Your message dated Sun, 18 Jun 2017 00:20:53 +0000
with message-id <[email protected]>
and subject line Bug#864942: fixed in postfix 3.2.2-1
has caused the Debian Bug report #864942,
regarding postfix: Berkeley DB reads DB_CONFIG from cwd affects Postfix
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
864942: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864942
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: postfix
Version: 2.9.6-2
Severity: important
Tags: patch upstream

From the HISTORY file for 3.2.2:

20170611

        Security: Berkeley DB 2 and later try to read settings from
        a file DB_CONFIG in the current directory.  This undocumented
        feature may introduce undisclosed vulnerabilities resulting
        in privilege escalation with Postfix set-gid programs
        (postdrop, postqueue) before they chdir to the Postfix queue
        directory, and with the postmap and postalias commands
        depending on whether the user's current directory is writable
        by other users. This fix does not change Postfix behavior
        for Berkeley DB < 3, but reduces file create performance
        for Berkeley DB 3 .. 4.6.  File: util/dict_db.c.

For reference, the patch for postfix 3.2 can be found here:

https://git.launchpad.net/postfix/commit/?h=stable/v3.2&id=308925894ca444766f485f247ec3a1103d949e8f

This is known to affect stretch and jessie and upstream has also
released updates for the postfix versions they include.  The version in
wheezy is likely affected, but it is no longer supported by upstream and
I lack the time to check.  The LTS team is welcome to go ahead with any
needed changes (there is a wheezy-backports package that is affected).

Scott K

--- End Message ---
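The HISTORY entry quoted above ties the risk to a DB_CONFIG file in the current directory and to whether that directory is writable by other users. The following is an added example, not Postfix code and not the upstream fix: a pre-flight check an administrator could run on a directory before invoking postmap or postalias there on an unpatched system. The function name bdb_cwd_risk and the CWD_* flags are hypothetical.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result flags for this example (not from Postfix or Berkeley DB). */
#define CWD_OK            0
#define CWD_HAS_DB_CONFIG 1  /* a DB_CONFIG file already exists in the directory */
#define CWD_WRITABLE      2  /* group or other users could create one */
#define CWD_FOREIGN_OWNER 4  /* directory owned by neither the caller nor root */
#define CWD_ERROR         8  /* not a directory, or path could not be checked */

/* Report why `dir` is unsafe as a working directory for a Berkeley DB client
 * that reads DB_CONFIG from the current directory. `me` is the invoking uid. */
int bdb_cwd_risk(const char *dir, uid_t me)
{
    struct stat st;
    char path[4096];
    int risk = CWD_OK;

    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return CWD_ERROR;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        risk |= CWD_WRITABLE;
    if (st.st_uid != me && st.st_uid != 0)
        risk |= CWD_FOREIGN_OWNER;

    if (snprintf(path, sizeof(path), "%s/DB_CONFIG", dir) >= (int)sizeof(path))
        return CWD_ERROR;
    if (stat(path, &st) == 0)
        risk |= CWD_HAS_DB_CONFIG;
    return risk;
}

int main(void)
{
    int risk = bdb_cwd_risk(".", getuid());

    if (risk & CWD_ERROR)          puts("cannot check current directory");
    if (risk & CWD_HAS_DB_CONFIG)  puts("DB_CONFIG present in current directory");
    if (risk & CWD_WRITABLE)       puts("current directory writable by group/other");
    if (risk & CWD_FOREIGN_OWNER)  puts("current directory owned by another user");
    return risk != CWD_OK;  /* non-zero exit: change directory before running postmap */
}
```

The check is advisory only; the remedy the bug report points to is upgrading to a fixed Postfix release.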
--- Begin Message ---
Source: postfix
Source-Version: 3.2.2-1

We believe that the bug you reported is fixed in the latest version of
postfix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <[email protected]> (supplier of updated postfix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 17 Jun 2017 14:10:34 -0400
Source: postfix
Binary: postfix postfix-ldap postfix-lmdb postfix-cdb postfix-pcre postfix-mysql postfix-pgsql postfix-sqlite postfix-doc
Architecture: source amd64 all
Version: 3.2.2-1
Distribution: unstable
Urgency: medium
Maintainer: LaMont Jones <[email protected]>
Changed-By: Scott Kitterman <[email protected]>
Description:
 postfix    - High-performance mail transport agent
 postfix-cdb - CDB map support for Postfix
 postfix-doc - Documentation for Postfix
 postfix-ldap - LDAP map support for Postfix
 postfix-lmdb - LMDB map support for Postfix
 postfix-mysql - MySQL map support for Postfix
 postfix-pcre - PCRE map support for Postfix
 postfix-pgsql - PostgreSQL map support for Postfix
 postfix-sqlite - SQLite map support for Postfix
Closes: 864942
Changes:
 postfix (3.2.2-1) unstable; urgency=medium
 .
   [Scott Kitterman]
 .
   * Upload to unstable
   * New upstream release
   * Refresh patches
   * Remove temporary stretch configuration that ensured postfix-sqlite was not
     lost on upgrade:
     - postfix-sqlite now Depends instead of Recommends postfix
     - postfix no longer Depends postfix-sqlite
     - postfix-sqlite addmap is done in postfix-sqlite.postinst and not in
       postfix.postinst
     - postfix suggests postfix-sqlite
   * postfix.prerm post-stretch clean up: remove obsolete delmap calls
   * Delete postfix-cdb, -ldap, -lmdb, -mysql, -pcre, and -pgsql.preinst, no
     longer needed after stretch release
   * Remove circa 2006 fixup from postfix-cdb.postinst
   * Remove old (circa 2002, pre-postfix 1.0) master.cf fixups from
     postfix.prerm
 .
   [Wietse Venema]
 .
   * 3.2.2 (Closes: #864942)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
