Postgrey logging function denial of service

postgrey-logging-dos (20108) The risk level is classified as MediumMedium Risk

Description:

Postgrey is vulnerable to a denial of service attack caused by a format string vulnerability in the logging functionality. A remote attacker could send an email containing a specially-crafted sender address to cause the system to crash.


Consequences:

Denial of Service

Remedy:

Upgrade to the latest version of Postgrey (1.2.1 or later), available from the Postgrey Index Web page. See References.

For Debian GNU/Linux:
Refer to DSA-1121-1 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 200608-18 for patch, upgrade, or suggested workaround information. See References.

References:

  • Postgrey Index Web page: Index of /tools/postgrey/pub.
  • Postgrey Web page: Postgrey - Postfix Greylisting Policy Server.
  • BID-13193: Rob Brown Net-Server Perl Module Logging Function Format String Vulnerability
  • CVE-2005-1127: Format string vulnerability in the log function in Net::Server 0.87 and earlier, as used in Postfix Greylisting Policy Server (Postgrey) 1.18 and earlier, and possibly other products, allows remote attackers to cause a denial of service (crash) via format string specifiers that are not properly handled before being sent to syslog, as demonstrated using sender addresses to Postgrey.
  • DSA-1121: postgrey -- format string
  • DSA-1122: libnet-server-perl -- format string
  • GLSA-200608-18: Net::Server: Format string vulnerability
  • MDKSA-2006:131: Updated perl-Net-Server packages fix format string vulnerability
  • OSVDB ID: 15517: Net::Server Logging Function Format String DoS
  • SA14958: Postgrey Format String Denial of Service Vulnerability
  • SA21149: Net::Server Log Format String Vulnerability
  • SUSE-SR:2005:015: SUSE Security Summary Report
  • SUSE-SR:2005:016: SUSE Security Summary Report
  • SUSE-SR:2005:017: SUSE Security Summary Report

Platforms Affected:

  • David Schweikert Postgrey 1.16
  • David Schweikert Postgrey 1.17
  • David Schweikert Postgrey 1.18
  • Debian Debian Linux 3.1
  • Gentoo Linux
  • MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
  • MandrakeSoft Mandrake Linux Corporate Server 3.0

Reported:

Apr 15, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page