Search...

Fedora Update for postfix FEDORA-2011-6771

2011-05-23T00:00:00

ID OPENVAS:863097
Type openvas
Reporter Copyright (c) 2011 Greenbone Networks GmbH
Modified 2017-07-10T00:00:00

Description

Check for the Version of postfix

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for postfix FEDORA-2011-6771
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

include("revisions-lib.inc");
tag_affected = "postfix on Fedora 14";
tag_insight = "Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),
  TLS";
tag_solution = "Please Install the Updated Packages.";


if(description)
{
  script_xref(name : "URL" , value : "http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060216.html");
  script_id(863097);
  script_version("$Revision: 6626 $");
  script_tag(name:"last_modification", value:"$Date: 2017-07-10 08:30:10 +0200 (Mon, 10 Jul 2017) $");
  script_tag(name:"creation_date", value:"2011-05-23 16:55:31 +0200 (Mon, 23 May 2011)");
  script_tag(name:"cvss_base", value:"6.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_xref(name: "FEDORA", value: "2011-6771");
  script_cve_id("CVE-2011-1720", "CVE-2011-0411");
  script_name("Fedora Update for postfix FEDORA-2011-6771");

  script_summary("Check for the Version of postfix");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
  script_family("Fedora Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms");
  script_tag(name : "affected" , value : tag_affected);
  script_tag(name : "insight" , value : tag_insight);
  script_tag(name : "solution" , value : tag_solution);
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");
  exit(0);
}


include("pkg-lib-rpm.inc");

release = get_kb_item("ssh/login/release");


res = "";
if(release == NULL){
  exit(0);
}

if(release == "FC14")
{

  if ((res = isrpmvuln(pkg:"postfix", rpm:"postfix~2.7.4~1.fc14", rls:"FC14")) != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if (__pkg_match) exit(99); # Not vulnerable.
  exit(0);
}

JSON Vulners Source

Initial Source

{"bulletinFamily": "scanner", "viewCount": 0, "naslFamily": "Fedora Local Security Checks", "reporter": "Copyright (c) 2011 Greenbone Networks GmbH", "references": ["2011-6771", "http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060216.html"], "description": "Check for the Version of postfix", "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "0bf5c2dc8ae67fff0fbec1c8226c1608"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "description", "hash": "056fec3075248a5edbfb103f49b274aa"}, {"key": "href", "hash": "05a56bc034d9aa0a8901a702e3ead32b"}, {"key": "modified", "hash": "0d134bf170d66438eb1e01173ee0187f"}, {"key": "naslFamily", "hash": "be931514784f88df80712740ad2723e7"}, {"key": "pluginID", "hash": "d658985446b4501604a814aa2cb4c2ff"}, {"key": "published", "hash": "467d070857059ad241b7b550c7a6d2d7"}, {"key": "references", "hash": "797ad911eb95909acc0beee5005f077c"}, {"key": "reporter", "hash": "5b3e78bf2118fdcf240d0771f3c6039e"}, {"key": "sourceData", "hash": "c1fec7ed59ea40d7b7e9888b83e8e874"}, {"key": "title", "hash": "b3ee2b6dda3c25929b2546aec32e76a1"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "href": "http://plugins.openvas.org/nasl.php?oid=863097", "modified": "2017-07-10T00:00:00", "objectVersion": "1.3", "enchantments": {"score": {"value": 7.7, "vector": "NONE", "modified": "2017-07-25T10:55:23", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-0411", "CVE-2011-1720"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:25899", "SECURITYVULNS:DOC:26327", "SECURITYVULNS:VULN:11661"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-201206-33.NASL", "DEBIAN_DSA-2233.NASL", "POSTFIX_MEMORY_CORRUPTION.NASL", "SUSE_11_POSTFIX-110504.NASL", "FEDORA_2011-6771.NASL", "SUSE_11_2_POSTFIX-110510.NASL", "POSTFIX_MEMORY_CORRUPTION_EXPLOIT.NASL", "FEDORA_2011-6777.NASL", "SUSE_11_4_POSTFIX-110510.NASL", "SUSE9_12707.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310863097", "OPENVAS:863100", "OPENVAS:69733", "OPENVAS:71559", "OPENVAS:1361412562310863100", "OPENVAS:136141256231069733", "OPENVAS:880509", "OPENVAS:136141256231071559", "OPENVAS:1361412562310840658", "OPENVAS:1361412562310902517"]}, {"type": "gentoo", "idList": ["GLSA-201206-33"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2233-1:FE66E"]}, {"type": "suse", "idList": ["SUSE-SA:2011:023"]}, {"type": "centos", "idList": ["CESA-2011:0843"]}, {"type": "freebsd", "idList": ["3EB2C100-738B-11E0-89F4-001E90D46635", "14A6F516-502F-11E0-B448-BBFA2731F9C7"]}, {"type": "cert", "idList": ["VU:727230"]}, {"type": "ubuntu", "idList": ["USN-1131-1"]}, {"type": "nmap", "idList": ["NMAP:SMTP-VULN-CVE2011-1720.NSE"]}, {"type": "oraclelinux", "idList": ["ELSA-2011-0843", "ELSA-2011-0423"]}, {"type": "redhat", "idList": ["RHSA-2011:0843", "RHSA-2011:0423"]}, {"type": "seebug", "idList": ["SSV:20542"]}], "modified": "2017-07-25T10:55:23", "rev": 2}, "vulnersScore": 7.7}, "id": "OPENVAS:863097", "title": "Fedora Update for postfix FEDORA-2011-6771", "hash": "e8cff6c9d6023e4177a00b58fb29f0e4e27ac7b7aa98ee4bae4547254eac4c10", "edition": 2, "published": "2011-05-23T00:00:00", "type": "openvas", "history": [{"lastseen": "2017-07-02T21:13:29", "bulletin": {"hash": "5d9e1468678b5edc4ffc31ab64fee4286c8f3cd6156f4295eeab70876498a540", "viewCount": 0, "reporter": "Copyright (c) 2011 Greenbone Networks GmbH", "references": ["2011-6771", "http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060216.html"], "description": "Check for the Version of postfix", "hashmap": [{"key": "modified", "hash": "6b744f6cc99eb0b6fa467773215c68fb"}, {"key": "cvelist", "hash": "0bf5c2dc8ae67fff0fbec1c8226c1608"}, {"key": "reporter", "hash": "5b3e78bf2118fdcf240d0771f3c6039e"}, {"key": "href", "hash": "05a56bc034d9aa0a8901a702e3ead32b"}, {"key": "references", "hash": "797ad911eb95909acc0beee5005f077c"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}, {"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "title", "hash": "b3ee2b6dda3c25929b2546aec32e76a1"}, {"key": "naslFamily", "hash": "be931514784f88df80712740ad2723e7"}, {"key": "published", "hash": "467d070857059ad241b7b550c7a6d2d7"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "sourceData", "hash": "7bda5c082faa2d4a902ab8e1b21f1a49"}, {"key": "description", "hash": "056fec3075248a5edbfb103f49b274aa"}, {"key": "pluginID", "hash": "d658985446b4501604a814aa2cb4c2ff"}], "naslFamily": "Fedora Local Security Checks", "modified": "2016-04-15T00:00:00", "objectVersion": "1.3", "href": "http://plugins.openvas.org/nasl.php?oid=863097", "published": "2011-05-23T00:00:00", "enchantments": {}, "id": "OPENVAS:863097", "title": "Fedora Update for postfix FEDORA-2011-6771", "bulletinFamily": "scanner", "edition": 1, "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for postfix FEDORA-2011-6771\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"postfix on Fedora 14\";\ntag_insight = \"Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\n TLS\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060216.html\");\n script_id(863097);\n script_version(\"$Revision: 3085 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-04-15 15:26:37 +0200 (Fri, 15 Apr 2016) $\");\n script_tag(name:\"creation_date\", value:\"2011-05-23 16:55:31 +0200 (Mon, 23 May 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2011-6771\");\n script_cve_id(\"CVE-2011-1720\", \"CVE-2011-0411\");\n script_name(\"Fedora Update for postfix FEDORA-2011-6771\");\n\n script_summary(\"Check for the Version of postfix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"HostDetails/OS/cpe:/o:fedoraproject:fedora\", \"login/SSH/success\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.7.4~1.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "type": "openvas", "history": [], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "cvelist": ["CVE-2011-1720", "CVE-2011-0411"], "lastseen": "2017-07-02T21:13:29", "pluginID": "863097"}, "differentElements": ["modified", "sourceData"], "edition": 1}], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "cvelist": ["CVE-2011-1720", "CVE-2011-0411"], "lastseen": "2017-07-25T10:55:23", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for postfix FEDORA-2011-6771\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"postfix on Fedora 14\";\ntag_insight = \"Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\n TLS\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060216.html\");\n script_id(863097);\n script_version(\"$Revision: 6626 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:30:10 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-05-23 16:55:31 +0200 (Mon, 23 May 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2011-6771\");\n script_cve_id(\"CVE-2011-1720\", \"CVE-2011-0411\");\n script_name(\"Fedora Update for postfix FEDORA-2011-6771\");\n\n script_summary(\"Check for the Version of postfix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.7.4~1.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "pluginID": "863097"}

{"cve": [{"lastseen": "2019-05-29T18:11:10", "bulletinFamily": "NVD", "description": "The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x before 2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL authentication methods are enabled, does not create a new server handle after client authentication fails, which allows remote attackers to cause a denial of service (heap memory corruption and daemon crash) or possibly execute arbitrary code via an invalid AUTH command with one method followed by an AUTH command with a different method.", "modified": "2018-10-09T19:31:00", "id": "CVE-2011-1720", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1720", "published": "2011-05-13T17:05:00", "title": "CVE-2011-1720", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:11:05", "bulletinFamily": "NVD", "description": "The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a \"plaintext command injection\" attack.", "modified": "2017-08-17T01:33:00", "id": "CVE-2011-0411", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0411", "published": "2011-03-16T22:55:00", "title": "CVE-2011-0411", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:40", "bulletinFamily": "software", "description": "[On-line version will be at http://www.postfix.org/CVE-2011-1720.html]\r\n\r\nSummary\r\n=======\r\n\r\nThe Postfix SMTP server has a memory corruption error when the Cyrus\r\nSASL library is used with authentication mechanisms other than PLAIN\r\nand LOGIN (the ANONYMOUS mechanism is unaffected but should not be\r\nenabled for different reasons). See below for instructions to\r\ndetermine what systems are affected.\r\n\r\nExamples of affected Cyrus SASL authentication methods are CRAM-MD5,\r\nDIGEST-MD5, EXTERNAL, GSSAPI, KERBEROS_V4, NTLM, OTP, PASSDSS-3DES-1,\r\nand SRP.\r\n\r\nThe error was introduced with the Postfix SASL patch, and is present\r\nin all Postfix versions where the command "postconf mail_release_date"\r\nreports a value of 20000314 (March 14, 2000) or greater.\r\n\r\nThis problem was discovered by Thomas Jarosch of Intra2net AG.\r\n\r\nThe memory corruption is known to result in a program crash (SIGSEV).\r\nRemote code execution cannot be excluded. Such code would execute\r\nas the unprivileged "postfix" user. This user has no control over\r\nprocesses that run with non-postfix privileges including Postfix\r\nprocesses running as root; the impact may be reduced with configurations\r\nthat enable the Postfix chroot feature or that use platform-dependent\r\nprivilege-reducing features.\r\n\r\nThe problem is fixed in Postfix stable releases 2.5.13, 2.6.10,\r\n2.7.4, 2.8.3; in the Postfix 2.9 development release as of May 1,\r\n2011; patches exist for Postfix version 1.1 and later. All this is\r\navailable from Postfix mirrors at http://www.postfix.org/download.html.\r\n\r\nWhat systems are affected\r\n=========================\r\n\r\nThe Postfix SMTP client is not affected.\r\n\r\nAffected are Postfix SMTP server configurations that have SASL\r\nauthentication turned on, and that use Cyrus SASL authentication\r\nmechanisms other than ANONYMOUS, PLAIN and LOGIN. Here,\r\n\r\n * the command "postconf smtpd_sasl_auth_enable" produces as output\r\n "smtpd_sasl_auth_enable = yes";\r\n\r\n * and the command "postconf smtpd_sasl_type" produces as output\r\n "smtpd_sasl_type = cyrus" (or "smtpd_sasl_type: unknown\r\n parameter");\r\n\r\n * and the Postfix SMTP server's reply to the EHLO command shows\r\n AUTH methods other than ANONYMOUS, PLAIN and LOGIN. Examples\r\n of other methods are CRAM-MD5 or DIGEST-MD5.\r\n\r\n Example for the "port 25" service:\r\n\r\n $ telnet server.example.com 25\r\n Connected to server.example.com.\r\n Escape character is '^]'.\r\n 220 server.example.com ESMTP Postfix\r\n ehlo client.example.com\r\n 250-server.example.com\r\n 250-PIPELINING\r\n 250-SIZE 10240000\r\n 250-STARTTLS\r\n 250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5\r\n 250-AUTH=DIGEST-MD5 LOGIN PLAIN CRAM-MD5\r\n 250-ENHANCEDSTATUSCODES\r\n 250-8BITMIME\r\n 250 DSN\r\n quit\r\n 221 2.0.0 Bye\r\n Connection closed by foreign host.\r\n\r\n Example for the "port 587" (submission) service. This service\r\n is not enabled by default.\r\n\r\n $ openssl s_client -quiet -starttls smtp -connect server.example.com:587\r\n [TLS handshake information deleted]\r\n 250 DSN\r\n ehlo client.example.com\r\n 250-server.example.com\r\n 250-PIPELINING\r\n 250-SIZE 10240000\r\n 250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5\r\n 250-AUTH=DIGEST-MD5 LOGIN PLAIN CRAM-MD5\r\n 250-ENHANCEDSTATUSCODES\r\n 250-8BITMIME\r\n 250 DSN\r\n quit\r\n 221 2.0.0 Bye\r\n\r\nAlthough it is not affected, the ANONYMOUS authentication mechanism\r\nshould not be enabled as it can make an SMTP server an open relay.\r\n\r\nWhat systems are not affected\r\n=============================\r\n\r\nThe Postfix SMTP client is not affected.\r\n\r\nNot affected are Postfix SMTP server configurations that have SASL\r\nauthentication turned off, including configurations without SASL\r\nsupport compiled in. Here, the command "postconf smtpd_sasl_auth_enable"\r\nproduces as output "smtpd_sasl_auth_enable = no".\r\n\r\nNot affected are Postfix SMTP server configurations that use Dovecot\r\nSASL instead of Cyrus SASL. Here, the command "postconf smtpd_sasl_type"\r\nproduces as output "smtpd_sasl_type = dovecot".\r\n\r\nNot affected are Postfix SMTP server configurations that enable\r\nCyrus SASL support with only the PLAIN or LOGIN methods, or both.\r\nHere,\r\n\r\n * the command "postconf smtpd_sasl_auth_enable" produces as output\r\n "smtpd_sasl_auth_enable = yes";\r\n\r\n * and the command "postconf smtpd_sasl_type" produces as output\r\n "smtpd_sasl_type = cyrus" (or "smtpd_sasl_type: unknown\r\n parameter");\r\n\r\n * and the Postfix SMTP server's reply to the EHLO command shows\r\n only AUTH mechanisms of PLAIN, LOGIN, or both.\r\n\r\n Example for the "port 25" service:\r\n\r\n $ telnet server.example.com 25\r\n Connected to server.example.com.\r\n Escape character is '^]'.\r\n 220 server.example.com ESMTP Postfix\r\n ehlo client.example.com\r\n 250-server.example.com\r\n 250-PIPELINING\r\n 250-SIZE 10240000\r\n 250-STARTTLS\r\n 250-AUTH LOGIN PLAIN\r\n 250-AUTH=LOGIN PLAIN\r\n 250-ENHANCEDSTATUSCODES\r\n 250-8BITMIME\r\n 250 DSN\r\n quit\r\n 221 2.0.0 Bye\r\n Connection closed by foreign host.\r\n\r\n Example for the "port 587" (submission) service. This service\r\n is not enabled by default.\r\n\r\n $ openssl s_client -quiet -starttls smtp -connect server.example.com:587\r\n [TLS handshake information deleted]\r\n 250 DSN\r\n ehlo client.example.com\r\n 250-server.example.com\r\n 250-PIPELINING\r\n 250-SIZE 10240000\r\n 250-AUTH LOGIN PLAIN\r\n 250-AUTH=LOGIN PLAIN\r\n 250-ENHANCEDSTATUSCODES\r\n 250-8BITMIME\r\n 250 DSN\r\n quit\r\n 221 2.0.0 Bye\r\n\r\nNot affected is the ANONYMOUS authentication mechanism, but this\r\nshould not be enabled as it can make an SMTP server an open relay.\r\n\r\nWorkarounds\r\n===========\r\n\r\nDisable Cyrus SASL authentication mechanisms for the Postfix SMTP\r\nserver other than PLAIN and LOGIN. The mechanisms are specified in\r\na Cyrus SASL smtpd.conf configuration file. This file may be found\r\nin /etc/postfix/sasl/, /var/lib/ sasl2/, /etc/sasl2/, /usr/lib/sasl2/\r\nor /usr/local/lib/sasl2/.\r\n\r\nIn this file, update the "mech_list:" entry and remove any methods\r\nother than PLAIN and LOGIN. For example, this configuration is not\r\naffected:\r\n\r\n mech_list: PLAIN LOGIN\r\n\r\nExecute the command "postfix reload" to make the change effective,\r\nthen verify that the "port 25" and "port 587" services no longer\r\nannounce other SASL mechanisms, as shown in the previous section.\r\n\r\nTechnical details\r\n=================\r\n\r\nThe Postfix SMTP server creates a SASL handle for each SMTP session,\r\nwhen SASL authentication is enabled. The Postfix SMTP server will\r\nuse this SASL handle until it closes the SMTP connection (the Postfix\r\nSMTP server may create a new server SASL handle when the client and\r\nserver agree to switch from a plaintext session to a TLS-encrypted\r\nsession, but this does not eliminate the memory corruption problem).\r\n\r\nAccording to a comment in a Cyrus SASL include source file, a server\r\nmust not reuse a Cyrus SASL server handle after client authentication\r\nfailure. Instead, a server must create a new Cyrus SASL server\r\nhandle including mechanism list, before processing another client\r\nauthentication request.\r\n\r\nThe Postfix SMTP server fails to create a new Cyrus SASL server\r\nhandle after authentication failure. This causes memory corruption\r\nwhen, for example, a client requests CRAM-MD5 authentication, fails\r\nto authenticate, and then invokes some other authentication mechanism\r\nexcept PLAIN (or ANONYMOUS if available). The likely outcome is\r\nthat the Postfix SMTP server process crashes with a segmentation\r\nviolation error (SIGSEGV, a.k.a. signal 11).\r\n\r\nIn the following example, S: indicates server output and C: indicates\r\nclient input. Line numbers are prepended for reference in the\r\nbackground discussion in the next section.\r\n\r\n 1 S: 220 server.example.com ESMTP\r\n 2 C: EHLO client.example.com\r\n 3 S: 250-server.example.com\r\n 4 S: ...other server output skipped...\r\n 5 S: 250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5\r\n 6 S: 250-AUTH=DIGEST-MD5 LOGIN PLAIN CRAM-MD5\r\n 7 S: ...other server output skipped...\r\n 8 C: AUTH CRAM-MD5\r\n 9 S: 334 PDg5ODE0OTI3MS4xMDQyMTg1OUBzZXJ2ZXIuZXhhbXBsZS5jb20+Cg==\r\n 10 C: *\r\n 11 S: 501 5.7.0 Authentication aborted\r\n 12 C: AUTH DIGEST-MD5\r\n 13 Connection closed by foreign host.\r\n\r\nIn the mail logfile, Postfix will log a warning similar to:\r\n\r\n postfix/master[2213]: warning: process /usr/libexec/postfix/smtpd\r\n pid 22585 killed by signal 11\r\n\r\nBackground\r\n==========\r\n\r\nEach Cyrus SASL authentication mechanism is implemented with a) one\r\nstatically-allocated shared data structure containing data and\r\npointers to functions that implement the mechanism, and b)\r\ndynamically-allocated session context data structures with\r\nauthentication state.\r\n\r\nWhen the Postfix SMTP server receives "AUTH CRAM-MD5" (line 8 above),\r\nthe Cyrus SASL CRAM-MD5 method initializes one CRAM-MD5 session\r\ncontext data structure, and generates the "step 1" initial client\r\nchallenge which the Postfix SMTP server sends in line 9 above.\r\n\r\nWhen the SMTP client sends "*" to abort the CRAM-MD5 authentication\r\nrequest (line 10 above), the CRAM-MD5 session context data structure\r\nremains attached to the Cyrus SASL server handle. Postfix fails to\r\ncreate a new Cyrus SASL server handle when the client sends the\r\nsubsequent "AUTH DIGEST-MD5" request (line 12 above); the DIGEST-MD5\r\nmethod will therefore use the "wrong" session context data structure\r\n(which was created after the "AUTH CRAM-MD5" request on line 8),\r\nand will skip its "step 1" challenge.\r\n\r\nEach Cyrus SASL authentication method has a different context data\r\nstructure layout. Because of these differences, the bits from the\r\nCRAM-MD5 method's context data structure will not work as intended\r\nwith the DIGEST-MD5 method. As shown in the stack trace below, the\r\nPostfix SMTP server process crashes in "step 2" of the DIGEST-MD5\r\nauthentication protocol. This happens while attempting to read from\r\na pointer that contains an invalid address.\r\n\r\nIn this particular example, the Postfix SMTP server crashes while\r\nrunning under control of the GDB debugger (see the Postfix master(5)\r\nmanpage discussion of the -D option), while processing the SMTP\r\ncommands shown in the example above.\r\n\r\n(gdb) where\r\n#0 0x884bbedf in clear_reauth_entry (reauth=0x206e6f69, type=SERVER,\r\n utils=0x88534400) at digestmd5.c:1579\r\n#1 0x884be648 in digestmd5_server_mech_step2 (stext=0x88518150,\r\n sparams=0x8850c840, clientin=0x0, clientinlen=0, serverout=0xbfbfe140,\r\n serveroutlen=0xbfbfe144, oparams=0x8855e860) at digestmd5.c:2588\r\n#2 0x884be9c5 in digestmd5_server_mech_step (conn_context=0x88518150,\r\n sparams=0x8850c840, clientin=0x0, clientinlen=0, serverout=0xbfbfe140,\r\n serveroutlen=0xbfbfe144, oparams=0x8855e860) at digestmd5.c:2689\r\n#3 0x882a51e9 in sasl_server_step (conn=0x8855e000, clientin=0x0,\r\n clientinlen=0, serverout=0xbfbfe140, serveroutlen=0xbfbfe144)\r\n at server.c:1430\r\n#4 0x882a5002 in sasl_server_start (conn=0x8855e000, mech=0x8854dc08\r\n "DIGEST-MD5", clientin=0x0, clientinlen=0, serverout=0xbfbfe140,\r\n serveroutlen=0xbfbfe144) at server.c:1362\r\n#5 0x08066bf7 in xsasl_cyrus_server_first (xp=0x8851af18,\r\n sasl_method=0x8854dc08 "DIGEST-MD5", init_response=0x0,\r\n reply=0x8851aee8) at xsasl_cyrus_server.c:529\r\n[Remainder of stack trace omitted for brevity]\r\n\r\nThis stack trace was obtained after informing the GDB debugger of\r\nSASL authentication methods that are linked in at runtime (example:\r\n"add-symbol-file /usr/local/lib/sasl2/libdigestmd5.so.2 0x884b8e50").\r\nWithout that information, GDB reports a corrupted stack, because\r\nit does not know that the program is executing legitimate code.\r\n\r\nImpact analysis\r\n===============\r\n\r\nWhat context data structure bits does the DIGEST-MD5 method inherit\r\nfrom the aborted CRAM-MD5 authentication request? As mentioned\r\nearlier, different Cyrus SASL authentication methods have different\r\nper-session context data structures. In particular, the CRAM-MD5\r\nmethod uses a small structure while DIGEST-MD5 uses a larger one.\r\n\r\nThe DIGEST-MD5 method will therefore access memory outside the block\r\nthat was allocated during the aborted CRAM-MD5 request. That is,\r\nit accesses random memory on the heap. The contents of that memory\r\nwill depend on the malloc implementation and on the program execution\r\nhistory.\r\n\r\nVersion 2.1.23 of the Cyrus SASL library implements 12 authentication\r\nmethods. Of these, 9 methods maintain server session context data\r\nstructures that contain some mix of data and data pointers. When\r\nthese are read from random heap memory, or from a structure that\r\nwas allocated for a different SASL mechanism, all kinds of things\r\ncould happen. This is why remote code execution cannot be excluded.