ALT-PU-2024-7313-2

Package update postfix in branch sisyphus

Version3.8.6-alt1

Published2024-05-08

Max severityMEDIUM

Severity:

Closed issues (2)

MEDIUM5.3

Уязвимость демона smtpd почтового сервера Postfix, позволяющая нарушителю обойти ограничения безопасности и осуществить подмену электронных писем (атака типа SMTP Smuggling)

Published: 2024-01-10Modified: 2025-11-19

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N

References

CVE-2023-51764

MEDIUM5.3

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports . but some other popular e-mail servers do not. To prevent attack variants (by always disallowing without ), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

Published: 2023-12-24Modified: 2025-11-04

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

Closed bugs (2)

Предупреждения о попытке чтения несуществующих библиотек

CVE-2023-51764 для закрытия необходимо обновление до версии 3.8.4 и старше