[Bug 219996] mail/postfix: Update to 3.2.2 (security fix)

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Jun 14 20:55:29 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219996

            Bug ID: 219996
           Summary: mail/postfix: Update to 3.2.2 (security fix)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: http://www.postfix.org/announcements/postfix-3.2.2.html
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ohauer at FreeBSD.org
          Reporter: rootservice at gmail.com
             Flags: maintainer-feedback?(ohauer at FreeBSD.org)

Postfix 3.2.2 was released yesterday to address a security issue due to an
undocumented feature of Berkeley DB.

Quote from http://www.postfix.org/announcements/postfix-3.2.2.html


Fixed in all supported releases:

Security: Berkeley DB versions 2 and later try to read settings from a file
DB_CONFIG in the current directory. This undocumented feature may introduce
undisclosed vulnerabilities resulting in privilege escalation with Postfix
set-gid programs (postdrop, postqueue) before they chdir to the Postfix queue
directory, and with the postmap and postalias commands depending on whether the
user's current directory is writable by other users. This fix does not change
Postfix behavior for Berkeley DB versions < 3, but it does reduce postmap and
postalias 'create' performance with Berkeley DB versions 3.0 .. 4.6.

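A pre-flight check for the exposure the quoted announcement describes, as an added example that is not part of the bug report or of Postfix. The function name `check_db_config_dir` and its exit codes are this example's own; it flags a working directory that already holds a DB_CONFIG entry or that other users can write to, the two conditions the announcement names for postmap and postalias.

```shell
#!/bin/sh
# Added example (not Postfix or FreeBSD code).
# check_db_config_dir [DIR]   (name and exit codes are this example's own)
#   Inspects DIR (default: current directory) before a Berkeley DB client
#   such as postmap or postalias is run from it.
#   Prints one finding per line.
#   Exit status: 0 = no finding, 1 = at least one finding, 2 = DIR unusable.
check_db_config_dir() {
    # Resolve to an absolute physical path so later tests see the real directory.
    dir=$(cd -- "${1:-.}" 2>/dev/null && pwd -P) || {
        echo "error: cannot enter ${1:-.}" >&2
        return 2
    }
    findings=0

    # Berkeley DB versions 2 and later try to read DB_CONFIG from the current
    # directory. -L also catches a dangling symlink with that name.
    if [ -e "$dir/DB_CONFIG" ] || [ -L "$dir/DB_CONFIG" ]; then
        echo "DB_CONFIG present: $dir/DB_CONFIG"
        findings=1
    fi

    # Group- or world-writable directory: another user could create DB_CONFIG
    # here later. -prune makes find test only the directory itself. A sticky
    # bit (as on /tmp) does not prevent creating new files, so it still counts.
    if [ -n "$(find "$dir" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
        echo "directory writable by other users: $dir"
        findings=1
    fi

    return "$findings"
}
```

Calling it on the directory a map rebuild is started from, and refusing to continue on a non-zero status, covers hosts still running a Postfix release older than the fixed one.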