Updated: August 11, 2003
Not Affected
For both Postfix issues: VU#895508 and VU#697508, our Vendor Statement is "Not Vulnerable".
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: August 08, 2003
Affected
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CONECTIVA LINUX SECURITY ANNOUNCEMENT PACKAGE : postfix SUMMARY : Remote denial of service vulnerability DATE : 2003-08-04 17:30:00 ID : CLA-2003:717 RELEVANT RELEASES : 7.0, 8 DESCRIPTION Postfix[1] is a widely used MTA (Mail Transport Agent, sometimes called just an email or SMTP server). This update for Conectiva Linux 7.0 and 8 fixes two vulnerabilities in Postfix reported[4] by Michal Zalewski: 1. Postfix used as a bounce scanner (CAN-2003-0468)[2] By using specially created recipients, it is possible to make Postfix attempt to establish SMTP sessions with arbitrary hosts on arbitrary ports. This could be used to identify open TCP ports on remote machines or to just generate traffic. 2. Remote denial of service (CAN-2003-0540)[3] A malformed address can be used to cause a denial of service condition in two ways: - by locking up the queue manager: the offending message has to be manually removed from the queue in order to restore the service; - by locking up the smtpd listener: when supplied with the malformed address, the listener process will stop responding. Multiple attacks in parallel will hang many smtpd processes, leading to a denial of service. In order to be vulnerable to this issue, the "append_dot_mydomain" paramater would have to be changed from the default value of "on" to "off". Conectiva Linux 9 is not vulnerable to any of these issues since it ships with Postfix 2.0.x. SOLUTION All postfix users should upgrade their packages. The service will be automatically restarted after the upgrade if it was already running. REFERENCES 1.http://www.postfix.org/ 2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0468 3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0540 4.http://www.securityfocus.com/archive/1/331713/2003-08-01/2003-08-07/0 UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/postfix-1.1.13-1U70_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/postfix-1.1.13-1U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/postfix-doc-1.1.13-1U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/postfix-1.1.13-1U80_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/postfix-1.1.13-1U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/postfix-doc-1.1.13-1U80_1cl.i386.rpm ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en Copyright (c) 2003 Conectiva Inc. http://www.conectiva.com subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE/LsuP42jd0JmAcZARAkSUAKCivRAFCAKjTgB6PgvM39MNhNkgxQCfRKSP jPU9/qm3+LBktPbk8OYk3Jg= =19Fy -----END PGP SIGNATURE-----
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: August 18, 2003
Affected
Both of these vulnerabilities were fixed in DSA-363-1.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: August 08, 2003
Affected
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 | Guardian Digital Security Advisory August 04, 2003 |
| http://www.guardiandigital.com ESA-20030804-019 | | Package: postfix |
| Summary: Remote denial-of-service. EnGarde Secure Linux is an enterprise class Linux platform engineered
to enable corporations to quickly and cost-effectively build a complete
and secure Internet presence while preventing Internet threats. OVERVIEW Michal Zalewski has discovered a vulnerability in the Postfix MTA which
could lead to a remote DoS attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0540 to this issue. Guardian Digital products affected by this issue include: EnGarde Secure Community v1.0.1
EnGarde Secure Community 2
EnGarde Secure Professional v1.1
EnGarde Secure Professional v1.2
EnGarde Secure Professional v1.5 It is recommended that all users apply this update as soon as possible. SOLUTION Guardian Digital Secure Network subscribers may automatically update
affected systems by accessing their account from within the Guardian
Digital WebTool. To modify your GDSN account and contact preferences, please go to: https://www.guardiandigital.com/account/ Below are MD5 sums for the updated EnGarde Secure Linux 1.0.1 packages: SRPMS/postfix-20001121-1.0.21.src.rpm
MD5 Sum: d595e164f2e48766043486fbc71c32b8 i386/postfix-20001121-1.0.21.i386.rpm
MD5 Sum: 4402f4bb441d30c9c631a97ad843700e i686/postfix-20001121-1.0.21.i686.rpm
MD5 Sum: 2750ae2169625dba290e80c13009f258 REFERENCES Guardian Digital's public key: http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY Postfix's Official Web Site: http://www.postfix.org/ Guardian Digital Advisories: http://infocenter.guardiandigital.com/advisories/ Security Contact: security@guardiandigital.com Author: Ryan W. Maple
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: August 08, 2003
Not Affected
The F5 Products, BIG-IP and 3-DNS are not vulnerable.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: August 18, 2003
Not Affected
Fujitsu's UXP/V o.s. is not affected by the problem in VU#895508 & VU#697508 because it does not support the postfix.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: August 08, 2003
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: August 08, 2003
Not Affected
Lotus products are not vulnerable. We do not ship Postfix.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: August 13, 2003
Not Affected
The version of Postfix included in Openwall GNU/*/Linux is not vulnerable to this DoS attack in its default configuration. We will fully address this issue with the next scheduled update of our Postfix package."
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: August 08, 2003
Affected
Red Hat Linux 7.3, 8.0, and 9 ship with a Postfix package vulnerable to these issues. Updated Postfix packages are available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool. https://rhn.redhat.com/errata/RHSA-2003-251.html
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: August 08, 2003
Affected
-----BEGIN PGP SIGNED MESSAGE----- SuSE Security Announcement Package: postfix
Announcement-ID: SuSE-SA:2003:033
Date: Mon Aug 4 13:30:00 MEST 2003
Affected products: 7.2, 7.3, 8.0, 8.1
SuSE Linux Database Server
SuSE eMail Server III, 3.1
SuSE Linux Enterprise Server 7, 8
SuSE Linux Connectivity Server
SuSE Linux Office Server
SuSE Linux Openexchange Server
UnitedLinux 1.0
SuSE Linux Desktop 1.0
Vulnerability Type: remote Denial of Service (DoS) attack
Severity (1-10): 4
SuSE default package: Since SuSE Linux 8.1. Cross References: CAN-2003-0468
CAN-2003-0540 Content of this advisory: 1) security vulnerability resolved: remote DoS in postfix
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds: - kernel
3) standard appendix (further information) 1) problem description, brief discussion, solution, upgrade information Postfix is a flexible MTA replacement for sendmail. Michal Zalewski has reported problems in postfix which can lead to
a remote DoS attack or allow attackers to bounce-scan private networks. These problems have been fixed. Even though not all of our products are
vulnerable in their default configurations, the updates should be applied. In order for the update to take effect, you have to restart your MTA
by issuing the following command as root: "/sbin/rcpostfix restart" Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update. Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web. i386 Intel Platform: SuSE-8.1: ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/postfix-1.1.12-12.i586.rpm
4b3b65905911440051f869b3e95c2c66
patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/postfix-1.1.12-12.i586.patch.rpm
e73917624b5adfdbe113909135a50a42
source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/postfix-1.1.12-12.src.rpm
0e5bcc6c3cd95f09c423cf00aac0c303 SuSE-8.0: ftp://ftp.suse.com/pub/suse/i386/update/8.0/n4/postfix-1.1.12-13.i386.rpm
e0090e0ed051a532a62d787b020ac580
patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.0/n4/postfix-1.1.12-13.i386.patch.rpm
8c156ca92ad4be83588041192efe5b60
source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/postfix-1.1.12-13.src.rpm
f9389f00de109cea2f0b3b6c27f5a515 SuSE-7.3: ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/postfix-20010228pl08-22.i386.rpm
1f4d3af8d10850096bc0260567caa334
source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/postfix-20010228pl08-22.src.rpm
0ccc29a957609b3aeb2c12f3cc85284d SuSE-7.2: ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/postfix-20010228pl03-82.i386.rpm
444f983a8c8f0d18621a1e8b4c3dd260
source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/postfix-20010228pl03-82.src.rpm
6d479bd0ed90bc7dc59a4201327ffc05 Sparc Platform: SuSE-7.3: ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/postfix-20010228pl08-15.sparc.rpm
83eb074dbcedae2c9947006b4c0411d2
source rpm(s): ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/postfix-20010228pl08-15.src.rpm
ec7ae58e31fd2ec63ccd881454372307 PPC Power PC Platform: SuSE-7.3: ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/postfix-20010228pl08-36.ppc.rpm
f7b331c15b7bf705274afe2665e9e187
source rpm(s): ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/postfix-20010228pl08-36.src.rpm
f2e5aa58e24599777a95dce715c3bcad 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - kernel
Various bugs inside the kernel have been reported recently. The most
important ones are
- NFSv3 remote DoS
- netfilter DoS
- /proc infoleak
- race condition in the ELF loader
These bugs are fixed. The new kernel packages will be approved as soon as
the testing is finished. 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command
md5sum
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: August 08, 2003
Affected
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 Trustix Secure Linux Security Advisory #2003-0029 Package name: postfix
Summary: Denial of service
Date: 2003-08-04
Affected versions: TSL 1.2, 1.5 Package description: Postfix is an alternative to the sendmail mailer daemon. Postfix attempts
to be fast, easy to administer, and secure, while at the same time being
sendmail compatible enough to not upset existing users. Problem description: From the Postfix 1.1.13 release notes: This patch fixes a denial of service condition in the Postfix smtpd,
qmgr, and other programs that use the trivial-rewrite service. The problem is triggered when an invalid address resolves to an
impossible result. This causes the affected programs to reject the
result and to retry the trivial-rewrite request indefinitely. Action: We recommend that all systems with this package installed be upgraded. Location: All TSL updates are available from
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.