Säkerhetsbulletin från Debian
DSA-1629-2 postfix -- programmeringsfel
- Rapporterat den:
- 2008-08-19
- Berörda paket:
- postfix
- Sårbara:
- Ja
- Referenser i säkerhetsdatabaser:
- I Mitres CVE-förteckning: CVE-2008-2936.
- Ytterligare information:
-
Sebastian Krahmer upptäckte att Postfix, en e-postserverprogramvara, inte kontrollerar ägandeskap av brevlådor korrekt. I vissa konfigurationer gör detta det möjligt att lägga till data till godtyckliga filer som root.
Observera att endast specifika konfigurationer är sårbara, Debians standardinstallation påverkas inte. Endast konfigurationer som uppfyller följande krav är sårbara:
- E-postleveranstypen är brevlåda, med Postfix' inbyggda leveransagenter local(8) eller virtual(8).
- E-postkatalogen (/var/spool/mail) är skrivbar av användare.
- Användaren kan skapa hårda länkar som pekar på root-ägda symboliska länkar i andra kataloger.
För en detaljerad beskrivning av problemet, se uppströmsförfattarens beskrivning.
För den stabila utgåvan (Etch) har detta problem rättats i version 2.3.8-2+etch1.
För uttestningsutgåvan (lenny) har detta problem rättats i version 2.5.2-2lenny1.
För den instabila utgåvan (Sid) har detta problem rättats i version 2.5.4-1.
Vi rekommenderar att ni uppgraderar ert postfix-paket.
- Rättat i:
-
Debian GNU/Linux 4.0 (etch)
- Källkod:
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8.orig.tar.gz
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1.diff.gz
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1.dsc
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1.diff.gz
- Arkitekturoberoende komponent:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-dev_2.3.8-2+etch1_all.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-doc_2.3.8-2+etch1_all.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-doc_2.3.8-2+etch1_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_alpha.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_amd64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_arm.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_arm.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_hppa.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_i386.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_ia64.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_mips.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_mips.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_s390.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_sparc.deb
- http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_sparc.deb
MD5-kontrollsummor för dessa filer finns i originalbulletinen.