Mandriva Linux Security Advisory 2009-224 - Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers to a mailbox file even when this file is not owned by the recipient, which allows local users to read e-mail messages by creating a mailbox file corresponding to another user's account name. This update provides a solution to this vulnerability.
484433b051fc58ba1b7f551d28aa47085b0e7f28d53fd1880c4b8aecfd1a1824
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:224
http://www.mandriva.com/security/
_______________________________________________________________________
Package : postfix
Date : August 30, 2009
Affected: 2008.1, Corporate 3.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in postfix:
Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers to a
mailbox file even when this file is not owned by the recipient, which
allows local users to read e-mail messages by creating a mailbox file
corresponding to another user's account name (CVE-2008-2937).
This update provides a solution to this vulnerability.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2937
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.1:
7140f40e139be1cf8125074cab6e81b4 2008.1/i586/libpostfix1-2.5.1-2.3mdv2008.1.i586.rpm
f11354454b5e18ab3c95f97aacca6cb1 2008.1/i586/postfix-2.5.1-2.3mdv2008.1.i586.rpm
b4bea6c762263a307ba52b096e0b477b 2008.1/i586/postfix-ldap-2.5.1-2.3mdv2008.1.i586.rpm
b4e3859a783b67327039243e502aa157 2008.1/i586/postfix-mysql-2.5.1-2.3mdv2008.1.i586.rpm
8c7a5ae2e92c1f2527f21290f8c8d1d6 2008.1/i586/postfix-pcre-2.5.1-2.3mdv2008.1.i586.rpm
4a824e461d20be248d732a0ecee84b17 2008.1/i586/postfix-pgsql-2.5.1-2.3mdv2008.1.i586.rpm
2cf1299ed9de757fec29e360dfb24d83 2008.1/SRPMS/postfix-2.5.1-2.3mdv2008.1.src.rpm
Mandriva Linux 2008.1/X86_64:
bb834685ec49101148373ce708b5ed45 2008.1/x86_64/lib64postfix1-2.5.1-2.3mdv2008.1.x86_64.rpm
70fce4a57c601c85bad516b373a88548 2008.1/x86_64/postfix-2.5.1-2.3mdv2008.1.x86_64.rpm
fbf08c4d8b08fd4140843779bd28399b 2008.1/x86_64/postfix-ldap-2.5.1-2.3mdv2008.1.x86_64.rpm
cb40d1532368fff8cca7d05ef975b6d5 2008.1/x86_64/postfix-mysql-2.5.1-2.3mdv2008.1.x86_64.rpm
19a686b12a82ea1fc1baf04fd8246449 2008.1/x86_64/postfix-pcre-2.5.1-2.3mdv2008.1.x86_64.rpm
6cd370a66e8efe86541e73fd165921c9 2008.1/x86_64/postfix-pgsql-2.5.1-2.3mdv2008.1.x86_64.rpm
2cf1299ed9de757fec29e360dfb24d83 2008.1/SRPMS/postfix-2.5.1-2.3mdv2008.1.src.rpm
Corporate 3.0:
c31b8d0d1b7cfeffc4114a08c590394b corporate/3.0/i586/libpostfix1-2.1.1-0.5.C30mdk.i586.rpm
522a1d6583d13161f9048b922ef6cf98 corporate/3.0/i586/postfix-2.1.1-0.5.C30mdk.i586.rpm
e5a0cf0f5ebb3a67a53e1d437fc4048e corporate/3.0/i586/postfix-ldap-2.1.1-0.5.C30mdk.i586.rpm
5751e5109eda7b406214a9439dda8baf corporate/3.0/i586/postfix-mysql-2.1.1-0.5.C30mdk.i586.rpm
7641b8ed287b7a710dc9465702918154 corporate/3.0/i586/postfix-pcre-2.1.1-0.5.C30mdk.i586.rpm
cf61094ca95d221df9bdbb24e3adbef6 corporate/3.0/i586/postfix-pgsql-2.1.1-0.5.C30mdk.i586.rpm
b36ec66c7a2e93e6e203f1858478bad7 corporate/3.0/SRPMS/postfix-2.1.1-0.5.C30mdk.src.rpm
Corporate 3.0/X86_64:
df9a2254b1450fc898668b7f22a06a6a corporate/3.0/x86_64/lib64postfix1-2.1.1-0.5.C30mdk.x86_64.rpm
ffbfb3a2c9f95842c5214c69e74cf0cf corporate/3.0/x86_64/postfix-2.1.1-0.5.C30mdk.x86_64.rpm
0948f13bb6c5978cb033e33a79604c45 corporate/3.0/x86_64/postfix-ldap-2.1.1-0.5.C30mdk.x86_64.rpm
a6cd459457454d854bd73de328c7489f corporate/3.0/x86_64/postfix-mysql-2.1.1-0.5.C30mdk.x86_64.rpm
aa6c2cec11d17d77e928ee124e1e29d9 corporate/3.0/x86_64/postfix-pcre-2.1.1-0.5.C30mdk.x86_64.rpm
ec8fce55884bb814e84b2891d9be1cce corporate/3.0/x86_64/postfix-pgsql-2.1.1-0.5.C30mdk.x86_64.rpm
b36ec66c7a2e93e6e203f1858478bad7 corporate/3.0/SRPMS/postfix-2.1.1-0.5.C30mdk.src.rpm
Corporate 4.0:
23bf5745a5b5f7457e4d7c346c6bcbb9 corporate/4.0/i586/libpostfix1-2.3.5-0.3.20060mlcs4.i586.rpm
d4ae172e884ce5388edd7808f2371717 corporate/4.0/i586/postfix-2.3.5-0.3.20060mlcs4.i586.rpm
81d27bf78511b84bb31ec4da82d2f8dd corporate/4.0/i586/postfix-ldap-2.3.5-0.3.20060mlcs4.i586.rpm
b438d4b45642c94756b0d74638328322 corporate/4.0/i586/postfix-mysql-2.3.5-0.3.20060mlcs4.i586.rpm
ba4c2a8d4126c10a1640a83098d4c4b9 corporate/4.0/i586/postfix-pcre-2.3.5-0.3.20060mlcs4.i586.rpm
c8a3c2cfbb1f9cea2117d6e0c25f9b4e corporate/4.0/i586/postfix-pgsql-2.3.5-0.3.20060mlcs4.i586.rpm
782004a450a90bbcaa94837c36eb07dd corporate/4.0/SRPMS/postfix-2.3.5-0.3.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
26a2a20d5b6a8f3f56640667ebabe810 corporate/4.0/x86_64/lib64postfix1-2.3.5-0.3.20060mlcs4.x86_64.rpm
85b91925447997c52c15fdc8e4bafbd9 corporate/4.0/x86_64/postfix-2.3.5-0.3.20060mlcs4.x86_64.rpm
7fbac100a9c73446b73c7a1ac5115509 corporate/4.0/x86_64/postfix-ldap-2.3.5-0.3.20060mlcs4.x86_64.rpm
ecbaa69125310c3e1bc6682135b39d61 corporate/4.0/x86_64/postfix-mysql-2.3.5-0.3.20060mlcs4.x86_64.rpm
a194d65c69e642307a54960f0df99294 corporate/4.0/x86_64/postfix-pcre-2.3.5-0.3.20060mlcs4.x86_64.rpm
bf10b2360063f21bf61280fd36ff68eb corporate/4.0/x86_64/postfix-pgsql-2.3.5-0.3.20060mlcs4.x86_64.rpm
782004a450a90bbcaa94837c36eb07dd corporate/4.0/SRPMS/postfix-2.3.5-0.3.20060mlcs4.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKmsg4mqjQ0CJFipgRAiPcAKDeYjyMPZqfjGw2jz9nDMkfl+WyVwCggbiA
+4owaopmdcKSZ60jJ9vbb0k=
=DMHj
-----END PGP SIGNATURE-----