Debians sikkerhedsbulletin
DSA-1629-2 postfix -- programmeringsfejl
- Rapporteret den:
- 19. aug 2008
- Berørte pakker:
- postfix
- Sårbar:
- Ja
- Referencer i sikkerhedsdatabaser:
- I Mitres CVE-ordbog: CVE-2008-2936.
- Yderligere oplysninger:
-
Sebastian Krahmer opdagede at Postfix, et mailoverførselsprogram, på ukorrekt vis kontrollerede ejerskabet af en mailbox. Ved nogle opsætninger var det dermed muligt som root at tilføje data til vilkårlige filer.
Bemærk at kun speficikke opsætninger er sårbare; Debians standardinstallation er ikke påvirket. Kun hvis opsætningen lever op til følgende forudsætninger, er den sårbar:
- Mailleveringsmetoden er mailbox, med anvendelse af de i Postfix indbyggede leveringsprogrmamer local(8) eller virtual(8).
- Mailspoolmappen (/var/spool/mail) er skrivbar for brugere.
- Brugeren kan oprette hardlinks pegende på root-ejede symlinks, placeret i andre mapper.
For en detaljeret gennemgang at problemet, se opstrømsforfatterens gennemgang.
I den stabile distribution (etch), er dette problem rettet i version 2.3.8-2+etch1.
I distributionen testing (lenny), er dette problem rettet i version 2.5.2-2lenny1.
I den ustabile distribution (sid), er dette problem rettet i version 2.5.4-1.
Vi anbefaler at du opgraderer din postfix-pakke.
- Rettet i:
-
Debian GNU/Linux 4.0 (etch)
- Kildekode:
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8.orig.tar.gz
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1.diff.gz
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1.dsc
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1.diff.gz
- Arkitekturuafhængig komponent:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-dev_2.3.8-2+etch1_all.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-doc_2.3.8-2+etch1_all.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-doc_2.3.8-2+etch1_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_arm.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_mips.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_sparc.deb
MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.