search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Postfix vulnerable to DoS by supplying a remote SMTP listener with a malformed envelope address

Vulnerability Note VU#895508

Original Release Date: 2003-08-11 | Last Revised: 2003-08-18

Overview

A denial-of-service vulnerability exists in all versions of Postfix prior to 2.0. This vulnerability may allow a remote attacker to cause mail service interruption.

Description

Postfix is a very popular mail transfer agent (MTA). Michal Zalewski has discovered a denial-of-service vulnerability in Postfix. According to Michal, the vulnerability exists in a portion of code responsible for address parsing. For further technical details, please see Michal's announcement.

Note that this vulnerability is message-oriented as opposed to connection-oriented. That means that the vulnerability is triggered by the contents of a specially-crafted email message rather than by lower-level network traffic. This is important because an MTA that does not contain the vulnerability may pass the malicious message along to other MTAs that may be protected at the network level. In other words, vulnerable Postfix servers on the interior of a network are still at risk, even if the site's border MTA uses software other than Postfix.

Impact

Postfix will be unable to deliver email.

Solution

Apply a patch from your vendor.

Workarounds

Based on feedback from the author of Postfix, if recipient name checking is turned on (Recipient name checking is turned off by default in version 1.1.11), mail for <nonexistent@[127.0.0.1]> is rejected.

Vendor Information

895508
 
Affected   Unknown   Unaffected

Conectiva

Updated:  August 08, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE   : postfix
SUMMARY   : Remote denial of service vulnerability
DATE      : 2003-08-04 17:30:00
ID        : CLA-2003:717
RELEVANT
RELEASES  : 7.0, 8

- -------------------------------------------------------------------------

DESCRIPTION
Postfix[1] is a widely used MTA (Mail Transport Agent, sometimes
called just an email or SMTP server).


This update for Conectiva Linux 7.0 and 8 fixes two vulnerabilities
in Postfix reported[4] by Michal Zalewski:


1. Postfix used as a bounce scanner (CAN-2003-0468)[2]
By using specially created recipients, it is possible to make Postfix
attempt to establish SMTP sessions with arbitrary hosts on arbitrary
ports. This could be used to identify open TCP ports on remote
machines or to just generate traffic.


2. Remote denial of service (CAN-2003-0540)[3]
A malformed address can be used to cause a denial of service
condition in two ways:
- by locking up the queue manager: the offending message has to be
manually removed from the queue in order to restore the service;
- by locking up the smtpd listener: when supplied with the malformed
address, the listener process will stop responding. Multiple attacks
in parallel will hang many smtpd processes, leading to a denial of
service.
In order to be vulnerable to this issue, the "append_dot_mydomain"
paramater would have to be changed from the default value of "on" to
"off".



Conectiva Linux 9 is not vulnerable to any of these issues since it
ships with Postfix 2.0.x.



SOLUTION
All postfix users should upgrade their packages. The service will be
automatically restarted after the upgrade if it was already running.



REFERENCES
1.http://www.postfix.org/
2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0468
3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0540
4.http://www.securityfocus.com/archive/1/331713/2003-08-01/2003-08-07/0



UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/postfix-1.1.13-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/postfix-1.1.13-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/postfix-doc-1.1.13-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/postfix-1.1.13-1U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/postfix-1.1.13-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/postfix-doc-1.1.13-1U80_1cl.i386.rpm


ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:


- run:                 apt-get update
- after that, execute: apt-get upgrade


Detailed instructions reagarding the use of apt and upgrade examples
can be found at
http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at
http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see
http://www.gnupg.org

iD8DBQE/LsuP42jd0JmAcZARAkSUAKCivRAFCAKjTgB6PgvM39MNhNkgxQCfRKSP
jPU9/qm3+LBktPbk8OYk3Jg=
=19Fy
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Updated:  August 18, 2003

Status

  Vulnerable

Vendor Statement

Both of these vulnerabilities were fixed in DSA-363-1.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Engarde

Updated:  August 08, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+------------------------------------------------------------------------+
| Guardian Digital Security Advisory                     August 04, 2003 |
|
http://www.guardiandigital.com                        ESA-20030804-019 |
|                                                                        |
| Package: postfix                                                       |
| Summary: Remote denial-of-service.                                     |
+------------------------------------------------------------------------+

EnGarde Secure Linux is an enterprise class Linux platform engineered
to enable corporations to quickly and cost-effectively build a complete
and secure Internet presence while preventing Internet threats.


