Your message dated Sun, 01 Aug 2021 07:48:35 +0000
with message-id <[email protected]>
and subject line Bug#990439: fixed in postsrsd 1.10-2
has caused the Debian Bug report #990439,
regarding postsrsd: CVE-2021-35525
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
990439: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990439
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: postsrsd
Version: 1.10-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for postsrsd.

CVE-2021-35525[0]:
| PostSRSd before 1.11 allows a denial of service (subprocess hang) if
| Postfix sends certain long data fields such as multiple concatenated
| email addresses. NOTE: the PostSRSd maintainer acknowledges
| "theoretically, this error should never occur ... I'm not sure if
| there's a reliable way to trigger this condition by an external
| attacker, but it is a security bug in PostSRSd nevertheless."


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-35525
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35525
[1] https://github.com/roehling/postsrsd/commit/077be98d8c8a9847e4ae0c7dc09e7474cbe27db2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: postsrsd
Source-Version: 1.10-2
Done: Oxan van Leeuwen <[email protected]>

We believe that the bug you reported is fixed in the latest version of
postsrsd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Oxan van Leeuwen <[email protected]> (supplier of updated postsrsd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 14 Jul 2021 21:21:11 +0200
Source: postsrsd
Architecture: source
Version: 1.10-2
Distribution: unstable
Urgency: medium
Maintainer: Oxan van Leeuwen <[email protected]>
Changed-By: Oxan van Leeuwen <[email protected]>
Closes: 990439
Changes:
 postsrsd (1.10-2) unstable; urgency=medium
 .
   * Fix CVE-2021-35525: potential DoS when Postfix sends certain long data
     fields such as multiple concatenated email addresses. Fix backported from
     upstream commit 077be98d8c8. (Closes: #990439)
Checksums-Sha1: 
 9b34ba77fa0c32426e9d7acaf741a00c9e31a86d 2084 postsrsd_1.10-2.dsc
 cc773a8ea4a072756d55ab43a96342c0f149b4ec 12808 postsrsd_1.10-2.debian.tar.xz
Checksums-Sha256: 
 f6f7fd73a48e55cef28429aef1b56dd18f349c01a22cde7de80c7fd9f3ddc212 2084 postsrsd_1.10-2.dsc
 ac4fa62fed2866833ec08565e77bae88a67a5fbe92c5fde0b116b78c9a544354 12808 postsrsd_1.10-2.debian.tar.xz
Files: 
 77da38ccac5d1da36fcbbd22632493f6 2084 mail optional postsrsd_1.10-2.dsc
 b40fc1026d6eebfbc152305b1814a828 12808 mail optional postsrsd_1.10-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---