Vulnerability Note VU#727230
Postfix SMTP server Cyrus SASL support contains a memory corruption vulnerability
The Postfix SMTP server has a memory corruption error when the Cyrus SASL library is used with authentication mechanisms other than PLAIN and LOGIN.
The Postfix Advisory for CVE-2011-1720 states:
"The Postfix SMTP server fails to create a new Cyrus SASL server handle after authentication failure. This causes memory corruption when, for example, a client requests CRAM-MD5 authentication, fails to authenticate, and then invokes some other authentication mechanism except PLAIN (or ANONYMOUS if available). The likely outcome is that the Postfix SMTP server process crashes with a segmentation violation error (SIGSEGV, a.k.a. signal 11)."
A remote attacker can cause a denial of service or possibly execute arbitrary code.
Apply an Update
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Debian GNU/Linux||Affected||20 Apr 2011||11 May 2011|
|Mandriva S. A.||Affected||20 Apr 2011||17 May 2011|
|Red Hat, Inc.||Affected||20 Apr 2011||11 May 2011|
|SUSE Linux||Affected||20 Apr 2011||11 May 2011|
|Ubuntu||Affected||20 Apr 2011||11 May 2011|
|Apple Inc.||Unknown||20 Apr 2011||20 Apr 2011|
|CentOS||Unknown||22 Apr 2011||22 Apr 2011|
|FreeBSD Project||Unknown||20 Apr 2011||20 Apr 2011|
|Gentoo Linux||Unknown||20 Apr 2011||20 Apr 2011|
|NetBSD||Unknown||20 Apr 2011||20 Apr 2011|
|OpenBSD||Unknown||20 Apr 2011||20 Apr 2011|
|Oracle Corporation||Unknown||20 Apr 2011||20 Apr 2011|
|Slackware Linux Inc.||Unknown||20 Apr 2011||20 Apr 2011|
|Symantec||Unknown||20 Apr 2011||20 Apr 2011|
CVSS Metrics (Learn More)
Thanks to Thomas Jarosch of Intra2net AG for reporting this vulnerability.
This document was written by Jared Allar.
- CVE IDs: CVE-2011-1720
- Date Public: 09 May 2011
- Date First Published: 11 May 2011
- Date Last Updated: 17 May 2011
- Severity Metric: 1.87
- Document Revision: 16
If you have feedback, comments, or additional information about this vulnerability, please send us email.