Red Hat Bugzilla – Bug 459091
CVE-2008-2936, CVE-2008-2937: Postfix local privilege escalation and mbox ownership problem
Last modified: 2008-08-14 09:23:17 EDT
Description of problem:
Thomas Biege from SuSE/Novell describes with "SUSE Security Announcement:
postfix (SUSE-SA:2008:040)", that they've fixed a security issue (CVE-2008-
2936, CVE-2008-2937: Postfix local privilege escalation and mbox ownership
problem) which seems to apply for all RHEL and Fedora products as well, but
I can't see a Red Hat or Fedora specific update for this; from the e-mail
from SuSE/Novell to all openSUSE, SLES and SLED customers:
--- snipp ---
1) Problem Description and Brief Discussion
Postfix is a well known MTA.
During a source code audit the SuSE Security-Team discovered a local
privilege escalation bug (CVE-2008-2936) as well as a mailbox ownership
problem (CVE-2008-2937) in postfix.
The first bug allowed local users to execute arbitrary commands as root
while the second one allowed local users to read other users mail.
2) Solution or Work-Around
Please install the update package.
--- snapp ---
Version-Release number of selected component (if applicable):
Postfix <= 2.5.1 as it seems.
No update with fix for Red Hat and/or Fedora.
Update with security fix for Red Hat and Fedora.
Looks like bug #456314 and bug #456347 are the corresponding bug reports on
Red Hat Bugzilla for the named CVEs. Unluckily, I only get the message "You
are not authorized" for these bug reports - maybe open it, as it is a public
issue now anyway?!
Date: Thu, 14 Aug 2008 14:39:29 +0200 -- I forgot, this is the date/time
where the mail was sent from SuSE.
*** This bug has been marked as a duplicate of bug 456314 ***