Red Hat Bugzilla – Bug 459091
CVE-2008-2936, CVE-2008-2937: Postfix local privilege escalation and mbox ownership problem
Last modified: 2008-08-14 09:23:17 EDT
Description of problem: Thomas Biege from SuSE/Novell describes with "SUSE Security Announcement: postfix (SUSE-SA:2008:040)", that they've fixed a security issue (CVE-2008- 2936, CVE-2008-2937: Postfix local privilege escalation and mbox ownership problem) which seems to apply for all RHEL and Fedora products as well, but I can't see a Red Hat or Fedora specific update for this; from the e-mail from SuSE/Novell to all openSUSE, SLES and SLED customers: --- snipp --- 1) Problem Description and Brief Discussion Postfix is a well known MTA. During a source code audit the SuSE Security-Team discovered a local privilege escalation bug (CVE-2008-2936) as well as a mailbox ownership problem (CVE-2008-2937) in postfix. The first bug allowed local users to execute arbitrary commands as root while the second one allowed local users to read other users mail. 2) Solution or Work-Around Please install the update package. --- snapp --- Version-Release number of selected component (if applicable): Postfix <= 2.5.1 as it seems. Actual results: No update with fix for Red Hat and/or Fedora. Expected results: Update with security fix for Red Hat and Fedora.
Looks like bug #456314 and bug #456347 are the corresponding bug reports on Red Hat Bugzilla for the named CVEs. Unluckily, I only get the message "You are not authorized" for these bug reports - maybe open it, as it is a public issue now anyway?!
Date: Thu, 14 Aug 2008 14:39:29 +0200 -- I forgot, this is the date/time where the mail was sent from SuSE.
*** This bug has been marked as a duplicate of bug 456314 ***