Zero-friction vulnerability management platform

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Install Now

Available for macOS, Windows, and Linux

App screenshot

Debian Security Advisory DSA 1629-1 (postfix)

Information

Severity

Severity

Medium

Family

Family

Debian Local Security Checks

CVSSv2 Base

CVSSv2 Base

6.2

CVSSv2 Vector

CVSSv2 Vector

AV:L/AC:H/Au:N/C:C/I:C/A:C

Solution Type

Solution Type

Vendor Patch

Created

Created

13 years ago

Modified

Modified

5 years ago

Summary

The remote host is missing an update to postfix announced via advisory DSA 1629-1.

Insight

Insight

Sebastian Krahmer discovered that Postfix, a mail transfer agent, incorrectly checks the ownership of a mailbox. In some configurations, this allows for appending data to arbitrary files as root. The default Debian installation of Postfix is not affected. Only a configuration meeting the following requirements is vulnerable: * The mail delivery style is mailbox, with the Postfix built-in local(8) or virtual(8) delivery agents. * The mail spool directory is user-writeable. * The user can create hardlinks pointing to root-owned symlinks located in other directories. For a detailed treating of this issue, please refer to the upstream author's announcement: http://article.gmane.org/gmane.mail.postfix.announce/110 For the stable distribution (etch), this problem has been fixed in version 2.3.8-2etch1. For the testing distribution (lenny), this problem has been fixed in version 2.5.2-2lenny1. For the unstable distribution (sid), this problem has been fixed in version 2.5.4-1. We recommend that you upgrade your postfix package.

Solution

Solution

https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201629-1

Common Vulnerabilities and Exposures (CVE)