Project: RHEL
Issue: RHEL-20740

Backport Postfix features smtpd_forbid_unauth_pipelining and smtpd_forbid_bare_newline_exclusions (for CVE-2023-51764)


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Minor
    • rhel-8.9.0, CentOS Stream 8, CentOS Stream 9, rhel-9.3.0
    • postfix
    • Moderate
    • rhel-net-perf
    • ssg_core_services
    • Red Hat Enterprise Linux
    • All

      Hi

      See https://www.postfix.org/smtp-smuggling.html and CVE-2023-51764

      A recent SMTP security issue that has been fixed in all supported Postfix versions.

      However, versions 3.5.8 and 3.5.9 shipped with RHEL 8 and 9 don't have the optional new "smtpd_forbid_unauth_pipelining" and "smtpd_forbid_bare_newline_exclusions" features yet.

      (and the alternative "smtpd_data_restrictions = reject_unauth_pipelining" is not 100% equivalent).

      Unless you're planning to rebase Postfix (to at least version 3.5.23), could you consider backporting these two new features? They are disabled by default in Postfix versions < 3.9, so no change in behaviour unless explicitly configured.

      Thanks
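For reference, an added main.cf fragment (not part of the issue, and not the Postfix project's own example) contrasting the interim setting available on the RHEL builds with the full mitigation once the backported parameters exist. Parameter names are those documented on the Postfix smtp-smuggling page linked above; the `$mynetworks` exclusion value is the Postfix default, and the full-mitigation block assumes Postfix 3.5.23 or later (or a RHEL build carrying the backport).

```conf
# Postfix main.cf, added example (not from the issue).

# Option A: interim setting on RHEL 8/9 Postfix 3.5.8 / 3.5.9 without the
# backport. Rejects DATA from clients that pipelined it without waiting for
# the server's reply, but (as the issue notes) it is not equivalent to the
# two new parameters and does nothing about bare <LF> line endings.
smtpd_data_restrictions = reject_unauth_pipelining

# Option B: full mitigation where the parameters exist (Postfix >= 3.5.23).
# Disconnect clients that send commands before the server's reply is due.
smtpd_forbid_unauth_pipelining = yes
# Reject message lines that end in a bare <LF> instead of <CR><LF>, so a
# "<LF>.<LF>" sequence is not treated as end-of-data.
smtpd_forbid_bare_newline = yes
# Clients exempt from the bare-newline check (default: $mynetworks).
smtpd_forbid_bare_newline_exclusions = $mynetworks
```

Option A can remain in place alongside Option B; on a build that lacks the new parameters, Postfix logs an "unused parameter" warning for them and they have no effect, which is a quick way to confirm whether the backport is present (`postconf -n` after a reload).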

              Jaroslav Škarvada (jskarvad)
              Stef Van Dessel (telenetnas, Inactive)
              Robin Hack