Bug 677792 - VUL-0: postfix: STARTTLS plaintext injection
Status: RESOLVED FIXED
Duplicates: 689178
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Priority: P3 - Medium, Severity: Normal
Assigned To: Peter Varkoly
Blocks: 689178
Reported: 2011-03-08 15:18 UTC by Swamp Workflow Management
Modified: 2016-07-07 16:00 UTC (History)
Found By: Other
Description Swamp Workflow Management 2011-03-08 15:18:51 UTC
Your friendly security team received the following report.
Please respond ASAP.
The issue is public.

A MITM may inject plain text commands after STARTTLS
CVE-2011-0411

http://www.kb.cert.org/vuls/id/555316
http://www.postfix.org/announcements/postfix-2.7.3.html
http://www.postfix.org/CVE-2011-0411.html
Comment 1 Swamp Workflow Management 2011-03-08 15:23:09 UTC
The SWAMPID for this issue is 39265.
This issue was rated as moderate.
Please submit fixed packages until 2011-03-22.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 Ruediger Oertel 2011-03-21 23:33:55 UTC
11.2 and 11.3 have been submitted, what about 11.4 (and factory)?
Comment 4 Peter Varkoly 2011-03-30 10:25:21 UTC
11.4 is submitted also. On factory I'll update to 2.8.2
Comment 5 Swamp Workflow Management 2011-04-21 11:51:53 UTC
Update released for: postfix, postfix-debuginfo, postfix-debugsource, postfix-devel, postfix-doc, postfix-mysql, postfix-mysql-debuginfo, postfix-postgresql, postfix-postgresql-debuginfo
Products:
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 6 Swamp Workflow Management 2011-04-21 14:51:37 UTC
Update released for: postfix, postfix-debuginfo, postfix-mysql, postfix-postgresql
Products:
SLE-DESKTOP 10-SP3 (i386, x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Comment 7 Swamp Workflow Management 2011-04-21 15:14:16 UTC
Update released for: postfix, postfix-debuginfo, postfix-debugsource, postfix-devel, postfix-doc, postfix-mysql, postfix-postgresql
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 11 Swamp Workflow Management 2011-04-27 15:32:21 UTC
Update released for: postfix
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 15 Swamp Workflow Management 2011-05-10 16:55:23 UTC
Update released for: postfix
Products:
Novell-Linux-POS 9 (i386)
Open-Enterprise-Server 9 (i386)
SUSE-CORE 9 (i386, ia64, ppc, s390, s390x, x86_64)
Comment 16 Leonardo Chiquitto 2011-05-10 20:16:16 UTC
*** Bug 689178 has been marked as a duplicate of this bug. ***
Comment 17 Marcus Meissner 2011-05-20 08:30:54 UTC
sle10 sp2 ltss released too, all done
Comment 18 Swamp Workflow Management 2011-05-20 10:43:37 UTC
Update released for: postfix, postfix-mysql, postfix-postgresql
Products:
SLE-SERVER 10-SP2-LTSS (i386, s390x, x86_64)