Synopsis: Moderate: postfix security update
Issue Date: 2011-05-31
CVE Numbers: CVE-2011-1720

Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS.

A heap-based buffer over-read flaw was found in the way Postfix managed SASL handlers for SMTP sessions when Cyrus SASL authentication was enabled. A remote attacker could use this flaw to crash the Postfix smtpd server via a specially crafted SASL authentication request. The postfix master process automatically restarted the smtpd process after the time configured with service_throttle_time had elapsed, so a steady stream of such requests amounts to a denial of service against SMTP. (CVE-2011-1720)

Note: Cyrus SASL authentication for Postfix is not enabled by default.

Users of Postfix are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the postfix service will be restarted automatically.

SL4:
  x86_64
    postfix-2.2.10-1.5.el4.x86_64.rpm
    postfix-pflogsumm-2.2.10-1.5.el4.x86_64.rpm
    postfix-debuginfo-2.2.10-1.5.el4.x86_64.rpm
  i386
    postfix-2.2.10-1.5.el4.i386.rpm
    postfix-pflogsumm-2.2.10-1.5.el4.i386.rpm
    postfix-debuginfo-2.2.10-1.5.el4.i386.rpm

SL5:
  x86_64
    postfix-2.3.3-2.3.el5_6.x86_64.rpm
    postfix-pflogsumm-2.3.3-2.3.el5_6.x86_64.rpm
    postfix-debuginfo-2.3.3-2.3.el5_6.x86_64.rpm
  i386
    postfix-2.3.3-2.3.el5_6.i386.rpm
    postfix-pflogsumm-2.3.3-2.3.el5_6.i386.rpm
    postfix-debuginfo-2.3.3-2.3.el5_6.i386.rpm

- Scientific Linux Development Team
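The two questions an administrator has to answer from this advisory are whether Cyrus SASL is actually enabled in smtpd (otherwise the flaw is not reachable) and whether the installed postfix package is at or above the fixed build. The script below is an added example and is not part of the Scientific Linux advisory. It assumes only rpm, postconf and awk; the fixed version-release strings are the ones from the package list above, and the main.cf parsing assumes plain "name = value" lines as printed by "postconf -n".

```shell
#!/bin/sh
# Added example (not part of the Scientific Linux advisory): check whether a host is
# exposed to CVE-2011-1720 and whether its postfix package is at or above the fixed
# build. Fixed version-release strings are taken from the advisory's package list.
fixed_el4="2.2.10-1.5.el4"
fixed_el5="2.3.3-2.3.el5_6"

# vercmp A B: print -1, 0 or 1 after comparing the numeric fields of two
# version-release strings field by field (runs of non-digits are separators,
# so "2.3.3-2.3.el5_6" compares as 2 3 3 2 3 5 6; missing fields count as 0).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# postfix_fixed INSTALLED DIST: succeed if INSTALLED (version-release as printed by
# rpm) is at or above the fixed build for DIST, which is el4 or el5.
postfix_fixed() {
    case "$2" in
        el4) fixed=$fixed_el4 ;;
        el5) fixed=$fixed_el5 ;;
        *) echo "postfix_fixed: unknown dist '$2'" >&2; return 2 ;;
    esac
    [ "$(vercmp "$1" "$fixed")" -ge 0 ]
}

# cf_value TEXT PARAM: print the last value assigned to PARAM in main.cf-style TEXT
# (as produced by "postconf -n"); prints nothing if PARAM is not set.
cf_value() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { i = index($0, "="); if (i == 0) next
          k = substr($0, 1, i - 1); gsub(/[ \t]/, "", k)
          if (k != p) next
          v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); last = v }
        END { print last }'
}

# sasl_exposed TEXT: succeed if the configuration enables Cyrus SASL in smtpd.
# Postfix 2.2 (SL4) only supports Cyrus SASL; Postfix 2.3 (SL5) added smtpd_sasl_type
# with the default "cyrus", so an unset smtpd_sasl_type is treated as cyrus.
sasl_exposed() {
    enabled=$(cf_value "$1" smtpd_sasl_auth_enable)
    sasl_type=$(cf_value "$1" smtpd_sasl_type)
    [ "$enabled" = "yes" ] && [ "${sasl_type:-cyrus}" = "cyrus" ]
}

# Live mode (run as "sh check_postfix.sh live"): assumes rpm and postconf on PATH.
if [ "${1-}" = "live" ]; then
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' postfix)
    case "$inst" in *.el4*) dist=el4 ;; *.el5*) dist=el5 ;; *) dist=unknown ;; esac
    if sasl_exposed "$(postconf -n)"; then
        echo "smtpd has Cyrus SASL enabled: CVE-2011-1720 applies to this host"
    else
        echo "Cyrus SASL not enabled in smtpd: not affected by CVE-2011-1720"
    fi
    if postfix_fixed "$inst" "$dist"; then
        echo "postfix-$inst is at or above the fixed build"
    else
        echo "postfix-$inst needs the update"
    fi
fi
```

The version comparison is deliberately numeric-field based rather than a string compare, so "2.2.10" correctly sorts above "2.2.9" and the "el5_6" suffix is handled without special cases. On a host where smtpd_sasl_auth_enable is "no" the crash is not reachable, but the package should still be updated so the exposure does not appear silently when SASL is turned on later.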