- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3725-1            [email protected]
https://www.debian.org/lts/security/                    Bastien Roucariès
January 30, 2024                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : postfix
Version        : 3.4.23-0+deb10u2
CVE ID         : CVE-2023-51764
Debian Bug     : 1059230

Postfix, a popular mail server, allowed SMTP smuggling unless configured
with smtpd_data_restrictions=reject_unauth_pipelining and
smtpd_discard_ehlo_keywords=chunking (or certain other options that exist
in recent versions). Remote attackers can use a published exploitation
technique to inject e-mail messages with a spoofed MAIL FROM address,
allowing bypass of an SPF protection mechanism. This occurs because
Postfix supported <LF>.<CR><LF> as an end-of-data sequence but some other
popular e-mail servers do not. To prevent attack variants (by always
disallowing <LF> without <CR>), a different solution is required, such as
setting the backported configuration option smtpd_forbid_bare_newline=yes.

For Debian 10 buster, this problem has been fixed in version
3.4.23-0+deb10u2.

We recommend that you upgrade your postfix packages.

For the detailed security status of postfix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postfix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
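The following is an added illustration, not code from the advisory or from Postfix: a small checker that classifies line terminators in an SMTP DATA payload the way a receiver running with smtpd_forbid_bare_newline=yes would, flagging any LF that is not preceded by CR and the specific <LF>.<CR><LF> sequence the advisory describes. The two sample payloads are constructed for the demonstration.

```python
"""Detect bare-newline (SMTP smuggling) sequences in an SMTP DATA payload."""
import re

# An LF that is not preceded by CR: the "bare newline" that
# smtpd_forbid_bare_newline=yes causes Postfix to reject.
BARE_LF = re.compile(rb"(?<!\r)\n")

# The end-of-data variant named in the advisory: <LF>.<CR><LF>.
# Unfixed Postfix treated this as end of message; many other MTAs do not,
# so the two sides disagree about where one message ends and the next starts.
LF_DOT_CRLF = re.compile(rb"(?<!\r)\n\.\r\n")


def bare_newline_offsets(data: bytes) -> list[int]:
    """Return the byte offset of every LF that is not preceded by CR."""
    return [m.start() for m in BARE_LF.finditer(data)]


def has_lf_dot_crlf(data: bytes) -> bool:
    """True if the payload contains the <LF>.<CR><LF> end-of-data variant."""
    return LF_DOT_CRLF.search(data) is not None


def check_data_stream(data: bytes) -> dict:
    """Summarise a DATA payload as a strict receiver would judge it.

    'verdict' is 'reject' when any bare LF is present (the behaviour of
    smtpd_forbid_bare_newline=yes), otherwise 'accept'.
    """
    offsets = bare_newline_offsets(data)
    return {
        "bare_newlines": len(offsets),
        "first_bare_newline": offsets[0] if offsets else None,
        "lf_dot_crlf": has_lf_dot_crlf(data),
        "verdict": "reject" if offsets else "accept",
    }


# Constructed sample payloads (not taken from the advisory).
CLEAN = b"Subject: hello\r\n\r\nbody line\r\n.\r\n"
SMUGGLED = b"Subject: hello\r\n\r\nbody line\n.\r\nmore text\r\n.\r\n"

if __name__ == "__main__":
    for name, payload in (("clean", CLEAN), ("smuggled", SMUGGLED)):
        print(name, check_data_stream(payload))
```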
