Bug 459091 - CVE-2008-2936, CVE-2008-2937: Postfix local privilege escalation and mbox ownership problem
Summary: CVE-2008-2936, CVE-2008-2937: Postfix local privilege escalation and mbox own...
Keywords:
Status: CLOSED DUPLICATE of bug 456314
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://lists.opensuse.org/opensuse-se...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-08-14 12:59 UTC by Robert Scheck
Modified: 2008-08-14 13:23 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-08-14 13:23:17 UTC
Embargoed:


Attachments (Terms of Use)

Description Robert Scheck 2008-08-14 12:59:11 UTC
Description of problem:
Thomas Biege from SuSE/Novell describes with "SUSE Security Announcement:
postfix (SUSE-SA:2008:040)", that they've fixed a security issue (CVE-2008-
2936, CVE-2008-2937: Postfix local privilege escalation and mbox ownership 
problem) which seems to apply for all RHEL and Fedora products as well, but
I can't see a Red Hat or Fedora specific update for this; from the e-mail
from SuSE/Novell to all openSUSE, SLES and SLED customers:

--- snipp ---
1) Problem Description and Brief Discussion

   Postfix is a well known MTA.
   During a source code audit the SuSE Security-Team discovered a local
   privilege escalation bug (CVE-2008-2936) as well as a mailbox ownership
   problem (CVE-2008-2937) in postfix.
   The first bug allowed local users to execute arbitrary commands as root
   while the second one allowed local users to read other users mail.

2) Solution or Work-Around

   Please install the update package.
--- snapp ---

Version-Release number of selected component (if applicable):
Postfix <= 2.5.1 as it seems.

Actual results:
No update with fix for Red Hat and/or Fedora.

Expected results:
Update with security fix for Red Hat and Fedora.

Comment 1 Robert Scheck 2008-08-14 13:05:02 UTC
Looks like bug #456314 and bug #456347 are the corresponding bug reports on
Red Hat Bugzilla for the named CVEs. Unluckily, I only get the message "You
are not authorized" for these bug reports - maybe open it, as it is a public
issue now anyway?!

Comment 2 Robert Scheck 2008-08-14 13:06:16 UTC
Date: Thu, 14 Aug 2008 14:39:29 +0200 -- I forgot, this is the date/time
where the mail was sent from SuSE.

Comment 3 Josh Bressers 2008-08-14 13:23:17 UTC

*** This bug has been marked as a duplicate of bug 456314 ***


Note You need to log in before you can comment on or make changes to this bug.