Package name
Advisory ID
Affected versions
CS2.1 x86_64, CS2.1 i586, 8.2 i586, 9.0 i586, MNF8.2 i586, 8.2 i586

Problem description

Two vulnerabilities were discovered in the Postfix MTA by Michal Zalewski. Versions prior to 1.1.12 allow an attacker to bounce-scan private networks, or to use the daemon as a DDoS (Distributed Denial of Service) tool, by forcing the daemon to connect to an arbitrary service at an arbitrary IP address and then observing the result either through a bounce message or through timing. In addition, versions prior to 1.1.12 have a bug where a malformed envelope address can cause the queue manager to lock up until an entry is removed from the queue, and can also lock up the SMTP listener, leading to a DoS. Postfix version 1.1.13 corrects these issues. The provided packages have been patched to fix the vulnerabilities.

Updated packages

CS2.1 x86_64

92a11a97498d15b49800691daccfde79  x86_64/corporate/2.1/RPMS/postfix-1.1.13-1.2mdk.x86_64.rpm
6f340161b82d806f11b9cad2acc36041  x86_64/corporate/2.1/SRPMS/postfix-1.1.13-1.2mdk.src.rpm

CS2.1 i586

2aad99a13d54ad1639f838b72c541c5c  corporate/2.1/RPMS/postfix-1.1.13-1.1mdk.i586.rpm
435cada8d84f410e4991d8563e6d42a6  corporate/2.1/SRPMS/postfix-1.1.13-1.1mdk.src.rpm

8.2 i586

3d78e8d0a5c6d841697c055112fa3cc0  8.2/RPMS/postfix-20010228-20.1mdk.i586.rpm
d06d059baad0ab14b09c7612f94c7296  8.2/SRPMS/postfix-20010228-20.1mdk.src.rpm

9.0 i586

2aad99a13d54ad1639f838b72c541c5c  9.0/RPMS/postfix-1.1.13-1.1mdk.i586.rpm
435cada8d84f410e4991d8563e6d42a6  9.0/SRPMS/postfix-1.1.13-1.1mdk.src.rpm

MNF8.2 i586

3d78e8d0a5c6d841697c055112fa3cc0  mnf8.2/RPMS/postfix-20010228-20.1mdk.i586.rpm
d06d059baad0ab14b09c7612f94c7296  mnf8.2/SRPMS/postfix-20010228-20.1mdk.src.rpm

8.2 i586

56162355881b39128f60f94e2992edbb  ppc/8.2/RPMS/postfix-20010228-20.1mdk.ppc.rpm
d06d059baad0ab14b09c7612f94c7296  ppc/8.2/SRPMS/postfix-20010228-20.1mdk.src.rpm