Date: Thu, 7 Apr 2011 10:46:37 -0500
Synopsis: Moderate: postfix security update
Issue date: 2011-04-06
CVE Names: CVE-2008-2937 CVE-2011-0411
It was discovered that Postfix did not flush the received SMTP commands
buffer after switching to TLS encryption for an SMTP session. A
man-in-the-middle attacker could use this flaw to inject SMTP commands
into a victim's session during the plain text phase. This would lead to
those commands being processed by Postfix after TLS encryption is
enabled, possibly allowing the attacker to steal the victim's mail or
authentication credentials. (CVE-2011-0411)
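As an added illustration of the buffer-handling flaw behind CVE-2011-0411 (this is example code written for this page, not the advisory's or Postfix's own code), the toy simulation below compares a server that keeps bytes read in plaintext across the TLS switch with one that discards them; the session, commands and function names are constructed for the example, and the "handshake" is just a flag.

```python
# Toy simulation of SMTP input-buffer handling around STARTTLS (constructed
# example; no sockets, no real TLS). Commands read in plaintext before the
# handshake must not survive into the encrypted session.
from dataclasses import dataclass, field


@dataclass
class Session:
    tls: bool = False
    buffer: bytes = b""                              # received, not yet parsed
    processed: list = field(default_factory=list)    # (command, under_tls)


def process_line(session: Session, line: bytes) -> None:
    """Record a command together with the encryption state it ran under."""
    cmd = line.strip()
    session.processed.append((cmd, session.tls))
    if cmd.upper() == b"STARTTLS":
        session.tls = True                           # stand-in for the handshake


def feed(session: Session, data: bytes, flush_on_starttls: bool) -> None:
    """Append received bytes and run every complete CRLF-terminated line.

    flush_on_starttls=False mirrors the vulnerable behaviour: bytes that arrived
    in the same plaintext read as STARTTLS stay queued and are executed as if
    the TLS peer had sent them. flush_on_starttls=True mirrors the fix: the
    queue is emptied when the handshake starts, so only bytes read after it count.
    """
    session.buffer += data
    while b"\r\n" in session.buffer:
        line, _, session.buffer = session.buffer.partition(b"\r\n")
        process_line(session, line)
        if flush_on_starttls and line.strip().upper() == b"STARTTLS":
            session.buffer = b""


def commands_run_under_tls(flush_on_starttls: bool) -> list:
    """Replay one constructed session and return the commands executed after TLS."""
    s = Session()
    # Constructed segment: STARTTLS and a trailing command arrive in one read,
    # the pipelining RFC 3207 forbids and the pattern the advisory describes.
    feed(s, b"EHLO example.test\r\nSTARTTLS\r\nRSET\r\n", flush_on_starttls)
    feed(s, b"MAIL FROM:<user@example.test>\r\n", flush_on_starttls)  # sent over TLS
    return [cmd for cmd, under_tls in s.processed if under_tls]


if __name__ == "__main__":
    print("vulnerable:", commands_run_under_tls(False))  # RSET leaks into the TLS phase
    print("fixed:     ", commands_run_under_tls(True))   # only the post-handshake command
```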
It was discovered that Postfix did not properly check the permissions of
users' mailbox files. A local attacker able to create files in the mail
spool directory could use this flaw to create mailbox files for other
local users, and be able to read mail delivered to those users.
(CVE-2008-2937)
After installing this update, the postfix service will be restarted
automatically.
SL 4.x
SRPMS:
postfix-2.2.10-1.4.el4.src.rpm
i386:
postfix-2.2.10-1.4.el4.i386.rpm
postfix-pflogsumm-2.2.10-1.4.el4.i386.rpm
x86_64:
postfix-2.2.10-1.4.el4.x86_64.rpm
postfix-pflogsumm-2.2.10-1.4.el4.x86_64.rpm
SL 5.x
SRPMS:
postfix-2.3.3-2.2.el5_6.src.rpm
i386:
postfix-2.3.3-2.2.el5_6.i386.rpm
postfix-pflogsumm-2.3.3-2.2.el5_6.i386.rpm
x86_64:
postfix-2.3.3-2.2.el5_6.x86_64.rpm
postfix-pflogsumm-2.3.3-2.2.el5_6.x86_64.rpm
- Scientific Linux Development Team