\r\n\r\nWhy the Cyrus SASL PLAIN and LOGIN methods are not affected\r\n===========================================================\r\n\r\nThere is no memory corruption problem with the "AUTH PLAIN" method,\r\nbecause this does not use or create a dynamically-allocated session\r\ncontext data structure. In particular, sending "AUTH LOGIN" after\r\naborting or failing an "AUTH PLAIN" request does not result in\r\nmemory corruption, because the PLAIN authentication method does not\r\nallocate a session context data structure. Also, sending "AUTH\r\nPLAIN" after aborting or failing an "AUTH LOGIN" request does not\r\nresult in memory corruption, because the PLAIN authentication method\r\nignores the per-session context data structure that is created by\r\nthe LOGIN authentication method. Finally, there is no memory\r\ncorruption when the LOGIN authentication method inherits a session\r\ncontext data structure from an aborted or failed "AUTH LOGIN"\r\nrequest.\r\n\r\nIt is for these reasons that Postfix SMTP servers with Cyrus SASL\r\nsupport for only PLAIN and LOGIN are not affected. Fortunately,\r\nPLAIN + LOGIN is the most commonly-used configuration, usually\r\ncombined with TLS encryption to protect passwords on the wire. There\r\nwill be a minor memory leak, but the Postfix SMTP server limits the\r\nnumber of failed requests and thereby limits the leak.\r\n\r\nThere is no memory corruption problem with the "AUTH ANONYMOUS"\r\nmethod, because just like "AUTH PLAIN" this does not create or use\r\na dynamically-allocated session context data structure. However,\r\n"AUTH ANONYMOUS" support should not be enabled as it can make an\r\nSMTP server an open relay.\r\n\r\nTimeline\r\n========\r\n\r\n * April 8, 2011: Thomas Jarosch (Intra2net AG) reported the\r\n problem.\r\n\r\n * April 18, 2011: After completing a detailed analysis of what\r\n configurations are affected, and after testing solutions for\r\n Postfix 1.1 .. 2.9, Wietse asked CERT/CC to notify vendors.\r\n Thank you, CERT/CC.\r\n\r\n * April 20, 2011: Pre-release versions available for Postfix 2.5\r\n .. 2.8 and patches for Postfix 1.1 .. 2.9.\r\n\r\n * Most vendors honored Wietse's request to avoid non-public\r\n information in plaintext email headers or content. The exceptions\r\n were SUSE and Red Hat. Shame on you, SUSE and Red Hat.\r\n\r\n * May 9, 2011: Announcement and public release of fixes.", "modified": "2011-05-10T00:00:00", "published": "2011-05-10T00:00:00", "id": "SECURITYVULNS:DOC:26327", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26327", "title": "Memory corruption in Postfix SMTP server Cyrus SASL support (CVE-2011-1720)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:42", "bulletinFamily": "software", "description": "Memory corruption if Cyrus SASL library is used for CRAM authentications.", "modified": "2011-05-10T00:00:00", "published": "2011-05-10T00:00:00", "id": "SECURITYVULNS:VULN:11661", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11661", "title": "Postfix memory corruption", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:39", "bulletinFamily": "software", "description": "This is a writeup about a flaw that I found recently, and that\r\nexisted in multiple implementations of SMTP (Simple Mail Transfer\r\nProtocol) over TLS (Transport Layer Security) including my Postfix\r\nopen source mailserver. I give an overview of the problem and its\r\nimpact, how to find out if a server is affected, fixes, and draw\r\nlessons about where we can expect similar problems. A time line\r\nis at the end.\r\n\r\nFor further reading:\r\nhttp://www.kb.cert.org/vuls/id/555316 \r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0411\r\nhttp://www.postfix.org/CVE-2011-0411.html (extended writeup)\r\n\r\n Wietse\r\n\r\nProblem overview and impact\r\n===========================\r\n\r\nThe TLS protocol encrypts communication and protects it against\r\nmodification by other parties. This protection exists only if a)\r\nsoftware is free of flaws, and b) clients verify the server's TLS\r\ncertificate, so that there can be no "man in the middle" (servers\r\nusually don't verify client certificates).\r\n\r\nThe problem discussed in this writeup is caused by a software flaw.\r\nThe flaw allows an attacker to inject client commands into an SMTP\r\nsession during the unprotected plaintext SMTP protocol phase (more\r\non that below), such that the server will execute those commands\r\nduring the SMTP-over-TLS protocol phase when all communication is\r\nsupposed to be protected.\r\n\r\nThe injected commands could be used to steal the victim's email or\r\nSASL (Simple Authentication and Security Layer) username and password.\r\n\r\nThis is not as big a problem as it may appear to be. The reason\r\nis that many SMTP client applications don't verify server TLS\r\ncertificates. These SMTP clients are always vulnerable to command\r\ninjection and other attacks. Their TLS sessions are only encrypted\r\nbut not protected.\r\n\r\nA similar plaintext injection flaw may exist in the way SMTP clients\r\nhandle SMTP-over-TLS server responses, but its impact is less\r\ninteresting than the server-side flaw.\r\n\r\nSMTP is not the only protocol with a mid-session switch from plaintext\r\nto TLS. Other examples are POP3, IMAP, NNTP and FTP. Implementations\r\nof these protocols may be affected by the same flaw as discussed here.\r\n\r\nDemonstration\r\n=============\r\n\r\nThe problem is easy to demonstrate with a one-line change to the\r\nOpenSSL s_client command source code (I would prefer scripting, but\r\nhaving to install Perl CPAN modules and all their dependencies is\r\nmore work than downloading a .tar.gz file from openssl.org, adding\r\neight characters to one line, and doing "./config; make").\r\n\r\nThe OpenSSL s_client command can make a connection to servers that\r\nsupport straight TLS, SMTP over TLS, or a handful other protocols\r\nover TLS. The demonstration with SMTP over TLS involves a one-line\r\nchange in the OpenSSL s_client source code (with OpenSSL 1.0.0, at\r\nline 1129 of file apps/s_client.c).\r\n\r\nOld: BIO_printf(sbio,"STARTTLS\r\n");\r\nNew: BIO_printf(sbio,"STARTTLS\r\nRSET\r\n");\r\n\r\nWith this change, the s_client command sends the plaintext STARTTLS\r\ncommand ("let's turn on TLS") immediately followed by an RSET command\r\n(a relatively harmless protocol "reset"). Both commands are sent\r\nas plaintext in the same TCP/IP packet, and arrive together at the\r\nserver. The "\r\n" are the carriage-return and newline characters;\r\nthese are necessary to terminate an SMTP command.\r\n\r\nWhen an SMTP server has the plaintext injection flaw, it reads the\r\nSTARTTLS command first, switches to SMTP-over-TLS mode, and only\r\nthen the server reads the RSET command. Note, the RSET command was\r\ntransmitted during the plaintext SMTP phase when there is no\r\nprotection, but the server reads the command as if it was received\r\nover the TLS-protected channel.\r\n\r\nThus, when the SMTP server has the flaw, the s_client command output\r\nwill show two "250" SMTP server responses instead of one. The first\r\n"250" response is normal, and is present even when the server is\r\nnot flawed. The second "250" response is for the RSET command, and\r\nindicates that the SMTP server has the plaintext injection flaw.\r\n\r\n $ apps/openssl s_client -quiet -starttls smtp -connect server:port\r\n [some server TLS certificate details omitted]\r\n 250 some text here <=== Normal response, also with "good" server.\r\n 250 more text here <=== RSET response, only with flawed server.\r\n\r\nAnatomy of the flaw: it's all about the plumbing\r\n================================================\r\n\r\nWhether a program may have the plaintext injection flaw depends on\r\nhow it adjusts the plumbing, as it inserts the TLS protocol layer\r\nin-between the SMTP protocol layer and the O/S TCP/IP protocol\r\nlayer. I illustrate this with examples from three open source MTAs:\r\nPostfix, Sendmail and Exim. The diagram below is best viewed with\r\na fixed-width font, for example, from the Courier family.\r\n\r\n Postfix MTA Sendmail MTA Exim MTA\r\n before/after before/after before/after\r\n switch to TLS switch to TLS switch to TLS\r\n\r\n SMTP SMTP SMTP SMTP SMTP SMTP <= SMTP layer\r\n || || || || || ||\r\n stream stream stream stream' || ||\r\n buffers buffers buffers buffers' rw r'w' <= stream layer\r\n rw r'w' rw r'w' || ||\r\n || || || || || ||\r\n || TLS || TLS || TLS <= TLS layer\r\n || || || || || ||\r\n O/S O/S O/S O/S O/S O/S <= TCP/IP layer\r\n\r\nAs shown in the diagram, both Postfix and Sendmail use an application-\r\nlevel stream abstraction, where each stream has properties such as\r\nread/write buffers, read/write functions (indicated with rw), and\r\nother properties that are omitted for brevity.\r\n\r\nWhen Postfix switches to SMTP over TLS, it replaces the plaintext\r\nread/write functions (rw) with the TLS read/write functions (r'w').\r\nPostfix does not modify any of the other stream properties including\r\nthe read/write buffers. A patch for qmail that introduces TLS\r\nsupport uses the same approach. This approach of replacing only\r\nthe stream read/write functions, but not the buffers or other stream\r\nproperties, can introduce the plaintext injection flaw.\r\n\r\nWhen Sendmail switches to SMTP over TLS, it replaces the entire\r\nstream, along with its read/write buffers and read/write functions.\r\nExim, on the other hand, does not seem to have a stream abstraction\r\nlike Postfix, Sendmail or qmail. Instead of replacing streams or\r\nstream properties, Exim replaces plaintext read/write functions\r\nwith TLS read/write functions. Because of their program structure,\r\nSendmail and Exim didn't suffer from the plaintext injection flaw.\r\n\r\nFixing the problem\r\n==================\r\n\r\nThere are two solutions to address the flaw, and both solutions can\r\nbe used together.\r\n\r\n- Report an error when unexpected plaintext is received after the\r\n STARTTLS command. As documented in RFC 3207, STARTTLS must be\r\n the last command in a pipelined group. If plaintext commands are\r\n received after STARTTLS, then that is a protocol violation. \r\n\r\n This measure can also be implemented outside the MTA, for example\r\n in a protocol-aware firewall.\r\n\r\n- If a program uses the same input buffer before and after the\r\n switch to TLS, it should discard the contents of the input buffer,\r\n just like it discards SMTP protocol information that it received\r\n during the plaintext protocol phase.\r\n\r\nConclusion\r\n==========\r\n\r\nThis plaintext injection problem is likely to recur when some\r\ndevelopment moves the plaintext-to-ciphertext switch outside the\r\napplication: for example, into the kernel, into the local hardware,\r\ninto a proxy, or into other infrastructure. This encourages\r\napplications to use the same application-level streams and buffers\r\nand read/write functions before and after the switch to ciphertext.\r\nWhen this migration happens, plaintext injection becomes once more\r\na possibility.\r\n\r\nTime line\r\n=========\r\n\r\nJan 5 2011: While finishing Postfix for its annual release, I found\r\nand fixed this flaw in the SMTP server and client implementations,\r\nwhere it had been sitting ever since TLS support was adopted.\r\n\r\nJan 6-10 2011: As we investigated the scope of the problem, Victor\r\nDuchovni (co-developer) discovered that other implementations were\r\nalso affected including security providers and security appliances.\r\n\r\nJan 11 2011: Contact CERT/CC to help coordinate with the problem's\r\nresolution.\r\n\r\nMar 7 2011: Public announcement, and Postfix legacy release updates.", "modified": "2011-03-10T00:00:00", "published": "2011-03-10T00:00:00", "id": "SECURITYVULNS:DOC:25899", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25899", "title": "Plaintext injection in STARTTLS (multiple implementations)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2020-07-01T02:09:30", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201206-33\n(Postfix: Multiple vulnerabilities)\n\n A vulnerability have been discovered in Postfix. Please review the CVE\n identifier referenced below for details.\n \nImpact :\n\n An attacker could perform a man-in-the-middle attack and inject SMTP\n commands during the plaintext to TLS session switch or might execute\n arbitrary code.\n \nWorkaround :\n\n There is no known workaround at this time.", "modified": "2020-07-02T00:00:00", "id": "GENTOO_GLSA-201206-33.NASL", "href": "https://www.tenable.com/plugins/nessus/59706", "published": "2012-06-26T00:00:00", "title": "GLSA-201206-33 : Postfix: Multiple vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201206-33.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59706);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/07/11 17:09:26\");\n\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1720\");\n script_bugtraq_id(46767, 47778);\n script_xref(name:\"GLSA\", value:\"201206-33\");\n\n script_name(english:\"GLSA-201206-33 : Postfix: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201206-33\n(Postfix: Multiple vulnerabilities)\n\n A vulnerability have been discovered in Postfix. Please review the CVE\n identifier referenced below for details.\n \nImpact :\n\n An attacker could perform a man-in-the-middle attack and inject SMTP\n commands during the plaintext to TLS session switch or might execute\n arbitrary code.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201206-33\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Postfix users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=mail-mta/postfix-2.7.4'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"mail-mta/postfix\", unaffected:make_list(\"ge 2.7.4\"), vulnerable:make_list(\"lt 2.7.4\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Postfix\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T04:25:54", "bulletinFamily": "scanner", "description": "The following bugs have been fixed :\n\n - Remote attackers could potentially exploit a memory\n corruption issue in postfix", "modified": "2020-07-02T00:00:00", "id": "SUSE9_12707.NASL", "href": "https://www.tenable.com/plugins/nessus/53868", "published": "2011-05-11T00:00:00", "title": "SuSE9 Security Update : Postfix (YOU Patch Number 12707)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(53868);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/10/25 13:36:40\");\n\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1720\");\n\n script_name(english:\"SuSE9 Security Update : Postfix (YOU Patch Number 12707)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 9 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The following bugs have been fixed :\n\n - Remote attackers could potentially exploit a memory\n corruption issue in postfix' SASL implementation to\n execute arbitrary code. (CVE-2011-1720)\n\n - Also Postfix did not clear the receive buffer after the\n STARTTLS command. A man-in-the middle could therefore\n inject commands in the unencrypted stream that get\n interpreted in the encrypted phase after STARTTLS.