Tugger the SLUGger! SLUG Mailing List Archives

[chat] Fw: [SECURITY] [DSA-363-1] New postfix packages fix remote denial of service, bounce scanning [WAS]: MTA Wars


Sounds like the qmail guy was right....

Cheers,

Scott

Matt Zimmerman <mdz@xxxxxxxxx> wrote on 04-08-2003 08:25:40 AM:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 363-1 security@xxxxxxxxxx
> http://www.debian.org/security/                             Matt Zimmerman
> August 3rd, 2003 http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
> 
> Package        : postfix
> Vulnerability  : denial of service, bounce-scanning
> Problem-Type   : remote
> Debian-specific: no
> CVE Ids        : CAN-2003-0468, CAN-2003-0540
> 
> The postfix mail transport agent in Debian 3.0 contains two
> vulnerabilities:
> 
> CAN-2003-0468: Postfix would allow an attacker to bounce-scan private
> networks or use the daemon as a DDoS tool by forcing the daemon to
> connect to an arbitrary service at an arbitrary IP address and
> either receiving a bounce message or observing queue operations to
> infer the status of the delivery attempt.
> 
> CAN-2003-0540: a malformed envelope address can 1) cause the queue
> manager to lock up until an entry is removed from the queue and 2)
> lock up the smtp listener leading to a denial of service
> 
> For the current stable distribution (woody) these problems have been
> fixed in version 1.1.11-0.woody3.
> 
> For the unstable distribution (sid) these problems will be fixed soon.
> 
> We recommend that you update your postfix package.
> 
> Upgrade Instructions
> - --------------------
> 
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
> 
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
> 
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
> 
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
> 
> Debian GNU/Linux 3.0 alias woody
> - --------------------------------
> 
>   These files will probably be moved into the stable distribution on
>   its next revision.
> 
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
> 
> iD8DBQE/LYu9ArxCt0PiXR4RAmwDAJ0ez/2Km4H0popgoyYp7aus68aXWgCgvrP3
> QYYliUAgYWlCg7A5j+kAKlA=
> =gOIX
> -----END PGP SIGNATURE-----
> 
> 
>