(RHSA-2011:0843) Moderate: postfix security update

2011-05-3100:00:00

access.redhat.com

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.887 High

EPSS

Percentile

98.4%

JSON

Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),
and TLS.

A heap-based buffer over-read flaw was found in the way Postfix performed
SASL handlers management for SMTP sessions, when Cyrus SASL authentication
was enabled. A remote attacker could use this flaw to cause the Postfix
smtpd server to crash via a specially-crafted SASL authentication request.
The smtpd process was automatically restarted by the postfix master process
after the time configured with service_throttle_time elapsed.
(CVE-2011-1720)

Note: Cyrus SASL authentication for Postfix is not enabled by default.

Red Hat would like to thank the CERT/CC for reporting this issue. Upstream
acknowledges Thomas Jarosch of Intra2net AG as the original reporter.

Users of Postfix are advised to upgrade to these updated packages, which
contain a backported patch to resolve this issue. After installing this
update, the postfix service will be restarted automatically.

OSVersionArchitecturePackageVersionFilename
RedHat5ppcpostfix< 2.3.3-2.3.el5_6postfix-2.3.3-2.3.el5_6.ppc.rpm
RedHat6i686postfix-debuginfo< 2.6.6-2.2.el6_1postfix-debuginfo-2.6.6-2.2.el6_1.i686.rpm
RedHat6s390xpostfix-debuginfo< 2.6.6-2.2.el6_1postfix-debuginfo-2.6.6-2.2.el6_1.s390x.rpm
RedHat4ia64postfix-pflogsumm< 2.2.10-1.5.el4postfix-pflogsumm-2.2.10-1.5.el4.ia64.rpm
RedHat4s390postfix-pflogsumm< 2.2.10-1.5.el4postfix-pflogsumm-2.2.10-1.5.el4.s390.rpm
RedHat6ppc64postfix-perl-scripts< 2.6.6-2.2.el6_1postfix-perl-scripts-2.6.6-2.2.el6_1.ppc64.rpm
RedHat4ppcpostfix< 2.2.10-1.5.el4postfix-2.2.10-1.5.el4.ppc.rpm
RedHat5i386postfix< 2.3.3-2.3.el5_6postfix-2.3.3-2.3.el5_6.i386.rpm
RedHat4ppcpostfix-pflogsumm< 2.2.10-1.5.el4postfix-pflogsumm-2.2.10-1.5.el4.ppc.rpm
RedHat6x86_64postfix-perl-scripts< 2.6.6-2.2.el6_1postfix-perl-scripts-2.6.6-2.2.el6_1.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	5	ppc	postfix	< 2.3.3-2.3.el5_6	postfix-2.3.3-2.3.el5_6.ppc.rpm
RedHat	6	i686	postfix-debuginfo	< 2.6.6-2.2.el6_1	postfix-debuginfo-2.6.6-2.2.el6_1.i686.rpm
RedHat	6	s390x	postfix-debuginfo	< 2.6.6-2.2.el6_1	postfix-debuginfo-2.6.6-2.2.el6_1.s390x.rpm
RedHat	4	ia64	postfix-pflogsumm	< 2.2.10-1.5.el4	postfix-pflogsumm-2.2.10-1.5.el4.ia64.rpm
RedHat	4	s390	postfix-pflogsumm	< 2.2.10-1.5.el4	postfix-pflogsumm-2.2.10-1.5.el4.s390.rpm
RedHat	6	ppc64	postfix-perl-scripts	< 2.6.6-2.2.el6_1	postfix-perl-scripts-2.6.6-2.2.el6_1.ppc64.rpm
RedHat	4	ppc	postfix	< 2.2.10-1.5.el4	postfix-2.2.10-1.5.el4.ppc.rpm
RedHat	5	i386	postfix	< 2.3.3-2.3.el5_6	postfix-2.3.3-2.3.el5_6.i386.rpm
RedHat	4	ppc	postfix-pflogsumm	< 2.2.10-1.5.el4	postfix-pflogsumm-2.2.10-1.5.el4.ppc.rpm
RedHat	6	x86_64	postfix-perl-scripts	< 2.6.6-2.2.el6_1	postfix-perl-scripts-2.6.6-2.2.el6_1.x86_64.rpm