Debian: New postfix packages fix installability problem on i386
Posted by Benjamin D. Thomas   
------------------------------------------------------------------------
Debian Security Advisory DSA-1629-2                  security@debian.org
http://www.debian.org/security/                          Thijs Kinkhorst
August 19, 2008                       http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : postfix
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-2936

Due to a version numbering problem, the Postfix update for DSA 1629 was
not installable on the i386 (Intel ia32) architecture. This update
increases the version number to make it installable on i386 as well.
For reference, the original advisory text is below.

Sebastian Krahmer discovered that Postfix, a mail transfer agent,
incorrectly checks the ownership of a mailbox. In some configurations,
this allows for appending data to arbitrary files as root.

Note that only specific configurations are vulnerable; the default
Debian installation is not affected. Only a configuration meeting
the following requirements is vulnerable:
 * The mail delivery style is mailbox, with the Postfix built-in
   local(8) or virtual(8) delivery agents.
 * The mail spool directory (/var/spool/mail) is user-writeable.
 * The user can create hardlinks pointing to root-owned symlinks
   located in other directories.

For a detailed treatment of the issue, please refer to the upstream
author's announcement:
http://article.gmane.org/gmane.mail.postfix.announce/110

For the stable distribution (etch), this problem has been fixed in
version 2.3.8-2+etch1.

For the testing distribution (lenny), this problem has been fixed in
version 2.5.2-2lenny1.

For the unstable distribution (sid), this problem has been fixed
in version 2.5.4-1.

We recommend that you upgrade your postfix package.
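
The following audit helper is an added example, not part of the Debian
advisory: it compares the installed postfix version with the fixed etch
version and reports the first two preconditions listed above. The function
names and the reading of "mailbox style" for local(8) (no mailbox_command,
no mailbox_transport, no path ending in "/") are assumptions; virtual(8)
and the hardlink condition are not checked.

```shell
#!/bin/sh
# Added example (not from DSA-1629): report the advisory's preconditions.
FIXED=${FIXED:-2.3.8-2+etch1}   # etch fix from the advisory; 2.5.2-2lenny1 on lenny

# Classify write access on a spool directory: world, group or owner-only.
spool_write_class() {
    perms=$(ls -ldL "$1" 2>/dev/null | cut -c1-10)
    case $perms in
        d???????w?) echo world ;;        # "other" write bit set
        d????w????) echo group ;;        # group write bit set
        d?????????) echo owner-only ;;
        *)          echo missing; return 1 ;;
    esac
}

# Return 0 when local(8) itself writes mbox files (assumed reading of
# "mailbox style"): no external command or transport, no maildir path.
# Args: mailbox_command mailbox_transport home_mailbox mail_spool_directory
builtin_mbox_delivery() {
    [ -z "$1" ] && [ -z "$2" ] || return 1
    case $3 in */) return 1 ;; esac      # trailing "/" selects maildir
    case $4 in */) return 1 ;; esac
    return 0
}

audit() {
    installed=$(dpkg-query -W -f='${Version}' postfix 2>/dev/null) || {
        echo "postfix: not installed"; return 0; }
    if dpkg --compare-versions "$installed" lt "$FIXED"; then
        echo "postfix $installed is older than fixed version $FIXED"
    fi
    spool=$(postconf -h mail_spool_directory)
    echo "spool $spool write access: $(spool_write_class "$spool")"
    if builtin_mbox_delivery "$(postconf -h mailbox_command)" \
        "$(postconf -h mailbox_transport)" "$(postconf -h home_mailbox)" "$spool"
    then echo "delivery: built-in mailbox (mbox) style"
    else echo "delivery: external command, transport or maildir"
    fi
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run it with --audit on the mail host; a spool reported as "group" is
writable only by members of the directory's group.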

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
 