ALAS2023-2024-495 --- postfixID: oval:org.secpod.oval:def:19500583 | Date: (C)2024-02-13 (M)2024-06-17 |
Class: PATCH | Family: unix |
Postfix through 3.8.4 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking . Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports less than LF greater than .less than CR greater than less than LF greater than but some other popular e-mail servers do not. To prevent attack variants , a different solution is required: the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9
Platform: |
Amazon Linux 2023 |