Debian Security Advisory DSA 1629-1 (postfix)

The remote host is missing an update to postfix announced via advisory DSA 1629-1.

Sebastian Krahmer discovered that Postfix, a mail transfer agent, incorrectly checks the ownership of a mailbox. In some configurations, this allows for appending data to arbitrary files as root. The default Debian installation of Postfix is not affected. Only a configuration meeting the following requirements is vulnerable: * The mail delivery style is mailbox, with the Postfix built-in local(8) or virtual(8) delivery agents. * The mail spool directory is user-writeable. * The user can create hardlinks pointing to root-owned symlinks located in other directories. For a detailed treating of this issue, please refer to the upstream author's announcement: http://article.gmane.org/gmane.mail.postfix.announce/110 For the stable distribution (etch), this problem has been fixed in version 2.3.8-2etch1. For the testing distribution (lenny), this problem has been fixed in version 2.5.2-2lenny1. For the unstable distribution (sid), this problem has been fixed in version 2.5.4-1. We recommend that you upgrade your postfix package.

https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201629-1