SB2012062501 - Gentoo update for Postfix
Published: June 25, 2012 Updated: June 8, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Man-in-the-Middle (MitM) attack (CVE-ID: CVE-2011-0411)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to incorrect implementation of STARTTLS command that does not properly restrict I/O buffering, which allows man-in-the-middle
attackers to insert commands into encrypted SMTP sessions by sending a
cleartext command that is processed after TLS is in place, related to a
"plaintext command injection" attack.
2) Buffer overflow (CVE-ID: CVE-2011-1720)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x before 2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL authentication methods are enabled, does not create a new server handle after client authentication fails, which allows remote attackers to cause a denial of service (heap memory corruption and daemon crash) or possibly execute arbitrary code via an invalid AUTH command with one method followed by an AUTH command with a different method.
Remediation
Install update from vendor's website.