Date: Thu, 09 Feb 2017 00:47:08 +0100
From: Christian Boltz <oss-security@...ltz.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE request: PostfixAdmin allows to delete protected aliases

Hello,

On Tuesday, 7 February 2017, 20:12:24 CET, cve-assign@...re.org wrote:
> > https://github.com/postfixadmin/postfixadmin/pull/23
> > 
> > Thanks to a missing permission check, domain admins can delete
> > aliases they are not allowed to delete (for example abuse@, which
> > the server admin might have set up so that he gets all abuse mails).
> > 
> >> Fix security hole in AliasHandler
> 
> Use CVE-2017-5930.

Thanks!

I released PostfixAdmin 3.0.2 which includes the fix for this bug (and 
some non-security bugs).

I also submitted updated packages to openSUSE Tumbleweed, Leap 42.2 and 
42.1. (Tracking bug: https://bugzilla.opensuse.org/1024211 )


Regards,

Christian Boltz
-- 
In most cases, XSLT is good enough. But I agree, for some parts
you need Aspirin. ;-)        [Thomas Schraitle in opensuse-doc]
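
A minimal model of the permission check the quoted report says was missing on alias deletion, added here as an illustration; it is not code from the message or from PostfixAdmin's AliasHandler. The class, method names, admin array layout and the protected-alias list are all assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration, not PostfixAdmin's AliasHandler; every name here is hypothetical.

const PROTECTED_LOCALPARTS = ['abuse'];   // constructed; the report names abuse@ as an example

final class AliasStore
{
    /** @var array<string,string> lowercase alias address => forwarding target */
    private array $aliases;

    public function __construct(array $aliases) { $this->aliases = $aliases; }

    /** Authorization decision for any operation that changes an alias. */
    private function mayModify(string $address, array $admin): bool
    {
        $parts = explode('@', $address, 2);
        if (count($parts) !== 2) {
            return false;                                    // malformed address
        }
        if ($admin['superadmin']) {
            return true;                                     // server admin
        }
        return in_array($parts[1], $admin['domains'], true)  // admin manages this domain
            && !in_array($parts[0], PROTECTED_LOCALPARTS, true);
    }

    public function delete(string $address, array $admin): bool
    {
        $address = strtolower($address);   // normalize before lookup and before the check
        // Deletion is a write, so it is refused unless mayModify() allows it.
        if (!isset($this->aliases[$address]) || !$this->mayModify($address, $admin)) {
            return false;
        }
        unset($this->aliases[$address]);
        return true;
    }
}

// Constructed sample data.
$store = new AliasStore(['abuse@example.org' => 'root@example.net', 'sales@example.org' => 'bob@example.org']);
$domainAdmin = ['superadmin' => false, 'domains' => ['example.org']];
$serverAdmin = ['superadmin' => true, 'domains' => []];
var_dump($store->delete('Abuse@example.org', $domainAdmin));
var_dump($store->delete('sales@example.org', $domainAdmin));
var_dump($store->delete('abuse@example.org', $serverAdmin));
```

In this model the domain admin's attempt on abuse@ is refused, while the same admin can delete an ordinary alias and the server admin can delete the protected one.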