\n (CVE-2011-0411)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-0411.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1720.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply YOU patch number 12707.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 9 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SUSE9\", reference:\"postfix-2.1.1-1.26\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-17T23:00:25", "bulletinFamily": "scanner", "description": "Several vulnerabilities were discovered in Postfix, a mail transfer\nagent. The Common Vulnerabilities and Exposures project identifies the\nfollowing problems :\n\n - CVE-2009-2939\n The postinst script grants the postfix user write access\n to /var/spool/postfix/pid, which might allow local users\n to conduct symlink attacks that overwrite arbitrary\n files.\n\n - CVE-2011-0411\n The STARTTLS implementation does not properly restrict\n I/O buffering, which allows man-in-the-middle attackers\n to insert commands into encrypted SMTP sessions by\n sending a cleartext command that is processed after TLS\n is in place.\n\n - CVE-2011-1720\n A heap-based read-only buffer overflow allows malicious\n clients to crash the smtpd server process using a\n crafted SASL authentication request.", "modified": "2011-05-11T00:00:00", "id": "DEBIAN_DSA-2233.NASL", "href": "https://www.tenable.com/plugins/nessus/53860", "published": "2011-05-11T00:00:00", "title": "Debian DSA-2233-1 : postfix - several vulnerabilities", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2233. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(53860);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2009-2939\", \"CVE-2011-0411\", \"CVE-2011-1720\");\n script_bugtraq_id(36469, 46767, 47778);\n script_xref(name:\"DSA\", value:\"2233\");\n\n script_name(english:\"Debian DSA-2233-1 : postfix - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities were discovered in Postfix, a mail transfer\nagent. The Common Vulnerabilities and Exposures project identifies the\nfollowing problems :\n\n - CVE-2009-2939\n The postinst script grants the postfix user write access\n to /var/spool/postfix/pid, which might allow local users\n to conduct symlink attacks that overwrite arbitrary\n files.\n\n - CVE-2011-0411\n The STARTTLS implementation does not properly restrict\n I/O buffering, which allows man-in-the-middle attackers\n to insert commands into encrypted SMTP sessions by\n sending a cleartext command that is processed after TLS\n is in place.\n\n - CVE-2011-1720\n A heap-based read-only buffer overflow allows malicious\n clients to crash the smtpd server process using a\n crafted SASL authentication request.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-2939\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-0411\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-1720\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/postfix\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2011/dsa-2233\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the postfix packages.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 2.5.5-1.1+lenny1.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 2.7.1-1+squeeze1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(59);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"postfix\", reference:\"2.5.5-1.1+lenny1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"postfix\", reference:\"2.7.1-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"postfix-cdb\", reference:\"2.7.1-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"postfix-dev\", reference:\"2.7.1-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"postfix-doc\", reference:\"2.7.1-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"postfix-ldap\", reference:\"2.7.1-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"postfix-mysql\", reference:\"2.7.1-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"postfix-pcre\", reference:\"2.7.1-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"postfix-pgsql\", reference:\"2.7.1-1+squeeze1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T01:25:07", "bulletinFamily": "scanner", "description": "This is an update that fixes memory corruption in Postfix SMTP server\nCyrus SASL support (CVE-2011-1720). For original upstream announcement\nsee: http://archives.neohapsis.com/archives/postfix/2011-05/0208.html\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-07-02T00:00:00", "id": "FEDORA_2011-6777.NASL", "href": "https://www.tenable.com/plugins/nessus/54294", "published": "2011-05-18T00:00:00", "title": "Fedora 13 : postfix-2.7.4-1.fc13 (2011-6777)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-6777.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(54294);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/08/02 13:32:35\");\n\n script_xref(name:\"FEDORA\", value:\"2011-6777\");\n\n script_name(english:\"Fedora 13 : postfix-2.7.4-1.fc13 (2011-6777)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is an update that fixes memory corruption in Postfix SMTP server\nCyrus SASL support (CVE-2011-1720). For original upstream announcement\nsee: http://archives.neohapsis.com/archives/postfix/2011-05/0208.html\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://archives.neohapsis.com/archives/postfix/2011-05/0208.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?17ceb8e4\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-May/060215.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7d228cd8\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected postfix package.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:13\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^13([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 13.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC13\", reference:\"postfix-2.7.4-1.fc13\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postfix\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T01:25:07", "bulletinFamily": "scanner", "description": "This is an update that fixes memory corruption in Postfix SMTP server\nCyrus SASL support (CVE-2011-1720). For original upstream announcement\nsee: http://archives.neohapsis.com/archives/postfix/2011-05/0208.html\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-07-02T00:00:00", "id": "FEDORA_2011-6771.NASL", "href": "https://www.tenable.com/plugins/nessus/54292", "published": "2011-05-18T00:00:00", "title": "Fedora 14 : postfix-2.7.4-1.fc14 (2011-6771)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-6771.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(54292);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/08/02 13:32:35\");\n\n script_xref(name:\"FEDORA\", value:\"2011-6771\");\n\n script_name(english:\"Fedora 14 : postfix-2.7.4-1.fc14 (2011-6771)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is an update that fixes memory corruption in Postfix SMTP server\nCyrus SASL support (CVE-2011-1720). For original upstream announcement\nsee: http://archives.neohapsis.com/archives/postfix/2011-05/0208.html\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://archives.neohapsis.com/archives/postfix/2011-05/0208.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?17ceb8e4\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-May/060216.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a36aa2b5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected postfix package.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:14\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^14([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 14.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC14\", reference:\"postfix-2.7.4-1.fc14\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postfix\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T04:26:31", "bulletinFamily": "scanner", "description": "Remote attackers could potentially exploit a memory corruption issue\nin postfix", "modified": "2020-07-02T00:00:00", "id": "SUSE_11_4_POSTFIX-110510.NASL", "href": "https://www.tenable.com/plugins/nessus/75997", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : postfix (openSUSE-SU-2011:0476-1)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update postfix-4524.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75997);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/10/25 13:36:42\");\n\n script_cve_id(\"CVE-2011-1720\");\n\n script_name(english:\"openSUSE Security Update : postfix (openSUSE-SU-2011:0476-1)\");\n script_summary(english:\"Check for the postfix-4524 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Remote attackers could potentially exploit a memory corruption issue\nin postfix' SASL implementation to execute arbitrary code\n(CVE-2011-1720).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=689021\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2011-05/msg00023.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected postfix packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-mysql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-postgresql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.4\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.4\", reference:\"postfix-2.7.2-13.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"postfix-debuginfo-2.7.2-13.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"postfix-debugsource-2.7.2-13.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"postfix-devel-2.7.2-13.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"postfix-mysql-2.7.2-13.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"postfix-mysql-debuginfo-2.7.2-13.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"postfix-postgresql-2.7.2-13.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"postfix-postgresql-debuginfo-2.7.2-13.16.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postfix\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T03:51:38", "bulletinFamily": "scanner", "description": "According to its banner, the version of the Postfix mail server\nlistening on this port is earlier than 2.5.13, 2.6.19, 2.7.4, or\n2.8.3. Such versions may be vulnerable to a memory corruption attack\nif they have Cyrus SASL enabled and are allowing authentication\nmethods other than ANONYMOUS, LOGIN, and PLAIN. Code execution as the\nunprivileged postfix user may also be possible. \n\nNote that Nessus did not test whether the remote server was using\nCyrus specifically, as opposed to another SASL library such as\nDovecot.", "modified": "2020-07-02T00:00:00", "id": "POSTFIX_MEMORY_CORRUPTION.NASL", "href": "https://www.tenable.com/plugins/nessus/54583", "published": "2011-05-19T00:00:00", "title": "Postfix Cyrus SASL Authentication Context Data Reuse Memory Corruption", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(54583);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_cve_id(\"CVE-2011-1720\");\n script_bugtraq_id(47778);\n script_xref(name:\"CERT\", value:\"727230\");\n script_xref(name:\"Secunia\", value:\"44500\");\n\n script_name(english:\"Postfix Cyrus SASL Authentication Context Data Reuse Memory Corruption\");\n script_summary(english:\"Checks version of SMTP banner and SASL auth modes\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote mail server is potentially affected by a memory corruption\nvulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"According to its banner, the version of the Postfix mail server\nlistening on this port is earlier than 2.5.13, 2.6.19, 2.7.4, or\n2.8.3. Such versions may be vulnerable to a memory corruption attack\nif they have Cyrus SASL enabled and are allowing authentication\nmethods other than ANONYMOUS, LOGIN, and PLAIN. Code execution as the\nunprivileged postfix user may also be possible. \n\nNote that Nessus did not test whether the remote server was using\nCyrus specifically, as opposed to another SASL library such as\nDovecot.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.postfix.org/CVE-2011-1720.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/bugtraq/2011/May/64\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade to Postfix 2.5.13 / 2.6.19 / 2.7.4 / 2.8.3 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/19\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:postfix:postfix\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SMTP problems\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smtp_authentication.nasl\");\n script_require_ports(\"Services/smtp\", 25);\n script_require_keys(\"Settings/ParanoidReport\", \"SMTP/postfix\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smtp_func.inc\");\n\nif (report_paranoia < 2)\n exit(1, \"This plugin only runs if 'Report paranoia' is set to 'Paranoid'.\");\n\nport = get_service(svc:\"smtp\", default:25, exit_on_fail:TRUE);\n\n# Get the service's banner.\nbanner = chomp(get_smtp_banner(port:port));\nif (isnull(banner))\n exit(1, \"Failed to retrieve the banner from the SMTP server listening on port \" + port + \".\");\nif (\"Postfix\" >!< banner)\n exit(0, \"The banner from the SMTP server listening on port \" + port + \" is not from Postfix.\");\n\n# Get authentication methods.\nmethods = make_list();\nlist = get_kb_list(\"smtp/\" + port + \"/auth\");\nif (!isnull(list))\n methods = make_list(methods, list);\nlist = get_kb_list(\"smtp/\" + port + \"/auth_tls\");\nif (!isnull(list))\n methods = make_list(methods, list);\nif (!max_index(methods))\n exit(0, \"Postfix on port \" + port + \" doesn't support authentication.