OVERVIEW
- --------

Michal Zalewski has discovered a vulnerability in the Postfix MTA which
could lead to a remote DoS attack.


The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0540 to this issue.


Guardian Digital products affected by this issue include:

EnGarde Secure Community v1.0.1
EnGarde Secure Community 2
EnGarde Secure Professional v1.1
EnGarde Secure Professional v1.2
EnGarde Secure Professional v1.5


It is recommended that all users apply this update as soon as possible.

SOLUTION
- --------

Guardian Digital Secure Network subscribers may automatically update
affected systems by accessing their account from within the Guardian
Digital WebTool.


To modify your GDSN account and contact preferences, please go to:

https://www.guardiandigital.com/account/

Below are MD5 sums for the updated EnGarde Secure Linux 1.0.1 packages:

SRPMS/postfix-20001121-1.0.21.src.rpm
MD5 Sum: d595e164f2e48766043486fbc71c32b8


i386/postfix-20001121-1.0.21.i386.rpm
MD5 Sum: 4402f4bb441d30c9c631a97ad843700e


i686/postfix-20001121-1.0.21.i686.rpm
MD5 Sum: 2750ae2169625dba290e80c13009f258


REFERENCES
- ----------

Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

Postfix's Official Web Site:
http://www.postfix.org/

Guardian Digital Advisories:
http://infocenter.guardiandigital.com/advisories/

Security Contact: security@guardiandigital.com

- --------------------------------------------------------------------------
Author: Ryan W. Maple <ryan@guardiandigital.com>
Copyright 2003, Guardian Digital, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/Lq7RHD5cqd57fu0RAlOsAJ9k3DyYqp800B2hqsBfQHiKSaOhmQCglIM0
+k8quMhreGMKixrD8WeF8yM=
=78Il
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc.

Updated:  August 08, 2003

Status

  Vulnerable

Vendor Statement

Red Hat Linux 7.3, 8.0, and 9 ship with a Postfix package vulnerable to these issues. Updated Postfix packages are available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.

https://rhn.redhat.com/errata/RHSA-2003-251.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc.

Updated:  August 08, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

SuSE Security Announcement

Package:                postfix
Announcement-ID:        SuSE-SA:2003:033
Date:                   Mon Aug  4 13:30:00 MEST 2003
Affected products:      7.2, 7.3, 8.0, 8.1

SuSE Linux Database Server
SuSE eMail Server III, 3.1
SuSE Linux Enterprise Server 7, 8
SuSE Linux Connectivity Server
SuSE Linux Office Server
SuSE Linux Openexchange Server
UnitedLinux 1.0
SuSE Linux Desktop 1.0

Vulnerability Type:     remote Denial of Service (DoS) attack
Severity (1-10):        4
SuSE default package:   Since SuSE Linux 8.1.
Cross References:       CAN-2003-0468

CAN-2003-0540

Content of this advisory:
1) security vulnerability resolved: remote DoS in postfix

problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:

- kernel
3) standard appendix (further information)


______________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information

Postfix is a flexible MTA replacement for sendmail.
Michal Zalewski has reported problems in postfix which can lead to

a remote DoS attack or allow attackers to bounce-scan private networks.
These problems have been fixed. Even though not all of our products are
vulnerable in their default configurations, the updates should be applied.


In order for the update to take effect, you have to restart your MTA
by issuing the following command as root:


"/sbin/rcpostfix restart"


Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.


i386 Intel Platform:

SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/postfix-1.1.12-12.i586.rpm

4b3b65905911440051f869b3e95c2c66
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/postfix-1.1.12-12.i586.patch.rpm
e73917624b5adfdbe113909135a50a42
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/postfix-1.1.12-12.src.rpm

0e5bcc6c3cd95f09c423cf00aac0c303

SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n4/postfix-1.1.12-13.i386.rpm

e0090e0ed051a532a62d787b020ac580
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n4/postfix-1.1.12-13.i386.patch.rpm

8c156ca92ad4be83588041192efe5b60
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/postfix-1.1.12-13.src.rpm
f9389f00de109cea2f0b3b6c27f5a515

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/postfix-20010228pl08-22.i386.rpm

1f4d3af8d10850096bc0260567caa334
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/postfix-20010228pl08-22.src.rpm
0ccc29a957609b3aeb2c12f3cc85284d

SuSE-7.2:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/postfix-20010228pl03-82.i386.rpm

444f983a8c8f0d18621a1e8b4c3dd260
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/postfix-20010228pl03-82.src.rpm
6d479bd0ed90bc7dc59a4201327ffc05


Sparc Platform:

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/postfix-20010228pl08-15.sparc.rpm

83eb074dbcedae2c9947006b4c0411d2
source rpm(s):
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/postfix-20010228pl08-15.src.rpm
ec7ae58e31fd2ec63ccd881454372307


PPC Power PC Platform:

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/postfix-20010228pl08-36.ppc.rpm

f7b331c15b7bf705274afe2665e9e187
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/postfix-20010228pl08-36.src.rpm

f2e5aa58e24599777a95dce715c3bcad

______________________________________________________________________________

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

- kernel
Various bugs inside the kernel have been reported recently. The most
important ones are

- NFSv3 remote DoS
- netfilter DoS
- /proc infoleak
- race condition in the ELF loader

These bugs are fixed. The new kernel packages will be approved as soon as
the testing is finished.


______________________________________________________________________________

3)  standard appendix: authenticity verification, additional information

- Package authenticity verification:

SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.


1) execute the command
md5sum <name-of-the-file.rpm>

after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security@suse.de),
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.


2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command

rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an un-installed rpm
package file.
Prerequisites:

a) gpg is installed
b) The package is signed using a certain key. The public part of this

key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):

gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "build@suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de
 .


- SuSE runs two security mailing lists to which any interested party may
subscribe:


suse-security@suse.com
-   general/linux/SuSE security discussion.

All SuSE security announcements are sent to this list.
To subscribe, send an email to

<suse-security-subscribe@suse.com>.

suse-security-announce@suse.com
-   SuSE's announce-only mailing list.

Only SuSE's security announcements are sent to this list.
To subscribe, send an email to

<suse-security-announce-subscribe@suse.com>.

For general information or the frequently asked questions (faq)
send mail to:

<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively.


=====================================================================
SuSE's security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.
=====================================================================

______________________________________________________________________________

The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SuSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.


Type Bits/KeyID    Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff
4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d
M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO
QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK
XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE
D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd
G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM
CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE
myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD
wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d
NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe
QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe
LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t
XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU
D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot
1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW
cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E
ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f
AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E
Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/
HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h
t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT
tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM
523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q
2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8
QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw
JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ
1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH
ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1
wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol
0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK
CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co
SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo
omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt
A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE
GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf
ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8
RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ
8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb
B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X
11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA
8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj
qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM
/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7
whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl
D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz
dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI
RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI
DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=
=LRKC
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iQEVAwUBPy5NNney5gA9JdPZAQGNTwf/ThT8WIpdODuOOS3Ppz7giCzglbLEEinr
3A87mrnRdzumggoPuuXU6yMRTugBdcpBihfS/kHzoHjhx1g0PA3qi3Rer4RaqyDn
Kc+LMrX2/u8XtClXfkMuJinZ6YXE9p1Z6xeRkgOgZnlWtlIegZMXlIPcnTFa4jeC
c2sgFIHUoeSoTQLtML6xILqpmh2fpGlQSxuuMGfNMChV4s+Khz99vKSnCe9uuFqX
HmtzqRzl3CdSMWMWGPpGq+ZlE5KmwC9MYZS1SPKoTs/9CIoj14Yxk3EMW4xVZ/aa
xuEBCimOhqinUuIpVKkQinfpvBDU1FFR9CwUBBJNn5JbVtI25/5sZw==
=znPh
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trusix

Updated:  August 08, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2003-0029

Package name:      postfix
Summary:           Denial of service
Date:              2003-08-04
Affected versions: TSL 1.2, 1.5

- --------------------------------------------------------------------------
Package description:

Postfix is an alternative to the sendmail mailer daemon. Postfix attempts
to be fast, easy to administer, and secure, while at the same time being
sendmail compatible enough to not upset existing users.



Problem description:
From the Postfix 1.1.13 release notes:
This patch fixes a denial of service condition in the Postfix smtpd,
qmgr, and other programs that use the trivial-rewrite service.
The problem is triggered when an invalid address resolves to an
impossible result. This causes the affected programs to reject the
result and to retry the trivial-rewrite request indefinitely.



Action:
We recommend that all systems with this package installed be upgraded.



Location:
All TSL updates are available from
<URI:
http://www.trustix.net/pub/Trustix/updates/>
<URI:
ftp://ftp.trustix.net/pub/Trustix/updates/>


About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.



Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.


Users of TSL 1.2 can get SWUP from:
<URI:
ftp://ftp.trustix.net/pub/Trustix/software/swup/>
(In later versions of TSL, SWUP is included in the default installation.)



Public testing:
These packages have been available for public testing for some time.
If you want to contribute by testing the various packages in the
testing tree, please feel free to share your findings on the
tsl-discuss mailinglist.
The testing tree is located at
<URI:
http://www.trustix.net/pub/Trustix/testing/>
<URI:
ftp://ftp.trustix.net/pub/Trustix/testing/>


Questions?
Check out our mailing lists:
<URI:
http://www.trustix.net/support/>


Verification:
This advisory along with all TSL packages are signed with the TSL sign key.
This key is available from:
<URI:
http://www.trustix.net/TSL-GPG-KEY>

The advisory itself is available from the errata pages at
<URI:
http://www.trustix.net/errata/trustix-1.2/>,
<URI:
http://www.trustix.net/errata/trustix-1.5/> and
or directly at
<URI:
http://www.trustix.net/errata/misc/2003/TSL-2003-0029-postfix.asc.txt>


MD5sums of the packages:
- --------------------------------------------------------------------------
26387f7f959eacb1620f42cbace8e162  ./1.2/SRPMS/postfix-19991231_pl13-4tr.src.rpm
1f87c828b670cc05edac720cdbc12959  ./1.2/RPMS/postfix-19991231_pl13-4tr.i586.rpm
98beb1be7bb4ccff74be305535fad7b7  ./1.5/RPMS/postfix-0.0.20010228.pl08-4tr.i586.rpm
7ace98a742facf4dfaeea8f7dcfd18c5  ./1.5/SRPMS/postfix-0.0.20010228.pl08-4tr.src.rpm
- --------------------------------------------------------------------------


Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/MjftwRTcg4BxxS0RAvwZAJ9PLVQHsNMSteq1/2x0Zm3zq/sMhwCfQU2S
BdJzXDV9UVVXgqclGceJeNM=
=JJRt
-----END PGP SIGNATURE-----

_______________________________________________
tsl-announce mailing list
tsl-announce@trustix.org
http://www.trustix.org/mailman/listinfo/tsl-announce

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc.

Updated:  August 11, 2003

Status

  Not Vulnerable

Vendor Statement

For both Postfix issues: VU#895508 and VU#697508, our Vendor Statement is "Not Vulnerable".

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks

Updated:  August 08, 2003

Status

  Not Vulnerable

Vendor Statement

The F5 Products, BIG-IP and 3-DNS are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Updated:  August 18, 2003

Status

  Not Vulnerable

Vendor Statement

Fujitsu's UXP/V o.s. is not affected by the problem in VU#895508 & VU#697508 because it does not support the postfix.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Updated:  August 08, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lotus Software

Updated:  August 08, 2003

Status

  Not Vulnerable

Vendor Statement

Lotus products are not vulnerable. We do not ship Postfix.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Updated:  August 13, 2003

Status

  Not Vulnerable

Vendor Statement

The version of Postfix included in Openwall GNU/*/Linux is not vulnerable to this DoS attack in its default configuration. We will fully address this issue with the next scheduled update of our Postfix package."

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was discovered by Michal Zalewski. The CERT/CC thanks Michal for providing information upon which this document is based. We also thank the author of Postfix, Wietse Venema, for his help in understanding the vulnerability.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2003-0540
Severity Metric: 8.10
Date Public: 2003-08-03
Date First Published: 2003-08-11
Date Last Updated: 2003-08-18 13:09 UTC
Document Revision: 11

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.