Expected results: See above


Additional info: Bumps from 2.5.1 to 2.5.3. No security fixes, just bugs 
swatted. See http://www.postfix.org and downloads for more information.
Comment 1 Gilbert Sebenste 2008-08-15 16:01:36 EDT
Wietse Venema has just released a statement indicating that he found a serious local privilege escalation issue. Furthermore, the statement includes proof-of-concept code to test for yourself. Reference:

http://archives.neohapsis.com/archives/postfix/2008-08/0392.html

I am bumping this to high priority and adding a security tag. Because this is a public notification, hiding this is not necessary. Now I'm requesting not only a rebase, but a patch to this flaw as well.
Comment 2 Gilbert Sebenste 2008-08-15 16:03:55 EDT
Correction: Wietse didn't find the issue, Sebastian Krahmer did (sorry). All other information is valid.
Comment 3 Gilbert Sebenste 2008-08-15 16:42:04 EDT
Patch released 8/15/08; update to patchlevel 4. I can't change my original comment to bump 2.5.1 to 2.5.3; it should now say that I want to see 2.5.1 bumped to 2.5.4.
Comment 4 Gilbert Sebenste 2008-09-03 11:43:43 EDT
Flaw in 2.4X has been fixed with 2.5.5, just released:

ftp://ftp.wl0.org/postfix-release/official/postfix-2.5.5.HISTORY
Updated title and history to show new version and bug description via link to change file.
Comment 5 Gilbert Sebenste 2008-09-30 13:55:29 EDT
Thank you for the updates on F8 and F9 to 2.5.5-1, all works well on F8. +1 to updates, please.
Comment 6 Gilbert Sebenste 2008-09-30 13:56:14 EDT
I should mention that, as of this writing, it is still in Koji. Sorry 'bout that. Anyway, it works well. Thank you again for the update!
Comment 7 Fedora Update System 2008-10-01 06:32:54 EDT
postfix-2.5.5-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/postfix-2.5.5-1.fc9
Comment 8 Fedora Update System 2008-10-09 17:33:06 EDT
postfix-2.5.5-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
