SuSE Security Announcement: postfix (SuSE-SA:2003:033)
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: postfix
Announcement-ID: SuSE-SA:2003:033
Date: Mon Aug 4 13:30:00 MEST 2003
Affected products: 7.2, 7.3, 8.0, 8.1
SuSE Linux Database Server
SuSE eMail Server III, 3.1
SuSE Linux Enterprise Server 7, 8
SuSE Linux Connectivity Server
SuSE Linux Office Server
SuSE Linux Openexchange Server
UnitedLinux 1.0
SuSE Linux Desktop 1.0
Vulnerability Type: remote Denial of Service (DoS) attack
Severity (1-10): 4
SuSE default package: Since SuSE Linux 8.1.
Cross References: CAN-2003-0468
CAN-2003-0540
Content of this advisory:
1) security vulnerability resolved: remote DoS in postfix
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- kernel
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
Postfix is a flexible MTA replacement for sendmail.
Michal Zalewski has reported problems in postfix which can lead to
a remote DoS attack or allow attackers to bounce-scan private networks.
These problems have been fixed. Even though not all of our products are
vulnerable in their default configurations, the updates should be applied.
In order for the update to take effect, you have to restart your MTA
by issuing the following command as root:
"/sbin/rcpostfix restart"
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
i386 Intel Platform:
SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/postfix-1.1.12-12.i586.rpm
4b3b65905911440051f869b3e95c2c66
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/postfix-1.1.12-12.i586.patch.rpm
e73917624b5adfdbe113909135a50a42
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/postfix-1.1.12-12.src.rpm
0e5bcc6c3cd95f09c423cf00aac0c303
SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n4/postfix-1.1.12-13.i386.rpm
e0090e0ed051a532a62d787b020ac580
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n4/postfix-1.1.12-13.i386.patch.rpm
8c156ca92ad4be83588041192efe5b60
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/postfix-1.1.12-13.src.rpm
f9389f00de109cea2f0b3b6c27f5a515
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/postfix-20010228pl08-22.i386.rpm
1f4d3af8d10850096bc0260567caa334
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/postfix-20010228pl08-22.src.rpm
0ccc29a957609b3aeb2c12f3cc85284d
SuSE-7.2:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/postfix-20010228pl03-82.i386.rpm
444f983a8c8f0d18621a1e8b4c3dd260
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/postfix-20010228pl03-82.src.rpm
6d479bd0ed90bc7dc59a4201327ffc05
Sparc Platform:
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/postfix-20010228pl08-15.sparc.rpm
83eb074dbcedae2c9947006b4c0411d2
source rpm(s):
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/postfix-20010228pl08-15.src.rpm
ec7ae58e31fd2ec63ccd881454372307
PPC Power PC Platform:
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/postfix-20010228pl08-36.ppc.rpm
f7b331c15b7bf705274afe2665e9e187
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/postfix-20010228pl08-36.src.rpm
f2e5aa58e24599777a95dce715c3bcad
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- kernel
Various bugs inside the kernel have been reported recently. The most
important ones are
- NFSv3 remote DoS
- netfilter DoS
- /proc infoleak
- race condition in the ELF loader
These bugs are fixed. The new kernel packages will be approved as soon as
the testing is finished.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
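The two checks that section 3 names (the md5 list in the signed announcement, and the gpg signature carried inside the rpm itself), as an added example that is not part of SuSE's announcement or tooling: a POSIX shell script that parses URL/md5 pairs out of a saved copy of the advisory, compares them with the files in a download directory, and runs `rpm --checksig` where rpm is installed. The pairing rule (a URL line ending in `.rpm`, followed by a line that is just a 32-hex-digit md5) is this script's assumption about the advisory layout; file names, the advisory path and the download directory are arguments you supply, and the payloads it is exercised with are constructed.

```shell
#!/bin/sh
# Added example, not SuSE's tooling: check downloaded update packages against
# the md5 list of a (PGP-verified) advisory, then run the rpm's own signature check.
# Assumption about the advisory format: a line holding an ftp:// or http(s)://
# URL ending in .rpm is followed (possibly after a label line) by a line that is
# just the 32-hex-digit md5 of that file.

# parse_advisory_md5s: advisory text on stdin -> lines "basename md5"
parse_advisory_md5s() {
  awk '
    $1 ~ /^(ftp|http|https):\/\/.*\.rpm$/ { n = split($1, p, "/"); last = p[n]; next }
    last != "" && length($1) == 32 && $1 ~ /^[0-9a-f]+$/ { print last, $1; last = "" }
  '
}

# md5_of FILE: hex digest; md5sum is what the advisory names, openssl is the fallback
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{ print $1 }'
  else
    openssl dgst -md5 "$1" | awk '{ print $NF }'
  fi
}

# verify_md5 FILE EXPECTED: true when the digests match
verify_md5() {
  [ "$(md5_of "$1")" = "$2" ]
}

# verify_downloads ADVISORY DIR: one OK/FAIL/MISSING line per listed package;
# non-zero exit status if any present file has the wrong digest.
verify_downloads() {
  advisory=$1; dir=$2; rc=0
  while read -r name md5; do
    [ -n "$name" ] || continue
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING $name"
    elif verify_md5 "$dir/$name" "$md5"; then
      echo "OK $name"
    else
      echo "FAIL $name"; rc=1
    fi
  done <<EOF
$(parse_advisory_md5s < "$advisory")
EOF
  return $rc
}

# check_rpm_sig FILE: the second, independent check from section 3, the gpg
# signature inside the rpm. Needs rpm and the vendor key in the rpm keyring.
check_rpm_sig() {
  if command -v rpm >/dev/null 2>&1; then
    rpm --checksig "$1"
  else
    echo "rpm not available, skipping signature check for $1"
  fi
}

# Usage: sh verify_update.sh SuSE-SA-2003-033.txt /path/to/downloads
if [ "$#" -eq 2 ]; then
  verify_downloads "$1" "$2" || exit 1
  for f in "$2"/*.rpm; do
    if [ -f "$f" ]; then check_rpm_sig "$f"; fi
  done
fi
```

The md5 list only proves anything if the announcement itself was first checked against SuSE's PGP key, which is why the script expects a saved, already verified copy rather than fetching one; md5 is not collision resistant by today's standards, so the signature embedded in the rpm is the check to rely on, provided the vendor's key is in the rpm keyring.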
Hello Sebastian, hello list,

* Sebastian Krahmer wrote on Aug/04/2003:
SuSE-8.1: [snip] postfix-1.1.12-12.i586.rpm
Is there any plan to update the postfix package to a newer version at all? Seems like we're all trying to get 1.1.12 fixed, while the current version is 2.0.13. And as far as I understand, version 2 fixes - or rather avoids - the current vulnerability already.

I've had difficulties with connecting to my mail provider (university) using TLS. As everything was configured correctly, the problem simply dissolved when I installed 2.0.10...

There are rpms around and SuSE would "only" have to examine them if they're okay: ftp://ftp.oxixares.com/pub/rpms/

(I backed up my postfix config files to be on the safe side, but these rpms left my settings alone - no changes to master.cf or any of the other configuration files)

(I don't want to make people go away from SuSE's original packages, but I wonder when these will be more up-to-date)

Cheers,
Andreas
--
The opinions expressed herein are not necessarily those of my employer, not necessarily mine, and probably not necessary at all.
--
My Public PGP Keys: 1024 Bit DH/DSS: 0x869F81BA 768 Bit RSA: 0x1AD97BA5
SuSE-8.1: [snip] postfix-1.1.12-12.i586.rpm
Is there any plan to update the postfix package to a newer version at all? Seems like we're all trying to get 1.1.12 fixed, while the current version is 2.0.13.
Have you tried running the version 2 of postfix from SuSE 8.2?

Volker

--
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.
Hello Volker, hello list,

* Volker Kuhlmann wrote on Aug/05/2003:
SuSE-8.1: [snip] postfix-1.1.12-12.i586.rpm
Is there any plan to update the postfix package to a newer version at all? Seems like we're all trying to get 1.1.12 fixed, while the current version is 2.0.13.
Have you tried running the version 2 of postfix from SuSE 8.2?
*I* have my 2.0.10. The URLs I posted before are "unofficial" SuSE rpms and you find rpms for 8.0, 8.1, 8.2 (now it's postfix 2.0.13). Works okay for me. But I had a hell of a time with my configuration until I found out that obviously SASL/TLS wasn't working correctly in the distro's rpm and that the unofficial one fixed it at once without any hassle.

Didn't want to sound too demanding - just the delay between 1.1.12 and 2.0.13 (along with the bug I had encountered and the current vulnerability) made me think of at least posting the URLs to the unofficial rpms ;-)

CU,
Andreas
--
_________________________________________________
No I Don't Yahoo! And I'm getting pretty sick of being asked if I do.
_________________________________________________
--
My Public PGP Keys: 1024 Bit DH/DSS: 0x869F81BA 768 Bit RSA: 0x1AD97BA5
SuSE-8.1: [snip] postfix-1.1.12-12.i586.rpm
Is there any plan to update the postfix package to a newer version at all? Seems like we're all trying to get 1.1.12 fixed, while the current version is 2.0.13.
Have you tried running the version 2 of postfix from SuSE 8.2?
*I* have my 2.0.10. The URLs I posted before are "unofficial" SuSE rpms and you find rpms for 8.0, 8.1, 8.2 (now it's postfix 2.0.13). Works okay for me. But I had a hell of a time with my configuration until I found out that obviously SASL/TLS wasn't working correctly in the distro's rpm and that the unofficial one fixed it at once without any hassle. Didn't want to sound too demanding - just the delay between 1.1.12 and 2.0.13 (along with the bug I had encountered and the current vulnerability) made me think of at least posting the URLs to the unofficial rpms ;-)
That's always a good idea, and mentioning that the URL points at _unofficial_ RPMs is another good one. :-)

Why do we not update versions of packages in SuSE products? (Peter, this question might be worth being included in the FAQ on www.susesecurity.com...)

A modern Linux distribution is a set of packages that are carefully configured, built, configured (again, this time runtime), tested, modified and tested again. Packages are built using one another, causing the packages to depend on others. These package dependencies make some packages so-called leaf-packages, and others non-leaf-packages (from inside the dependency tree). The level of dependency can range up to 10-15 iterations.

Adding a new version to a package that other packages depend on (such as the openssl library, or the glibc) can cause unpredictable side effects. Even though the packages may claim that they are downwards compatible, side effects can't be avoided in most cases. Sometimes, packages even have bug-to-bug compatibility, which causes the dependency tree to crack if one of several bugs gets fixed.

Package version updates are possible in some cases where a change in the behaviour of a package does not have any effect on another package - this must be a leaf package. SuSE can't predict if the resulting incompatibilities break someone's scripts and programs, but it happens that we are willing to take that risk. The rule however is to maintain the maximum level of proficiency and to change only what is a bug.

Thanks,
Roman.
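Roman's leaf versus non-leaf distinction, as an added example that is neither SuSE's nor anyone in this thread's code: a POSIX shell/awk script that takes "package requires dependency" pairs, computes the transitive closure of the dependency relation, and reports for each package how many others sit on top of it, i.e. how much would be exposed to side effects if its version were bumped. Packages with zero reverse dependencies are the leaves. The dependency graph in `sample_graph` is constructed for illustration and is not real SuSE package metadata; on a live system the pairs would come from `rpm -q --requires` and `rpm -q --whatrequires`.

```shell
#!/bin/sh
# Added example, not SuSE code: rank packages by how much of the dependency
# tree sits on top of them. A package with no (transitive) reverse dependency
# is a leaf, the only kind Roman's message says can get a version update.

# reverse_deps: stdin lines "PKG DEP" (PKG requires DEP);
# stdout "PKG COUNT leaf|non-leaf", one line per package, sorted by name.
reverse_deps() {
  awk '
    NF == 2 { closure[$1, $2] = 1; pkgs[$1] = 1; pkgs[$2] = 1 }
    END {
      # Transitive closure (Warshall style): if a needs b and b needs c, a needs c.
      # Each round walks one more level of the dependency depth Roman mentions.
      do {
        changed = 0
        for (a in pkgs) for (b in pkgs) for (c in pkgs)
          if (((a, b) in closure) && ((b, c) in closure) && !((a, c) in closure)) {
            closure[a, c] = 1
            changed = 1
          }
      } while (changed)
      # COUNT = number of packages that (directly or transitively) require p
      for (p in pkgs) {
        n = 0
        for (a in pkgs) if ((a, p) in closure) n++
        printf "%s %d %s\n", p, n, (n == 0 ? "leaf" : "non-leaf")
      }
    }' | LC_ALL=C sort
}

# Constructed sample graph, not real package metadata; on a live system
# "rpm -q --requires PKG" and "rpm -q --whatrequires PKG" give the real edges.
sample_graph() {
  cat <<'EOF'
postfix openssl
postfix cyrus-sasl
postfix glibc
cyrus-sasl openssl
cyrus-sasl glibc
openssl glibc
apache glibc
apache openssl
mod_ssl apache
mod_ssl openssl
EOF
}

# Usage: sh leafcheck.sh --demo      (sample graph)
#        rpm_pairs | sh leafcheck.sh -   (pairs on stdin)
case "${1:-}" in
  --demo) sample_graph | reverse_deps ;;
  -) reverse_deps ;;
esac
```

On the sample graph, glibc and openssl, the two packages Roman names, come out with the largest counts (5 and 4), while postfix and mod_ssl are leaves: a version bump there touches nothing else in the tree, which is the case Roman allows for, whereas a bump of openssl reaches every package that links against it, including ones that only do so indirectly.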
* Roman Drahtmueller;
Why do we not update versions of packages in SuSE products? (Peter, this question might be worth being included in the FAQ on www.susesecurity.com...)
It is explained at the unofficial SuSEFAQ http://susefaq.sourceforge.net/addingsoftware.html#AEN4076

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
participants (5): Andreas Wagner, krahmer@suse.de, Roman Drahtmueller, Togan Muftuoglu, Volker Kuhlmann