lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1KU69Q-0005TT-Rg@titan.mandriva.com>
Date: Fri, 15 Aug 2008 14:44:00 -0600
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2008:171 ] postfix


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:171
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : postfix
 Date    : August 15, 2008
 Affected: 2007.1, 2008.0, 2008.1, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Sebastian Krahmer of the SUSE Security Team discovered a flaw in
 the way Postfix dereferenced symbolic links.  If a local user had
 write access to a mail spool directory without a root mailbox file,
 it could be possible for them to append arbitrary data to files that
 root had write permissions to (CVE-2008-2936).
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.1:
 26e470b9c59a7f942865ff4c9a029f33  2007.1/i586/libpostfix1-2.3.8-1.1mdv2007.1.i586.rpm
 886bae30f28144d5cd12330eadc29beb  2007.1/i586/postfix-2.3.8-1.1mdv2007.1.i586.rpm
 4490c64a7b39685f04dff74ce114edd1  2007.1/i586/postfix-ldap-2.3.8-1.1mdv2007.1.i586.rpm
 03bc15e8554bb5519bccc27147dc49c5  2007.1/i586/postfix-mysql-2.3.8-1.1mdv2007.1.i586.rpm
 4ce6d3583264a3d9a89e99554d8f5334  2007.1/i586/postfix-pcre-2.3.8-1.1mdv2007.1.i586.rpm
 1fa256a3a7306dc4711d2c1f394e4779  2007.1/i586/postfix-pgsql-2.3.8-1.1mdv2007.1.i586.rpm 
 585a32ed0e7d643bec4be76ca56e96a3  2007.1/SRPMS/postfix-2.3.8-1.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 c5b9aba41a5f7d4762e07611ab796ba9  2007.1/x86_64/lib64postfix1-2.3.8-1.1mdv2007.1.x86_64.rpm
 34aaf8a7f5489382ae2fe752239c1ad3  2007.1/x86_64/postfix-2.3.8-1.1mdv2007.1.x86_64.rpm
 c1bbbc34d1a6951dfea07b479e7546a6  2007.1/x86_64/postfix-ldap-2.3.8-1.1mdv2007.1.x86_64.rpm
 72c368adfd81383032aee96564edd1dc  2007.1/x86_64/postfix-mysql-2.3.8-1.1mdv2007.1.x86_64.rpm
 b6e9329425e1e4f6f1b591ca01c07527  2007.1/x86_64/postfix-pcre-2.3.8-1.1mdv2007.1.x86_64.rpm
 858ac67feca2fae49be70f752a9f5688  2007.1/x86_64/postfix-pgsql-2.3.8-1.1mdv2007.1.x86_64.rpm 
 585a32ed0e7d643bec4be76ca56e96a3  2007.1/SRPMS/postfix-2.3.8-1.1mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 28f80755d3e08a050a3294f15bcdf0b0  2008.0/i586/libpostfix1-2.4.5-2.1mdv2008.0.i586.rpm
 8e5a684b87309c502f34d76104e7291f  2008.0/i586/postfix-2.4.5-2.1mdv2008.0.i586.rpm
 fd4bd15f398bb8f9a90e59216b4a01dc  2008.0/i586/postfix-ldap-2.4.5-2.1mdv2008.0.i586.rpm
 63e5be0f5c1dc8b28f173726c1648831  2008.0/i586/postfix-mysql-2.4.5-2.1mdv2008.0.i586.rpm
 75e6b126fd04ce8cbef1d024a8d4af94  2008.0/i586/postfix-pcre-2.4.5-2.1mdv2008.0.i586.rpm