\");\n\n# Only three methods are unaffected, per the advisory.\naffected = FALSE;\nauth_methods = '';\nforeach method (methods)\n{\n auth_methods += ', ' + method;\n if (method != \"ANONYMOUS\" && method != \"LOGIN\" && method != \"PLAIN\")\n {\n affected = TRUE;\n break;\n }\n}\nif (!affected)\n exit(0, \"Postfix on port \" + port + \" does not have any of the affected SASL methods enabled.\");\nauth_methods = substr(auth_methods, 2);\n\n# Parse the version number from the banner.\n#\n# nb: the pattern here extracts the version in two parts potentially -\n# one that's entirely numeric and suitable for use in 'ver_compare()',\n# a second that may have non-numeric parts but is not used in the version checks.\nmatches = eregmatch(pattern:\"220.*Postfix \$([0-9\\.]+)(-(RC)?[0-9]+)?\$\", string:banner);\nif (isnull(matches))\n exit(1, \"Failed to determine the version of Postfix based on the banner from the SMTP server listening on port \" + port + \".\");\nversion = matches[1];\n\n# Check if the version is vulnerable.\nif (version =~ \"^([0-1]\\.|2\\.[0-5]($|[^0-9]))\")\n{\n fixed = \"2.5.13\";\n vuln = ver_compare(ver:version, fix:fixed, strict:FALSE);\n}\nelse if (version =~ \"^2\\.6\")\n{\n fixed = \"2.6.19\";\n vuln = ver_compare(ver:version, fix:fixed, strict:FALSE);\n}\nelse if (version =~ \"^2\\.7\")\n{\n fixed = \"2.7.4\";\n vuln = ver_compare(ver:version, fix:fixed, strict:FALSE);\n}\nelse if (version =~ \"^2\\.8\")\n{\n fixed = \"2.8.3\";\n vuln = ver_compare(ver:version, fix:fixed, strict:FALSE);\n}\nelse\n{\n # Any later versions will include the fix for this issue.\n vuln = 1;\n}\n\nif (vuln >= 0)\n exit(0, \"Postfix version \" + version + \" is running on the port \" + port + \" and not affected.\");\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Banner : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed +\n '\\n Supported SASL auth methods : ' + auth_methods +\n '\\n';\n security_warning(port:port, extra:report);\n}\nelse security_warning(port);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T03:51:38", "bulletinFamily": "scanner", "description": "The Postfix mail server listening on this port appears vulnerable to\na memory corruption attack as Nessus was able to crash an SMTP session\nwith this host by using two different authentication methods in one\nsession. \n\nNote that code execution as the unprivileged postfix user may also be\npossible.", "modified": "2020-07-02T00:00:00", "id": "POSTFIX_MEMORY_CORRUPTION_EXPLOIT.NASL", "href": "https://www.tenable.com/plugins/nessus/54584", "published": "2011-05-19T00:00:00", "title": "Postfix Cyrus SASL Authentication Context Data Reuse Memory Corruption (exploit)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(54584);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_cve_id(\"CVE-2011-1720\");\n script_bugtraq_id(47778);\n script_xref(name:\"CERT\", value:\"727230\");\n script_xref(name:\"Secunia\", value:\"44500\");\n\n script_name(english:\"Postfix Cyrus SASL Authentication Context Data Reuse Memory Corruption (exploit)\");\n script_summary(english:\"Tries to crash SMTP session.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote mail server is affected by a memory corruption\nvulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Postfix mail server listening on this port appears vulnerable to\na memory corruption attack as Nessus was able to crash an SMTP session\nwith this host by using two different authentication methods in one\nsession. \n\nNote that code execution as the unprivileged postfix user may also be\npossible.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.postfix.org/CVE-2011-1720.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/bugtraq/2011/May/64\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade to Postfix 2.5.13 / 2.6.19 / 2.7.4 / 2.8.3 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/19\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:postfix:postfix\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"SMTP problems\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smtp_authentication.nasl\");\n script_require_ports(\"Services/smtp\", 25);\n script_require_keys(\"SMTP/postfix\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smtp_func.inc\");\n\nport = get_service(svc:\"smtp\", default:25, exit_on_fail:TRUE);\n\nfunction exploit(methods, port, starttls)\n{\n local_var cmd, cmds, i, last, log, res, sock;\n\n # Connect to the service.\n sock = smtp_open(port:port);\n if (!sock) exit(1, \"Failed to open socket on port \" + port + \".\");\n\n # Negotiate a StartTLS connection if supported.\n if (starttls)\n {\n sock = smtp_starttls(socket:sock, encaps:ENCAPS_TLSv1);\n if (!sock) exit(1, \"StartTLS failed for socket on port \" + port + \".\");\n }\n\n # Initialize the SMTP session.\n send(socket:sock, data:'EHLO nessus\\r\\n');\n res = smtp_recv_line(socket:sock, code:250);\n if (isnull(res))\n exit(1, \"The SMTP server on port \" + port + \" didn't respond to 'EHLO'.\");\n\n # Send commands that should trigger a crash if vulnerable.\n log = make_list();\n cmds = make_list(\n \"AUTH \" + methods[0],\n \"*\",\n \"AUTH \" + methods[1]\n );\n\n for (i = 0; i < max_index(cmds); i++)\n {\n # Determine if this is the final iteration.\n last = (i == max_index(cmds) - 1);\n\n # Interact with the server.\n cmd = cmds[i];\n send(socket:sock, data:cmd + '\\r\\n');\n res = smtp_recv_line(socket:sock);\n if (isnull(res))\n {\n if (!last)\n exit(1, \"The SMTP server on port \"+port+\" failed to respond to '\" + cmd + \"'.\");\n res = \"*CRASH*\";\n }\n else if (last)\n {\n return NULL;\n }\n\n # Record the interaction.\n log = make_list(\n log,\n \"C: \" + cmd,\n \"S: \" + chomp(res)\n );\n }\n\n close(sock);\n\n return log;\n}\n\n# Make sure the banner says that this is a Postfix server. If we're\n# being completely paranoid, ignore the banner and try the exploit\n# anyways.\nif (report_paranoia < 2)\n{\n banner = chomp(get_smtp_banner(port:port));\n if (isnull(banner))\n exit(1, \"Failed to retrieve the banner from the SMTP server listening on port \" + port + \".\");\n if (\"Postfix\" >!< banner)\n exit(0, \"The banner from the SMTP server listening on port \" + port + \" is not from Postfix.\");\n}\n\n# Determine whether to do this using an encrypted or an unencrypted\n# channel.\nlog = NULL;\nrequired_methods = FALSE;\nforeach key (make_list(\"auth\", \"auth_tls\"))\n{\n # Get list of supported authentication methods.\n list = get_kb_list(\"smtp/\" + port + \"/\" + key);\n if (isnull(list)) continue;\n\n # Remove unaffected methods. Sort the methods because CRAM-MD5 and\n # DIGEST-MD5 are the ones that trigger the issue most reliably.\n methods = make_list();\n foreach method (sort(list))\n {\n if (method == \"ANONYMOUS\" || method == \"LOGIN\" || method == \"PLAIN\")\n continue;\n methods = make_list(methods, method);\n }\n\n # Need at least two methods to perform the exploit.\n if (max_index(methods) < 2) continue;\n required_methods = TRUE;\n\n # Attempt to exploit the vulnerability.\n starttls = (key == \"auth_tls\");\n log = exploit(port:port, starttls:starttls, methods:methods);\n if (!isnull(log)) break;\n}\n\nif (isnull(log))\n{\n if (required_methods) exit(0, \"The Postfix server on port \" + port + \" does not appear to be affected.\");\n else exit(1, \"The Postfix server on port \" + port + \" does not support at least two affected authentication methods.\");\n}\n\nif (report_verbosity > 0)\n{\n report =\n '\\nThe remote Postfix installation was exploited as follows : ' +\n '\\n';\n foreach line (log)\n report += ' ' + line + '\\n';\n security_warning(port:port, extra:report);\n}\nelse security_warning(port);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T04:26:13", "bulletinFamily": "scanner", "description": "Remote attackers could potentially exploit a memory corruption issue\nin postfix", "modified": "2020-07-02T00:00:00", "id": "SUSE_11_2_POSTFIX-110510.NASL", "href": "https://www.tenable.com/plugins/nessus/53875", "published": "2011-05-12T00:00:00", "title": "openSUSE Security Update : postfix (openSUSE-SU-2011:0476-1)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update postfix-4524.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(53875);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/10/25 13:36:41\");\n\n script_cve_id(\"CVE-2011-1720\");\n\n script_name(english:\"openSUSE Security Update : postfix (openSUSE-SU-2011:0476-1)\");\n script_summary(english:\"Check for the postfix-4524 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Remote attackers could potentially exploit a memory corruption issue\nin postfix' SASL implementation to execute arbitrary code\n(CVE-2011-1720).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=689021\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2011-05/msg00023.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected postfix packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.2\", reference:\"postfix-2.6.1-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"postfix-devel-2.6.1-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"postfix-mysql-2.6.1-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"postfix-postgresql-2.6.1-2.10.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postfix\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T01:25:07", "bulletinFamily": "scanner", "description": "This is an update that fixes memory corruption in Postfix SMTP server\nCyrus SASL support (CVE-2011-1720). For original upstream announcement\nsee: http://archives.neohapsis.com/archives/postfix/2011-05/0208.html\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-07-02T00:00:00", "id": "FEDORA_2011-6784.NASL", "href": "https://www.tenable.com/plugins/nessus/54573", "published": "2011-05-19T00:00:00", "title": "Fedora 15 : postfix-2.8.3-1.fc15 (2011-6784)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-6784.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(54573);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/08/02 13:32:35\");\n\n script_bugtraq_id(47778);\n script_xref(name:\"FEDORA\", value:\"2011-6784\");\n\n script_name(english:\"Fedora 15 : postfix-2.8.3-1.fc15 (2011-6784)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is an update that fixes memory corruption in Postfix SMTP server\nCyrus SASL support (CVE-2011-1720). For original upstream announcement\nsee: http://archives.neohapsis.com/archives/postfix/2011-05/0208.html\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://archives.neohapsis.com/archives/postfix/2011-05/0208.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?17ceb8e4\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-May/060256.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f19797ea\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected postfix package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:15\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^15([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 15.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC15\", reference:\"postfix-2.8.3-1.fc15\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postfix\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:38:39", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 201206-33.", "modified": "2018-10-12T00:00:00", "published": "2012-08-10T00:00:00", "id": "OPENVAS:136141256231071559", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231071559", "title": "Gentoo Security Advisory GLSA 201206-33 (Postfix)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa_201206_33.nasl 11859 2018-10-12 08:53:01Z cfischer $\n#\n# Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.71559\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1720\");\n script_version(\"$Revision: 11859 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 10:53:01 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-10 03:22:54 -0400 (Fri, 10 Aug 2012)\");\n script_name(\"Gentoo Security Advisory GLSA 201206-33 (Postfix)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name:\"insight\", value:\"A vulnerability has been found in Postfix, the worst of which\npossibly allowing remote code execution.\");\n script_tag(name:\"solution\", value:\"All Postfix users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=mail-mta/postfix-2.7.4'\");\n\n script_xref(name:\"URL\", value:\"http://www.securityspace.com/smysecure/catid.html?in=GLSA%20201206-33\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=358085\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=366605\");\n script_tag(name:\"summary\", value:\"The remote host is missing updates announced in\nadvisory GLSA 201206-33.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-gentoo.inc\");\ninclude(\"revisions-lib.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = ispkgvuln(pkg:\"mail-mta/postfix\", unaffected: make_list(\"ge 2.7.4\"), vulnerable: make_list(\"lt 2.7.4\"))) != NULL ) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:31", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2011-05-23T00:00:00", "id": "OPENVAS:1361412562310863100", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310863100", "title": "Fedora Update for postfix FEDORA-2011-6777", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for postfix FEDORA-2011-6777\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060215.