Postfix Plaintext to TLS Switching Error Lets Remote Users Inject Plaintext Commands

SecurityTracker Alert ID: 1025179
SecurityTracker URL: http://securitytracker.com/id/1025179
CVE Reference: CVE-2011-0411
Date: Mar 9 2011
Impact: Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): prior to 2.8.0

Description:
A vulnerability was reported in Postfix. A remote user can inject plaintext commands.
A remote user with the ability to conduct a man-in-the-middle attack can inject arbitrary plaintext before the SMTP connection switches to SMTP over TLS. The plaintext will be interpreted by the remote mail server as potential commands.
Wietse Venema reported this vulnerability.
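
The state error described above, as a simplified model added here (not Postfix code and not taken from the vendor advisory): a server that keeps plaintext bytes read alongside STARTTLS parses them after the TLS switch, while a hardened server discards them at the switch. The class, method names and sample commands are constructed for illustration, and the TLS handshake is modelled as a flag.

```python
class SmtpSession:
    """Toy SMTP receive path: bytes are buffered, then parsed line by line."""

    def __init__(self, purge_on_starttls):
        self.purge_on_starttls = purge_on_starttls
        self.pending = []        # [(line, arrived_over_tls)] read but not yet parsed
        self.tls_active = False  # True once the (modelled) handshake has completed
        self.handled = []        # [(line, arrived_over_tls, tls_active_when_handled)]
        self.discarded = []      # plaintext lines dropped at the TLS switch

    def receive(self, data, over_tls):
        # Tag every buffered line with the channel it actually arrived on.
        for line in data.split(b"\r\n"):
            if line:
                self.pending.append((line.decode("ascii"), over_tls))

    def process(self):
        while self.pending:
            line, over_tls = self.pending.pop(0)
            self.handled.append((line, over_tls, self.tls_active))
            if line.upper() == "STARTTLS" and not self.tls_active:
                if self.purge_on_starttls:
                    # Hardened: nothing read before the handshake survives it.
                    self.discarded += [l for l, _ in self.pending]
                    self.pending.clear()
                self.tls_active = True

    def plaintext_handled_as_tls(self):
        # Lines that arrived unprotected but were parsed in the TLS state.
        return [l for l, over_tls, tls in self.handled if tls and not over_tls]


def run(purge_on_starttls):
    s = SmtpSession(purge_on_starttls)
    # Constructed input: one plaintext read holding STARTTLS plus trailing bytes.
    s.receive(b"STARTTLS\r\nNOOP\r\n", over_tls=False)
    s.process()
    # Constructed input: the client's first command inside the TLS session.
    s.receive(b"EHLO client.example\r\n", over_tls=True)
    s.process()
    return s


if __name__ == "__main__":
    for purge in (False, True):
        s = run(purge)
        print("purge" if purge else "no purge", s.plaintext_handled_as_tls(), s.discarded)
```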

Impact: A remote user can inject plaintext commands.

Solution:
The vendor has issued a fix (2.8.0).
The vendor's advisory is available at:
http://www.postfix.org/CVE-2011-0411.html

Vendor URL: www.postfix.org/CVE-2011-0411.html

Cause: Access control error, State error

Underlying OS: Linux (Any), UNIX (Any)

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Wed, 09 Mar 2011 06:40:34 +0000
Subject: Postfix

http://www.postfix.org/CVE-2011-0411.html
CVE-2011-0411