Apple Computer Inc. Not Affected

Updated:  August 11, 2003

Status

Not Affected

Vendor Statement

For both Postfix issues: VU#895508 and VU#697508, our Vendor Statement is "Not Vulnerable".

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Conectiva Affected

Updated:  August 08, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CONECTIVA LINUX SECURITY ANNOUNCEMENT PACKAGE : postfix SUMMARY : Remote denial of service vulnerability DATE : 2003-08-04 17:30:00 ID : CLA-2003:717 RELEVANT RELEASES : 7.0, 8 DESCRIPTION Postfix[1] is a widely used MTA (Mail Transport Agent, sometimes called just an email or SMTP server). This update for Conectiva Linux 7.0 and 8 fixes two vulnerabilities in Postfix reported[4] by Michal Zalewski: 1. Postfix used as a bounce scanner (CAN-2003-0468)[2] By using specially created recipients, it is possible to make Postfix attempt to establish SMTP sessions with arbitrary hosts on arbitrary ports. This could be used to identify open TCP ports on remote machines or to just generate traffic. 2. Remote denial of service (CAN-2003-0540)[3] A malformed address can be used to cause a denial of service condition in two ways: - by locking up the queue manager: the offending message has to be manually removed from the queue in order to restore the service; - by locking up the smtpd listener: when supplied with the malformed address, the listener process will stop responding. Multiple attacks in parallel will hang many smtpd processes, leading to a denial of service. In order to be vulnerable to this issue, the "append_dot_mydomain" paramater would have to be changed from the default value of "on" to "off". Conectiva Linux 9 is not vulnerable to any of these issues since it ships with Postfix 2.0.x. SOLUTION All postfix users should upgrade their packages. The service will be automatically restarted after the upgrade if it was already running. REFERENCES 1.http://www.postfix.org/ 2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0468 3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0540 4.http://www.securityfocus.com/archive/1/331713/2003-08-01/2003-08-07/0 UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/postfix-1.1.13-1U70_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/postfix-1.1.13-1U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/postfix-doc-1.1.13-1U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/postfix-1.1.13-1U80_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/postfix-1.1.13-1U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/postfix-doc-1.1.13-1U80_1cl.i386.rpm ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en Copyright (c) 2003 Conectiva Inc. http://www.conectiva.com subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE/LsuP42jd0JmAcZARAkSUAKCivRAFCAKjTgB6PgvM39MNhNkgxQCfRKSP jPU9/qm3+LBktPbk8OYk3Jg= =19Fy -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Affected

Updated:  August 18, 2003

Status

Affected

Vendor Statement

Both of these vulnerabilities were fixed in DSA-363-1.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Engarde Affected

Updated:  August 08, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 | Guardian Digital Security Advisory August 04, 2003 | | http://www.guardiandigital.com ESA-20030804-019 | | Package: postfix | | Summary: Remote denial-of-service. EnGarde Secure Linux is an enterprise class Linux platform engineered to enable corporations to quickly and cost-effectively build a complete and secure Internet presence while preventing Internet threats. OVERVIEW Michal Zalewski has discovered a vulnerability in the Postfix MTA which could lead to a remote DoS attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0540 to this issue. Guardian Digital products affected by this issue include: EnGarde Secure Community v1.0.1 EnGarde Secure Community 2 EnGarde Secure Professional v1.1 EnGarde Secure Professional v1.2 EnGarde Secure Professional v1.5 It is recommended that all users apply this update as soon as possible. SOLUTION Guardian Digital Secure Network subscribers may automatically update affected systems by accessing their account from within the Guardian Digital WebTool. To modify your GDSN account and contact preferences, please go to: https://www.guardiandigital.com/account/ Below are MD5 sums for the updated EnGarde Secure Linux 1.0.1 packages: SRPMS/postfix-20001121-1.0.21.src.rpm MD5 Sum: d595e164f2e48766043486fbc71c32b8 i386/postfix-20001121-1.0.21.i386.rpm MD5 Sum: 4402f4bb441d30c9c631a97ad843700e i686/postfix-20001121-1.0.21.i686.rpm MD5 Sum: 2750ae2169625dba290e80c13009f258 REFERENCES Guardian Digital's public key: http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY Postfix's Official Web Site: http://www.postfix.org/ Guardian Digital Advisories: http://infocenter.guardiandigital.com/advisories/ Security Contact: security@guardiandigital.com Author: Ryan W. Maple Copyright 2003, Guardian Digital, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/Lq7RHD5cqd57fu0RAlOsAJ9k3DyYqp800B2hqsBfQHiKSaOhmQCglIM0 +k8quMhreGMKixrD8WeF8yM= =78Il -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

