when is it the official rpm. Simon Mudd the new rpms are still not present
On Monday 07 March 2011 at 15:18 -0500, Wietse Venema wrote:
> [An on-line version of this announcement will be available at
> http://www.postfix.org/announcements/postfix-2.7.3.html]
>
> Postfix legacy releases 2.7.3, 2.6.9, 2.5.12 and 2.4.16 are available.
> These releases contain a fix for CVE-2011-0411 which allows plaintext
> command injection with SMTP sessions over TLS. This defect was
> introduced with Postfix version 2.2. The same flaw exists in other
> implementations of the STARTTLS command.
>
> Note: CVE-2011-0411 is an issue only for the minority of SMTP
> clients that actually verify server certificates. Without server
> certificate verification, clients are always vulnerable to
> man-in-the-middle attacks that allow attackers to inject
> plaintext commands or responses into SMTP sessions, and more.
>
> Postfix 2.8 and 2.9 are not affected.
>
> The following problems were fixed with the Postfix legacy releases:
>
> * Fix for CVE-2011-0411: discard buffered plaintext input,
> after reading the SMTP "STARTTLS" command or response.
>
> * Fix to the local delivery agent: look up the "unextended"
> address in the local aliases database, when that address has
> a malformed address extension.
>
> * Fix to virtual alias expansion: report a tempfail error,
> instead of silently ignoring recipients that exceed the
> virtual_alias_expansion_limit or the virtual_alias_recursion_limit.
>
> * Fix for Solaris: the Postfix event engine was deaf for SIGHUP
> and SIGALRM signals after the switch from select() to /dev/poll.
> Symptoms were delayed "postfix reload" response, and killed
> processes with watchdog timeout values under 100 seconds.
>
> * Fix for HP-UX: the Postfix event engine was deaf for SIGALRM
> signals. Symptoms were killed processes with watchdog timeout
> values under 100 seconds.
>
> * Fix for BSD-ish mkdir() to prevent maildir directories from
> inheriting their group ownership from the parent directory.
>
> * Fix to the SMTP client: missing support for mail to
> [ipv6:ipv6addr] address literal destinations.
>
> * FreeBSD back-ported closefrom() from FreeBSD 8x to 7x, breaking
> Postfix builds retroactively.
>
> Historical note:
>
> Wietse Venema discovered the problem two weeks before the
> Postfix 2.8 release, and silently fixed it pending further
> investigation. While investigating the problem's scope and
> impact, Victor Duchovni found that many other TLS applications
> were also affected. At that point, CERT/CC was asked to coordinate
> with the problem's resolution.
>
> You can find the updated Postfix source code at the mirrors listed
> at http://www.postfix.org/.

-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
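The CVE-2011-0411 fix quoted above ("discard buffered plaintext input after reading the SMTP STARTTLS command") can be illustrated with a small model of a server's read buffer. This is an added example written for this archive page, not Postfix code and not part of the announcement: `Session` and `serve` are constructed names, and the input segments are made up for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    """Minimal model of one SMTP server session (constructed for this example)."""
    buffer: bytes = b""          # bytes read from the socket, not yet parsed
    tls_active: bool = False
    executed: list = field(default_factory=list)

    def feed(self, data: bytes) -> None:
        self.buffer += data

    def next_line(self):
        """Return the next CRLF-terminated line, or None if no full line is buffered."""
        if b"\r\n" not in self.buffer:
            return None
        line, _, self.buffer = self.buffer.partition(b"\r\n")
        return line.decode("ascii", "replace")

    def start_tls(self, discard_buffered: bool) -> None:
        # Everything still sitting in the read buffer arrived in plaintext and
        # is not protected by the handshake that follows. The fix described in
        # the announcement is to discard it here instead of parsing it later.
        if discard_buffered:
            self.buffer = b""
        self.tls_active = True


def serve(plaintext: bytes, tls_payload: bytes, fixed: bool) -> list:
    """Feed one plaintext segment, perform STARTTLS, then feed the decrypted
    application data; return the commands executed while TLS was active."""
    s = Session()
    s.feed(plaintext)
    while (line := s.next_line()) is not None:
        if not s.tls_active and line.upper() == "STARTTLS":
            s.start_tls(discard_buffered=fixed)
            s.feed(tls_payload)      # what the real client sends after the handshake
        elif s.tls_active:
            s.executed.append(line)
    return s.executed


# Constructed input: a second command pipelined in the same plaintext segment
# as STARTTLS, plus one legitimate command sent over the TLS channel.
PLAINTEXT_SEGMENT = b"STARTTLS\r\nRSET\r\n"
TLS_PAYLOAD = b"NOOP\r\n"

if __name__ == "__main__":
    print("unpatched:", serve(PLAINTEXT_SEGMENT, TLS_PAYLOAD, fixed=False))  # ['RSET', 'NOOP']
    print("patched:  ", serve(PLAINTEXT_SEGMENT, TLS_PAYLOAD, fixed=True))   # ['NOOP']
```

The unpatched path treats the leftover plaintext bytes as if they had been received inside the TLS session, which is exactly the confusion the announcement's note about certificate-verifying clients is concerned with; the patched path only ever executes what arrived over the encrypted channel.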