CESA-2011:0843 -- centos 4 i386 postfixID: oval:org.secpod.oval:def:200640 | Date: (C)2012-01-31 (M)2023-11-09 |
Class: PATCH | Family: unix |
Postfix is a Mail Transport Agent , supporting LDAP, SMTP AUTH , and TLS. A heap-based buffer over-read flaw was found in the way Postfix performed SASL handlers management for SMTP sessions, when Cyrus SASL authentication was enabled. A remote attacker could use this flaw to cause the Postfix smtpd server to crash via a specially-crafted SASL authentication request. The smtpd process was automatically restarted by the postfix master process after the time configured with service_throttle_time elapsed. Note: Cyrus SASL authentication for Postfix is not enabled by default. Red Hat would like to thank the CERT/CC for reporting this issue. Upstream acknowledges Thomas Jarosch of Intra2net AG as the original reporter. Users of Postfix are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the postfix service will be restarted automatically.