Bug 459091 - CVE-2008-2936, CVE-2008-2937: Postfix local privilege escalation and mbox ownership problem
CVE-2008-2936, CVE-2008-2937: Postfix local privilege escalation and mbox own...
Status: CLOSED DUPLICATE of bug 456314
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
Depends On:
  Show dependency treegraph
Reported: 2008-08-14 08:59 EDT by Robert Scheck
Modified: 2008-08-14 09:23 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-08-14 09:23:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Robert Scheck 2008-08-14 08:59:11 EDT
Description of problem:
Thomas Biege from SuSE/Novell describes with "SUSE Security Announcement:
postfix (SUSE-SA:2008:040)", that they've fixed a security issue (CVE-2008-
2936, CVE-2008-2937: Postfix local privilege escalation and mbox ownership 
problem) which seems to apply for all RHEL and Fedora products as well, but
I can't see a Red Hat or Fedora specific update for this; from the e-mail
from SuSE/Novell to all openSUSE, SLES and SLED customers:

--- snipp ---
1) Problem Description and Brief Discussion

   Postfix is a well known MTA.
   During a source code audit the SuSE Security-Team discovered a local
   privilege escalation bug (CVE-2008-2936) as well as a mailbox ownership
   problem (CVE-2008-2937) in postfix.
   The first bug allowed local users to execute arbitrary commands as root
   while the second one allowed local users to read other users mail.

2) Solution or Work-Around

   Please install the update package.
--- snapp ---

Version-Release number of selected component (if applicable):
Postfix <= 2.5.1 as it seems.

Actual results:
No update with fix for Red Hat and/or Fedora.

Expected results:
Update with security fix for Red Hat and Fedora.
Comment 1 Robert Scheck 2008-08-14 09:05:02 EDT
Looks like bug #456314 and bug #456347 are the corresponding bug reports on
Red Hat Bugzilla for the named CVEs. Unluckily, I only get the message "You
are not authorized" for these bug reports - maybe open it, as it is a public
issue now anyway?!
Comment 2 Robert Scheck 2008-08-14 09:06:16 EDT
Date: Thu, 14 Aug 2008 14:39:29 +0200 -- I forgot, this is the date/time
where the mail was sent from SuSE.
Comment 3 Josh Bressers 2008-08-14 09:23:17 EDT

*** This bug has been marked as a duplicate of bug 456314 ***

Note You need to log in before you can comment on or make changes to this bug.