-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2008:171 http://www.mandriva.com/security/ _______________________________________________________________________ Package : postfix Date : August 15, 2008 Affected: 2007.1, 2008.0, 2008.1, Corporate 3.0, Corporate 4.0 _______________________________________________________________________ Problem Description: Sebastian Krahmer of the SUSE Security Team discovered a flaw in the way Postfix dereferenced symbolic links. If a local user had write access to a mail spool directory without a root mailbox file, it could be possible for them to append arbitrary data to files that root had write permissions to (CVE-2008-2936). The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936 _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.1: 26e470b9c59a7f942865ff4c9a029f33 2007.1/i586/libpostfix1-2.3.8-1.1mdv2007.1.i586.rpm 886bae30f28144d5cd12330eadc29beb 2007.1/i586/postfix-2.3.8-1.1mdv2007.1.i586.rpm 4490c64a7b39685f04dff74ce114edd1 2007.1/i586/postfix-ldap-2.3.8-1.1mdv2007.1.i586.rpm 03bc15e8554bb5519bccc27147dc49c5 2007.1/i586/postfix-mysql-2.3.8-1.1mdv2007.1.i586.rpm 4ce6d3583264a3d9a89e99554d8f5334 2007.1/i586/postfix-pcre-2.3.8-1.1mdv2007.1.i586.rpm 1fa256a3a7306dc4711d2c1f394e4779 2007.1/i586/postfix-pgsql-2.3.8-1.1mdv2007.1.i586.rpm 585a32ed0e7d643bec4be76ca56e96a3 2007.1/SRPMS/postfix-2.3.8-1.1mdv2007.1.src.rpm Mandriva Linux 2007.1/X86_64: c5b9aba41a5f7d4762e07611ab796ba9 2007.1/x86_64/lib64postfix1-2.3.8-1.1mdv2007.1.x86_64.rpm 34aaf8a7f5489382ae2fe752239c1ad3 2007.1/x86_64/postfix-2.3.8-1.1mdv2007.1.x86_64.rpm c1bbbc34d1a6951dfea07b479e7546a6 2007.1/x86_64/postfix-ldap-2.3.8-1.1mdv2007.1.x86_64.rpm 72c368adfd81383032aee96564edd1dc 2007.1/x86_64/postfix-mysql-2.3.8-1.1mdv2007.1.x86_64.rpm b6e9329425e1e4f6f1b591ca01c07527 2007.1/x86_64/postfix-pcre-2.3.8-1.1mdv2007.1.x86_64.rpm 858ac67feca2fae49be70f752a9f5688 2007.1/x86_64/postfix-pgsql-2.3.8-1.1mdv2007.1.x86_64.rpm 585a32ed0e7d643bec4be76ca56e96a3 2007.1/SRPMS/postfix-2.3.8-1.1mdv2007.1.src.rpm Mandriva Linux 2008.0: 28f80755d3e08a050a3294f15bcdf0b0 2008.0/i586/libpostfix1-2.4.5-2.1mdv2008.0.i586.rpm 8e5a684b87309c502f34d76104e7291f 2008.0/i586/postfix-2.4.5-2.1mdv2008.0.i586.rpm fd4bd15f398bb8f9a90e59216b4a01dc 2008.0/i586/postfix-ldap-2.4.5-2.1mdv2008.0.i586.rpm 63e5be0f5c1dc8b28f173726c1648831 2008.0/i586/postfix-mysql-2.4.5-2.1mdv2008.0.i586.rpm 75e6b126fd04ce8cbef1d024a8d4af94 2008.0/i586/postfix-pcre-2.4.5-2.1mdv2008.0.i586.rpm 