Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2024:1149-1

Опубликовано: 08 апр. 2024
Источник: suse-cvrf

Описание

Security update for postfix

This update for postfix fixes the following issues:

  • CVE-2023-51764: Prevent SMTP smuggling attack. (bsc#1218304)

Список пакетов

SUSE Linux Enterprise Server 12 SP5
postfix-3.2.10-3.30.1
postfix-doc-3.2.10-3.30.1
postfix-mysql-3.2.10-3.30.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5
postfix-3.2.10-3.30.1
postfix-doc-3.2.10-3.30.1
postfix-mysql-3.2.10-3.30.1
SUSE Linux Enterprise Software Development Kit 12 SP5
postfix-devel-3.2.10-3.30.1

Ссылки

Описание

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

Затронутые продукты
SUSE Linux Enterprise Server 12 SP5:postfix-3.2.10-3.30.1
SUSE Linux Enterprise Server 12 SP5:postfix-doc-3.2.10-3.30.1
SUSE Linux Enterprise Server 12 SP5:postfix-mysql-3.2.10-3.30.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5:postfix-3.2.10-3.30.1
Ссылки