Bugzilla – Bug 1218304
VUL-0: CVE-2023-51764: postfix: new SMTP smuggling attack
Last modified: 2024-04-23 13:30:05 UTC
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ describes a new SMTP smuggling attack that exploits inconsistent handling of the "<cr><lf>.<cr><lf>" data end marker on some email servers. Postfix has published a hardening measure that avoids accepting streamed emails:

https://www.mail-archive.com/postfix-users@postfix.org/msg100901.html

As part of a non-responsible disclosure process, SEC Consult has published an email spoofing attack that involves a composition of different mail service behaviors with respect to broken line endings.

A short-term fix may be deployed now, before the upcoming long holiday:

- Postfix 3.9 (stable release early 2024) rejects unauthorised pipelining by default: "smtpd_forbid_unauth_pipelining = yes".
- Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same feature, but the "smtpd_forbid_unauth_pipelining" parameter defaults to "no".

Setting "smtpd_forbid_unauth_pipelining = yes" may break legitimate SMTP clients that mis-implement SMTP, but such clients are exceedingly rare, especially when email is sent across the Internet.

This short-term fix will stop the published form of the attack, but other forms exist that will not be stopped in this manner. The longer-term fix stops all forms of the smuggling attacks and is in testing. For most sites, this fix will be too late for deployment before a long holiday break, when typically production changes are not allowed until January.

Timeline:
Dec 18 SEC Consult publishes an attack (composition of mail service behaviors)
Dec 19 Implement fix for Postfix, start testing and Q/A
Dec ?? Publish updated stable Postfix versions 3.8, 3.7, 3.6, 3.5
Dec 23 First day of a 10+ day holiday break and production freeze

References:
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

Wietse
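The inconsistent handling described above comes down to which byte sequences a server is willing to accept as the end of DATA. As an added example that is neither Postfix code nor taken from the SEC Consult post, the following Python scans a raw SMTP DATA payload for lone-dot lines and classifies each as the canonical <CR><LF>.<CR><LF> marker or as a bare-LF / bare-CR variant. A receiving server or mail-flow filter that refuses payloads containing the non-canonical variants cannot be made to see a message boundary that the upstream relay did not see. The sample payload is constructed for this example, and the exact bare-CR / bare-LF variants it flags are an assumption about which "broken line endings" the announcement refers to.

```python
"""Added example (not Postfix code): flag non-canonical end-of-data markers
in a raw SMTP DATA payload, input that a strict receiver should refuse rather
than interpret as an end of message."""
import re
from typing import List, Tuple

# RFC 5321 end-of-data marker: a line consisting only of "." terminated by CRLF.
CANONICAL_EOD = b"\r\n.\r\n"

# Every line-break variant around a lone dot. CRLF is listed first so the regex
# prefers the canonical two-byte terminator over a bare CR when both would match.
# The "^" alternative covers a dot on the very first line of the payload.
_DOT_LINE = re.compile(rb"(?P<pre>^|\r\n|\r|\n)\.(?P<post>\r\n|\r|\n)")


def find_dot_lines(payload: bytes) -> List[Tuple[int, bytes, bytes, bool]]:
    """Return every lone-dot line as (offset, preceding break, following break,
    canonical?). Only CRLF on both sides (or a dot on the first line followed
    by CRLF) counts as canonical. Bare LF / bare CR variants (assumed here to be
    the inconsistent cases) are what one server may treat as end of data while
    another forwards them as ordinary message text."""
    findings = []
    pos = 0
    while True:
        match = _DOT_LINE.search(payload, pos)
        if not match:
            break
        pre, post = match.group("pre"), match.group("post")
        canonical = pre in (b"", b"\r\n") and post == b"\r\n"
        findings.append((match.start(), pre, post, canonical))
        # Resume at the trailing break: it may also be the leading break of an
        # immediately following dot line, so it must stay searchable.
        pos = match.start("post")
    return findings


def has_non_canonical_eod(payload: bytes) -> bool:
    """True when the payload contains at least one lone-dot line that is not the
    canonical CRLF.CRLF marker. A strict receiver rejects such a message instead
    of guessing which dot ends it."""
    return any(not canonical for _, _, _, canonical in find_dot_lines(payload))


# Constructed sample (not a real capture): a body with a bare-LF dot line in the
# middle, followed by the canonical marker at the end.
SAMPLE_PAYLOAD = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"first part of the body"
    b"\n.\n"  # bare-LF dot line: ambiguous end of data
    b"text a lenient receiver would split off from the message\r\n"
    b".\r\n"  # canonical end of data
)


if __name__ == "__main__":
    for offset, pre, post, canonical in find_dot_lines(SAMPLE_PAYLOAD):
        status = "canonical" if canonical else "NON-CANONICAL"
        print(f"offset {offset}: pre={pre!r} post={post!r} -> {status}")
    print("reject:", has_non_canonical_eod(SAMPLE_PAYLOAD))
```

Running the file reports the bare-LF dot line in the sample as non-canonical and the final marker as canonical. The same check belongs in front of any component that tolerates bare line breaks; the longer-term Postfix fix mentioned above takes the same approach of refusing bare newlines in DATA instead of treating them as a message boundary (later Postfix releases expose this as the smtpd_forbid_bare_newline parameter).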
SUSE-SU-2023:4981-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1218304, 1218314
CVE References: CVE-2023-51764

Sources used:
- openSUSE Leap 15.5 (src): postfix-bdb-3.7.3-150500.3.11.1, postfix-3.7.3-150500.3.11.1
- Basesystem Module 15-SP5 (src): postfix-3.7.3-150500.3.11.1
- Legacy Module 15-SP5 (src): postfix-bdb-3.7.3-150500.3.11.1
- Server Applications Module 15-SP5 (src): postfix-3.7.3-150500.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1218304) was mentioned in https://build.opensuse.org/request/show/1135431 Factory / postfix
SUSE-SU-2024:0012-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1218304, 1218314
CVE References: CVE-2023-51764

Sources used:
- SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
- SUSE Manager Proxy 4.3 (src): postfix-3.5.9-150300.5.15.1
- SUSE Manager Retail Branch Server 4.3 (src): postfix-3.5.9-150300.5.15.1
- SUSE Manager Server 4.3 (src): postfix-3.5.9-150300.5.15.1
- SUSE Enterprise Storage 7.1 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
- openSUSE Leap 15.3 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
- openSUSE Leap 15.4 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
- Basesystem Module 15-SP4 (src): postfix-3.5.9-150300.5.15.1
- Legacy Module 15-SP4 (src): postfix-bdb-3.5.9-150300.5.15.1
- Server Applications Module 15-SP4 (src): postfix-3.5.9-150300.5.15.1
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
- SUSE Linux Enterprise Real Time 15 SP4 (src): postfix-3.5.9-150300.5.15.1
- SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): postfix-3.5.9-150300.5.15.1
- SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
- SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1218304) was mentioned in https://build.opensuse.org/request/show/1139680 Factory / postfix
This is an autogenerated message for OBS integration: This bug (1218304) was mentioned in https://build.opensuse.org/request/show/1139868 Factory / postfix
Still needed for SUSE:SLE-12-SP3:Update postfix for SLES 12 SP5.
SUSE-SU-2024:1149-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1218304, 1218314
CVE References: CVE-2023-51764
Maintenance Incident: [SUSE:Maintenance:33003](https://smelt.suse.de/incident/33003/)

Sources used:
- SUSE Linux Enterprise Software Development Kit 12 SP5 (src): postfix-3.2.10-3.30.1
- SUSE Linux Enterprise High Performance Computing 12 SP5 (src): postfix-3.2.10-3.30.1
- SUSE Linux Enterprise Server 12 SP5 (src): postfix-3.2.10-3.30.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): postfix-3.2.10-3.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.