1
PublicDateAtUSN: 2011-03-16
2
Candidate: CVE-2011-0411
5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0411
6
http://www.postfix.org/CVE-2011-0411.html
7
https://usn.ubuntu.com/usn/usn-1113-1
9
The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before
10
2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly
11
restrict I/O buffering, which allows man-in-the-middle attackers to insert
12
commands into encrypted SMTP sessions by sending a cleartext command that
13
is processed after TLS is in place, related to a "plaintext command
17
mdeslaur> postfix 2.8 and 2.9 are not affected
20
Discovered-by: Wietse Venema
24
upstream: http://archive.mgm51.com/mirrors/postfix-source/official/postfix-2.4-patch16.gz (2.4)
25
upstream: http://archive.mgm51.com/mirrors/postfix-source/official/postfix-2.5-patch12.gz (2.5)
26
upstream: http://archive.mgm51.com/mirrors/postfix-source/official/postfix-2.6-patch09.gz (2.6)
27
upstream: http://archive.mgm51.com/mirrors/postfix-source/official/postfix-2.7-patch03.gz (2.7)
28
upstream_postfix: released (2.4.16, 2.5.12, 2.6.9, 2.7.3)
29
dapper_postfix: released (2.2.10-1ubuntu0.3)
30
hardy_postfix: released (2.5.1-2ubuntu1.3)
31
karmic_postfix: released (2.6.5-3ubuntu0.1)
32
lucid_postfix: released (2.7.0-1ubuntu0.1)
33
maverick_postfix: released (2.7.1-1ubuntu0.1)
34
devel_postfix: not-affected (2.8.2-1ubuntu1)