<<< Date Index >>>     <<< Thread Index >>>

[ MDVSA-2008:171 ] postfix



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:171
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : postfix
 Date    : August 15, 2008
 Affected: 2007.1, 2008.0, 2008.1, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Sebastian Krahmer of the SUSE Security Team discovered a flaw in
 the way Postfix dereferenced symbolic links.  If a local user had
 write access to a mail spool directory without a root mailbox file,
 it could be possible for them to append arbitrary data to files that
 root had write permissions to (CVE-2008-2936).
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.1:
 26e470b9c59a7f942865ff4c9a029f33  
2007.1/i586/libpostfix1-2.3.8-1.1mdv2007.1.i586.rpm
 886bae30f28144d5cd12330eadc29beb  
2007.1/i586/postfix-2.3.8-1.1mdv2007.1.i586.rpm
 4490c64a7b39685f04dff74ce114edd1  
2007.1/i586/postfix-ldap-2.3.8-1.1mdv2007.1.i586.rpm
 03bc15e8554bb5519bccc27147dc49c5  
2007.1/i586/postfix-mysql-2.3.8-1.1mdv2007.1.i586.rpm
 4ce6d3583264a3d9a89e99554d8f5334  
2007.1/i586/postfix-pcre-2.3.8-1.1mdv2007.1.i586.rpm
 1fa256a3a7306dc4711d2c1f394e4779  
2007.1/i586/postfix-pgsql-2.3.8-1.1mdv2007.1.i586.rpm 
 585a32ed0e7d643bec4be76ca56e96a3  
2007.1/SRPMS/postfix-2.3.8-1.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 c5b9aba41a5f7d4762e07611ab796ba9  
2007.1/x86_64/lib64postfix1-2.3.8-1.1mdv2007.1.x86_64.rpm
 34aaf8a7f5489382ae2fe752239c1ad3  
2007.1/x86_64/postfix-2.3.8-1.1mdv2007.1.x86_64.rpm
 c1bbbc34d1a6951dfea07b479e7546a6  
2007.1/x86_64/postfix-ldap-2.3.8-1.1mdv2007.1.x86_64.rpm
 72c368adfd81383032aee96564edd1dc  
2007.1/x86_64/postfix-mysql-2.3.8-1.1mdv2007.1.x86_64.rpm
 b6e9329425e1e4f6f1b591ca01c07527  
2007.1/x86_64/postfix-pcre-2.3.8-1.1mdv2007.1.x86_64.rpm
 858ac67feca2fae49be70f752a9f5688  
2007.1/x86_64/postfix-pgsql-2.3.8-1.1mdv2007.1.x86_64.rpm 
 585a32ed0e7d643bec4be76ca56e96a3  
2007.1/SRPMS/postfix-2.3.8-1.1mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 28f80755d3e08a050a3294f15bcdf0b0  
2008.0/i586/libpostfix1-2.4.5-2.1mdv2008.0.i586.rpm
 8e5a684b87309c502f34d76104e7291f  
2008.0/i586/postfix-2.4.5-2.1mdv2008.0.i586.rpm
 fd4bd15f398bb8f9a90e59216b4a01dc  
2008.0/i586/postfix-ldap-2.4.5-2.1mdv2008.0.i586.rpm
 63e5be0f5c1dc8b28f173726c1648831  
2008.0/i586/postfix-mysql-2.4.5-2.1mdv2008.0.i586.rpm
 75e6b126fd04ce8cbef1d024a8d4af94  
2008.0/i586/postfix-pcre-2.4.5-2.1mdv2008.0.i586.rpm
 3eb0a04a986f20d4771b774b0707d5ff  
2008.0/i586/postfix-pgsql-2.4.5-2.1mdv2008.0.i586.rpm 
 d18e696ddd9948b311e84c1df3b4edfa  
2008.0/SRPMS/postfix-2.4.5-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 25c8159e3a2b78ab281dcf6c7b5886d1  
2008.0/x86_64/lib64postfix1-2.4.5-2.1mdv2008.0.x86_64.rpm
 56bc517d9bb1cf9221ce8d35999ac7de  
2008.0/x86_64/postfix-2.4.5-2.1mdv2008.0.x86_64.rpm
 08af0c3454a642e57252180f6f8b8b1c  
2008.0/x86_64/postfix-ldap-2.4.5-2.1mdv2008.0.x86_64.rpm
 c8777d4816b661a2853df44228c97e26  
2008.0/x86_64/postfix-mysql-2.4.5-2.1mdv2008.0.x86_64.rpm
 08579717946ec5c32df7674286f9f45a  
2008.0/x86_64/postfix-pcre-2.4.5-2.1mdv2008.0.x86_64.rpm
 fda669add03041fa744d5738c7457c3a  
2008.0/x86_64/postfix-pgsql-2.4.5-2.1mdv2008.0.x86_64.rpm 
 d18e696ddd9948b311e84c1df3b4edfa  
2008.0/SRPMS/postfix-2.4.5-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 5a3804f2c3effc218f5c2e2e3df27564  
2008.1/i586/libpostfix1-2.5.1-2.1mdv2008.1.i586.rpm
 506d51b49e9c8c0e439fc8bc4c63ba29  
2008.1/i586/postfix-2.5.1-2.1mdv2008.1.i586.rpm
 34ef86dd70c956f2a99bdfac81183e09  
2008.1/i586/postfix-ldap-2.5.1-2.1mdv2008.1.i586.rpm
 1d07b91d48c60906f28b8a2eba99ca1c  
2008.1/i586/postfix-mysql-2.5.1-2.1mdv2008.1.i586.rpm
 70ba3c286521579fc49a54bba84472dd  
2008.1/i586/postfix-pcre-2.5.1-2.1mdv2008.1.i586.rpm
 dca57a1b0579a8418ad10aac03322b2e  
2008.1/i586/postfix-pgsql-2.5.1-2.1mdv2008.1.i586.rpm 
 0f3cb76c3893354103745ee331942f0d  
2008.1/SRPMS/postfix-2.5.1-2.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 16d38a5b0b47edb0fc3395c63511bd6c  
2008.1/x86_64/lib64postfix1-2.5.1-2.1mdv2008.1.x86_64.rpm
 546f25ac9ea5aa167b9282bd8d4f537a  
2008.1/x86_64/postfix-2.5.1-2.1mdv2008.1.x86_64.rpm
 f1a917d26a5366044e570f6571c2fb10  
2008.1/x86_64/postfix-ldap-2.5.1-2.1mdv2008.1.x86_64.rpm
 4b2f2a4d53ef97dbd2c609afc9e61c77  
2008.1/x86_64/postfix-mysql-2.5.1-2.1mdv2008.1.x86_64.rpm
 266433d35cd238e9132b6225bc5d1258  
2008.1/x86_64/postfix-pcre-2.5.1-2.1mdv2008.1.x86_64.rpm
 78f8df45bf1c009701112a60294ccdeb  
2008.1/x86_64/postfix-pgsql-2.5.1-2.1mdv2008.1.x86_64.rpm 
 0f3cb76c3893354103745ee331942f0d  
2008.1/SRPMS/postfix-2.5.1-2.1mdv2008.1.src.rpm

 Corporate 3.0:
 7d6dc0a422fa43c691a6819a9954d29c  
corporate/3.0/i586/libpostfix1-2.1.1-0.4.C30mdk.i586.rpm
 6c90a40a69bcd261d1fff8124d087d48  
corporate/3.0/i586/postfix-2.1.1-0.4.C30mdk.i586.rpm
 9e3468e37e512a5207a982ba606d8fb8  
corporate/3.0/i586/postfix-ldap-2.1.1-0.4.C30mdk.i586.rpm
 8018f6af47a5659396a3d903c27b33d4  
corporate/3.0/i586/postfix-mysql-2.1.1-0.4.C30mdk.i586.rpm
 ac40a515260bd75fe00c5e1610b11e7b  
