Another security update for Postfix
The open source mail transfer agent Postfix has received another security update. The update is specifically for Postfix 2.4 and later running on Linux 2.6 kernels, where a denial of service vulnerability has been found. Just over two weeks have passed since the last security update for Postfix.
The issue is, according to the advisory, down to a leak in file descriptors in the epoll call when non-Postfix commands are executed from, for example, a user's .forward file. An attack could result in reduced performance or an automatic shutdown when internal safety mechanisms in Postfix detect a problem.
BSD and Solaris systems are unaffected by the issue because they use different mechanisms for high-speed I/O. A workaround is detailed in the advisory, and new versions of Postfix, 2.4.9, 2.5.5, and 2.6-20080902, are available on the Postfix site.
(djwm)