Debian Bug report logs -
#617849
postfix STARTTLS affected by CVE-2011-0411
Reported by: Branko Majic <branko@majic.rs>
Date: Fri, 11 Mar 2011 20:18:01 UTC
Severity: normal
Tags: lenny, patch, security, squeeze
Found in version postfix/2.5.5-1.1
Fixed in versions postfix/2.7.1-1+squeeze1, 2.8.0-1
Done: Raphael Geissert <geissert@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#617849; Package postfix.
(Fri, 11 Mar 2011 20:18:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Branko Majic <branko@majic.rs>:
New Bug report received and forwarded. Copy sent to LaMont Jones <lamont@debian.org>.
(Fri, 11 Mar 2011 20:18:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: postfix
Version: 2.5.5-1.1
Severity: normal
Tags: patch
Wietse Venema has discovered a bypass of STARTTLS command issued by client on
the server side. The full description, together with example on how to exploit
the issue and test if the actual SMTP implementation suffers from this problem
can be found at:
http://www.postfix.org/CVE-2011-0411.html
A new release has been made by Wietse Venema with security patches applied to
correct this issue. These can be obtaind from:
http://postfix.it-austria.net/releases/index.html
The issue affects versions of Postfix prior to 2.8 (which includes the current
oldstable - Lenny, and current stable - Squeeze).
I've also confirmed the issue on my own mail servers by compiling the patched
version of OpenSSL and running it against my own server (as described by
Wietse Venema).
-- System Information:
Debian Release: 5.0.8
APT prefers oldstable
APT policy: (500, 'oldstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-xen-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages postfix depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf- 1.5.24 Debian configuration management sy
ii dpkg 1.14.31 Debian package management system
ii libc6 2.7-18lenny7 GNU C Library: Shared libraries
ii libdb4.6 4.6.21-11 Berkeley v4.6 Database Libraries [
ii libsasl2-2 2.1.22.dfsg1-23+lenny1 Cyrus SASL - authentication abstra
ii libssl0.9.8 0.9.8g-15+lenny11 SSL shared libraries
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii netbase 4.34 Basic TCP/IP networking system
ii ssl-cert 1.0.23 simple debconf wrapper for OpenSSL
postfix recommends no packages.
Versions of packages postfix suggests:
ii emacs22-nox [mail-reader] 22.2+2-5 The GNU Emacs editor (without X su
pn libsasl2-modules <none> (no description available)
ii mailutils [mail-reader] 1:1.2+dfsg1-4 GNU mailutils utilities for handli
ii mutt [mail-reader] 1.5.18-6 text-based mailreader supporting M
pn postfix-cdb <none> (no description available)
pn postfix-ldap <none> (no description available)
ii postfix-mysql 2.5.5-1.1 MySQL map support for Postfix
pn postfix-pcre <none> (no description available)
pn postfix-pgsql <none> (no description available)
pn procmail <none> (no description available)
pn resolvconf <none> (no description available)
pn sasl2-bin <none> (no description available)
pn ufw <none> (no description available)
-- debconf information excluded
Added tag(s) security.
Request was from Ludovico Cavedon <cavedon@debian.org>
to control@bugs.debian.org.
(Thu, 14 Apr 2011 18:27:06 GMT) (full text, mbox, link).
Marked as fixed in versions 2.8.0-1.
Request was from LaMont Jones <lamont@debian.org>
to control@bugs.debian.org.
(Fri, 13 Apr 2012 02:57:08 GMT) (full text, mbox, link).
Added tag(s) squeeze and lenny.
Request was from LaMont Jones <lamont@debian.org>
to control@bugs.debian.org.
(Fri, 13 Apr 2012 03:15:08 GMT) (full text, mbox, link).
Marked as fixed in versions postfix/2.7.1-1+squeeze1.
Request was from Raphael Geissert <geissert@debian.org>
to control@bugs.debian.org.
(Fri, 05 Oct 2012 22:27:02 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Raphael Geissert <geissert@debian.org>
to control@bugs.debian.org.
(Fri, 05 Oct 2012 22:27:03 GMT) (full text, mbox, link).
Notification sent
to Branko Majic <branko@majic.rs>:
Bug acknowledged by developer.
(Fri, 05 Oct 2012 22:27:03 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 02 Jun 2013 07:58:46 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:09:05 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon