| Summary: | Postfix security update - 3.8.4 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Stig-Ørjan Smelror <smelror> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | dan, davidwhodgins, geex+mageia, jim, mageia, marja11, mhrambo3501, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | postfix-3.8.1-2.mga9 | CVE: | CVE-2023-51764 |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 32832 | | |

Description
Stig-Ørjan Smelror
2023-12-22 21:17:50 CET
Advisory
========
Postfix has been updated to fix smtp smuggling, an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than <CR><LF>.

References
==========
https://www.postfix.org/smtp-smuggling.html
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

Files
=====
Uploaded to core/updates_testing

postfix-ldap-3.8.4-1.mga9
postfix-pgsql-3.8.4-1.mga9
postfix-cdb-3.8.4-1.mga9
postfix-sqlite-3.8.4-1.mga9
postfix-pcre-3.8.4-1.mga9
postfix-mysql-3.8.4-1.mga9
postfix-sdbm-3.8.4-1.mga9
lib64postfix1-3.8.4-1.mga9
postfix-3.8.4-1.mga9

from postfix-3.8.4-1.mga9.src.rpm

Assignee: smelror => qa-bugs
Marja Van Waes
2023-12-23 21:22:34 CET
Source RPM: (none) => postfix-3.8.1-2.mga9

Advisory from comment 1 added to SVN. Also added 'CVE-2023-<still unknown>', because a CVE had been requested yesterday by Marcus Meissner and I expect this issue to get one, soon, after which the advisory in SVN can be updated.

Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords: (none) => advisory

Don't put
CVE:
- CVE-2023-<still unknown>

in the svn advisory, those two lines should be removed. Just add a comment in the advisory itself that a cve is pending.

Otherwise the malformed cve will mess up the generation of http://advisories.mageia.org/ when the advisory is pushed along with the package.

Add the CVE: line and actual cve number when updating the advisory later.

I don't think the malformed cve will stop the update from being pushed, but given how strict the script is on other things, it wouldn't surprise me.

Also don't forget the leading space in the cve number line, which is currently missing.

CC: (none) => davidwhodgins

(In reply to Dave Hodgins from comment #3)
> Don't put
> CVE:
> - CVE-2023-<still unknown>
>
> in the svn advisory, those two lines should be removed. Just add a comment in
> the advisory itself that a cve is pending.

Done

<snip>
>
> Also don't forget the leading space in the cve number line, which is
> currently missing.

papoteur has been studying yaml when he wrote mga-advisor and discovered that we were using leading spaces than we should according to the yaml documentation. So he left out the ones for the references and CVEs, and it works well. For instance, 32071.adv was processed fine.

s/leading/more leading/

From: https://www.postfix.org/smtp-smuggling.html

Dec 24: someone (not at SEC Consult) created CVE-2023-51764. Unfortunately this contains many factual errors. Wietse has informed the person who requested the CVE.

I have added it to the advisory in SVN though, because it'll surely be corrected.

CVE: (none) => CVE-2023-51764

Wietse complains any time someone requests a CVE for postfix because he likes to brag about how few CVEs it's had over the years.

(In reply to Marja Van Waes from comment #6)
> From: https://www.postfix.org/smtp-smuggling.html

According to this, the recommended settings:

smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks

are not the default in 3.8.4, so it will be fixed in 3.9 only ?

CC: (none) => geex+mageia

Nice presentation about this:
https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide

@Guilliaume: sure, we have to change the main.cf file. And maybe add some more information on update

CC: (none) => mageia

*** Bug 32677 has been marked as a duplicate of this bug. ***

Linux xxxx.xxxx.xxxx 6.5.13-desktop-6.mga9 #1 SMP PREEMPT_DYNAMIC Sun Dec 17 22:42:25 UTC 2023 x86_64 GNU/Linux
Installed and configured existing postfix (along with procmail, fetchmail, and mutt for processing and viewing mail as I usually do and as my postfix config calls for).
http://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/postfix-3.8.1-2.mga9.x86_64.rpm
http://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64postfix1-3.8.1-2.mga9.x86_64.rpm
installing postfix-3.8.1-2.mga9.x86_64.rpm lib64postfix1-3.8.1-2.mga9.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... ###############################################################################################################################################################################
1/2: lib64postfix1 ###############################################################################################################################################################################
2/2: postfix ###############################################################################################################################################################################
Ran a few tests to ensure mail was sent and received/processed as intended.
Manually updated to 3.8.4-1 from updates_testing.
installing postfix-3.8.4-1.mga9.x86_64.rpm lib64postfix1-3.8.4-1.mga9.x86_64.rpm from .
Preparing... ###############################################################################################################################################################################
1/2: lib64postfix1 ###############################################################################################################################################################################
2/2: postfix ##############################################################################################################################################################################
warning: /etc/postfix/main.cf created as /etc/postfix/main.cf.rpmnew
Re-ran all tests and found everything worked as it did prior to the update. My tests do not by any means use all the functions available with postfix but the things I do use all worked.
The update is good AFAICS.

CC: (none) => mhrambo3501

Installed using QA repo. MGA x86_64. There are some warnings but I cannot judge whether they are important to consider.
Pour satisfaire les dépendances, les paquetages suivants vont être installés :
Paquetage Version Révision Arch
(média « QA Testing (64-bit) »)
lib64postfix1 3.8.4 1.mga9 x86_64
postfix 3.8.4 1.mga9 x86_64
un espace additionnel de 11Ko sera utilisé.
2.1Mo de paquets seront récupérés.
Procéder à l'installation des 2 paquetages ? (O/n)
installation de postfix-3.8.4-1.mga9.x86_64.rpm lib64postfix1-3.8.4-1.mga9.x86_64.rpm depuis //rpmbuild/qa-testing/x86_64
Préparation... ###################################################################################
1/2: lib64postfix1 ###################################################################################
2/2: postfix #################################################################################attention : /etc/postfix/main.cf created as /etc/postfix/main.cf.rpmnew
##
postfix: Postfix is using backwards-compatible default settings
postfix: See http://www.postfix.org/COMPATIBILITY_README.html for details
postfix: To disable backwards compatibility use "postconf compatibility_level=3.6" and "postfix reload"
ldd: attention : vous n'avez pas la permission d'exécution pour `/var/spool/postfix/usr/lib64/libcap.so.2'
ldd: attention : vous n'avez pas la permission d'exécution pour `/var/spool/postfix/usr/lib64/libcap.so.2.52'
Reloading postfix configuration (via systemctl): Warning: The unit file, source configuration file or drop-ins of postfix.service changed on disk. Run 'systemctl daemon-reload' to reload units.
[ OK ]
ldd: attention : vous n'avez pas la permission d'exécution pour `/var/spool/postfix/usr/lib64/libcap.so.2'
ldd: attention : vous n'avez pas la permission d'exécution pour `/var/spool/postfix/usr/lib64/libcap.so.2.52'
Reloading postfix configuration (via systemctl): [ OK ]
1/2: désinstallation de postfix-1:3.8.1-2.mga9.x86_64
###################################################################################
2/2: désinstallation de lib64postfix1-1:3.8.1-2.mga9.x86_64
###################################################################################
I have some addons on my main.cf to use a relayhost.
I use smtp_tls_security_level = encrypt
instead of smtp_tls_security_level = may
as proposed by the rpmnew
I removed also:
#containment for CVE-2023-51764
# SMTP smuggling mitigation
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking
service restarted
test email sent and it worked
It works as expected, for my use which is to get system email sent out, using a relayhost (external smtp provider).
Hope it helps.
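
The install logs in this thread show the update writing its new configuration to /etc/postfix/main.cf.rpmnew, so the live main.cf keeps whatever the administrator had before. The following check is an added example, not part of any comment in this report and not Mageia or Postfix code: it classifies a main.cf-style file by whether it carries the recommended bare-newline setting, the containment lines quoted above, or neither. The function names and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Reads main.cf syntax: "#" comments,
# "name = value", later assignments win, indented lines continue a value.
get_param() {  # get_param FILE NAME -> last value assigned to NAME
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (cur != "") val[cur] = val[cur] " " $0; next }
        {
            eq = index($0, "="); if (eq == 0) { cur = ""; next }
            cur = substr($0, 1, eq - 1); gsub(/[ \t]/, "", cur)
            val[cur] = substr($0, eq + 1)
        }
        END { v = tolower(val[want]); gsub(/[ \t,]+/, " ", v); print v }' "$1"
}

has_word() {  # has_word "space separated list" WORD
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}

smuggling_status() {  # prints fixed | workaround | unmitigated
    nl=$(get_param "$1" smtpd_forbid_bare_newline)
    dr=$(get_param "$1" smtpd_data_restrictions)
    ek=$(get_param "$1" smtpd_discard_ehlo_keywords)
    # "yes" is the value quoted in the report; "normalize" and "reject" are
    # enabling values from later Postfix releases (not mentioned on this page).
    if has_word "$nl" yes || has_word "$nl" normalize || has_word "$nl" reject; then
        echo fixed
    elif has_word "$dr" reject_unauth_pipelining && has_word "$ek" chunking; then
        echo workaround
    else
        echo unmitigated
    fi
}

SAMPLES=$(mktemp -d)
# Constructed: main.cf carried over from 3.8.1, nothing smuggling-related set.
printf '%s\n' 'myhostname = mail.example.test' \
    'smtp_tls_security_level = encrypt' > "$SAMPLES/carried-over.cf"
# Constructed: the containment lines quoted in the report.
printf '%s\n' '# SMTP smuggling mitigation' \
    'smtpd_data_restrictions = reject_unauth_pipelining' \
    'smtpd_discard_ehlo_keywords = chunking' > "$SAMPLES/containment.cf"
# Constructed: the recommended settings, with an override and a continuation.
printf '%s\n' 'smtpd_forbid_bare_newline = no' 'smtpd_forbid_bare_newline = yes' \
    'smtpd_forbid_bare_newline_exclusions =' '    $mynetworks' > "$SAMPLES/recommended.cf"
for f in "$SAMPLES"/*.cf; do
    printf '%s: %s\n' "${f##*/}" "$(smuggling_status "$f")"
done
```

On a live host, `smuggling_status /etc/postfix/main.cf` and `smuggling_status /etc/postfix/main.cf.rpmnew` can be compared to see whether the running configuration differs from the packaged one.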
[dave@x3 advisories]$ cd
[dave@x3 ~]$ rpm -q postfix
postfix-3.8.4-1.mga9
[dave@x3 ~]$ systemctl status postfix.service
● postfix.service - LSB: Starts the postfix daemons
Loaded: loaded (/etc/rc.d/init.d/postfix; generated)
Drop-In: /etc/systemd/system/postfix.service.d
└─override.conf
Active: active (running) since Thu 2024-02-01 10:40:13 EST; 3 days ago
Docs: man:systemd-sysv-generator(8)
Process: 1583 ExecStart=/etc/rc.d/init.d/postfix start (code=exited, status=0/SUCCESS)
Main PID: 2091 (master)
Tasks: 3 (limit: 19085)
Memory: 54.7M
CPU: 3.847s
CGroup: /system.slice/postfix.service
├─ 2091 /usr/libexec/postfix/master -w
├─ 2192 qmgr -l -t unix -u -c
└─164352 pickup -l -t unix -u -c -o content_filter= -o receive_override_options=
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/pickup[150159]: 32E5D3C22FE: uid=0 from=<root>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/cleanup[154133]: 32E5D3C22FE: message-id=<20240204092615.32E5D3C22FE@x3.hodgins.homeip.net>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/qmgr[2192]: 32E5D3C22FE: from=<root@x3.hodgins.homeip.net>, size=8136, nrcpt=1 (queue active)
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/local[154139]: 32E5D3C22FE: to=<dave@x3.hodgins.homeip.net>, orig_to=<root>, relay=local, delay=0.02, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (delivered to ma>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/qmgr[2192]: 32E5D3C22FE: removed
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/pickup[150159]: 421883C22FE: uid=0 from=<root>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/cleanup[154133]: 421883C22FE: message-id=<20240204092615.421883C22FE@x3.hodgins.homeip.net>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/qmgr[2192]: 421883C22FE: from=<root@x3.hodgins.homeip.net>, size=151145, nrcpt=1 (queue active)
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/local[154139]: 421883C22FE: to=<dave@x3.hodgins.homeip.net>, orig_to=<root>, relay=local, delay=154, delays=154/0/0/0.01, dsn=2.0.0, status=sent (delivered to mail>
Feb 04 04:26:15 x3.hodgins.homeip.net postfix/qmgr[2192]: 421883C22FE: removed
Also tested on my rpi4b where it's working too.
No regressions noticed. Validating the update.

Keywords: (none) => validated_update

(In reply to Stig-Ørjan Smelror from comment #0)
> The Postfix team have released version 3.8.4 to fix smtp smuggling.
>
> https://www.postfix.org/smtp-smuggling.html
> https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

Installed today. Seems good here.
ISP will not allow incoming mail....ofw
Outbound via relay.
For what I'm able to test, looks ok.

Jim

CC: (none) => jim

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0029.html

Status: NEW => RESOLVED

I get some installation issues. after install I get the notice:

ldd: warning: you do not have execution permission for `/var/spool/postfix/lib64/libcap.so.2'
ldd: warning: you do not have execution permission for `/var/spool/postfix/usr/lib64/libcap.so.2.52'
ldd: /usr/lib64/postfix/dict_pcre.so: No such file or directory

I can't see we ship "dict_pcre.so".

ls -la /var/spool/postfix/usr/lib64/libcap.so*
-rw-r--r-- 1 root root 129184 Jun 22 2023 /var/spool/postfix/usr/lib64/libcap.so.2.52

Status: RESOLVED => REOPENED

(In reply to Marc Krämer from comment #16)
> I get some installation issues. after install I get the notice:
>
> ldd: warning: you do not have execution permission for
> `/var/spool/postfix/lib64/libcap.so.2'
> ldd: warning: you do not have execution permission for
> `/var/spool/postfix/usr/lib64/libcap.so.2.52'
> ldd: /usr/lib64/postfix/dict_pcre.so: No such file or directory
>
>
> I can't see we ship "dict_pcre.so".
>
> ls -la /var/spool/postfix/usr/lib64/libcap.so*
> -rw-r--r-- 1 root root 129184 Jun 22 2023
> /var/spool/postfix/usr/lib64/libcap.so.2.52

Please open new bug against postfix-3.8.4-1.mga9.src.rpm

For the execution permission, I've seen it before without it stopping postfix from working properly.

For pcre, I've never seen it. See https://unix.stackexchange.com/questions/572243/postfix-pcre-maps-broken-in-rhel8-error-unsupported-dictionary-type-pcre

If you need it for a specific configuration, the postfix-pcre package is available.

It sounds like the pcre issue is not a regression of postfix and the update is working like it did before. If that issue should still be addressed, please open a new bug, but I'm closing this one that has to do with the update.

CC: (none) => dan

Marc Krämer
2024-02-11 12:20:33 CET
Blocks: (none) => 32832