GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Fri Sep 19, 2008 8:26 pm Post subject: [ GLSA 200809-09 ] Postfix: Denial of Service |
 |
|
Gentoo Linux Security Advisory
Title: Postfix: Denial of Service (GLSA 200809-09)
Severity: normal
Exploitable: local
Date: September 19, 2008
Bug(s): #236453
ID: 200809-09
Synopsis
A memory leak in Postfix might allow local users to cause a Denial of Service.
Background
Postfix is Wietse Venema's mailer that attempts to be fast, easy to administer, and secure, as an alternative to the widely-used Sendmail program.
Affected Packages
Package: mail-mta/postfix
Vulnerable: < 2.4.9
Vulnerable: < 2.5.5
Unaffected: >= 2.4.9
Unaffected: >= 2.5.5
Architectures: All supported architectures
Description
It has been discovered than Postfix leaks an epoll file descriptor when executing external commands, e.g. user-controlled $HOME/.forward or $HOME/.procmailrc files. NOTE: This vulnerability only concerns Postfix instances running on Linux 2.6 kernels.
Impact
A local attacker could exploit this vulnerability to reduce the performance of Postfix, and possibly trigger an assertion, resulting in a Denial of Service.
Workaround
Allow only trusted users to control delivery to non-Postfix commands.
Resolution
All Postfix 2.4 users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.4.9" |
All Postfix 2.5 users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.5.5" |
References
CVE-2008-3889 |
|
News & Announcements
