
[postfix-jp: 3903] SECURITY: Postfix 2.7.3, 2.6.9, 2.5.12 and 2.4.16 available



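Hello.

A TLS-related vulnerability has been confirmed in Postfix releases prior to
2.8, and a corresponding fixed release is available for each affected branch.
Details of the issue are available at:

	http://www.kb.cert.org/vuls/id/555316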

-- 
神戸 隆博 (Kanbe Takahiro)		at work


Message-Id: <20110307201840.C377D1F3EAE@xxxxxxxxxxxxxxxxxxx>
Subject: Postfix 2.7.3, 2.6.9, 2.5.12 and 2.4.16 available
Date: Mon, 7 Mar 2011 15:18:40 -0500 (EST)
From: Wietse Venema <wietse@xxxxxxxxxxxxx>
To: Postfix announce <postfix-announce@xxxxxxxxxxx>
CC: Postfix users <postfix-users@xxxxxxxxxxx>
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
Delivered-To: postfix-announce-outgoing@xxxxxxxxxx
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII

[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.7.3.html]

Postfix legacy releases 2.7.3, 2.6.9, 2.5.12 and 2.4.16 are available.
These releases contain a fix for CVE-2011-0411 which allows plaintext
command injection with SMTP sessions over TLS. This defect was
introduced with Postfix version 2.2. The same flaw exists in other
implementations of the STARTTLS command.

    Note: CVE-2011-0411 is an issue only for the minority of SMTP
    clients that actually verify server certificates. Without server
    certificate verification, clients are always vulnerable to
    man-in-the-middle attacks that allow attackers to inject
    plaintext commands or responses into SMTP sessions, and more.

Postfix 2.8 and 2.9 are not affected.

	...

_______________________________________________
Postfix-jp-list mailing list
Postfix-jp-list@xxxxxxxxxxxxxxxxxxxx
http://lists.sourceforge.jp/mailman/listinfo/postfix-jp-list