F5 Networks Not Affected

Updated:  August 08, 2003

Status

Not Affected

Vendor Statement

The F5 Products, BIG-IP and 3-DNS are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu Not Affected

Updated:  August 18, 2003

Status

Not Affected

Vendor Statement

Fujitsu's UXP/V o.s. is not affected by the problem in VU#895508 & VU#697508 because it does not support the postfix.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Not Affected

Updated:  August 08, 2003

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lotus Software Not Affected

Updated:  August 08, 2003

Status

Not Affected

Vendor Statement

Lotus products are not vulnerable. We do not ship Postfix.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall GNU/*/Linux Not Affected

Updated:  August 13, 2003

Status

Not Affected

Vendor Statement

The version of Postfix included in Openwall GNU/*/Linux is not vulnerable to this DoS attack in its default configuration. We will fully address this issue with the next scheduled update of our Postfix package."

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Red Hat Inc. Affected

Updated:  August 08, 2003

Status

Affected

Vendor Statement

Red Hat Linux 7.3, 8.0, and 9 ship with a Postfix package vulnerable to these issues. Updated Postfix packages are available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool. https://rhn.redhat.com/errata/RHSA-2003-251.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SuSE Inc. Affected

Updated:  August 08, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- SuSE Security Announcement Package: postfix Announcement-ID: SuSE-SA:2003:033 Date: Mon Aug 4 13:30:00 MEST 2003 Affected products: 7.2, 7.3, 8.0, 8.1 SuSE Linux Database Server SuSE eMail Server III, 3.1 SuSE Linux Enterprise Server 7, 8 SuSE Linux Connectivity Server SuSE Linux Office Server SuSE Linux Openexchange Server UnitedLinux 1.0 SuSE Linux Desktop 1.0 Vulnerability Type: remote Denial of Service (DoS) attack Severity (1-10): 4 SuSE default package: Since SuSE Linux 8.1. Cross References: CAN-2003-0468 CAN-2003-0540 Content of this advisory: 1) security vulnerability resolved: remote DoS in postfix problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds: - kernel 3) standard appendix (further information) 1) problem description, brief discussion, solution, upgrade information Postfix is a flexible MTA replacement for sendmail. Michal Zalewski has reported problems in postfix which can lead to a remote DoS attack or allow attackers to bounce-scan private networks. These problems have been fixed. Even though not all of our products are vulnerable in their default configurations, the updates should be applied. In order for the update to take effect, you have to restart your MTA by issuing the following command as root: "/sbin/rcpostfix restart" Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. i386 Intel Platform: SuSE-8.1: ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/postfix-1.1.12-12.i586.rpm 4b3b65905911440051f869b3e95c2c66 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/postfix-1.1.12-12.i586.patch.rpm e73917624b5adfdbe113909135a50a42 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/postfix-1.1.12-12.src.rpm 0e5bcc6c3cd95f09c423cf00aac0c303 SuSE-8.0: ftp://ftp.suse.com/pub/suse/i386/update/8.0/n4/postfix-1.1.12-13.i386.rpm e0090e0ed051a532a62d787b020ac580 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.0/n4/postfix-1.1.12-13.i386.patch.rpm 8c156ca92ad4be83588041192efe5b60 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/postfix-1.1.12-13.src.rpm f9389f00de109cea2f0b3b6c27f5a515 SuSE-7.3: ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/postfix-20010228pl08-22.i386.rpm 1f4d3af8d10850096bc0260567caa334 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/postfix-20010228pl08-22.src.rpm 0ccc29a957609b3aeb2c12f3cc85284d SuSE-7.2: ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/postfix-20010228pl03-82.i386.rpm 444f983a8c8f0d18621a1e8b4c3dd260 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/postfix-20010228pl03-82.src.rpm 6d479bd0ed90bc7dc59a4201327ffc05 Sparc Platform: SuSE-7.3: ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/postfix-20010228pl08-15.sparc.rpm 83eb074dbcedae2c9947006b4c0411d2 source rpm(s): ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/postfix-20010228pl08-15.src.rpm ec7ae58e31fd2ec63ccd881454372307 PPC Power PC Platform: SuSE-7.3: ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/postfix-20010228pl08-36.ppc.rpm f7b331c15b7bf705274afe2665e9e187 source rpm(s): ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/postfix-20010228pl08-36.src.rpm f2e5aa58e24599777a95dce715c3bcad 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - kernel Various bugs inside the kernel have been reported recently. The most important ones are - NFSv3 remote DoS - netfilter DoS - /proc infoleak - race condition in the ELF loader These bugs are fixed. The new kernel packages will be approved as soon as the testing is finished. 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig to verify the signature of the package, where is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SuSE runs two security mailing lists to which any interested party may subscribe: suse-security@suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to . suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list. To subscribe, send an email to . For general information or the frequently asked questions (faq) send mail to: or respectively. SuSE's security contact is or . The public key is listed below. The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text. SuSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iQEVAwUBPy5NNney5gA9JdPZAQGNTwf/ThT8WIpdODuOOS3Ppz7giCzglbLEEinr 3A87mrnRdzumggoPuuXU6yMRTugBdcpBihfS/kHzoHjhx1g0PA3qi3Rer4RaqyDn Kc+LMrX2/u8XtClXfkMuJinZ6YXE9p1Z6xeRkgOgZnlWtlIegZMXlIPcnTFa4jeC c2sgFIHUoeSoTQLtML6xILqpmh2fpGlQSxuuMGfNMChV4s+Khz99vKSnCe9uuFqX HmtzqRzl3CdSMWMWGPpGq+ZlE5KmwC9MYZS1SPKoTs/9CIoj14Yxk3EMW4xVZ/aa xuEBCimOhqinUuIpVKkQinfpvBDU1FFR9CwUBBJNn5JbVtI25/5sZw== =znPh -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Trusix Affected

