lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1MhsJd-0000y9-At@titan.mandriva.com>
Date: Sun, 30 Aug 2009 23:52:01 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2009:224 ] postfix


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:224
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : postfix
 Date    : August 30, 2009
 Affected: 2008.1, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in postfix:
 
 Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers to a
 mailbox file even when this file is not owned by the recipient, which
 allows local users to read e-mail messages by creating a mailbox file
 corresponding to another user's account name (CVE-2008-2937).
 
 This update provides a solution to this vulnerability.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2937
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 7140f40e139be1cf8125074cab6e81b4  2008.1/i586/libpostfix1-2.5.1-2.3mdv2008.1.i586.rpm
 f11354454b5e18ab3c95f97aacca6cb1  2008.1/i586/postfix-2.5.1-2.3mdv2008.1.i586.rpm
 b4bea6c762263a307ba52b096e0b477b  2008.1/i586/postfix-ldap-2.5.1-2.3mdv2008.1.i586.rpm
 b4e3859a783b67327039243e502aa157  2008.1/i586/postfix-mysql-2.5.1-2.3mdv2008.1.i586.rpm
 8c7a5ae2e92c1f2527f21290f8c8d1d6  2008.1/i586/postfix-pcre-2.5.1-2.3mdv2008.1.i586.rpm
 4a824e461d20be248d732a0ecee84b17  2008.1/i586/postfix-pgsql-2.5.1-2.3mdv2008.1.i586.rpm 
 2cf1299ed9de757fec29e360dfb24d83  2008.1/SRPMS/postfix-2.5.1-2.3mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 bb834685ec49101148373ce708b5ed45  2008.1/x86_64/lib64postfix1-2.5.1-2.3mdv2008.1.x86_64.rpm
 70fce4a57c601c85bad516b373a88548  2008.1/x86_64/postfix-2.5.1-2.3mdv2008.1.x86_64.rpm
 fbf08c4d8b08fd4140843779bd28399b  2008.1/x86_64/postfix-ldap-2.5.1-2.3mdv2008.1.x86_64.rpm
 cb40d1532368fff8cca7d05ef975b6d5  2008.1/x86_64/postfix-mysql-2.5.1-2.3mdv2008.1.x86_64.rpm
 19a686b12a82ea1fc1baf04fd8246449  2008.1/x86_64/postfix-pcre-2.5.1-2.3mdv2008.1.x86_64.rpm
 6cd370a66e8efe86541e73fd165921c9  2008.1/x86_64/postfix-pgsql-2.5.1-2.3mdv2008.1.x86_64.rpm 
 2cf1299ed9de757fec29e360dfb24d83  2008.1/SRPMS/postfix-2.5.1-2.3mdv2008.1.src.rpm

 Corporate 3.0:
 c31b8d0d1b7cfeffc4114a08c590394b  corporate/3.0/i586/libpostfix1-2.1.1-0.5.C30mdk.i586.rpm
 522a1d6583d13161f9048b922ef6cf98  corporate/3.0/i586/postfix-2.1.1-0.5.C30mdk.i586.rpm
 e5a0cf0f5ebb3a67a53e1d437fc4048e  corporate/3.0/i586/postfix-ldap-2.1.1-0.5.C30mdk.i586.rpm
 5751e5109eda7b406214a9439dda8baf  corporate/3.0/i586/postfix-mysql-2.1.1-0.5.C30mdk.i586.rpm
 7641b8ed287b7a710dc9465702918154  corporate/3.0/i586/postfix-pcre-2.1.1-0.5.C30mdk.i586.rpm
 cf61094ca95d221df9bdbb24e3adbef6  corporate/3.0/i586/postfix-pgsql-2.1.1-0.5.C30mdk.i586.rpm 
 b36ec66c7a2e93e6e203f1858478bad7  corporate/3.0/SRPMS/postfix-2.1.1-0.5.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 df9a2254b1450fc898668b7f22a06a6a  corporate/3.0/x86_64/lib64postfix1-2.1.1-0.5.C30mdk.x86_64.rpm
 ffbfb3a2c9f95842c5214c69e74cf0cf  corporate/3.0/x86_64/postfix-2.1.1-0.5.C30mdk.x86_64.rpm
 0948f13bb6c5978cb033e33a79604c45  corporate/3.0/x86_64/postfix-ldap-2.1.1-0.5.C30mdk.x86_64.rpm
 a6cd459457454d854bd73de328c7489f  corporate/3.0/x86_64/postfix-mysql-2.1.1-0.5.C30mdk.x86_64.rpm
 aa6c2cec11d17d77e928ee124e1e29d9  corporate/3.0/x86_64/postfix-pcre-2.1.1-0.5.C30mdk.x86_64.rpm
 ec8fce55884bb814e84b2891d9be1cce  corporate/3.0/x86_64/postfix-pgsql-2.1.1-0.5.C30mdk.x86_64.rpm 
 b36ec66c7a2e93e6e203f1858478bad7  corporate/3.0/SRPMS/postfix-2.1.1-0.5.C30mdk.src.rpm

 Corporate 4.0:
 23bf5745a5b5f7457e4d7c346c6bcbb9  corporate/4.0/i586/libpostfix1-2.3.5-0.3.20060mlcs4.i586.rpm
 d4ae172e884ce5388edd7808f2371717  corporate/4.0/i586/postfix-2.3.5-0.3.20060mlcs4.i586.rpm
 81d27bf78511b84bb31ec4da82d2f8dd  corporate/4.0/i586/postfix-ldap-2.3.5-0.3.20060mlcs4.i586.rpm
 b438d4b45642c94756b0d74638328322  corporate/4.0/i586/postfix-mysql-2.3.5-0.3.20060mlcs4.i586.rpm
 ba4c2a8d4126c10a1640a83098d4c4b9  corporate/4.0/i586/postfix-pcre-2.3.5-0.3.20060mlcs4.i586.rpm
 c8a3c2cfbb1f9cea2117d6e0c25f9b4e  corporate/4.0/i586/postfix-pgsql-2.3.5-0.3.20060mlcs4.i586.rpm 
 782004a450a90bbcaa94837c36eb07dd  corporate/4.0/SRPMS/postfix-2.3.5-0.3.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 26a2a20d5b6a8f3f56640667ebabe810  corporate/4.0/x86_64/lib64postfix1-2.3.5-0.3.20060mlcs4.x86_64.rpm
 85b91925447997c52c15fdc8e4bafbd9  corporate/4.0/x86_64/postfix-2.3.5-0.3.20060mlcs4.x86_64.rpm
 7fbac100a9c73446b73c7a1ac5115509  corporate/4.0/x86_64/postfix-ldap-2.3.5-0.3.20060mlcs4.x86_64.rpm
 ecbaa69125310c3e1bc6682135b39d61  corporate/4.0/x86_64/postfix-mysql-2.3.5-0.3.20060mlcs4.x86_64.rpm
 a194d65c69e642307a54960f0df99294  corporate/4.0/x86_64/postfix-pcre-2.3.5-0.3.20060mlcs4.x86_64.rpm
 bf10b2360063f21bf61280fd36ff68eb  corporate/4.0/x86_64/postfix-pgsql-2.3.5-0.3.20060mlcs4.x86_64.rpm 
 782004a450a90bbcaa94837c36eb07dd  corporate/4.0/SRPMS/postfix-2.3.5-0.3.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKmsg4mqjQ0CJFipgRAiPcAKDeYjyMPZqfjGw2jz9nDMkfl+WyVwCggbiA
+4owaopmdcKSZ60jJ9vbb0k=
=DMHj
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