This was just posted on the Postfix list. CentOS 7 ships with: postfix-2.10.1-6.el7
Has this CERT advisory been applied to the CentOS build of Postfix?
Thank you
-------- Forwarded Message --------
Subject: Obsolete NSA exploit for Postfix 2.0 - 2.2
Date: Sun, 9 Apr 2017 16:18:06 -0400 (EDT)
From: Wietse Venema wietse@porcupine.org
To: Postfix users postfix-users@postfix.org
CC: Postfix announce postfix-announce@postfix.org
A recent Twitter post reveals the existence of an exploit for Postfix, in a collection of what appear to be NSA tools.
https://twitter.com/JulianAssange/status/850870683831648256
This is an exploit for Postfix 2.0 - 2.2, for a bug that was fixed 11 years ago in Postfix 2.2.11 and later.
There was a memory corruption bug in a Postfix workaround for a Sendmail bug (CERT advisory CA-2003-07, remote buffer overflow when message headers contain lots of comment text before an email address).
Technical details: the Postfix strip_address() function, which removes large comments from a mail header, called the printable() function on a string that wasn't null-terminated. This caused the printable() function to scribble past the end of malloc()ed memory, corrupting the memory heap.
Running the exploit against Postfix versions less than 11 years old results in odd-looking email messages in the super-user's mailbox, and warning messages in the maillog file (warning: stripping too many comments from address: <long character string>).
Wietse
On 10/04/17 12:08, Robert Moskowitz wrote:
> This was just posted on the Postfix list. CentOS 7 ships with: postfix-2.10.1-6.el7
> Has this CERT advisory been applied to the CentOS build of Postfix?
> This is an exploit for Postfix 2.0 - 2.2, for a bug that was fixed 11 years ago in Postfix 2.2.11 and later.
2.10.1 is way later than 2.2.11; this bug was never in any version of Postfix that shipped after CentOS 4.
Peter
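Added example, not part of the original thread and not Postfix or CentOS code: a small check of the two things the messages above describe, namely whether an upstream version falls in the affected range (compared numerically, since as strings "2.10.1" sorts before "2.2.11") and whether a maillog contains the warning Wietse quotes. The function names and the sample log lines are assumptions made up for this illustration.

```python
import re

FIRST_AFFECTED = (2, 0)   # announcement: exploit targets Postfix 2.0 - 2.2
FIXED_IN = (2, 2, 11)     # announcement: fixed in Postfix 2.2.11 and later
WARNING = "warning: stripping too many comments from address:"


def parse_version(text):
    """Upstream version from '2.2.10' or an RPM name like 'postfix-2.10.1-6.el7'."""
    m = re.search(r"(?:^|-)(\d+(?:\.\d+)+)(?:-|$)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(text):
    """True if the upstream version lies in [2.0, 2.2.11).

    Only upstream version numbers are compared; fixes backported by a
    distribution are not visible to this check.
    """
    return FIRST_AFFECTED <= parse_version(text) < FIXED_IN


def find_probe_warnings(log_lines):
    """Return (line_number, logged_text) for every occurrence of the warning."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        _, sep, rest = line.partition(WARNING)
        if sep:
            hits.append((n, rest.strip()))
    return hits


# Constructed sample maillog lines (host, process names, PIDs and text are made up).
SAMPLE_LOG = [
    "Apr  9 20:14:01 mx1 postfix/smtpd[2101]: connect from unknown[192.0.2.10]",
    "Apr  9 20:14:02 mx1 postfix/cleanup[2104]: " + WARNING + " xxxxxxxxxxxxxxxx",
    "Apr  9 20:14:02 mx1 postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]",
]

if __name__ == "__main__":
    for pkg in ("postfix-2.10.1-6.el7", "2.2.10", "2.2.11"):
        print(pkg, "affected" if is_affected(pkg) else "not affected")
    print("naive string compare '2.10.1' < '2.2.11':", "2.10.1" < "2.2.11")
    for n, text in find_probe_warnings(SAMPLE_LOG):
        print(f"maillog line {n}: comment-stripping warning, text {text[:40]!r}")
```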
Too busy getting ready for Passover, and not looking carefully enough at the numbers.
I better get back to what I should be doing right now.
See you all Thursday.
On 04/09/2017 08:13 PM, Peter wrote:
> On 10/04/17 12:08, Robert Moskowitz wrote:
>> This was just posted on the Postfix list. CentOS 7 ships with: postfix-2.10.1-6.el7
>> Has this CERT advisory been applied to the CentOS build of Postfix?
>> This is an exploit for Postfix 2.0 - 2.2, for a bug that was fixed 11 years ago in Postfix 2.2.11 and later.
> 2.10.1 is way later than 2.2.11; this bug was never in any version of Postfix that shipped after CentOS 4.
> Peter
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos