Description
Security update for postfix
This update for postfix fixes the following issues:
- CVE-2023-51764: Fixed new SMTP smuggling attack (bsc#1218304).
Package list
SUSE Linux Enterprise Module for Basesystem 15 SP5
SUSE Linux Enterprise Module for Legacy 15 SP5
SUSE Linux Enterprise Module for Server Applications 15 SP5
openSUSE Leap 15.5
References
- Link for SUSE-SU-2023:4981-1
- E-Mail link for SUSE-SU-2023:4981-1
- SUSE Security Ratings
- SUSE Bug 1218304
- SUSE Bug 1218314
- SUSE CVE CVE-2023-51764 page
Description
Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.
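The check below is an added example, not code from SUSE or the Postfix project: it reads `postconf`-style `name = value` output and reports which of the mitigations named in the description above is explicitly configured. It assumes the text includes `mail_version` with upstream version numbering (distribution packages that backport fixes may report differently); the function names and the sample input are hypothetical.

```python
import re

# Minimum upstream releases with smtpd_forbid_bare_newline, as listed in the CVE text.
MIN_PATCH = {(3, 5): 23, (3, 6): 13, (3, 7): 9, (3, 8): 4}

def parse_postconf(text):
    """Turn 'name = value' lines (postconf output format) into a dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            params[name.strip()] = value.strip()
    return params

def has_forbid_option(version):
    """True if this upstream version is at or above the minimums in the CVE text."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return False
    branch, patch = (int(m.group(1)), int(m.group(2))), int(m.group(3) or 0)
    if branch in MIN_PATCH:
        return patch >= MIN_PATCH[branch]
    return branch >= (3, 9)

def words(value):
    """Split a comma- or space-separated parameter value into lowercase tokens."""
    return {w.lower() for w in re.split(r"[,\s]+", value) if w}

def audit(postconf_text):
    """Return which mitigation from the CVE text is explicitly configured.
    'none' only means neither is present as written in the advisory; other
    values or newer-release defaults are not evaluated here."""
    p = parse_postconf(postconf_text)
    if (p.get("smtpd_forbid_bare_newline", "").lower() == "yes"
            and has_forbid_option(p.get("mail_version", ""))):
        return "forbid_bare_newline"
    if ("reject_unauth_pipelining" in words(p.get("smtpd_data_restrictions", ""))
            and "chunking" in words(p.get("smtpd_discard_ehlo_keywords", ""))):
        return "workaround"
    return "none"

# Constructed sample input, not taken from a real host.
SAMPLE = """mail_version = 3.7.3
smtpd_forbid_bare_newline = yes
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_discard_ehlo_keywords = chunking
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The sample is reported as `workaround` because 3.7.3 is below the 3.7.9 minimum for `smtpd_forbid_bare_newline`, so only the pipelining and chunking settings count.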
Affected products
References
- CVE-2023-51764
- SUSE Bug 1218304