[ https://issues.apache.org/jira/browse/JAMES-1862?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Antoine Duprat resolved JAMES-1862.
-----------------------------------
    Resolution: Fixed

Fixed. Commands can't be passed after STARTTLS, so the security issue is no more.

> Plaintext command injection of STARTTLS (CVE-2011-0411)
> -------------------------------------------------------
>
>                 Key: JAMES-1862
>                 URL: https://issues.apache.org/jira/browse/JAMES-1862
>             Project: James Server
>          Issue Type: Bug
>          Components: James Core
>    Affects Versions: 3.0-beta4
>         Environment: centos6/7/windows openjdk8/jdk8 jboss eap6.4.2
>            Reporter: Luc
>            Priority: Critical
>              Labels: security
>
> Security issue described by this post:
> Plaintext command injection in multiple implementations of STARTTLS
> [http://www.postfix.org/CVE-2011-0411.html]
> Here you will find a Dockerfile to run patched OpenSSL, as described in the
> previous link, to see the security issue.
> {code}
> FROM centos:latest
>
> ### Some env variables
> ENV OPENSSL_VERSION="1.0.2d"
>
> RUN yum clean all \
>     && yum -y update \
> ### Install tools for compiling
>     && yum -y install gcc \
>     && yum -y install make \
>     && yum -y install wget \
>     && yum -y install tar \
>     && yum -y install perl \
>     && yum clean all
>
> ### BUILD OpenSSL
> RUN wget "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" -P /tmp/ \
>     && tar -xvf /tmp/openssl-${OPENSSL_VERSION}.tar.gz \
>     && rm -rf /tmp/openssl-${OPENSSL_VERSION}.tar.gz
>
> ### Make s_client send RSET in the same plaintext write as STARTTLS
> RUN sed -i -e 's/BIO_printf(sbio, "STARTTLS\\r\\n")/BIO_printf(sbio, "STARTTLS\\r\\nRSET\\r\\n")/g' openssl-${OPENSSL_VERSION}/apps/s_client.c
>
> RUN cd openssl-${OPENSSL_VERSION} \
>     && ./Configure linux-x86_64 \
>     && make \
>     && make install \
>     && cd .. \
>     && rm -rf openssl-${OPENSSL_VERSION}
>
> ############
> # run this command in container :
> # /usr/local/ssl/bin/openssl s_client -quiet -starttls smtp -connect {replace with your james listen address}:{replace with your james listen port}
> {code}
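The resolution above says commands can no longer be passed after STARTTLS. As an added illustration (not James's code), the following Python models the check a server needs at that point: the vulnerable read path keeps the plaintext bytes that the patched s_client from the Dockerfile appends after STARTTLS and would later dispatch them inside the TLS session, while the hardened path refuses the handshake when anything follows the STARTTLS line. Function names, reply codes and the probe bytes are assumed for this example.

```python
# Illustration only: a minimal model of an SMTP server's pre-TLS read path.
# Function names and reply codes are assumed for this example, not James's.

STARTTLS_OK = b"220 Ready to start TLS\r\n"
STARTTLS_REJECT = b"554 5.5.1 Error: plaintext data after STARTTLS\r\n"
SYNTAX_ERROR = b"500 5.5.1 Syntax error\r\n"

# Constructed sample: what the patched s_client above puts on the wire in a
# single write, before any TLS handshake has taken place.
INJECTED_PROBE = b"STARTTLS\r\nRSET\r\n"


def vulnerable_handle_starttls(received: bytes):
    """Return (reply, start_tls, leftover).

    Vulnerable pattern: the line is parsed, TLS is started, and whatever
    already sits in the input buffer after the CRLF is kept and later
    dispatched as if the client had sent it inside the TLS session.
    """
    line, sep, leftover = received.partition(b"\r\n")
    if not sep:
        return b"", False, received          # need more bytes
    if line.strip().upper() != b"STARTTLS":
        return SYNTAX_ERROR, False, leftover
    return STARTTLS_OK, True, leftover       # leftover survives the handshake


def hardened_handle_starttls(received: bytes):
    """Same interface, but the plaintext buffer must be empty after the
    STARTTLS line; otherwise the handshake is refused and the buffer dropped."""
    line, sep, leftover = received.partition(b"\r\n")
    if not sep:
        return b"", False, received
    if line.strip().upper() != b"STARTTLS":
        return SYNTAX_ERROR, False, leftover
    if leftover:
        # These bytes arrived unencrypted and unauthenticated; an on-path
        # attacker could have inserted them. Never carry them across the
        # TLS boundary.
        return STARTTLS_REJECT, False, b""
    return STARTTLS_OK, True, b""


def post_tls_commands(handler, received: bytes):
    """Commands the server would run after the handshake from the pre-TLS buffer."""
    _, start_tls, leftover = handler(received)
    if not start_tls:
        return []
    return [cmd for cmd in leftover.split(b"\r\n") if cmd]


if __name__ == "__main__":
    for handler in (vulnerable_handle_starttls, hardened_handle_starttls):
        print(handler.__name__, post_tls_commands(handler, INJECTED_PROBE))
```

Running it prints `[b'RSET']` for the vulnerable handler and `[]` for the hardened one, which is the difference the Dockerfile's probe exposes.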