New postfix packages fix security issues.

Advisory:	RHSA-2003:251-07
Type:	Security Advisory
Severity:	N/A
Issued on:	2003-08-04
Last updated on:	2003-08-04
Affected Products:	Red Hat Linux 7.3 Red Hat Linux 8.0 Red Hat Linux 9
OVAL:	N/A
CVEs (cve.mitre.org):	CVE-2003-0468 CVE-2003-0540

Details

New Postfix packages that fix two potential security issues are now available.

Postfix is a Mail Transport Agent (MTA).

Two security issues have been found in Postfix that affect the Postfix
packages in Red Hat Linux 7.3, 8.0, and 9.

Postfix versions before 1.1.12 allow an attacker to bounce-scan private
networks, or use the daemon as a DDoS tool by forcing the daemon to connect
to an arbitrary service at an arbitrary IP address and receiving either a
bounce message or by analyzing timing. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0468 to
this issue.

Postfix versions from 1.1 up to and including 1.1.12 have a bug where a
remote attacker could send a malformed envelope address and:

1) cause the queue manager to lock up until an entry is removed from the
queue or,

2) lock up the SMTP listener, leading to a DoS.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0540 to this issue.

Users of Postfix are advised to upgrade to these erratum packages, which
contain a version of Postfix 1.1.12 with the addition of a security patch
and is not vulnerable to either of these issues.

Red Hat would like to thank Michal Zalewski for discovering and disclosing
the flaws and to Wietse Venema for providing patches.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 7.3

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/postfix-1.1.12-0.7.src.rpm Missing file	`1c17ca698971a1b5904590b97c0cbf8f`

IA-32:
ftp://updates.redhat.com/7.3/en/os/i386/postfix-1.1.12-0.7.i386.rpm Missing file	`d862e447c46cc4587dc96d4d44ef1a58`

Red Hat Linux 8.0

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/postfix-1.1.12-0.8.src.rpm Missing file	`e9e79099eb8e23dc0eff8f26d059cf53`

IA-32:
ftp://updates.redhat.com/8.0/en/os/i386/postfix-1.1.12-0.8.i386.rpm Missing file	`48e8299644a815e5dd67e67ef9aff8b5`

Red Hat Linux 9

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/postfix-1.1.12-1.src.rpm Missing file	`4c1500d10e8533eda4168a0cd193b561`

IA-32:
ftp://updates.redhat.com/9/en/os/i386/postfix-1.1.12-1.i386.rpm Missing file	`b3345751920862dc4ab2e82bcc0c51f9`

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0540

Keywords

address, envelope, postfix

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/