Red Hat, Inc. Information for VU#555316

STARTTLS plaintext command injection vulnerability

Status

Affected

Vendor Statement

Vulnerable. This issue affects postfix packages in Red Hat Enterprise
Linux 4, 5, and 6. The Red Hat Security Response Team has rated this
issue as having moderate security impact; a future update will address
this flaw.

This issue did not affect the versions of the sendmail package as shipped
with Red Hat Enterprise Linux 3, 4, 5, or 6, as Sendmail, on switching to
SMTP over TLS, replaces the entire received SMTP command stream, along
with its read/write buffers and read/write functions.

This issue did not affect the versions of the exim package as shipped
with Red Hat Enterprise Linux 4 and 5, as Exim, on switching to SMTP over
TLS, replaces the plaintext read/write functions with TLS read/write functions.
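The distinction the statement draws (carrying the plaintext read buffer across the TLS switch versus discarding it) is simulated below in an added example that is not Red Hat's, Sendmail's or Postfix's code. The socket is replaced by constructed byte chunks and the TLS handshake is modelled only by a flag, so the example shows the buffering logic alone.

```python
"""Simulate the STARTTLS buffer-retention flaw and the Sendmail/Exim-style fix.

A server that keeps its plaintext read buffer after STARTTLS will treat any
pipelined plaintext bytes left in that buffer as if they had arrived over
the freshly negotiated TLS channel. Discarding the buffer at the switch
prevents that.
"""
from collections import deque


class Conn:
    """Stand-in for a client socket that returns pre-built chunks (constructed)."""

    def __init__(self, chunks):
        self.chunks = deque(chunks)
        self.tls = False  # set once STARTTLS has been accepted

    def recv(self):
        return self.chunks.popleft() if self.chunks else b""


def serve(conn, discard_on_starttls):
    """Minimal command loop; returns [(command, handled_after_tls_switch), ...]."""
    buf = b""
    processed = []
    while True:
        nl = buf.find(b"\r\n")
        if nl < 0:  # no complete line buffered: read the next network chunk
            data = conn.recv()
            if not data:
                return processed
            buf += data
            continue
        line, buf = buf[:nl], buf[nl + 2:]
        processed.append((line.decode(), conn.tls))
        if line.upper() == b"STARTTLS":
            conn.tls = True  # the real handshake would happen here
            if discard_on_starttls:
                buf = b""  # fix: drop plaintext bytes read ahead of the switch
        elif line.upper() == b"QUIT":
            return processed


# Constructed input: STARTTLS and a pipelined command arrive in one segment;
# the second chunk stands in for data the client sends after the handshake.
PIPELINED = [
    b"EHLO client\r\nSTARTTLS\r\nMAIL FROM:<user@example.test>\r\n",
    b"QUIT\r\n",
]
```

In the vulnerable run `MAIL FROM` is recorded as handled after the TLS switch even though it was sent in plaintext; in the hardened run it never reaches the command handler.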

Vendor Information

Red Hat has released updated postfix packages, for:

Red Hat Enterprise Linux 4 and 5:

  • https://rhn.redhat.com/errata/RHSA-2011-0422.html
  • https://bugzilla.redhat.com/show_bug.cgi?id=674814#c26

Red Hat Enterprise Linux 6:

  • https://rhn.redhat.com/errata/RHSA-2011-0423.html
  • https://bugzilla.redhat.com/show_bug.cgi?id=674814#c27

Vendor References

http://www.redhat.com/security/data/cve/CVE-2011-0411.html
https://rhn.redhat.com/errata/RHSA-2011-0422.html
https://bugzilla.redhat.com/show_bug.cgi?id=674814#c26
https://rhn.redhat.com/errata/RHSA-2011-0423.html
https://bugzilla.redhat.com/show_bug.cgi?id=674814#c27

Addendum

There are no additional comments at this time.
