Date: Thu, 09 Feb 2017 00:47:08 +0100 From: Christian Boltz <oss-security@...ltz.de> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Re: CVE request: PostfixAdmin allows to delete protected aliases Hello, Am Dienstag, 7. Februar 2017, 20:12:24 CET schrieb cve-assign@...re.org: > > https://github.com/postfixadmin/postfixadmin/pull/23 > > > > Thanks to a missing permission check, domain admins can delete > > aliases they are not allowed to delete (for example abuse@, which > > the server admin might have setup so that he gets all abuse mails). > > > >> Fix security hole in AliasHandler > > Use CVE-2017-5930. Thanks! I released PostfixAdmin 3.0.2 which includes the fix for this bug (and some non-security bugs). I also submitted updated packages to openSUSE Tumbleweed, Leap 42.2 and 42.1. (Tracking bug: https://bugzilla.opensuse.org/1024211 ) Regards, Christian Boltz -- In most cases, XSLT is good enough. But I agree, for some parts you need Aspirin. ;-) [Thomas Schraitle in opensuse-doc]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.