bernhard: doc/www/src/security kolab-vendor-notice-08.txt,NONE,1.1

[cvs at intevation.de]

Author: bernhard

Update of /kolabrepository/doc/www/src/security
In directory doto:/tmp/cvs-serv22675

Added Files:
	kolab-vendor-notice-08.txt 
Log Message:
Added kolab-vendor-notice-08 draft.


--- NEW FILE: kolab-vendor-notice-08.txt ---
Kolab Security Issue 08 20060113
================================

Package:              Kolab Server
Vulnerability:        Verbose logging for connections to port 465 (ssmtp)
		      includes the credentials of the connecting users.
		      Passwords might leak through this.
Kolab Specific:       yes
Impact:               high


Details
-------

Clients that connect to port 465 for secure SMTP and try to authenticate 
itself, will have the credentials logged in /kolab/var/postfix/log/postfix.log.
To make use of this, other untrusted unix users must exist on the server
machine that find can read the file. 
In this case the clear text user passwords can be learned from the logfile.

Note that usually postfix.log is world readable with permissions 0644.
You can change this with chmod and in /kolab/etc/fsl/fsl.postfix.

Affected Versions
-----------------

Vulnerable: Stable Kolab Servers 2.0.1 2.0.2  
Untested: Kolab Server 2.0

Vulnerable: Development Kolab Servers <= pre-2.1-20051215

Fixes
-----

Upgrade to Kolab Server 2.0.3

Alternatively: Remove the "-v" option from the line starting with "465"
in the master.cf.template and then run kolabconf to refresh postfix.

Timeline
--------
2005-11-02 Issue968 was filed, assumed logging only on failure.
2005-12-19 Discovered that logging happened alway.
2006-01-04 Security implications of world readable logfile noticed.
2006-01-11 Analysis, fix and new server release with fix.
2006-01-13 Advisory published.