Postfix IPv6 Unauthorized Mail Relay Vulnerability
BID:12445
Info
| Bugtraq ID: | 12445 |
| Class: | Design Error |
| CVE: | CVE-2005-0337 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 04 2005 12:00AM |
| Updated: | Jul 12 2009 10:06AM |
| Credit: | Discovery is credited to Jean-Samuel Reynaud. |
| Vulnerable: | Wietse Venema Postfix 2.1.3; SuSE Linux 8.1; SuSE Linux 8.0 i386; SuSE Linux 8.0; S.u.S.E. Linux Personal 9.2; S.u.S.E. Linux Personal 9.1; S.u.S.E. Linux Personal 9.0 x86_64; S.u.S.E. Linux Personal 9.0; S.u.S.E. Linux Personal 8.2; Redhat Enterprise Linux WS 4; Redhat Enterprise Linux ES 4; Redhat Enterprise Linux AS 4; Redhat Desktop 4.0 |
| Not Vulnerable: | |
Discussion
Postfix is prone to a vulnerability that allows the application to be abused as a mail relay.
Arbitrary mail may be sent to any MX host with an IPv6 address. This could be exploited by spammers or other malicious parties.
Postfix 2.1.3 is reported prone to this issue. It is possible that other versions are affected as well.
Exploit / POC
An exploit is not required.
Solution / Fix
Solution:
Ubuntu has released advisory USN-74-1 to address this issue. Please see the referenced advisory for more information.
SuSE Linux has released a security summary report (SUSE-SR:2005:003) that contains fixes to address this and other vulnerabilities. Customers are advised to peruse the referenced advisory for further information regarding obtaining and applying appropriate updates.
Ubuntu has updated advisory USN-74-1 to USN-74-2 to correct erroneous fixes included in USN-74-1. Please see the referenced advisory for more information.
Red Hat has released advisory RHSA-2005:152-04 to address this issue in Red Hat Enterprise Linux 4. Please see the advisory in Web references for more information.
Wietse Venema Postfix 2.1.3
- SuSE postfix-2.1.5-3.2.i586.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/postfix-2.1.5-3.2.i586.rpm
- SuSE postfix-2.1.5-3.2.x86_64.rpm
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/postfix-2.1.5-3.2.x86_64.rpm
- Ubuntu postfix-dev_2.1.3-1ubuntu17.1_all.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-dev_2.1.3-1ubuntu17.1_all.deb
- Ubuntu postfix-doc_2.1.3-1ubuntu17.1_all.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-doc_2.1.3-1ubuntu17.1_all.deb
- Ubuntu postfix-ldap_2.1.3-1ubuntu17.1_amd64.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-ldap_2.1.3-1ubuntu17.1_amd64.deb
- Ubuntu postfix-ldap_2.1.3-1ubuntu17.1_i386.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-ldap_2.1.3-1ubuntu17.1_i386.deb
- Ubuntu postfix-ldap_2.1.3-1ubuntu17.1_powerpc.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-ldap_2.1.3-1ubuntu17.1_powerpc.deb
- Ubuntu postfix-mysql_2.1.3-1ubuntu17.1_amd64.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-mysql_2.1.3-1ubuntu17.1_amd64.deb
- Ubuntu postfix-mysql_2.1.3-1ubuntu17.1_i386.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-mysql_2.1.3-1ubuntu17.1_i386.deb
- Ubuntu postfix-mysql_2.1.3-1ubuntu17.1_powerpc.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-mysql_2.1.3-1ubuntu17.1_powerpc.deb
- Ubuntu postfix-pcre_2.1.3-1ubuntu17.1_amd64.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-pcre_2.1.3-1ubuntu17.1_amd64.deb
- Ubuntu postfix-pcre_2.1.3-1ubuntu17.1_i386.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-pcre_2.1.3-1ubuntu17.1_i386.deb
- Ubuntu postfix-pcre_2.1.3-1ubuntu17.1_powerpc.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-pcre_2.1.3-1ubuntu17.1_powerpc.deb
- Ubuntu postfix-pgsql_2.1.3-1ubuntu17.1_amd64.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-pgsql_2.1.3-1ubuntu17.1_amd64.deb
- Ubuntu postfix-pgsql_2.1.3-1ubuntu17.1_i386.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-pgsql_2.1.3-1ubuntu17.1_i386.deb
- Ubuntu postfix-pgsql_2.1.3-1ubuntu17.1_powerpc.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-pgsql_2.1.3-1ubuntu17.1_powerpc.deb
- Ubuntu postfix-tls_2.1.3-1ubuntu17.1_amd64.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-tls_2.1.3-1ubuntu17.1_amd64.deb
- Ubuntu postfix-tls_2.1.3-1ubuntu17.1_i386.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-tls_2.1.3-1ubuntu17.1_i386.deb
- Ubuntu postfix-tls_2.1.3-1ubuntu17.1_powerpc.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-tls_2.1.3-1ubuntu17.1_powerpc.deb
- Ubuntu postfix_2.1.3-1ubuntu17.1_amd64.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix_2.1.3-1ubuntu17.1_amd64.deb
- Ubuntu postfix_2.1.3-1ubuntu17.1_i386.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix_2.1.3-1ubuntu17.1_i386.deb
- Ubuntu postfix_2.1.3-1ubuntu17.1_powerpc.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix_2.1.3-1ubuntu17.1_powerpc.deb
References
References:
- Postfix Homepage (Wietse Venema)
- RHSA-2005:152-04 - postfix security update (RedHat)