Säkerhetsbulletin från Debian

DSA-1629-2 postfix -- programmeringsfel

Rapporterat den:

2008-08-19

Berörda paket:

postfix

Sårbara:

Referenser i säkerhetsdatabaser:

I Mitres CVE-förteckning: CVE-2008-2936.

Ytterligare information:

Sebastian Krahmer upptäckte att Postfix, en e-postserverprogramvara, inte kontrollerar ägandeskap av brevlådor korrekt. I vissa konfigurationer gör detta det möjligt att lägga till data till godtyckliga filer som root.

Observera att endast specifika konfigurationer är sårbara, Debians standardinstallation påverkas inte. Endast konfigurationer som uppfyller följande krav är sårbara:

E-postleveranstypen är brevlåda, med Postfix' inbyggda leveransagenter local(8) eller virtual(8).
E-postkatalogen (/var/spool/mail) är skrivbar av användare.
Användaren kan skapa hårda länkar som pekar på root-ägda symboliska länkar i andra kataloger.

För en detaljerad beskrivning av problemet, se uppströmsförfattarens beskrivning.

För den stabila utgåvan (Etch) har detta problem rättats i version 2.3.8-2+etch1.

För uttestningsutgåvan (lenny) har detta problem rättats i version 2.5.2-2lenny1.

För den instabila utgåvan (Sid) har detta problem rättats i version 2.5.4-1.

Vi rekommenderar att ni uppgraderar ert postfix-paket.

Rättat i:

Debian GNU/Linux 4.0 (etch)

Källkod:: http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8.orig.tar.gz; http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1.diff.gz; http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1.dsc
Arkitekturoberoende komponent:: http://security.debian.org/pool/updates/main/p/postfix/postfix-dev_2.3.8-2+etch1_all.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-doc_2.3.8-2+etch1_all.deb
Alpha:: http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_alpha.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_alpha.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_alpha.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_alpha.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_alpha.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_amd64.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_amd64.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_amd64.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_amd64.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_amd64.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_arm.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_arm.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_arm.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_arm.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_arm.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_hppa.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_hppa.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_hppa.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_hppa.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_hppa.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_i386.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_i386.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_i386.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_i386.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_i386.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_ia64.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_ia64.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_ia64.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_ia64.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_ia64.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_ia64.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_mips.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_mips.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_mips.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_mips.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_mips.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_mips.deb
PowerPC:: http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_powerpc.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_powerpc.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_powerpc.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_powerpc.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_powerpc.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_s390.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_s390.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_s390.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_s390.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_s390.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_sparc.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_sparc.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_sparc.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_sparc.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_sparc.deb; http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_sparc.deb

MD5-kontrollsummor för dessa filer finns i originalbulletinen.