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.863100\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-05-23 16:55:31 +0200 (Mon, 23 May 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2011-6777\");\n script_cve_id(\"CVE-2011-1720\", \"CVE-2011-0411\");\n script_name(\"Fedora Update for postfix FEDORA-2011-6777\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'postfix'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC13\");\n script_tag(name:\"affected\", value:\"postfix on Fedora 13\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC13\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.7.4~1.fc13\", rls:\"FC13\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-25T10:55:31", "bulletinFamily": "scanner", "description": "Check for the Version of postfix", "modified": "2017-07-10T00:00:00", "published": "2011-05-23T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=863100", "id": "OPENVAS:863100", "title": "Fedora Update for postfix FEDORA-2011-6777", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for postfix FEDORA-2011-6777\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"postfix on Fedora 13\";\ntag_insight = \"Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\n TLS\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060215.html\");\n script_id(863100);\n script_version(\"$Revision: 6626 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:30:10 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-05-23 16:55:31 +0200 (Mon, 23 May 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2011-6777\");\n script_cve_id(\"CVE-2011-1720\", \"CVE-2011-0411\");\n script_name(\"Fedora Update for postfix FEDORA-2011-6777\");\n\n script_summary(\"Check for the Version of postfix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC13\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.7.4~1.fc13\", rls:\"FC13\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:47", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2011-05-23T00:00:00", "id": "OPENVAS:1361412562310863097", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310863097", "title": "Fedora Update for postfix FEDORA-2011-6771", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for postfix FEDORA-2011-6771\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060216.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.863097\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-05-23 16:55:31 +0200 (Mon, 23 May 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2011-6771\");\n script_cve_id(\"CVE-2011-1720\", \"CVE-2011-0411\");\n script_name(\"Fedora Update for postfix FEDORA-2011-6771\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'postfix'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC14\");\n script_tag(name:\"affected\", value:\"postfix on Fedora 14\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.7.4~1.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:51:19", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 201206-33.", "modified": "2017-07-07T00:00:00", "published": "2012-08-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=71559", "id": "OPENVAS:71559", "title": "Gentoo Security Advisory GLSA 201206-33 (Postfix)", "type": "openvas", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been found in Postfix, the worst of which\npossibly allowing remote code execution.\";\ntag_solution = \"All Postfix users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=mail-mta/postfix-2.7.4'\n \n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20201206-33\nhttp://bugs.gentoo.org/show_bug.cgi?id=358085\nhttp://bugs.gentoo.org/show_bug.cgi?id=366605\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 201206-33.\";\n\n \n \nif(description)\n{\n script_id(71559);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1720\");\n script_version(\"$Revision: 6589 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 10:27:50 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-10 03:22:54 -0400 (Fri, 10 Aug 2012)\");\n script_name(\"Gentoo Security Advisory GLSA 201206-33 (Postfix)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\nres = \"\";\nreport = \"\";\nif((res = ispkgvuln(pkg:\"mail-mta/postfix\", unaffected: make_list(\"ge 2.7.4\"), vulnerable: make_list(\"lt 2.7.4\"))) != NULL ) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:55:48", "bulletinFamily": "scanner", "description": "The remote host is missing an update to postfix\nannounced via advisory DSA 2233-1.", "modified": "2017-07-07T00:00:00", "published": "2011-08-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=69733", "id": "OPENVAS:69733", "title": "Debian Security Advisory DSA 2233-1 (postfix)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2233_1.nasl 6613 2017-07-07 12:08:40Z cfischer $\n# Description: Auto-generated from advisory DSA 2233-1 (postfix)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several vulnerabilities were discovered in Postfix, a mail transfer\nagent. The Common Vulnerabilities and Exposures project identifies\nthe following problems:\n\nCVE-2009-2939\nThe postinst script grants the postfix user write access to\n/var/spool/postfix/pid, which might allow local users to\nconduct symlink attacks that overwrite arbitrary files.\n\nCVE-2011-0411\nThe STARTTLS implementation does not properly restrict I/O\nbuffering, which allows man-in-the-middle attackers to insert\ncommands into encrypted SMTP sessions by sending a cleartext\ncommand that is processed after TLS is in place.\n\nCVE-2011-1720\nA heap-based read-only buffer overflow allows malicious\nclients to crash the smtpd server process using a crafted SASL\nauthentication request.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 2.5.5-1.1+lenny1.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 2.7.1-1+squeeze1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.8.0-1.\n\nWe recommend that you upgrade your postfix packages.\";\ntag_summary = \"The remote host is missing an update to postfix\nannounced via advisory DSA 2233-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202233-1\";\n\n\nif(description)\n{\n script_id(69733);\n script_version(\"$Revision: 6613 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:08:40 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-03 04:36:20 +0200 (Wed, 03 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-2939\", \"CVE-2011-0411\", \"CVE-2011-1720\");\n script_name(\"Debian Security Advisory DSA 2233-1 (postfix)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"postfix\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-cdb\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-dev\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-doc\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-ldap\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-mysql\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-pcre\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-pgsql\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-cdb\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-dev\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-doc\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-ldap\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-mysql\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-pcre\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-pgsql\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:41", "bulletinFamily": "scanner", "description": "The remote host is missing an update to postfix\nannounced via advisory DSA 2233-1.", "modified": "2019-03-18T00:00:00", "published": "2011-08-03T00:00:00", "id": "OPENVAS:136141256231069733", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231069733", "title": "Debian Security Advisory DSA 2233-1 (postfix)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2233_1.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Description: Auto-generated from advisory DSA 2233-1 (postfix)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.69733\");\n script_version(\"$Revision: 14275 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-03 04:36:20 +0200 (Wed, 03 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-2939\", \"CVE-2011-0411\", \"CVE-2011-1720\");\n script_name(\"Debian Security Advisory DSA 2233-1 (postfix)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(5|6)\");\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202233-1\");\n script_tag(name:\"insight\", value:\"Several vulnerabilities were discovered in Postfix, a mail transfer\nagent. The Common Vulnerabilities and Exposures project identifies\nthe following problems:\n\nCVE-2009-2939\nThe postinst script grants the postfix user write access to\n/var/spool/postfix/pid, which might allow local users to\nconduct symlink attacks that overwrite arbitrary files.\n\nCVE-2011-0411\nThe STARTTLS implementation does not properly restrict I/O\nbuffering, which allows man-in-the-middle attackers to insert\ncommands into encrypted SMTP sessions by sending a cleartext\ncommand that is processed after TLS is in place.\n\nCVE-2011-1720\nA heap-based read-only buffer overflow allows malicious\nclients to crash the smtpd server process using a crafted SASL\nauthentication request.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 2.5.5-1.1+lenny1.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 2.7.1-1+squeeze1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.8.0-1.\");\n\n script_tag(name:\"solution\", value:\"We recommend that you upgrade your postfix packages.\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update to postfix\nannounced via advisory DSA 2233-1.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"postfix\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"postfix-cdb\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"postfix-dev\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"postfix-doc\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"postfix-ldap\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"postfix-mysql\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"postfix-pcre\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"postfix-pgsql\", ver:\"2.5.5-1.1+lenny1\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"postfix\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"postfix-cdb\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"postfix-dev\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"postfix-doc\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"postfix-ldap\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"postfix-mysql\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"postfix-pcre\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"postfix-pgsql\", ver:\"2.7.1-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:54", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-07-30T00:00:00", "id": "OPENVAS:1361412562310881293", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881293", "title": "CentOS Update for postfix CESA-2011:0843 centos4 x86_64", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for postfix CESA-2011:0843 centos4 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2011-June/017606.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881293\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:18:59 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-1720\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"CESA\", value:\"2011:0843\");\n script_name(\"CentOS Update for postfix CESA-2011:0843 centos4 x86_64\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'postfix'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS4\");\n script_tag(name:\"affected\", value:\"postfix on CentOS 4\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\n and TLS.\n\n A heap-based buffer over-read flaw was found in the way Postfix performed\n SASL handlers management for SMTP sessions, when Cyrus SASL authentication\n was enabled. A remote attacker could use this flaw to cause the Postfix\n smtpd server to crash via a specially-crafted SASL authentication request.\n The smtpd process was automatically restarted by the postfix master process\n after the time configured with service_throttle_time elapsed.\n (CVE-2011-1720)\n\n Note: Cyrus SASL authentication for Postfix is not enabled by default.\n\n Red Hat would like to thank the CERT/CC for reporting this issue. Upstream\n acknowledges Thomas Jarosch of Intra2net AG as the original reporter.\n\n Users of Postfix are advised to upgrade to these updated packages, which\n contain a backported patch to resolve this issue. After installing this\n update, the postfix service will be restarted automatically.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.2.10~1.5.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pflogsumm\", rpm:\"postfix-pflogsumm~2.2.10~1.5.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-25T10:55:23", "bulletinFamily": "scanner", "description": "Check for the Version of postfix", "modified": "2017-07-10T00:00:00", "published": "2011-08-09T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=880509", "id": "OPENVAS:880509", "title": "CentOS Update for postfix CESA-2011:0843 centos5 i386", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for postfix CESA-2011:0843 centos5 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\n and TLS.\n\n A heap-based buffer over-read flaw was found in the way Postfix performed\n SASL handlers management for SMTP sessions, when Cyrus SASL authentication\n was enabled. A remote attacker could use this flaw to cause the Postfix\n smtpd server to crash via a specially-crafted SASL authentication request.\n The smtpd process was automatically restarted by the postfix master process\n after the time configured with service_throttle_time elapsed.\n (CVE-2011-1720)\n \n Note: Cyrus SASL authentication for Postfix is not enabled by default.\n \n Red Hat would like to thank the CERT/CC for reporting this issue. Upstream\n acknowledges Thomas Jarosch of Intra2net AG as the original reporter.\n \n Users of Postfix are advised to upgrade to these updated packages, which\n contain a backported patch to resolve this issue. After installing this\n update, the postfix service will be restarted automatically.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"postfix on CentOS 5\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-May/017595.html\");\n script_id(880509);\n script_version(\"$Revision: 6653 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:46:53 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-09 08:20:34 +0200 (Tue, 09 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"CESA\", value: \"2011:0843\");\n script_cve_id(\"CVE-2011-1720\");\n script_name(\"CentOS Update for postfix CESA-2011:0843 centos5 i386\");\n\n script_summary(\"Check for the Version of postfix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.3.3~2.3.el5_6\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pflogsumm\", rpm:\"postfix-pflogsumm~2.3.3~2.3.el5_6\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-06T13:06:54", "bulletinFamily": "scanner", "description": "Check for the Version of postfix", "modified": "2018-01-04T00:00:00", "published": "2012-07-30T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=881293", "id": "OPENVAS:881293", "title": "CentOS Update for postfix CESA-2011:0843 centos4 x86_64", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for postfix CESA-2011:0843 centos4 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\n and TLS.