The Postfix SMTP server contains a memory corruption vulnerability that is triggered when the Cyrus SASL library is used with authentication mechanisms other than PLAIN and LOGIN.
The Postfix Advisory for CVE-2011-1720 states:
"The Postfix SMTP server fails to create a new Cyrus SASL server handle after authentication failure. This causes memory corruption when, for example, a client requests CRAM-MD5 authentication, fails to authenticate, and then invokes some other authentication mechanism except PLAIN (or ANONYMOUS if available). The likely outcome is that the Postfix SMTP server process crashes with a segmentation violation error (SIGSEGV, a.k.a. signal 11)."
A remote attacker can cause a denial of service or possibly execute arbitrary code.
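The advisory above gives defenders two observable signals: a failed SASL authentication with a mechanism other than PLAIN or LOGIN, followed by the same smtpd process dying with signal 11. The script below is an added example (not part of this note or of the Postfix project) that correlates those two signals in Postfix syslog output. The sample log lines are constructed, and their wording is modelled on Postfix's `SASL <mech> authentication failed` and `killed by signal` messages as an assumption about the log format; adjust the regular expressions if your logs differ.

```python
import re

# Constructed sample log, modelled on Postfix syslog output (the exact
# message wording is an assumption, not taken from the advisory).
SAMPLE_LOG = """\
May 11 10:00:01 mail postfix/smtpd[1234]: connect from unknown[192.0.2.10]
May 11 10:00:02 mail postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL CRAM-MD5 authentication failed: authentication failure
May 11 10:00:03 mail postfix/master[1000]: warning: process /usr/libexec/postfix/smtpd pid 1234 killed by signal 11
May 11 10:00:04 mail postfix/smtpd[1235]: connect from unknown[198.51.100.7]
May 11 10:00:05 mail postfix/smtpd[1235]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
May 11 10:00:06 mail postfix/smtpd[1235]: disconnect from unknown[198.51.100.7]
May 11 10:00:07 mail postfix/smtpd[1236]: connect from unknown[203.0.113.5]
May 11 10:00:08 mail postfix/smtpd[1236]: warning: unknown[203.0.113.5]: SASL DIGEST-MD5 authentication failed: authentication failure
May 11 10:00:09 mail postfix/master[1000]: warning: process /usr/libexec/postfix/smtpd pid 1236 killed by signal 11
"""

# An smtpd process reporting a failed SASL exchange; captures the mechanism.
SASL_FAIL = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: warning: (?P<client>\S+): "
    r"SASL (?P<mech>[A-Z0-9-]+) authentication failed"
)
# The master process reporting that an smtpd child was killed by a signal.
SIGNAL = re.compile(
    r"postfix/master\[\d+\]: warning: process \S*smtpd pid (?P<pid>\d+) "
    r"killed by signal (?P<sig>\d+)"
)
SIGSEGV = 11
# Mechanisms the advisory does not associate with the stale-handle bug.
SAFE_MECHS = {"PLAIN", "LOGIN"}


def find_suspicious_crashes(log_text):
    """Return one finding per smtpd process that died with SIGSEGV.

    A finding records the last SASL failure seen for that pid (if any) and
    whether it used a mechanism other than PLAIN/LOGIN, which is the
    precondition the CVE-2011-1720 advisory describes.
    """
    last_fail = {}  # pid -> (client, mechanism) of the most recent failure
    findings = []
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            last_fail[m["pid"]] = (m["client"], m["mech"])
            continue
        m = SIGNAL.search(line)
        if m and int(m["sig"]) == SIGSEGV:
            # pop() so a reused pid does not inherit an old failure record
            client, mech = last_fail.pop(m["pid"], (None, None))
            findings.append({
                "pid": m["pid"],
                "client": client,
                "mech": mech,
                "matches_advisory_pattern": mech is not None and mech not in SAFE_MECHS,
            })
    return findings


def clients_by_crash_count(findings):
    """Count advisory-pattern crashes per client address for triage."""
    counts = {}
    for f in findings:
        if f["matches_advisory_pattern"]:
            counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_suspicious_crashes(SAMPLE_LOG):
        print(f)
    print(clients_by_crash_count(find_suspicious_crashes(SAMPLE_LOG)))
```

The correlation is a triage aid rather than proof: an smtpd child can segfault for unrelated reasons, and syslog may interleave lines from several children, so treat a hit as a reason to confirm the installed Postfix version against the vendor table below and to apply the update.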
Apply an Update
Vendor                 Status
Debian GNU/Linux       Affected
Mandriva S. A.         Affected
Red Hat, Inc.          Affected
SUSE Linux             Affected
Apple Inc.             Unknown
FreeBSD Project        Unknown
Gentoo Linux           Unknown
Oracle Corporation     Unknown
Slackware Linux Inc.   Unknown
Thanks to Thomas Jarosch of Intra2net AG for reporting this vulnerability.
This document was written by Jared Allar.
Date First Published: 2011-05-11
Date Last Updated: 2011-05-17 11:52 UTC