oss-sec mailing list archives
Re: CVE request: PostfixAdmin allows to delete protected aliases
From: Christian Boltz <oss-security () cboltz de>
Date: Thu, 09 Feb 2017 00:47:08 +0100
Hello,

On Tuesday, 7 February 2017, 20:12:24 CET, cve-assign () mitre org wrote:
> https://github.com/postfixadmin/postfixadmin/pull/23
>
> Thanks to a missing permission check, domain admins can delete aliases
> they are not allowed to delete (for example abuse@, which the server
> admin might have set up so that he gets all abuse mails).
>
> Fix security hole in AliasHandler
>
> Use CVE-2017-5930.

Thanks!

I released PostfixAdmin 3.0.2 which includes the fix for this bug (and some non-security bugs).

I also submitted updated packages to openSUSE Tumbleweed, Leap 42.2 and 42.1.
(Tracking bug: https://bugzilla.opensuse.org/1024211 )

Regards,

Christian Boltz
--
In most cases, XSLT is good enough. But I agree, for some parts you need Aspirin. ;-)
[Thomas Schraitle in opensuse-doc]
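A minimal sketch of the bug class described in this message (a delete path that lacks the permission check protecting aliases such as abuse@), added here as an illustration and not taken from PostfixAdmin's AliasHandler or from the poster. The class, method names, protected list and sample aliases are all hypothetical.

```php
<?php
// Added illustration with hypothetical names; not PostfixAdmin's AliasHandler.
// Constructed sample: local parts the server admin reserves for himself.
const PROTECTED_LOCAL_PARTS = ['abuse', 'postmaster'];

final class AliasStore
{
    // Constructed sample data: alias address => delivery target.
    private array $aliases = [
        'abuse@example.com' => 'root@example.net',
        'sales@example.com' => 'alice@example.com',
    ];

    public function __construct(
        private string $adminDomain,
        private bool $isSuperAdmin = false
    ) {}

    // One authorization gate shared by every state-changing operation.
    private function mayModify(string $address): bool
    {
        if ($this->isSuperAdmin) {
            return true;
        }
        [$local, $domain] = array_pad(explode('@', $address, 2), 2, '');
        return $domain === $this->adminDomain
            && !in_array($local, PROTECTED_LOCAL_PARTS, true);
    }

    // Bug class from the report: the delete path skips the gate.
    public function deleteUnchecked(string $address): bool
    {
        if (!isset($this->aliases[$address])) {
            return false;
        }
        unset($this->aliases[$address]);
        return true;
    }

    // Hardened form: check the gate before touching state.
    public function delete(string $address): bool
    {
        return $this->mayModify($address) && $this->deleteUnchecked($address);
    }
}

$domainAdmin = new AliasStore('example.com');                 // not a superadmin
var_dump($domainAdmin->delete('abuse@example.com'));          // protected alias
var_dump($domainAdmin->delete('sales@example.com'));          // ordinary alias
var_dump($domainAdmin->deleteUnchecked('abuse@example.com')); // unchecked path
```

Routing every state-changing method through one gate also gives a regression test a single place to assert that protected aliases are refused for non-superadmins.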