 3eb0a04a986f20d4771b774b0707d5ff  2008.0/i586/postfix-pgsql-2.4.5-2.1mdv2008.0.i586.rpm 
 d18e696ddd9948b311e84c1df3b4edfa  2008.0/SRPMS/postfix-2.4.5-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 25c8159e3a2b78ab281dcf6c7b5886d1  2008.0/x86_64/lib64postfix1-2.4.5-2.1mdv2008.0.x86_64.rpm
 56bc517d9bb1cf9221ce8d35999ac7de  2008.0/x86_64/postfix-2.4.5-2.1mdv2008.0.x86_64.rpm
 08af0c3454a642e57252180f6f8b8b1c  2008.0/x86_64/postfix-ldap-2.4.5-2.1mdv2008.0.x86_64.rpm
 c8777d4816b661a2853df44228c97e26  2008.0/x86_64/postfix-mysql-2.4.5-2.1mdv2008.0.x86_64.rpm
 08579717946ec5c32df7674286f9f45a  2008.0/x86_64/postfix-pcre-2.4.5-2.1mdv2008.0.x86_64.rpm
 fda669add03041fa744d5738c7457c3a  2008.0/x86_64/postfix-pgsql-2.4.5-2.1mdv2008.0.x86_64.rpm 
 d18e696ddd9948b311e84c1df3b4edfa  2008.0/SRPMS/postfix-2.4.5-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 5a3804f2c3effc218f5c2e2e3df27564  2008.1/i586/libpostfix1-2.5.1-2.1mdv2008.1.i586.rpm
 506d51b49e9c8c0e439fc8bc4c63ba29  2008.1/i586/postfix-2.5.1-2.1mdv2008.1.i586.rpm
 34ef86dd70c956f2a99bdfac81183e09  2008.1/i586/postfix-ldap-2.5.1-2.1mdv2008.1.i586.rpm
 1d07b91d48c60906f28b8a2eba99ca1c  2008.1/i586/postfix-mysql-2.5.1-2.1mdv2008.1.i586.rpm
 70ba3c286521579fc49a54bba84472dd  2008.1/i586/postfix-pcre-2.5.1-2.1mdv2008.1.i586.rpm
 dca57a1b0579a8418ad10aac03322b2e  2008.1/i586/postfix-pgsql-2.5.1-2.1mdv2008.1.i586.rpm 
 0f3cb76c3893354103745ee331942f0d  2008.1/SRPMS/postfix-2.5.1-2.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 16d38a5b0b47edb0fc3395c63511bd6c  2008.1/x86_64/lib64postfix1-2.5.1-2.1mdv2008.1.x86_64.rpm
 546f25ac9ea5aa167b9282bd8d4f537a  2008.1/x86_64/postfix-2.5.1-2.1mdv2008.1.x86_64.rpm
 f1a917d26a5366044e570f6571c2fb10  2008.1/x86_64/postfix-ldap-2.5.1-2.1mdv2008.1.x86_64.rpm
 4b2f2a4d53ef97dbd2c609afc9e61c77  2008.1/x86_64/postfix-mysql-2.5.1-2.1mdv2008.1.x86_64.rpm
 266433d35cd238e9132b6225bc5d1258  2008.1/x86_64/postfix-pcre-2.5.1-2.1mdv2008.1.x86_64.rpm
 78f8df45bf1c009701112a60294ccdeb  2008.1/x86_64/postfix-pgsql-2.5.1-2.1mdv2008.1.x86_64.rpm 
 0f3cb76c3893354103745ee331942f0d  2008.1/SRPMS/postfix-2.5.1-2.1mdv2008.1.src.rpm

 Corporate 3.0:
 7d6dc0a422fa43c691a6819a9954d29c  corporate/3.0/i586/libpostfix1-2.1.1-0.4.C30mdk.i586.rpm
 6c90a40a69bcd261d1fff8124d087d48  corporate/3.0/i586/postfix-2.1.1-0.4.C30mdk.i586.rpm
 9e3468e37e512a5207a982ba606d8fb8  corporate/3.0/i586/postfix-ldap-2.1.1-0.4.C30mdk.i586.rpm
 8018f6af47a5659396a3d903c27b33d4  corporate/3.0/i586/postfix-mysql-2.1.1-0.4.C30mdk.i586.rpm
