=====================================================================
                                    CERT-Renater

                         Information Note No. 2011/VULN219
_____________________________________________________________________

DATE                      : 11/03/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       :  Systems running Postfix legacy releases
                               versions prior to 2.7.3, 2.6.9, 2.5.12, 2.4.16.

======================================================================
http://www.postfix.org/announcements/postfix-2.7.3.html
______________________________________________________________________

  Postfix legacy releases 2.7.3, 2.6.9, 2.5.12 and 2.4.16

[An on-line version of this announcement will be available at 
http://www.postfix.org/announcements/postfix-2.7.3.html]

Postfix legacy releases 2.7.3, 2.6.9, 2.5.12 and 2.4.16 are available.
These releases contain a fix for CVE-2011-0411 which allows plaintext
command injection with SMTP sessions over TLS. This defect was introduced
with Postfix version 2.2.

     Note: CVE-2011-0411 is an issue only for the minority of SMTP clients
that actually verify server certificates. Without server certificate
verification, clients are always vulnerable to man-in-the-middle attacks
that allow attackers to inject plaintext commands or responses into SMTP
sessions, and more.

     For more details see:
     http://www.postfix.org/CVE-2011-0411.html
     http://www.kb.cert.org/vuls/id/555316.

Postfix 2.8 and 2.9 are not affected.

The following problems were fixed with the Postfix legacy releases:

     * Fix for CVE-2011-0411: discard buffered plaintext input, after
       reading the SMTP "STARTTLS" command or response.
     * Fix to the local delivery agent: look up the "unextended" address
       in the local aliases database, when that address has a malformed address
       extension.
     * Fix to virtual alias expansion: report a tempfail error, instead of
       silently ignoring recipients that exceed the virtual_alias_expansion_limit
       or the virtual_alias_recursion_limit.
     * Fix for Solaris: the Postfix event engine was deaf for SIGHUP and
       SIGALRM signals after the switch from select() to /dev/poll. Symptoms were
       delayed "postfix reload" response, and killed processes with watchdog timeout
       values under 100 seconds.
     * Fix for HP-UX: the Postfix event engine was deaf for SIGALRM signals.
       Symptoms were killed processes with watchdog timeout values under 100 seconds.
     * Fix for BSD-ish mkdir() to prevent maildir directories from inheriting
       their group ownership from the parent directory.
     * Fix to the SMTP client: missing support for mail to [ipv6:ipv6addr]
       address literal destinations.
     * FreeBSD back-ported closefrom() from FreeBSD 8x to 7x, breaking Postfix
       builds retroactively.
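As an added illustration of the first fix above (example code, not Postfix's own), the reader below models a server's application-level input buffer: a command pipelined behind STARTTLS in the same TCP segment is already sitting in that buffer when the TLS handshake starts, and a server that does not discard it treats it as if it had arrived over TLS. BufferedReader, commands_after_starttls and SAMPLE_SEGMENT are constructed names for this illustration.

```python
# Added illustration (not Postfix code): a line-buffered SMTP reader showing
# why plaintext read ahead of STARTTLS must be discarded (CVE-2011-0411).

class BufferedReader:
    """Line reader with an internal buffer, as a typical SMTP server uses."""
    def __init__(self, stream: bytes, chunk: int = 4096):
        self._stream = stream  # constructed stand-in for the socket
        self._pos = 0
        self._buf = b""
        self._chunk = chunk

    def readline(self):
        # Refill from the "socket" until a full CRLF-terminated line is buffered;
        # one refill can pull in several pipelined commands at once.
        while b"\r\n" not in self._buf:
            if self._pos >= len(self._stream):
                return None
            self._buf += self._stream[self._pos:self._pos + self._chunk]
            self._pos += self._chunk
        line, _, self._buf = self._buf.partition(b"\r\n")
        return line.decode("ascii", "replace")

    def buffered_lines(self):
        """Complete lines already read ahead into the application buffer."""
        return [l.decode("ascii", "replace") for l in self._buf.split(b"\r\n")[:-1]]

    def discard_buffered(self):
        """The fix: drop bytes that arrived in the same segment as STARTTLS so
        they are never mistaken for commands received over TLS."""
        self._buf = b""

def commands_after_starttls(segment: bytes, discard_on_starttls: bool):
    """Return the commands a server would act on after switching to TLS, given
    one plaintext TCP segment; anything returned here originated in plaintext."""
    reader = BufferedReader(segment)
    while True:
        cmd = reader.readline()
        if cmd is None:
            return []  # connection ended without STARTTLS
        if cmd.upper() == "STARTTLS":
            if discard_on_starttls:
                reader.discard_buffered()
            break
    # Only the application buffer survives the switch: the TLS layer reads the
    # socket itself, and stray plaintext there would just fail the handshake.
    return reader.buffered_lines()

# Constructed sample: a harmless RSET pipelined behind STARTTLS in one segment.
SAMPLE_SEGMENT = b"EHLO client.example\r\nSTARTTLS\r\nRSET\r\n"
```

With discard_on_starttls=False the RSET surfaces as a post-TLS command; with the fix it does not.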

Historical note:

     Wietse Venema discovered the problem two weeks before the Postfix 2.8 release,
and silently fixed it pending further investigation. While investigating the
problem's scope and impact, Victor Duchovni found that many other TLS applications
were also affected. At that point, CERT/CC was asked to coordinate the
problem's resolution.

You can find the updated Postfix source code at the mirrors listed at
http://www.postfix.org/.

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
