Date: Thu, 09 Feb 2017 00:47:08 +0100
From: Christian Boltz <oss-security@...ltz.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE request: PostfixAdmin allows to delete protected aliases

Hello,

On Tuesday, 7 February 2017, 20:12:24 CET, cve-assign@...re.org wrote:
> > https://github.com/postfixadmin/postfixadmin/pull/23
> >
> > Thanks to a missing permission check, domain admins can delete
> > aliases they are not allowed to delete (for example abuse@, which
> > the server admin might have set up so that he gets all abuse mails).
> >
> >> Fix security hole in AliasHandler
>
> Use CVE-2017-5930.

Thanks!

I released PostfixAdmin 3.0.2 which includes the fix for this bug (and
some non-security bugs).

I also submitted updated packages to openSUSE Tumbleweed, Leap 42.2 and
42.1. (Tracking bug: https://bugzilla.opensuse.org/1024211 )

Regards,

Christian Boltz
--
In most cases, XSLT is good enough. But I agree, for some parts you
need Aspirin. ;-) [Thomas Schraitle in opensuse-doc]