\n\n A heap-based buffer over-read flaw was found in the way Postfix performed\n SASL handlers management for SMTP sessions, when Cyrus SASL authentication\n was enabled. A remote attacker could use this flaw to cause the Postfix\n smtpd server to crash via a specially-crafted SASL authentication request.\n The smtpd process was automatically restarted by the postfix master process\n after the time configured with service_throttle_time elapsed.\n (CVE-2011-1720)\n \n Note: Cyrus SASL authentication for Postfix is not enabled by default.\n \n Red Hat would like to thank the CERT/CC for reporting this issue. Upstream\n acknowledges Thomas Jarosch of Intra2net AG as the original reporter.\n \n Users of Postfix are advised to upgrade to these updated packages, which\n contain a backported patch to resolve this issue. After installing this\n update, the postfix service will be restarted automatically.\";\n\ntag_affected = \"postfix on CentOS 4\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-June/017606.html\");\n script_id(881293);\n script_version(\"$Revision: 8285 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-04 07:29:16 +0100 (Thu, 04 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:18:59 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-1720\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"CESA\", value: \"2011:0843\");\n script_name(\"CentOS Update for postfix CESA-2011:0843 centos4 x86_64\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of postfix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.2.10~1.5.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pflogsumm\", rpm:\"postfix-pflogsumm~2.2.10~1.5.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:32", "bulletinFamily": "unix", "description": "### Background\n\nPostfix is Wietse Venema\u2019s mailer that attempts to be fast, easy to administer, and secure, as an alternative to the widely-used Sendmail program. \n\n### Description\n\nA vulnerability have been discovered in Postfix. Please review the CVE identifier referenced below for details. \n\n### Impact\n\nAn attacker could perform a man-in-the-middle attack and inject SMTP commands during the plaintext to TLS session switch or might execute arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Postfix users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=mail-mta/postfix-2.7.4\"", "modified": "2012-06-25T00:00:00", "published": "2012-06-25T00:00:00", "id": "GLSA-201206-33", "href": "https://security.gentoo.org/glsa/201206-33", "type": "gentoo", "title": "Postfix: Multiple vulnerabilities", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2019-05-30T02:21:53", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2233-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nMay 10, 2011 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : postfix\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2009-2939 CVE-2011-0411 CVE-2011-1720\n\nSeveral vulnerabilities were discovered in Postfix, a mail transfer\nagent. The Common Vulnerabilities and Exposures project identifies\nthe following problems:\n\nCVE-2009-2939\n The postinst script grants the postfix user write access to\n /var/spool/postfix/pid, which might allow local users to\n conduct symlink attacks that overwrite arbitrary files.\n\nCVE-2011-0411\n The STARTTLS implementation does not properly restrict I/O\n buffering, which allows man-in-the-middle attackers to insert\n commands into encrypted SMTP sessions by sending a cleartext\n command that is processed after TLS is in place.\n\nCVE-2011-1720\n A heap-based read-only buffer overflow allows malicious\n clients to crash the smtpd server process using a crafted SASL\n authentication request.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 2.5.5-1.1+lenny1.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 2.7.1-1+squeeze1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.8.0-1.\n\nWe recommend that you upgrade your postfix packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2011-05-10T17:58:13", "published": "2011-05-10T17:58:13", "id": "DEBIAN:DSA-2233-1:FE66E", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2011/msg00102.html", "title": "[SECURITY] [DSA 2233-1] postfix security update", "type": "debian", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T12:10:59", "bulletinFamily": "unix", "description": "A security problem in the Postfix mail transport agent was fixed that could potentially be used by remote attackers to exploit a memory corruption issue in postfix SASL implementation to execute arbitrary code (CVE-2011-1720).\n#### Solution\nThere is no known workaround, please install the update packages.", "modified": "2011-05-11T11:23:15", "published": "2011-05-11T11:23:15", "id": "SUSE-SA:2011:023", "href": "http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00002.html", "title": "remote code execution in postfix", "type": "suse", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "centos": [{"lastseen": "2019-12-20T18:24:39", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2011:0843\n\n\nPostfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\nand TLS.\n\nA heap-based buffer over-read flaw was found in the way Postfix performed\nSASL handlers management for SMTP sessions, when Cyrus SASL authentication\nwas enabled. A remote attacker could use this flaw to cause the Postfix\nsmtpd server to crash via a specially-crafted SASL authentication request.\nThe smtpd process was automatically restarted by the postfix master process\nafter the time configured with service_throttle_time elapsed.\n(CVE-2011-1720)\n\nNote: Cyrus SASL authentication for Postfix is not enabled by default.\n\nRed Hat would like to thank the CERT/CC for reporting this issue. Upstream\nacknowledges Thomas Jarosch of Intra2net AG as the original reporter.\n\nUsers of Postfix are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing this\nupdate, the postfix service will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2011-June/029643.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-June/029644.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-May/029633.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-May/029634.html\n\n**Affected packages:**\npostfix\npostfix-pflogsumm\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2011-0843.html", "modified": "2011-06-01T12:28:58", "published": "2011-05-31T16:58:29", "href": "http://lists.centos.org/pipermail/centos-announce/2011-May/029633.html", "id": "CESA-2011:0843", "title": "postfix security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:47:12", "bulletinFamily": "unix", "description": "Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\nand TLS.\n\nA heap-based buffer over-read flaw was found in the way Postfix performed\nSASL handlers management for SMTP sessions, when Cyrus SASL authentication\nwas enabled. A remote attacker could use this flaw to cause the Postfix\nsmtpd server to crash via a specially-crafted SASL authentication request.\nThe smtpd process was automatically restarted by the postfix master process\nafter the time configured with service_throttle_time elapsed.\n(CVE-2011-1720)\n\nNote: Cyrus SASL authentication for Postfix is not enabled by default.\n\nRed Hat would like to thank the CERT/CC for reporting this issue. Upstream\nacknowledges Thomas Jarosch of Intra2net AG as the original reporter.\n\nUsers of Postfix are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing this\nupdate, the postfix service will be restarted automatically.\n", "modified": "2018-06-06T20:24:08", "published": "2011-05-31T04:00:00", "id": "RHSA-2011:0843", "href": "https://access.redhat.com/errata/RHSA-2011:0843", "type": "redhat", "title": "(RHSA-2011:0843) Moderate: postfix security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:21", "bulletinFamily": "unix", "description": "Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\nand TLS.\n\nIt was discovered that Postfix did not flush the received SMTP commands\nbuffer after switching to TLS encryption for an SMTP session. A\nman-in-the-middle attacker could use this flaw to inject SMTP commands into\na victim's session during the plain text phase. This would lead to those\ncommands being processed by Postfix after TLS encryption is enabled,\npossibly allowing the attacker to steal the victim's mail or authentication\ncredentials. (CVE-2011-0411)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2011-0411. The\nCERT/CC acknowledges Wietse Venema as the original reporter.\n\nUsers of Postfix are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing this\nupdate, the postfix service will be restarted automatically.\n", "modified": "2018-06-06T20:24:37", "published": "2011-04-06T04:00:00", "id": "RHSA-2011:0423", "href": "https://access.redhat.com/errata/RHSA-2011:0423", "type": "redhat", "title": "(RHSA-2011:0423) Moderate: postfix security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:39:25", "bulletinFamily": "unix", "description": " \n[2:2.6.6-2.2]\r\n- fix CVE-2011-1720 (#704136)\r\n Resolves: rhbz#704136", "modified": "2011-05-31T00:00:00", "published": "2011-05-31T00:00:00", "id": "ELSA-2011-0843", "href": "http://linux.oracle.com/errata/ELSA-2011-0843.html", "title": "postfix security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:47", "bulletinFamily": "unix", "description": "[2:2.6.6-2.1]\n- fix CVE-2011-0411 (#682978)", "modified": "2011-04-06T00:00:00", "published": "2011-04-06T00:00:00", "id": "ELSA-2011-0423", "href": "http://linux.oracle.com/errata/ELSA-2011-0423.html", "title": "postfix security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T18:03:47", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 47778\r\nCVE ID: CVE-2011-1720\r\n\r\nPostfix\u662fUnix\u7c7b\u64cd\u4f5c\u7cfb\u7edf\u4e2d\u6240\u4f7f\u7528\u7684\u90ae\u4ef6\u4f20\u8f93\u4ee3\u7406\u3002\r\n\r\nPostfix SMTP Server\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728Cyrus SASL\u652f\u6301\u5185\u5b58\u7834\u574f\u6f0f\u6d1e\uff0c\u5728\u542f\u7528\u4e86Cyrus SASL\u652f\u6301\u65f6\u53ef\u5f71\u54cdSMTP\u670d\u52a1\u5668\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\u6216\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\r\n\r\n\u542f\u7528\u4e86SASL\u9a8c\u8bc1\u65f6\uff0cPostfix SMTP Server\u4e3a\u6bcf\u4e2aSMTP\u4f1a\u8bdd\u521b\u5efa\u4e86\u4e00\u4e2aSASL\u53e5\u67c4\uff0c\u5728\u5173\u95edSMTP\u8fde\u63a5\u524d\u4f1a\u4e00\u76f4\u4f7f\u7528\u6b64\u53e5\u67c4\u3002\u6839\u636eCyrus SASL include\u6e90\u6587\u4ef6\u7684\u6ce8\u91ca\uff0c\u670d\u52a1\u5668\u5728\u5ba2\u6237\u7aef\u9a8c\u8bc1\u5931\u8d25\u540e\u4e0d\u5e94\u91cd\u65b0\u4f7f\u7528Cyrus SASL\u670d\u52a1\u5668\uff0c\u800c\u5e94\u521b\u5efa\u5305\u542b\u673a\u5236\u5217\u8868\u7684\u65b0Cyrus SASL\u670d\u52a1\u5668\u53e5\u67c4\u3002\u4f46Postfix SMTP Server\u5728\u9a8c\u8bc1\u5931\u8d25\u540e\u6ca1\u6709\u65b0\u5efaCyrus SASL\u670d\u52a1\u5668\u53e5\u67c4\uff0c\u7ed3\u679c\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\n\nWietse Venema Postfix 2.x\r\nUbuntu Linux 8.x\r\nUbuntu Linux 6.x\r\nUbuntu Linux 11.x\r\nUbuntu Linux 10.x\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cNSFOCUS\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n* \u7981\u7528Postfix SMTP\u7684Cyrus SASL\u8eab\u4efd\u9a8c\u8bc1\u673a\u5236\uff0c\u800c\u975e\u7981\u7528PLAIN\u548cLOGIN\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nWietse Venema\r\n-------------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://www.postfix.org/", "modified": "2011-05-13T00:00:00", "published": "2011-05-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20542", "id": "SSV:20542", "title": "Postfix SMTP Server Cyrus SASL\u652f\u6301\u5185\u5b58\u7834\u574f\u6f0f\u6d1e", "type": "seebug", "sourceData": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "cert": [{"lastseen": "2020-07-02T15:58:52", "bulletinFamily": "info", "description": "### Overview \n\nThe Postfix SMTP server has a memory corruption error when the Cyrus SASL library is used with authentication mechanisms other than PLAIN and LOGIN.\n\n### Description \n\nThe [Postfix Advisory for CVE-2011-1720](<http://www.postfix.org/CVE-2011-1720.html>) states:\n\n_\"The Postfix SMTP server fails to create a new Cyrus SASL server handle after authentication failure. This causes memory corruption when, for example, a client requests CRAM-MD5 authentication, fails to authenticate, and then invokes some other authentication mechanism except PLAIN (or ANONYMOUS if available). The likely outcome is that the Postfix SMTP server process crashes with a segmentation violation error (SIGSEGV, a.k.a. signal 11).\"_ \n_..._ \n_\"The memory corruption is known to result in a program crash (SIGSEV). Remote code execution cannot be excluded. Such code would execute as the unprivileged \"postfix\" user. This user has no control over processes that run with non-postfix privileges including Postfix processes running as root; the impact may be reduced with configurations that enable the Postfix chroot feature or that use platform-dependent privilege-reducing features.