3eb0a04a986f20d4771b774b0707d5ff 2008.0/i586/postfix-pgsql-2.4.5-2.1mdv2008.0.i586.rpm d18e696ddd9948b311e84c1df3b4edfa 2008.0/SRPMS/postfix-2.4.5-2.1mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: 25c8159e3a2b78ab281dcf6c7b5886d1 2008.0/x86_64/lib64postfix1-2.4.5-2.1mdv2008.0.x86_64.rpm 56bc517d9bb1cf9221ce8d35999ac7de 2008.0/x86_64/postfix-2.4.5-2.1mdv2008.0.x86_64.rpm 08af0c3454a642e57252180f6f8b8b1c 2008.0/x86_64/postfix-ldap-2.4.5-2.1mdv2008.0.x86_64.rpm c8777d4816b661a2853df44228c97e26 2008.0/x86_64/postfix-mysql-2.4.5-2.1mdv2008.0.x86_64.rpm 08579717946ec5c32df7674286f9f45a 2008.0/x86_64/postfix-pcre-2.4.5-2.1mdv2008.0.x86_64.rpm fda669add03041fa744d5738c7457c3a 2008.0/x86_64/postfix-pgsql-2.4.5-2.1mdv2008.0.x86_64.rpm d18e696ddd9948b311e84c1df3b4edfa 2008.0/SRPMS/postfix-2.4.5-2.1mdv2008.0.src.rpm Mandriva Linux 2008.1: 5a3804f2c3effc218f5c2e2e3df27564 2008.1/i586/libpostfix1-2.5.1-2.1mdv2008.1.i586.rpm 506d51b49e9c8c0e439fc8bc4c63ba29 2008.1/i586/postfix-2.5.1-2.1mdv2008.1.i586.rpm 34ef86dd70c956f2a99bdfac81183e09 2008.1/i586/postfix-ldap-2.5.1-2.1mdv2008.1.i586.rpm 1d07b91d48c60906f28b8a2eba99ca1c 2008.1/i586/postfix-mysql-2.5.1-2.1mdv2008.1.i586.rpm 70ba3c286521579fc49a54bba84472dd 2008.1/i586/postfix-pcre-2.5.1-2.1mdv2008.1.i586.rpm dca57a1b0579a8418ad10aac03322b2e 2008.1/i586/postfix-pgsql-2.5.1-2.1mdv2008.1.i586.rpm 0f3cb76c3893354103745ee331942f0d 2008.1/SRPMS/postfix-2.5.1-2.1mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 16d38a5b0b47edb0fc3395c63511bd6c 2008.1/x86_64/lib64postfix1-2.5.1-2.1mdv2008.1.x86_64.rpm 546f25ac9ea5aa167b9282bd8d4f537a 2008.1/x86_64/postfix-2.5.1-2.1mdv2008.1.x86_64.rpm f1a917d26a5366044e570f6571c2fb10 2008.1/x86_64/postfix-ldap-2.5.1-2.1mdv2008.1.x86_64.rpm 4b2f2a4d53ef97dbd2c609afc9e61c77 2008.1/x86_64/postfix-mysql-2.5.1-2.1mdv2008.1.x86_64.rpm 266433d35cd238e9132b6225bc5d1258 2008.1/x86_64/postfix-pcre-2.5.1-2.1mdv2008.1.x86_64.rpm 78f8df45bf1c009701112a60294ccdeb 2008.1/x86_64/postfix-pgsql-2.5.1-2.1mdv2008.1.x86_64.rpm 0f3cb76c3893354103745ee331942f0d 2008.1/SRPMS/postfix-2.5.1-2.1mdv2008.1.src.rpm Corporate 3.0: 7d6dc0a422fa43c691a6819a9954d29c corporate/3.0/i586/libpostfix1-2.1.1-0.4.C30mdk.i586.rpm 6c90a40a69bcd261d1fff8124d087d48 corporate/3.0/i586/postfix-2.1.1-0.4.C30mdk.i586.rpm 9e3468e37e512a5207a982ba606d8fb8 corporate/3.0/i586/postfix-ldap-2.1.1-0.4.C30mdk.i586.rpm 8018f6af47a5659396a3d903c27b33d4 corporate/3.0/i586/postfix-mysql-2.1.1-0.4.C30mdk.i586.rpm