Updated:  August 08, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Trustix Secure Linux Security Advisory #2003-0029 Package name: postfix Summary: Denial of service Date: 2003-08-04 Affected versions: TSL 1.2, 1.5 Package description: Postfix is an alternative to the sendmail mailer daemon. Postfix attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Problem description: From the Postfix 1.1.13 release notes: This patch fixes a denial of service condition in the Postfix smtpd, qmgr, and other programs that use the trivial-rewrite service. The problem is triggered when an invalid address resolves to an impossible result. This causes the affected programs to reject the result and to retry the trivial-rewrite request indefinitely. Action: We recommend that all systems with this package installed be upgraded. Location: All TSL updates are available from About Trustix Secure Linux: Trustix Secure Linux is a small Linux distribution for servers. With focus on security and stability, the system is painlessly kept safe and up to date from day one using swup, the automated software updater. Automatic updates: Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'. Users of TSL 1.2 can get SWUP from: (In later versions of TSL, SWUP is included in the default installation.) Public testing: These packages have been available for public testing for some time. If you want to contribute by testing the various packages in the testing tree, please feel free to share your findings on the tsl-discuss mailinglist. The testing tree is located at Questions? Check out our mailing lists: Verification: This advisory along with all TSL packages are signed with the TSL sign key. This key is available from: The advisory itself is available from the errata pages at , and or directly at MD5sums of the packages: 26387f7f959eacb1620f42cbace8e162 ./1.2/SRPMS/postfix-19991231_pl13-4tr.src.rpm 1f87c828b670cc05edac720cdbc12959 ./1.2/RPMS/postfix-19991231_pl13-4tr.i586.rpm 98beb1be7bb4ccff74be305535fad7b7 ./1.5/RPMS/postfix-0.0.20010228.pl08-4tr.i586.rpm 7ace98a742facf4dfaeea8f7dcfd18c5 ./1.5/SRPMS/postfix-0.0.20010228.pl08-4tr.src.rpm Trustix Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/MjftwRTcg4BxxS0RAvwZAJ9PLVQHsNMSteq1/2x0Zm3zq/sMhwCfQU2S BdJzXDV9UVVXgqclGceJeNM= =JJRt -----END PGP SIGNATURE----- tsl-announce mailing list tsl-announce@trustix.org http://www.trustix.org/mailman/listinfo/tsl-announce

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

View all 12 vendors View less vendors