\"_ \n \n--- \n \n### Impact \n\nA remote attacker can cause a denial of service or possibly execute arbitrary code. \n \n--- \n \n### Solution \n\n**Apply an Update** \nThis vulnerability has been fixed in Postfix stable versions 2.5.13, 2.6.10, 2.7.4, 2.8.3. Patches for Postfix version 1.1 and later can be obtained from the [Postfix Download Site](<http://www.postfix.org/download.html>). \n \n--- \n \n**Workarounds**\n\n \nThe following workaround is provided in the [Postfix Advisory for CVE-2011-1720](<http://www.postfix.org/CVE-2011-1720.html>): \n \nDisable Cyrus SASL authentication mechanisms for the Postfix SMTP server other than PLAIN and LOGIN. The mechanisms are specified in a Cyrus SASL smtpd.conf configuration file. This file may be found in /etc/postfix/sasl/, /var/lib/sasl2/, /etc/sasl2/, /usr/lib/sasl2/ or /usr/local/lib/sasl2/. \n \nIn this file, update the \"mech_list:\" entry and remove any methods other than PLAIN and LOGIN. For example, this configuration is not affected: \n \nmech_list: PLAIN LOGIN \n \nExecute the command \"postfix reload\" to make the change effective, then verify that the \"port 25\" and \"port 587\" services no longer announce other SASL mechanisms, as shown in the previous section. \n \n--- \n \n### Vendor Information\n\n727230\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Debian GNU/Linux Affected\n\nNotified: April 20, 2011 Updated: May 11, 2011 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://www.debian.org/security/2011/dsa-2233>\n\n### Mandriva S. A. Affected\n\nNotified: April 20, 2011 Updated: May 17, 2011 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * [http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:090](<http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:090>)\n\n### Red Hat, Inc. Affected\n\nNotified: April 20, 2011 Updated: May 11, 2011 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://bugzilla.redhat.com/show_bug.cgi?id=699035>\n\n### SUSE Linux Affected\n\nNotified: April 20, 2011 Updated: May 11, 2011 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Ubuntu Affected\n\nNotified: April 20, 2011 Updated: May 11, 2011 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://www.ubuntu.com/usn/usn-1131-1/>\n\n### Apple Inc. Unknown\n\nNotified: April 20, 2011 Updated: April 20, 2011 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### CentOS Unknown\n\nNotified: April 22, 2011 Updated: April 22, 2011 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### FreeBSD Project Unknown\n\nNotified: April 20, 2011 Updated: April 20, 2011 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Gentoo Linux Unknown\n\nNotified: April 20, 2011 Updated: April 20, 2011 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### NetBSD Unknown\n\nNotified: April 20, 2011 Updated: April 20, 2011 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### OpenBSD Unknown\n\nNotified: April 20, 2011 Updated: April 20, 2011 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Oracle Corporation Unknown\n\nNotified: April 20, 2011 Updated: April 20, 2011 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Slackware Linux Inc. Unknown\n\nNotified: April 20, 2011 Updated: April 20, 2011 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Symantec Unknown\n\nNotified: April 20, 2011 Updated: April 20, 2011 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\nView all 14 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.postfix.org/announcements/postfix-2.8.3.html>\n * <http://www.postfix.org/CVE-2011-1720.html>\n * <http://www.postfix.org/download.html>\n\n### Acknowledgements\n\nThanks to Thomas Jarosch of Intra2net AG for reporting this vulnerability.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2011-1720](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1720>) \n---|--- \n**Severity Metric:** | 1.87 \n**Date Public:** | 2011-05-09 \n**Date First Published:** | 2011-05-11 \n**Date Last Updated: ** | 2011-05-17 11:52 UTC \n**Document Revision: ** | 17 \n", "modified": "2011-05-17T11:52:00", "published": "2011-05-11T00:00:00", "id": "VU:727230", "href": "https://www.kb.cert.org/vuls/id/727230", "type": "cert", "title": "Postfix SMTP server Cyrus SASL support contains a memory corruption vulnerability", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-09T00:24:32", "bulletinFamily": "unix", "description": "Thomas Jarosch discovered that Postfix incorrectly handled authentication \nmechanisms other than PLAIN and LOGIN when the Cyrus SASL library is used. \nA remote attacker could use this to cause Postfix to crash, leading to a \ndenial of service, or possibly execute arbitrary code as the postfix user.", "modified": "2011-05-11T00:00:00", "published": "2011-05-11T00:00:00", "id": "USN-1131-1", "href": "https://ubuntu.com/security/notices/USN-1131-1", "title": "Postfix vulnerability", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nmap": [{"lastseen": "2019-05-30T17:05:57", "bulletinFamily": "scanner", "description": "Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720). This vulnerability can allow denial of service and possibly remote code execution. \n\nReference: \n\n * http://www.postfix.org/CVE-2011-1720.html\n\n## Script Arguments \n\n#### smtp.domain \n\nSee the documentation for the smtp library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap --script=smtp-vuln-cve2011-1720 --script-args='smtp.domain=<domain>' -pT:25,465,587 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 25/tcp open smtp\n | smtp-vuln-cve2011-1720:\n | VULNERABLE:\n | Postfix SMTP server Cyrus SASL Memory Corruption\n | State: VULNERABLE\n | IDs: CVE:CVE-2011-1720 BID:47778\n | Description:\n | The Postfix SMTP server is vulnerable to a memory corruption vulnerability\n | when the Cyrus SASL library is used with authentication mechanisms other\n | than PLAIN and LOGIN.\n | Disclosure date: 2011-05-08\n | Check results:\n | AUTH tests: CRAM-MD5 NTLM\n | Extra information:\n | Available AUTH MECHANISMS: CRAM-MD5 DIGEST-MD5 NTLM PLAIN LOGIN\n | References:\n | http://www.postfix.org/CVE-2011-1720.html\n | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1720\n |_ https://www.securityfocus.com/bid/47778\n\n## Requires \n\n * shortport\n * smtp\n * stdnse\n * string\n * stringaux\n * table\n * vulns\n\n* * *\n", "modified": "2019-04-02T16:51:36", "published": "2011-05-19T18:19:56", "id": "NMAP:SMTP-VULN-CVE2011-1720.NSE", "href": "https://nmap.org/nsedoc/scripts/smtp-vuln-cve2011-1720.html", "title": "smtp-vuln-cve2011-1720 NSE Script", "type": "nmap", "sourceData": "local shortport = require \"shortport\"\nlocal smtp = require \"smtp\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal stringaux = require \"stringaux\"\nlocal table = require \"table\"\nlocal vulns = require \"vulns\"\n\ndescription = [[\nChecks for a memory corruption in the Postfix SMTP server when it uses\nCyrus SASL library authentication mechanisms (CVE-2011-1720). This\nvulnerability can allow denial of service and possibly remote code\nexecution.\n\nReference:\n* http://www.postfix.org/CVE-2011-1720.html\n]]\n\n---\n-- @usage\n-- nmap --script=smtp-vuln-cve2011-1720 --script-args='smtp.domain=<domain>' -pT:25,465,587 <host>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 25/tcp open smtp\n-- | smtp-vuln-cve2011-1720:\n-- | VULNERABLE:\n-- | Postfix SMTP server Cyrus SASL Memory Corruption\n-- | State: VULNERABLE\n-- | IDs: CVE:CVE-2011-1720 BID:47778\n-- | Description:\n-- | The Postfix SMTP server is vulnerable to a memory corruption vulnerability\n-- | when the Cyrus SASL library is used with authentication mechanisms other\n-- | than PLAIN and LOGIN.\n-- | Disclosure date: 2011-05-08\n-- | Check results:\n-- | AUTH tests: CRAM-MD5 NTLM\n-- | Extra information:\n-- | Available AUTH MECHANISMS: CRAM-MD5 DIGEST-MD5 NTLM PLAIN LOGIN\n-- | References:\n-- | http://www.postfix.org/CVE-2011-1720.html\n-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1720\n-- |_ https://www.securityfocus.com/bid/47778\n\nauthor = \"Djalal Harouni\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"vuln\"}\n\n\nportrule = shortport.port_or_service({25, 465, 587},\n {\"smtp\", \"smtps\", \"submission\"})\n\nlocal AUTH_VULN = {\n -- AUTH MECHANISM\n -- killby: a table of mechanisms that can corrupt and\n -- overwrite the AUTH MECHANISM data structure.\n -- probe: max number of probes for each test\n [\"CRAM-MD5\"] = {\n killby = {[\"DIGEST-MD5\"] = {probe = 1}}\n },\n [\"DIGEST-MD5\"] = {\n killby = {}\n },\n [\"EXTERNAL\"] = {\n killby = {}\n },\n [\"GSSAPI\"] = {\n killby = {}\n },\n [\"KERBEROS_V4\"] = {\n killby = {}\n },\n [\"NTLM\"] = {\n killby = {[\"DIGEST-MD5\"] = {probe = 2}}\n },\n [\"OTP\"] = {\n killby = {}\n },\n [\"PASSDSS-3DES-1\"] = {\n killby = {}\n },\n [\"SRP\"] = {\n killby = {}\n },\n}\n\n-- parse and check the authentication mechanisms.\n-- This function will save the vulnerable auth mechanisms in\n-- the auth_mlist table, and returns all the available auth\n-- mechanisms as a string.\nlocal function chk_auth_mechanisms(ehlo_res, auth_mlist)\n local mlist = smtp.get_auth_mech(ehlo_res)\n\n if mlist then\n for _, mech in ipairs(mlist) do\n if AUTH_VULN[mech] then\n auth_mlist[mech] = mech\n end\n end\n return table.concat(mlist, \" \")\n end\n return \"\"\nend\n\n-- Close any remaining connection\nlocal function smtp_finish(socket, status, err)\n if socket then\n smtp.quit(socket)\n end\n return status, err\nend\n\n-- Tries to kill the smtpd server\n-- Returns true, true if the smtpd was killed\nlocal function kill_smtpd(socket, mech, mkill)\n local killed, ret = false\n local status, response = smtp.query(socket, \"AUTH\",\n string.format(\"%s\", mech))\n if not status then\n return status, response\n end\n\n status, ret = smtp.check_reply(\"AUTH\", response)\n if not status then\n return smtp_finish(socket, status, ret)\n end\n\n -- abort authentication\n smtp.query(socket, \"*\")\n\n status, response = smtp.query(socket, \"AUTH\",\n string.format(\"%s\", mkill))\n if status then\n -- abort the last AUTH command.\n status, response = smtp.query(socket, \"*\")\n end\n\n if not status then\n if string.match(response, \"connection closed\") then\n killed = true\n else\n return status, response\n end\n end\n\n return true, killed\nend\n\n-- Checks if the SMTP server is vulnerable to CVE-2011-1720\n-- Postfix Cyrus SASL authentication memory corruption\n-- http://www.postfix.org/CVE-2011-1720.html\nlocal function check_smtpd(smtp_opts)\n local socket, ret = smtp.connect(smtp_opts.host,\n smtp_opts.port,\n {ssl = false,\n recv_before = true,\n lines = 1})\n\n if not socket then\n return socket, ret\n end\n\n local status, response = smtp.ehlo(socket, smtp_opts.domain)\n if not status then\n return status, response\n end\n\n local starttls = false\n local auth_mech_list, auth_mech_str = {}, \"\"\n\n -- parse server response\n for _, line in pairs(stringaux.strsplit(\"\\r?\\n\", response)) do\n if not next(auth_mech_list) then\n auth_mech_str = chk_auth_mechanisms(line, auth_mech_list)\n end\n\n if not starttls then\n starttls = line:match(\"STARTTLS\")\n end\n end\n\n -- fallback to STARTTLS to get the auth mechanisms\n if not next(auth_mech_list) and smtp_opts.port.number ~= 25 and\n starttls then\n\n status, response = smtp.starttls(socket)\n if not status then\n return status, response\n end\n\n status, response = smtp.ehlo(socket, smtp_opts.domain)\n if not status then\n return status, response\n end\n\n for _, line in pairs(stringaux.strsplit(\"\\r?\\n\", response)) do\n if not next(auth_mech_list) then\n auth_mech_str = chk_auth_mechanisms(line, auth_mech_list)\n end\n end\n end\n\n local vuln = smtp_opts.vuln\n vuln.check_results = {}\n if (#auth_mech_str > 0) then\n vuln.extra_info = {}\n table.insert(vuln.extra_info,\n string.format(\"Available AUTH MECHANISMS: %s\", auth_mech_str))\n\n -- maybe vulnerable\n if next(auth_mech_list) then\n local auth_tests = {}\n\n for mech in pairs(auth_mech_list) do\n for mkill in pairs(AUTH_VULN[mech].killby) do\n\n if auth_mech_list[mkill] then\n auth_tests[#auth_tests+1] = mech\n\n local probe = AUTH_VULN[mech].killby[mkill].probe\n\n for p = 1, probe do\n status, ret = kill_smtpd(socket, mech, mkill)\n if not status then\n return smtp_finish(nil, status, ret)\n end\n\n if ret then\n vuln.state = vulns.STATE.VULN\n table.insert(vuln.check_results,\n string.format(\"AUTH tests: %s\", table.concat(auth_tests, \" \")))\n table.insert(vuln.check_results,\n string.format(\"VULNERABLE (%s => %s)\", mech, mkill))\n return smtp_finish(nil, true)\n end\n\n end\n\n end\n\n end\n end\n\n table.insert(vuln.check_results, string.format(\"AUTH tests: %s\",\n table.concat(auth_tests, \" \")))\n end\n else\n stdnse.debug2(\"Authentication is not available\")\n table.insert(vuln.check_results, \"Authentication is not available\")\n end\n\n vuln.state = vulns.STATE.NOT_VULN\n return smtp_finish(socket, true)\nend\n\naction = function(host, port)\n local smtp_opts = {\n host = host,\n port = port,\n domain = stdnse.get_script_args('smtp-vuln-cve2011-1720.domain') or\n smtp.get_domain(host),\n vuln = {\n title = 'Postfix SMTP server Cyrus SASL Memory Corruption',\n IDS = {CVE = 'CVE-2011-1720', BID = '47778'},\n description = [[\nThe Postfix SMTP server is vulnerable to a memory corruption vulnerability\nwhen the Cyrus SASL library is used with authentication mechanisms other\nthan PLAIN and LOGIN.]],\n references = {\n 'http://www.postfix.org/CVE-2011-1720.html',\n },\n dates = {\n disclosure = {year = '2011', month = '05', day = '08'},\n },\n },\n }\n\n local report = vulns.Report:new(SCRIPT_NAME, host, port)\n local status, err = check_smtpd(smtp_opts)\n if not status then\n stdnse.debug1(\"%s\", err)\n return nil\n end\n return report:make_output(smtp_opts.vuln)\nend\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:59", "bulletinFamily": "unix", "description": "\nThe Postfix SMTP server has a memory corruption error, when the\n\t Cyrus SASL library is used with authentication mechanisms other\n\t than PLAIN and LOGIN (ANONYMOUS is not affected, but should not\n\t be used for other reasons). This memory corruption is known to\n\t result in a program crash (SIGSEV).\n", "modified": "2011-05-09T00:00:00", "published": "2011-05-09T00:00:00", "id": "3EB2C100-738B-11E0-89F4-001E90D46635", "href": "https://vuxml.freebsd.org/freebsd/3eb2c100-738b-11e0-89f4-001e90d46635.html", "title": "Postfix -- memory corruption vulnerability", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:00", "bulletinFamily": "unix", "description": "\nWietse Venema has discovered a software flaw that allows\n\t an attacker to inject client commands into an SMTP session\n\t during the unprotected plaintext SMTP protocol phase, such\n\t that the server will execute those commands during the SMTP-\n\t over-TLS protocol phase when all communication is supposed\n\t to be protected.\n", "modified": "2011-03-07T00:00:00", "published": "2011-03-07T00:00:00", "id": "14A6F516-502F-11E0-B448-BBFA2731F9C7", "href": "https://vuxml.freebsd.org/freebsd/14a6f516-502f-11e0-b448-bbfa2731f9c7.html", "title": "postfix -- plaintext command injection with SMTP over TLS", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}