Message-ID: <2429368.YF0b0QFtOe@tux.boltz.de.vu>
Date: Thu, 09 Feb 2017 00:47:08 +0100
From: Christian Boltz <oss-security@...ltz.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE request: PostfixAdmin allows to delete protected aliases

Hello,

On Tuesday, 7 February 2017, 20:12:24 CET, cve-assign@...re.org wrote:
> > https://github.com/postfixadmin/postfixadmin/pull/23
> > 
> > Thanks to a missing permission check, domain admins can delete
> > aliases they are not allowed to delete (for example abuse@, which
> > the server admin might have set up so that he gets all abuse mails).
> > 
> >> Fix security hole in AliasHandler
> 
> Use CVE-2017-5930.

Thanks!

I released PostfixAdmin 3.0.2 which includes the fix for this bug (and 
some non-security bugs).

I also submitted updated packages to openSUSE Tumbleweed, Leap 42.2 and 
42.1. (Tracking bug: https://bugzilla.opensuse.org/1024211 )


Regards,

Christian Boltz
-- 
In most cases, XSLT is good enough. But I agree, for some parts
you need Aspirin. ;-)        [Thomas Schraitle in opensuse-doc]