corporate/3.0/i586/postfix-pcre-2.1.1-0.4.C30mdk.i586.rpm
 f8675212bf047f8373846efe438d6e34  
corporate/3.0/i586/postfix-pgsql-2.1.1-0.4.C30mdk.i586.rpm 
 0b9d6b89f64cf5c5ba64d4234ba958d3  
corporate/3.0/SRPMS/postfix-2.1.1-0.4.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 f695f71cf4e3cff94b76ffaa79e79276  
corporate/3.0/x86_64/lib64postfix1-2.1.1-0.4.C30mdk.x86_64.rpm
 479831782b7e851ee64b8686e5435742  
corporate/3.0/x86_64/postfix-2.1.1-0.4.C30mdk.x86_64.rpm
 a52bf688f3f842c8062ca1e43748a442  
corporate/3.0/x86_64/postfix-ldap-2.1.1-0.4.C30mdk.x86_64.rpm
 e286020374420577f7372bf98b3145f0  
corporate/3.0/x86_64/postfix-mysql-2.1.1-0.4.C30mdk.x86_64.rpm
 7c4d75cb5df1951918a3baf56aff0dcd  
corporate/3.0/x86_64/postfix-pcre-2.1.1-0.4.C30mdk.x86_64.rpm
 e1b6ff7a49ab9dbd1cc8559ec9a747fe  
corporate/3.0/x86_64/postfix-pgsql-2.1.1-0.4.C30mdk.x86_64.rpm 
 0b9d6b89f64cf5c5ba64d4234ba958d3  
corporate/3.0/SRPMS/postfix-2.1.1-0.4.C30mdk.src.rpm

 Corporate 4.0:
 c7e11fa492370b389f507fc3ae2b1d4a  
corporate/4.0/i586/libpostfix1-2.3.5-0.2.20060mlcs4.i586.rpm
 f78b08147813d142dbebccfa3f2d1fc1  
corporate/4.0/i586/postfix-2.3.5-0.2.20060mlcs4.i586.rpm
 982fb6adba17ab2acfd477323a55db4c  
corporate/4.0/i586/postfix-ldap-2.3.5-0.2.20060mlcs4.i586.rpm
 163b41ad32263b2a319720144153f5af  
corporate/4.0/i586/postfix-mysql-2.3.5-0.2.20060mlcs4.i586.rpm
 7be21bfdc0f6e70d6da173d5005516f8  
corporate/4.0/i586/postfix-pcre-2.3.5-0.2.20060mlcs4.i586.rpm
 26c0b02352463bd5c33b67c146330701  
corporate/4.0/i586/postfix-pgsql-2.3.5-0.2.20060mlcs4.i586.rpm 
 f9251f61013674ae03a5122d8c5cfd25  
corporate/4.0/SRPMS/postfix-2.3.5-0.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 91d8789d61bc41409d96b0442ffb8d13  
corporate/4.0/x86_64/lib64postfix1-2.3.5-0.2.20060mlcs4.x86_64.rpm
 db6e1d07cd48fd215db13b6c0812629f  
corporate/4.0/x86_64/postfix-2.3.5-0.2.20060mlcs4.x86_64.rpm
 6d57adb992f1903344a12c213116e2d9  
corporate/4.0/x86_64/postfix-ldap-2.3.5-0.2.20060mlcs4.x86_64.rpm
 c3217315a710dddef6addc566542dbef  
corporate/4.0/x86_64/postfix-mysql-2.3.5-0.2.20060mlcs4.x86_64.rpm
 21db2224670acce491ff87269f21ec5e  
corporate/4.0/x86_64/postfix-pcre-2.3.5-0.2.20060mlcs4.x86_64.rpm
 89d5796c4d94bb6ab1ef26de400d032f  
corporate/4.0/x86_64/postfix-pgsql-2.3.5-0.2.20060mlcs4.x86_64.rpm 
 f9251f61013674ae03a5122d8c5cfd25  
corporate/4.0/SRPMS/postfix-2.3.5-0.2.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIpbu8mqjQ0CJFipgRApsdAJ0XV7YMQObXpiNScy6r/ct8BPjTIACg0mow
TLWvKH+6JSz18dJfpEjIxFw=
=rHfX
-----END PGP SIGNATURE-----