ac40a515260bd75fe00c5e1610b11e7b corporate/3.0/i586/postfix-pcre-2.1.1-0.4.C30mdk.i586.rpm f8675212bf047f8373846efe438d6e34 corporate/3.0/i586/postfix-pgsql-2.1.1-0.4.C30mdk.i586.rpm 0b9d6b89f64cf5c5ba64d4234ba958d3 corporate/3.0/SRPMS/postfix-2.1.1-0.4.C30mdk.src.rpm Corporate 3.0/X86_64: f695f71cf4e3cff94b76ffaa79e79276 corporate/3.0/x86_64/lib64postfix1-2.1.1-0.4.C30mdk.x86_64.rpm 479831782b7e851ee64b8686e5435742 corporate/3.0/x86_64/postfix-2.1.1-0.4.C30mdk.x86_64.rpm a52bf688f3f842c8062ca1e43748a442 corporate/3.0/x86_64/postfix-ldap-2.1.1-0.4.C30mdk.x86_64.rpm e286020374420577f7372bf98b3145f0 corporate/3.0/x86_64/postfix-mysql-2.1.1-0.4.C30mdk.x86_64.rpm 7c4d75cb5df1951918a3baf56aff0dcd corporate/3.0/x86_64/postfix-pcre-2.1.1-0.4.C30mdk.x86_64.rpm e1b6ff7a49ab9dbd1cc8559ec9a747fe corporate/3.0/x86_64/postfix-pgsql-2.1.1-0.4.C30mdk.x86_64.rpm 0b9d6b89f64cf5c5ba64d4234ba958d3 corporate/3.0/SRPMS/postfix-2.1.1-0.4.C30mdk.src.rpm Corporate 4.0: c7e11fa492370b389f507fc3ae2b1d4a corporate/4.0/i586/libpostfix1-2.3.5-0.2.20060mlcs4.i586.rpm f78b08147813d142dbebccfa3f2d1fc1 corporate/4.0/i586/postfix-2.3.5-0.2.20060mlcs4.i586.rpm 982fb6adba17ab2acfd477323a55db4c corporate/4.0/i586/postfix-ldap-2.3.5-0.2.20060mlcs4.i586.rpm 163b41ad32263b2a319720144153f5af corporate/4.0/i586/postfix-mysql-2.3.5-0.2.20060mlcs4.i586.rpm 7be21bfdc0f6e70d6da173d5005516f8 corporate/4.0/i586/postfix-pcre-2.3.5-0.2.20060mlcs4.i586.rpm 26c0b02352463bd5c33b67c146330701 corporate/4.0/i586/postfix-pgsql-2.3.5-0.2.20060mlcs4.i586.rpm f9251f61013674ae03a5122d8c5cfd25 corporate/4.0/SRPMS/postfix-2.3.5-0.2.20060mlcs4.src.rpm Corporate 4.0/X86_64: 91d8789d61bc41409d96b0442ffb8d13 corporate/4.0/x86_64/lib64postfix1-2.3.5-0.2.20060mlcs4.x86_64.rpm db6e1d07cd48fd215db13b6c0812629f corporate/4.0/x86_64/postfix-2.3.5-0.2.20060mlcs4.x86_64.rpm 6d57adb992f1903344a12c213116e2d9 corporate/4.0/x86_64/postfix-ldap-2.3.5-0.2.20060mlcs4.x86_64.rpm c3217315a710dddef6addc566542dbef corporate/4.0/x86_64/postfix-mysql-2.3.5-0.2.20060mlcs4.x86_64.rpm 21db2224670acce491ff87269f21ec5e corporate/4.0/x86_64/postfix-pcre-2.3.5-0.2.20060mlcs4.x86_64.rpm 89d5796c4d94bb6ab1ef26de400d032f corporate/4.0/x86_64/postfix-pgsql-2.3.5-0.2.20060mlcs4.x86_64.rpm f9251f61013674ae03a5122d8c5cfd25 corporate/4.0/SRPMS/postfix-2.3.5-0.2.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFIpbu8mqjQ0CJFipgRApsdAJ0XV7YMQObXpiNScy6r/ct8BPjTIACg0mow TLWvKH+6JSz18dJfpEjIxFw= =rHfX -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/