bernhard: doc/www/src/security kolab-vendor-notice-08.txt,NONE,1.1
cvs at intevation.de
Thu Jan 12 21:27:24 CET 2006
Author: bernhard
Update of /kolabrepository/doc/www/src/security
In directory doto:/tmp/cvs-serv22675
Added Files:
kolab-vendor-notice-08.txt
Log Message:
Added kolab-vendor-notice-08 draft.
--- NEW FILE: kolab-vendor-notice-08.txt ---
Kolab Security Issue 08 20060113
================================
Package: Kolab Server
Vulnerability: Verbose logging for connections to port 465 (ssmtp)
includes the credentials of the connecting users.
Passwords might leak through this.
Kolab Specific: yes
Impact: high
Details
-------
Clients that connect to port 465 for secure SMTP and try to authenticate
itself, will have the credentials logged in /kolab/var/postfix/log/postfix.log.
To make use of this, other untrusted unix users must exist on the server
machine that find can read the file.
In this case the clear text user passwords can be learned from the logfile.
Note that usually postfix.log is world readable with permissions 0644.
You can change this with chmod and in /kolab/etc/fsl/fsl.postfix.
Affected Versions
-----------------
Vulnerable: Stable Kolab Servers 2.0.1 2.0.2
Untested: Kolab Server 2.0
Vulnerable: Development Kolab Servers <= pre-2.1-20051215
Fixes
-----
Upgrade to Kolab Server 2.0.3
Alternatively: Remove the "-v" option from the line starting with "465"
in the master.cf.template and then run kolabconf to refresh postfix.
Timeline
--------
2005-11-02 Issue968 was filed, assumed logging only on failure.
2005-12-19 Discovered that logging happened alway.
2006-01-04 Security implications of world readable logfile noticed.
2006-01-11 Analysis, fix and new server release with fix.
2006-01-13 Advisory published.
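Review bot: The Fixes section only stops further logging; it gives no guidance for the passwords already written to /kolab/var/postfix/log/postfix.log, which Details says is usually world readable with permissions 0644. Suggest adding a step under Fixes to restrict or purge the existing log and to have users who authenticated on port 465 change their passwords, and moving the chmod and /kolab/etc/fsl/fsl.postfix hint from Details into Fixes, where admins will look for it. Wording to clean up before the draft is published: "try to authenticate itself" should be "themselves", "that find can read the file" has a stray "find", and "happened alway" in the Timeline should be "always". The title is dated 20060113 and the Timeline lists publication on 2006-01-13, so both need updating if the release date slips.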