From owner-freebsd-ports@FreeBSD.ORG Mon May 11 08:36:05 2015 Return-Path: Delivered-To: freebsd-ports@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D5921A04; Mon, 11 May 2015 08:36:05 +0000 (UTC) Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mout.gmx.net", Issuer "TeleSec ServerPass DE-1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6D0621020; Mon, 11 May 2015 08:36:04 +0000 (UTC) Received: from [10.193.61.94] ([109.42.0.174]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MO7Ca-1YoRwG1VEy-005byR; Mon, 11 May 2015 10:35:56 +0200 User-Agent: K-9 Mail for Android In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: Wrong security audit for mail/postfix ? From: olli hauer Date: Mon, 11 May 2015 10:35:58 +0200 To: Cristiano Deana , FreeBSD Stable Mailing List , freebsd-security@freebsd.org, freebsd-ports@freebsd.org Message-ID: <35A69C37-F4ED-4235-8491-5F66E355592F@gmx.de> X-Provags-ID: V03:K0:cWXn3P5boDTf4vf7N7SjyHZosCJf4Qm4pKpMdUYcq7KKQC+qB6o KGbsl7WmRZJv1R2i3+eZdQxVbtxvyk3xkk8GFpvR3xSV1YzfB28R/AgE/yGkhX5xsCeMBQt DKS/OEqaQ0e97ZbRMr6JKcrzZnE0fN4SBZQtuyxjOGI67oD6v2SMGO49FDWu+jZedm2+7aX anR01PTCqaI92qVGub9rA== X-UI-Out-Filterresults: notjunk:1; X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 May 2015 08:36:05 -0000 On May 11, 2015 9:38:46 AM CEST, Cristiano Deana wrote: > Hi, >=20 > this morning I got for my mailservers >=20 > # pkg audit > postfix-2=2E11=2E4,1 is vulnerable: > postfix -- plaintext command injection with SMTP over TLS > CVE: CVE-2011-0411 > WWW: > http://vuxml=2EFreeBSD=2Eorg/freebsd/14a6f516-502f-11e0-b448-bbfa2731f9c= 7=2Ehtml >=20 > postfix-2=2E11=2E4,1 is vulnerable: > Postfix -- memory corruption vulnerability > CVE: CVE-2011-1720 > WWW: > http://vuxml=2EFreeBSD=2Eorg/freebsd/3eb2c100-738b-11e0-89f4-001e90d4663= 5=2Ehtml >=20 > But this is a bug from 2011, and it's blocking new install or updates > of postfix packages=2E >=20 > Who should be warned of this? >=20 > Thank you=2E Hi Cristiano, this should be fixed=2Emeanwhile=2E Please run the command=20 # pkg audit -F --=20 Regards, olli