Package: postfix
Version: 2.9.6-2
Severity: important
Tags: patch upstream
>From the HISTORY file for 3.2.2:
20170611
Security: Berkeley DB 2 and later try to read settings from
a file DB_CONFIG in the current directory. This undocumented
feature may introduce undisclosed vulnerabilities resulting
in privilege escalation with Postfix set-gid programs
(postdrop, postqueue) before they chdir to the Postfix queue
directory, and with the postmap and postalias commands
depending on whether the user's current directory is writable
by other users. This fix does not change Postfix behavior
for Berkeley DB < 3, but reduces file create performance
for Berkeley DB 3 .. 4.6. File: util/dict_db.c.
For reference, the patch for postfix 3.2 can be found here:
https://git.launchpad.net/postfix/commit/?h=stable/v3.2&id=308925894ca444766f485f247ec3a1103d949e8f
This is known to affect stretch and jessie and upstream has also
released updates for the postfix versions they include. The version in
wheezy is likely affected, but it is no longer supported by upstream and
I lack the time to check. The LTS team is welcome to go ahead with any
needed changes (there is a wheezy-backports package that is affected).
Scott K
