Date: Wed, 14 Jun 2017 20:55:28 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 219996] mail/postfix: Update to 3.2.2 (security fix)
Message-ID: <bug-219996-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219996

    Bug ID: 219996
    Summary: mail/postfix: Update to 3.2.2 (security fix)
    Product: Ports & Packages
    Version: Latest
    Hardware: Any
    URL: http://www.postfix.org/announcements/postfix-3.2.2.html
    OS: Any
    Status: New
    Severity: Affects Many People
    Priority: ---
    Component: Individual Port(s)
    Assignee: ohauer@FreeBSD.org
    Reporter: rootservice@gmail.com
    Assignee: ohauer@FreeBSD.org
    Flags: maintainer-feedback?(ohauer@FreeBSD.org)

Postfix 3.2.2 was released yesterday to address a security issue due to an
undocumented feature of Berkeley DB.

Quote from http://www.postfix.org/announcements/postfix-3.2.2.html

Fixed in all supported releases:

Security: Berkeley DB versions 2 and later try to read settings from a file
DB_CONFIG in the current directory. This undocumented feature may introduce
undisclosed vulnerabilities resulting in privilege escalation with Postfix
set-gid programs (postdrop, postqueue) before they chdir to the Postfix queue
directory, and with the postmap and postalias commands depending on whether the
user's current directory is writable by other users. This fix does not change
Postfix behavior for Berkeley DB versions < 3, but it does reduce postmap and
postalias 'create' performance with Berkeley DB versions 3.0 .. 4.6.

-- 
You are receiving this mail because:
You are the assignee for the bug.
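
Added example, not part of the original message and not the Postfix fix itself: a pre-flight check an administrator on a not-yet-updated system could run on the directory from which postmap or postalias will be invoked, flagging an existing DB_CONFIG file and a directory that other users can write to. The function name and the finding codes are assumptions made for this illustration.

```python
import os
import stat
import sys


# Finding codes below are names made up for this example.
def audit_bdb_cwd(directory="."):
    """Return {code: detail} for conditions under which a Berkeley DB
    DB_CONFIG file in `directory` could be controlled by another user."""
    findings = {}
    st = os.stat(directory)
    cfg = os.path.join(directory, "DB_CONFIG")

    # Berkeley DB 2 and later read this file from the current directory.
    if os.path.lexists(cfg):
        cst = os.lstat(cfg)
        findings["db_config_present"] = (
            f"{cfg}: uid {cst.st_uid}, mode {stat.filemode(cst.st_mode)}")

    # A sticky bit does not help here: other users can still create a
    # DB_CONFIG file that does not exist yet.
    if st.st_mode & stat.S_IWOTH:
        findings["dir_world_writable"] = stat.filemode(st.st_mode)
    if st.st_mode & stat.S_IWGRP:
        findings["dir_group_writable"] = stat.filemode(st.st_mode)

    # A directory owned by someone else lets that owner place the file.
    if st.st_uid not in (0, os.geteuid()):
        findings["dir_foreign_owner"] = f"uid {st.st_uid}"
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    result = audit_bdb_cwd(target)
    for code, detail in result.items():
        print(f"{code}: {detail}")
    # Non-zero exit lets a wrapper script refuse to run postmap/postalias.
    sys.exit(1 if result else 0)
```

An empty result means the directory contains no DB_CONFIG and only its owner (or root) can create one.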