Date: Thu, 19 Jan 2012 22:27:51 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Agostino Sarubbo <ago@...too.org>
Subject: Re: CVE Request for spamdyke "STARTTLS" Plaintext

On 01/15/2012 07:48 AM, Agostino Sarubbo wrote:
> In reference to: http://www.openwall.com/lists/oss-security/2012/01/07/1 :
>
> According to the Secunia security advisory ( https://secunia.com/advisories/47435 ) :
>
> Description:
> A vulnerability has been reported in spamdyke, which can be exploited by
> malicious people to manipulate certain data.
>
> The vulnerability is caused due to the TLS implementation not properly
> clearing transport layer buffers when upgrading from plaintext to ciphertext
> after receiving the "STARTTLS" command. This can be exploited to insert
> arbitrary plaintext data (e.g. SMTP commands) during the plaintext phase,
> which will then be executed after upgrading to the TLS ciphertext phase.
>
> The vulnerability is reported in versions prior to 4.2.1.
>
> Solution:
> Update to version 4.2.1.
>
> And from the upstream changelog ( http://www.spamdyke.org/documentation/Changelog.txt ):
>
> Changed smtp_filter() and middleman() to discard any buffered input after TLS
> is started. This prevents the injection of commands into a secure session
> by sending extra input in the same packet as the "STARTTLS" command. Not
> really a security problem but good practice anyway. Thanks to Eric
> Shubert for reporting this one.
>
> Sorry Kurt, but atm, I have not found the commit code.

Thanks, this helped clarify it a lot. Please use CVE-2012-0070 for this issue.

-- 
Kurt Seifried / Red Hat Security Response Team
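The following is an added illustration of the buffering problem the advisory and changelog describe, and of the fix (discarding buffered input once TLS is started). It is not spamdyke's code and does not touch the network: the SMTP "packets", addresses and function names are constructed for the example, and a user-space line buffer stands in for the server's read path.

```python
# Toy model of an SMTP command loop that reads from the socket into a
# user-space buffer. The bug: bytes that arrived in the same plaintext packet
# as "STARTTLS" are still in that buffer after the TLS handshake and get
# handled as if they had been received over the encrypted channel.
from __future__ import annotations

# Constructed input: the second packet carries a command after STARTTLS.
SAMPLE_PACKETS = [
    b"EHLO client.example.invalid\r\n",
    b"STARTTLS\r\nMAIL FROM:<injected@example.invalid>\r\n",
    b"RCPT TO:<user@example.invalid>\r\n",   # would arrive inside TLS
]


def process_session(packets: list[bytes], flush_on_starttls: bool) -> list[tuple[str, str]]:
    """Return (channel, command) pairs in the order the handler sees them.

    channel is "plain" before STARTTLS completes and "tls" afterwards, i.e.
    the trust level the server *believes* the command arrived with.
    flush_on_starttls=False models the pre-4.2.1 behaviour; True models the
    changelog fix (discard any buffered input after TLS is started).
    """
    buffer = b""
    tls_active = False
    handled: list[tuple[str, str]] = []
    for packet in packets:
        buffer += packet
        while b"\r\n" in buffer:
            line, buffer = buffer.split(b"\r\n", 1)
            cmd = line.decode("ascii", errors="replace").strip()
            if not cmd:
                continue
            if cmd.upper() == "STARTTLS" and not tls_active:
                handled.append(("plain", cmd))
                tls_active = True  # a real server runs the TLS handshake here
                if flush_on_starttls:
                    # Anything already buffered was received in plaintext and
                    # must not be carried into the authenticated session.
                    buffer = b""
                continue
            handled.append(("tls" if tls_active else "plain", cmd))
    return handled


def injected_commands(packets: list[bytes]) -> list[str]:
    """Commands the vulnerable loop treats as TLS-protected but the fixed
    loop never sees: exactly the plaintext leftovers from the STARTTLS packet."""
    vulnerable = set(process_session(packets, flush_on_starttls=False))
    fixed = set(process_session(packets, flush_on_starttls=True))
    return sorted(cmd for channel, cmd in vulnerable - fixed if channel == "tls")
```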