GLSA 200809-09: Postfix: Denial of Service
Severity: | normal |
Title: | Postfix: Denial of Service |
Date: | 09/19/2008 |
Bugs: |
|
ID: | 200809-09 |
Synopsis
A memory leak in Postfix might allow local users to cause a Denial of Service.Background
Postfix is Wietse Venema's mailer that attempts to be fast, easy to administer, and secure, as an alternative to the widely-used Sendmail program.
Affected packages
Package | Vulnerable | Unaffected | Architecture(s) |
---|---|---|---|
mail-mta/postfix | < 2.4.9 | >= 2.4.9 | All supported architectures |
Description
It has been discovered than Postfix leaks an epoll file descriptor when executing external commands, e.g. user-controlled $HOME/.forward or $HOME/.procmailrc files. NOTE: This vulnerability only concerns Postfix instances running on Linux 2.6 kernels.
Impact
A local attacker could exploit this vulnerability to reduce the performance of Postfix, and possibly trigger an assertion, resulting in a Denial of Service.
Workaround
Allow only trusted users to control delivery to non-Postfix commands.
Resolution
All Postfix 2.4 users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.4.9"
All Postfix 2.5 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.5.5"
References
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.