Postgrey logging function denial of service

postgrey-logging-dos (20108) The risk level is classified as LowLow Risk

Description:

Postgrey is vulnerable to a denial of service attack caused by a format string vulnerability in the logging functionality. A remote attacker could send an email containing a specially-crafted sender address to cause the system to crash.

Platforms Affected:

  • David Schweikert, Postgrey 1.16
  • David Schweikert, Postgrey 1.17
  • David Schweikert, Postgrey 1.18
  • Debian, Debian Linux 3.1
  • Gentoo, Linux
  • MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
  • MandrakeSoft, Mandrake Linux Corporate Server 3.0

Remedy:

Upgrade to the latest version of Postgrey (1.2.1 or later), available from the Postgrey Index Web page. See References.

For Debian GNU/Linux:
Refer to DSA-1121-1 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 200608-18 for patch, upgrade, or suggested workaround information. See References.

Consequences:

Denial of Service

References:

  • Postgrey Index Web page, Index of /tools/postgrey/pub at http://isg.ee.ethz.ch/tools/postgrey/pub/.
  • Postgrey Web page, Postgrey - Postfix Greylisting Policy Server at http://isg.ee.ethz.ch/tools/postgrey/.
  • BID-13193: Rob Brown Net-Server Perl Module Logging Function Format String Vulnerability
  • CVE-2005-1127: Format string vulnerability in the log function in Net::Server 0.87 and earlier, as used in Postfix Greylisting Policy Server (Postgrey) 1.18 and earlier, and possibly other products, allows remote attackers to cause a denial of service (crash) via format string specifiers that are not properly handled before being sent to syslog, as demonstrated using sender addresses to Postgrey.
  • DSA-1121: postgrey -- format string
  • DSA-1122: libnet-server-perl -- format string
  • GLSA-200608-18: Net::Server: Format string vulnerability
  • MDKSA-2006:131: Updated perl-Net-Server packages fix format string vulnerability
  • OSVDB ID: 15517: Net::Server Logging Function Format String DoS
  • SA14958: Postgrey Format String Denial of Service Vulnerability
  • SA21149: Net::Server Log Format String Vulnerability
  • SUSE-SR:2005:015: SUSE Security Summary Report
  • SUSE-SR:2005:016: SUSE Security Summary Report
  • SUSE-SR:2005:017: SUSE Security Summary Report

Reported:

Apr 15, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page