MDVSA-2011:090

Package name

postfix

Date

2011-05-17

Advisory ID

MDVSA-2011:090

Affected versions

2009.0 x86_64 , MES5 i586 , 2010.1 i586 , 2009.0 i586 , CS4.0 i586 , CS4.0 x86_64 , MES5 x86_64 , 2010.1 x86_64

Problem description

A vulnerability has been found and corrected in postfix:

The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10,
2.7.x before 2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL
authentication methods are enabled, does not create a new server handle
after client authentication fails, which allows remote attackers to
cause a denial of service (heap memory corruption and daemon crash)
or possibly execute arbitrary code via an invalid AUTH command
with one method followed by an AUTH command with a different method
(CVE-2011-1720).

Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.

Updated packages

2009.0 x86_64

 f83ba1b1f9db1a605fef6ac14ace9c11  2009.0/x86_64/lib64postfix1-2.5.5-4.3mdv2009.0.x86_64.rpm
 b34609798fe6ec9afbf7df1b404ebfd9  2009.0/x86_64/postfix-2.5.5-4.3mdv2009.0.x86_64.rpm
 aa2faee590701df2c52c0c0a397fd328  2009.0/x86_64/postfix-ldap-2.5.5-4.3mdv2009.0.x86_64.rpm
 cec328a0b6fa68067f7a9d0ac93754e4  2009.0/x86_64/postfix-mysql-2.5.5-4.3mdv2009.0.x86_64.rpm
 64934922bb7cbd1601f86b33d9ebb47c  2009.0/x86_64/postfix-pcre-2.5.5-4.3mdv2009.0.x86_64.rpm
 0f615e0db5b697f14cbb365fbf08e257  2009.0/x86_64/postfix-pgsql-2.5.5-4.3mdv2009.0.x86_64.rpm 
 4694f8539dc6c78b5883364643684771  2009.0/SRPMS/postfix-2.5.5-4.3mdv2009.0.src.rpm

MES5 i586

 11f008ad8c89ab4e640a3235649b64db  mes5/i586/libpostfix1-2.5.5-4.3mdvmes5.2.i586.rpm
 b6dee4eeaa6529d6c19e064073ca4bfd  mes5/i586/postfix-2.5.5-4.3mdvmes5.2.i586.rpm
 b629d951af5c059bec8b922f3d48de8b  mes5/i586/postfix-ldap-2.5.5-4.3mdvmes5.2.i586.rpm
 4e23142fa8be0fe036024b6721b86872  mes5/i586/postfix-mysql-2.5.5-4.3mdvmes5.2.i586.rpm
 e51571f2e700148d3bb75ee9236c66ba  mes5/i586/postfix-pcre-2.5.5-4.3mdvmes5.2.i586.rpm
 ccf639ecbcd748e41af6c18fcb83a138  mes5/i586/postfix-pgsql-2.5.5-4.3mdvmes5.2.i586.rpm 
 729ac6d22b6fd88f3aafa16695463e3b  mes5/SRPMS/postfix-2.5.5-4.3mdvmes5.2.src.rpm

2010.1 i586

 5d798d385bbef67b5a9f944656fe8fff  2010.1/i586/libpostfix1-2.7.0-4.2mdv2010.2.i586.rpm
 9145ded79bd413536a3cea86c9e71b9f  2010.1/i586/postfix-2.7.0-4.2mdv2010.2.i586.rpm
 b8dd8213dc4db210faf214cb4c456b2d  2010.1/i586/postfix-cdb-2.7.0-4.2mdv2010.2.i586.rpm
 92c28b8d45d4db5489b6e710959cacc3  2010.1/i586/postfix-ldap-2.7.0-4.2mdv2010.2.i586.rpm
 fe5368cbe79376d793145901804d1092  2010.1/i586/postfix-mysql-2.7.0-4.2mdv2010.2.i586.rpm
 b3e62b3f5a8515b93eb7b5536a52f5fe  2010.1/i586/postfix-pcre-2.7.0-4.2mdv2010.2.i586.rpm
 a7ad1ed4b0307ae6260da4c2b9d822e8  2010.1/i586/postfix-pgsql-2.7.0-4.2mdv2010.2.i586.rpm 
 4681d51e9652432cfebbfd1bf2adcdd6  2010.1/SRPMS/postfix-2.7.0-4.2mdv2010.2.src.rpm

2009.0 i586

 1326a3c6e48e45049fb8f024a92e9327  2009.0/i586/libpostfix1-2.5.5-4.3mdv2009.0.i586.rpm
 db9f9583fe600220a4c3b88e380405a5  2009.0/i586/postfix-2.5.5-4.3mdv2009.0.i586.rpm
 5b56b55f7bd99c75e63ace3f30563d96  2009.0/i586/postfix-ldap-2.5.5-4.3mdv2009.0.i586.rpm
 10427140a4a15a36830829f58b303f62  2009.0/i586/postfix-mysql-2.5.5-4.3mdv2009.0.i586.rpm
 98e66e07460821307d2f70dd4800c838  2009.0/i586/postfix-pcre-2.5.5-4.3mdv2009.0.i586.rpm
 aa53192429b7aed8d4289b51ec4cb09b  2009.0/i586/postfix-pgsql-2.5.5-4.3mdv2009.0.i586.rpm 
 4694f8539dc6c78b5883364643684771  2009.0/SRPMS/postfix-2.5.5-4.3mdv2009.0.src.rpm

CS4.0 i586

 c536b52f1378cb4a55971d82454d262b  corporate/4.0/i586/libpostfix1-2.3.5-0.5.20060mlcs4.i586.rpm
 02f8482473caae37dfae8cb968edaaa3  corporate/4.0/i586/postfix-2.3.5-0.5.20060mlcs4.i586.rpm
 39122dc26c31878a108cf72a87c12991  corporate/4.0/i586/postfix-ldap-2.3.5-0.5.20060mlcs4.i586.rpm
 d6fed1d55e5b2d2c90cb648cc22931e1  corporate/4.0/i586/postfix-mysql-2.3.5-0.5.20060mlcs4.i586.rpm
 23b476ccb4b5200b21d3dc7bcb1e6914  corporate/4.0/i586/postfix-pcre-2.3.5-0.5.20060mlcs4.i586.rpm
 8c8df6325509f7caa9268775a419c378  corporate/4.0/i586/postfix-pgsql-2.3.5-0.5.20060mlcs4.i586.rpm 
 e3379355ff572716b5b9bf2164df418d  corporate/4.0/SRPMS/postfix-2.3.5-0.5.20060mlcs4.src.rpm

CS4.0 x86_64

 7a1c56854f3030fcc78d34810764057c  corporate/4.0/x86_64/lib64postfix1-2.3.5-0.5.20060mlcs4.x86_64.rpm
 64d01272c055acc5268aa12ff0f8a10b  corporate/4.0/x86_64/postfix-2.3.5-0.5.20060mlcs4.x86_64.rpm
 00a4250ce0d4c56c85387dcca95fa19b  corporate/4.0/x86_64/postfix-ldap-2.3.5-0.5.20060mlcs4.x86_64.rpm
 04cca803fb70f5be040020d3d4681012  corporate/4.0/x86_64/postfix-mysql-2.3.5-0.5.20060mlcs4.x86_64.rpm
 ed0b8a4b2f760e276682f6f7cc95099d  corporate/4.0/x86_64/postfix-pcre-2.3.5-0.5.20060mlcs4.x86_64.rpm
 37c324de6183e06b7f60794067be77b2  corporate/4.0/x86_64/postfix-pgsql-2.3.5-0.5.20060mlcs4.x86_64.rpm 
 e3379355ff572716b5b9bf2164df418d  corporate/4.0/SRPMS/postfix-2.3.5-0.5.20060mlcs4.src.rpm

MES5 x86_64

 752c0e249967550d1caa6e81ec755baa  mes5/x86_64/lib64postfix1-2.5.5-4.3mdvmes5.2.x86_64.rpm
 46aa5ec4e7bf18bcac028599294445d4  mes5/x86_64/postfix-2.5.5-4.3mdvmes5.2.x86_64.rpm
 2f4cf634db305c1dda1a2ac278861ee8  mes5/x86_64/postfix-ldap-2.5.5-4.3mdvmes5.2.x86_64.rpm
 959b62c6e4d198768d29bfc92540859e  mes5/x86_64/postfix-mysql-2.5.5-4.3mdvmes5.2.x86_64.rpm
 9e80f154a3a83c1c1585bb70c1657332  mes5/x86_64/postfix-pcre-2.5.5-4.3mdvmes5.2.x86_64.rpm
 738de86208f0979e091c24352ca4d818  mes5/x86_64/postfix-pgsql-2.5.5-4.3mdvmes5.2.x86_64.rpm 
 729ac6d22b6fd88f3aafa16695463e3b  mes5/SRPMS/postfix-2.5.5-4.3mdvmes5.2.src.rpm

2010.1 x86_64

 f42fbb3f8144f31f2eba7eabbe6d8ad5  2010.1/x86_64/lib64postfix1-2.7.0-4.2mdv2010.2.x86_64.rpm
 7c92c86b7b4f975541e3f68afb2e2cf9  2010.1/x86_64/postfix-2.7.0-4.2mdv2010.2.x86_64.rpm
 73a46012559559677e38508107c2f21a  2010.1/x86_64/postfix-cdb-2.7.0-4.2mdv2010.2.x86_64.rpm
 f1f12686d4f173f586d7d12014c34cbd  2010.1/x86_64/postfix-ldap-2.7.0-4.2mdv2010.2.x86_64.rpm
 5e56411242773b0253f94cedc9feff42  2010.1/x86_64/postfix-mysql-2.7.0-4.2mdv2010.2.x86_64.rpm
 8d23a994589f508b4e602d8038d217cf  2010.1/x86_64/postfix-pcre-2.7.0-4.2mdv2010.2.x86_64.rpm
 17b5cb9a10eeb4159d4d490e949bb425  2010.1/x86_64/postfix-pgsql-2.7.0-4.2mdv2010.2.x86_64.rpm 
 4681d51e9652432cfebbfd1bf2adcdd6  2010.1/SRPMS/postfix-2.7.0-4.2mdv2010.2.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1720