ALAS-2024-495

Amazon Linux 2023 Security Advisory: ALAS-2024-495
Advisory Release Date: 2024-01-19 01:31 Pacific
Advisory Updated Date: 2024-01-22 20:30 Pacific
Severity: Important
Issue Overview:

Postfix through 3.8.4 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required: the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9. (CVE-2023-51764)


Affected Packages:

postfix


Issue Correction:
Run dnf update postfix --releasever 2023.3.20240122 to update your system.

New Packages:
aarch64:
    postfix-cdb-debuginfo-3.7.2-4.amzn2023.0.5.aarch64
    postfix-sqlite-3.7.2-4.amzn2023.0.5.aarch64
    postfix-sqlite-debuginfo-3.7.2-4.amzn2023.0.5.aarch64
    postfix-pcre-debuginfo-3.7.2-4.amzn2023.0.5.aarch64
    postfix-perl-scripts-3.7.2-4.amzn2023.0.5.aarch64
    postfix-pgsql-3.7.2-4.amzn2023.0.5.aarch64
    postfix-lmdb-3.7.2-4.amzn2023.0.5.aarch64
    postfix-mysql-debuginfo-3.7.2-4.amzn2023.0.5.aarch64
    postfix-lmdb-debuginfo-3.7.2-4.amzn2023.0.5.aarch64
    postfix-mysql-3.7.2-4.amzn2023.0.5.aarch64
    postfix-ldap-3.7.2-4.amzn2023.0.5.aarch64
    postfix-debuginfo-3.7.2-4.amzn2023.0.5.aarch64
    postfix-pcre-3.7.2-4.amzn2023.0.5.aarch64
    postfix-ldap-debuginfo-3.7.2-4.amzn2023.0.5.aarch64
    postfix-pgsql-debuginfo-3.7.2-4.amzn2023.0.5.aarch64
    postfix-cdb-3.7.2-4.amzn2023.0.5.aarch64
    postfix-debugsource-3.7.2-4.amzn2023.0.5.aarch64
    postfix-3.7.2-4.amzn2023.0.5.aarch64

src:
    postfix-3.7.2-4.amzn2023.0.5.src

x86_64:
    postfix-mysql-debuginfo-3.7.2-4.amzn2023.0.5.x86_64
    postfix-ldap-debuginfo-3.7.2-4.amzn2023.0.5.x86_64
    postfix-perl-scripts-3.7.2-4.amzn2023.0.5.x86_64
    postfix-cdb-debuginfo-3.7.2-4.amzn2023.0.5.x86_64
    postfix-sqlite-3.7.2-4.amzn2023.0.5.x86_64
    postfix-pcre-3.7.2-4.amzn2023.0.5.x86_64
    postfix-pgsql-3.7.2-4.amzn2023.0.5.x86_64
    postfix-sqlite-debuginfo-3.7.2-4.amzn2023.0.5.x86_64
    postfix-ldap-3.7.2-4.amzn2023.0.5.x86_64
    postfix-pcre-debuginfo-3.7.2-4.amzn2023.0.5.x86_64
    postfix-pgsql-debuginfo-3.7.2-4.amzn2023.0.5.x86_64
    postfix-lmdb-3.7.2-4.amzn2023.0.5.x86_64
    postfix-lmdb-debuginfo-3.7.2-4.amzn2023.0.5.x86_64
    postfix-cdb-3.7.2-4.amzn2023.0.5.x86_64
    postfix-mysql-3.7.2-4.amzn2023.0.5.x86_64
    postfix-3.7.2-4.amzn2023.0.5.x86_64
    postfix-debuginfo-3.7.2-4.amzn2023.0.5.x86_64
    postfix-debugsource-3.7.2-4.amzn2023.0.5.x86_64

Additional References

Red Hat: CVE-2023-51764

Mitre: CVE-2023-51764