 ac40a515260bd75fe00c5e1610b11e7b  corporate/3.0/i586/postfix-pcre-2.1.1-0.4.C30mdk.i586.rpm
 f8675212bf047f8373846efe438d6e34  corporate/3.0/i586/postfix-pgsql-2.1.1-0.4.C30mdk.i586.rpm 
 0b9d6b89f64cf5c5ba64d4234ba958d3  corporate/3.0/SRPMS/postfix-2.1.1-0.4.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 f695f71cf4e3cff94b76ffaa79e79276  corporate/3.0/x86_64/lib64postfix1-2.1.1-0.4.C30mdk.x86_64.rpm
 479831782b7e851ee64b8686e5435742  corporate/3.0/x86_64/postfix-2.1.1-0.4.C30mdk.x86_64.rpm
 a52bf688f3f842c8062ca1e43748a442  corporate/3.0/x86_64/postfix-ldap-2.1.1-0.4.C30mdk.x86_64.rpm
 e286020374420577f7372bf98b3145f0  corporate/3.0/x86_64/postfix-mysql-2.1.1-0.4.C30mdk.x86_64.rpm
 7c4d75cb5df1951918a3baf56aff0dcd  corporate/3.0/x86_64/postfix-pcre-2.1.1-0.4.C30mdk.x86_64.rpm
 e1b6ff7a49ab9dbd1cc8559ec9a747fe  corporate/3.0/x86_64/postfix-pgsql-2.1.1-0.4.C30mdk.x86_64.rpm 
 0b9d6b89f64cf5c5ba64d4234ba958d3  corporate/3.0/SRPMS/postfix-2.1.1-0.4.C30mdk.src.rpm

 Corporate 4.0:
 c7e11fa492370b389f507fc3ae2b1d4a  corporate/4.0/i586/libpostfix1-2.3.5-0.2.20060mlcs4.i586.rpm
 f78b08147813d142dbebccfa3f2d1fc1  corporate/4.0/i586/postfix-2.3.5-0.2.20060mlcs4.i586.rpm
 982fb6adba17ab2acfd477323a55db4c  corporate/4.0/i586/postfix-ldap-2.3.5-0.2.20060mlcs4.i586.rpm
 163b41ad32263b2a319720144153f5af  corporate/4.0/i586/postfix-mysql-2.3.5-0.2.20060mlcs4.i586.rpm
 7be21bfdc0f6e70d6da173d5005516f8  corporate/4.0/i586/postfix-pcre-2.3.5-0.2.20060mlcs4.i586.rpm
 26c0b02352463bd5c33b67c146330701  corporate/4.0/i586/postfix-pgsql-2.3.5-0.2.20060mlcs4.i586.rpm 
 f9251f61013674ae03a5122d8c5cfd25  corporate/4.0/SRPMS/postfix-2.3.5-0.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 91d8789d61bc41409d96b0442ffb8d13  corporate/4.0/x86_64/lib64postfix1-2.3.5-0.2.20060mlcs4.x86_64.rpm
 db6e1d07cd48fd215db13b6c0812629f  corporate/4.0/x86_64/postfix-2.3.5-0.2.20060mlcs4.x86_64.rpm
 6d57adb992f1903344a12c213116e2d9  corporate/4.0/x86_64/postfix-ldap-2.3.5-0.2.20060mlcs4.x86_64.rpm
 c3217315a710dddef6addc566542dbef  corporate/4.0/x86_64/postfix-mysql-2.3.5-0.2.20060mlcs4.x86_64.rpm
 21db2224670acce491ff87269f21ec5e  corporate/4.0/x86_64/postfix-pcre-2.3.5-0.2.20060mlcs4.x86_64.rpm
 89d5796c4d94bb6ab1ef26de400d032f  corporate/4.0/x86_64/postfix-pgsql-2.3.5-0.2.20060mlcs4.x86_64.rpm 
 f9251f61013674ae03a5122d8c5cfd25  corporate/4.0/SRPMS/postfix-2.3.5-0.2.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIpbu8mqjQ0CJFipgRApsdAJ0XV7YMQObXpiNScy6r/ct8BPjTIACg0mow
TLWvKH+6JSz18dJfpEjIxFw=
=rHfX
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