SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Postfix Vendors:   Postfix.org
(Debian Issues Fix) Postfix Mail Server Can Be Crashed By Remote Users Initiating Unsuccessful Sessions
SecurityTracker Alert ID:  1002951
SecurityTracker URL:  http://securitytracker.com/id/1002951
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 12 2001
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Postfix version 20010228-pl05, other versions are apparently affected
Description:   A denial of service vulnerability was reported in the Postfix mailer. A remote user can cause the mail server to consume all available memory and crash.

It is reported that a remote user can cause the Postfix smtpd to consume all available memory by initiating a large number of unsuccessful sessions. This is apparently due to the lack of a resource limit on the dynamically allocated SMTP session log.

Impact:   A remote user can cause the mail server to consume all available memory and crash.
Solution:   The vendor has released a fix (version 0.0.19991231pl11-2).

Debian GNU/Linux 2.2 alias potato
- ---------------------------------

Potato was released for alpha, arm, i386, m68k, powerpc and sparc.

Source archives:
http://security.debian.org/dists/stable/updates/main/source/postfix_0.0.19991231pl11-2.diff.gz
MD5 checksum: ebbd478c0feef6854bd4b82471d5db39
http://security.debian.org/dists/stable/updates/main/source/postfix_0.0.19991231pl11-2.dsc
MD5 checksum: 67653116044cc7735031275317b878eb
http://security.debian.org/dists/stable/updates/main/source/postfix_0.0.19991231pl11.orig.tar.gz
MD5 checksum: 97c6b1912b9917cca2e1cb957b2449fd

Alpha architecture:
http://security.debian.org/dists/stable/updates/main/binary-alpha/postfix_0.0.19991231pl11-2_alpha.deb
MD5 checksum: 338079e3346d86c95c655335b3e0649d

ARM architecture:
http://security.debian.org/dists/stable/updates/main/binary-arm/postfix_0.0.19991231pl11-2_arm.deb
MD5 checksum: 0a89e703dfd0f303690628d6deac862c

Intel IA-32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/postfix_0.0.19991231pl11-2_i386.deb
MD5 checksum: abe5ae7acbd0decde71c79f3bfaac6e7

Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/main/binary-m68k/postfix_0.0.19991231pl11-2_m68k.deb
MD5 checksum: 2051d03ca9b61e4cdd6815fd67d578ef

PowerPC architecture:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/postfix_0.0.19991231pl11-2_powerpc.deb
MD5 checksum: e214c21f2ba7311456268f12579c7b71

Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/main/binary-sparc/postfix_0.0.19991231pl11-2_sparc.deb
MD5 checksum: 7e588f3fa1d1682318975a88a201780b

These packages will be moved into the stable distribution on its next
revision.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/

Vendor URL:  www.postfix.org/ (Links to External Site)
Cause:   Resource error
Underlying OS:  Linux (Debian)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 15 2001 Postfix Mail Server Can Be Crashed By Remote Users Initiating Unsuccessful Sessions



 Source Message Contents

Subject:  [SECURITY] [DSA-093-1] postfix memory exhaustion


-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------------
Debian Security Advisory DSA-093-1                   security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
December 12, 2001
- ------------------------------------------------------------------------


Package        : postfix
Problem type   : remote DoS
Debian-specific: no

Wietse Venema reported he found a denial of service vulnerability in
postfix. The SMTP session log that postfix keeps for debugging purposes
could grow to an unreasonable size.

This has been fixed in version 0.0.19991231pl11-2.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.

  Source archives:
    http://security.debian.org/dists/stable/updates/main/source/postfix_0.0.19991231pl11-2.diff.gz
      MD5 checksum: ebbd478c0feef6854bd4b82471d5db39
    http://security.debian.org/dists/stable/updates/main/source/postfix_0.0.19991231pl11-2.dsc
      MD5 checksum: 67653116044cc7735031275317b878eb
    http://security.debian.org/dists/stable/updates/main/source/postfix_0.0.19991231pl11.orig.tar.gz
      MD5 checksum: 97c6b1912b9917cca2e1cb957b2449fd

  Alpha architecture:
    http://security.debian.org/dists/stable/updates/main/binary-alpha/postfix_0.0.19991231pl11-2_alpha.deb
      MD5 checksum: 338079e3346d86c95c655335b3e0649d

  ARM architecture:
    http://security.debian.org/dists/stable/updates/main/binary-arm/postfix_0.0.19991231pl11-2_arm.deb
      MD5 checksum: 0a89e703dfd0f303690628d6deac862c

  Intel IA-32 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-i386/postfix_0.0.19991231pl11-2_i386.deb
      MD5 checksum: abe5ae7acbd0decde71c79f3bfaac6e7

  Motorola 680x0 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-m68k/postfix_0.0.19991231pl11-2_m68k.deb
      MD5 checksum: 2051d03ca9b61e4cdd6815fd67d578ef

  PowerPC architecture:
    http://security.debian.org/dists/stable/updates/main/binary-powerpc/postfix_0.0.19991231pl11-2_powerpc.deb
      MD5 checksum: e214c21f2ba7311456268f12579c7b71

  Sun Sparc architecture:
    http://security.debian.org/dists/stable/updates/main/binary-sparc/postfix_0.0.19991231pl11-2_sparc.deb
      MD5 checksum: 7e588f3fa1d1682318975a88a201780b

  These packages will be moved into the stable distribution on its next
  revision.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

- -- 
- ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBPBeEgajZR/ntlUftAQGoQgMAmxPhiNsOgyKWJflOgFFgyIk2V5f3LYfX
InChxxXVqfm2ThkY2VCklLaKDkV+TVrcPTxVTYEGB+lKxDWKLPd2V6yBezhKRULd
XaOcunqRvlLQMHXEDjbYtu2ry07LEI9X
=+bwZ
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC