{ "document": { "aggregate_severity": { "text": "Medium" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/debian10els/vex/2023/cve-2023-51764-els_os-debian10els.json" } ], "tracking": { "current_release_date": "2026-06-13T00:08:16Z", "generator": { "date": "2026-06-13T00:08:16Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2023-51764-ELS_OS-DEBIAN10ELS", "initial_release_date": "2023-12-24T05:15:00Z", "revision_history": [ { "date": "2023-12-24T05:15:00Z", "number": "1", "summary": "Initial version" }, { "date": "2026-06-13T00:08:16Z", "number": "2", "summary": "Official Publication" } ], "status": "final", "version": "2" }, "title": "Security update on CVE-2023-51764" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Debian 10", "product": { "name": "Debian 10", "product_id": "Debian-10", "product_identification_helper": { "cpe": "cpe:2.3:o:debian:debian_linux:10:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Debian" }, { "branches": [ { "category": "product_version", "name": "postfix-mysql-0:3.4.23-0+deb10u2.amd64", "product": { "name": "postfix-mysql-0:3.4.23-0+deb10u2.amd64", "product_id": "postfix-mysql-0:3.4.23-0+deb10u2.amd64", "product_identification_helper": { "purl": "pkg:deb/debian/postfix-mysql@3.4.23-0%2Bdeb10u2?arch=amd64" } } }, { "category": "product_version", "name": "postfix-ldap-0:3.4.23-0+deb10u2.amd64", "product": { "name": "postfix-ldap-0:3.4.23-0+deb10u2.amd64", "product_id": "postfix-ldap-0:3.4.23-0+deb10u2.amd64", "product_identification_helper": { "purl": "pkg:deb/debian/postfix-ldap@3.4.23-0%2Bdeb10u2?arch=amd64" } } }, { "category": "product_version", "name": "postfix-cdb-0:3.4.23-0+deb10u2.amd64", "product": { "name": "postfix-cdb-0:3.4.23-0+deb10u2.amd64", "product_id": "postfix-cdb-0:3.4.23-0+deb10u2.amd64", "product_identification_helper": { "purl": "pkg:deb/debian/postfix-cdb@3.4.23-0%2Bdeb10u2?arch=amd64" } } }, { "category": "product_version", "name": "postfix-lmdb-0:3.4.23-0+deb10u2.amd64", "product": { "name": "postfix-lmdb-0:3.4.23-0+deb10u2.amd64", "product_id": "postfix-lmdb-0:3.4.23-0+deb10u2.amd64", "product_identification_helper": { "purl": "pkg:deb/debian/postfix-lmdb@3.4.23-0%2Bdeb10u2?arch=amd64" } } }, { "category": "product_version", "name": "postfix-sqlite-0:3.4.23-0+deb10u2.amd64", "product": { "name": "postfix-sqlite-0:3.4.23-0+deb10u2.amd64", "product_id": "postfix-sqlite-0:3.4.23-0+deb10u2.amd64", "product_identification_helper": { "purl": "pkg:deb/debian/postfix-sqlite@3.4.23-0%2Bdeb10u2?arch=amd64" } } }, { "category": "product_version", "name": "postfix-pcre-0:3.4.23-0+deb10u2.amd64", "product": { "name": "postfix-pcre-0:3.4.23-0+deb10u2.amd64", "product_id": "postfix-pcre-0:3.4.23-0+deb10u2.amd64", "product_identification_helper": { "purl": "pkg:deb/debian/postfix-pcre@3.4.23-0%2Bdeb10u2?arch=amd64" } } }, { "category": "product_version", "name": "postfix-0:3.4.23-0+deb10u2.amd64", "product": { "name": "postfix-0:3.4.23-0+deb10u2.amd64", "product_id": "postfix-0:3.4.23-0+deb10u2.amd64", "product_identification_helper": { "purl": "pkg:deb/debian/postfix@3.4.23-0%2Bdeb10u2?arch=amd64" } } }, { "category": "product_version", "name": "postfix-pgsql-0:3.4.23-0+deb10u2.amd64", "product": { "name": "postfix-pgsql-0:3.4.23-0+deb10u2.amd64", "product_id": "postfix-pgsql-0:3.4.23-0+deb10u2.amd64", "product_identification_helper": { "purl": "pkg:deb/debian/postfix-pgsql@3.4.23-0%2Bdeb10u2?arch=amd64" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "postfix-doc-0:3.4.23-0+deb10u2.all", "product": { "name": "postfix-doc-0:3.4.23-0+deb10u2.all", "product_id": "postfix-doc-0:3.4.23-0+deb10u2.all", "product_identification_helper": { "purl": "pkg:deb/debian/postfix-doc@3.4.23-0%2Bdeb10u2?arch=all" } } } ], "category": "architecture", "name": "all" } ], "category": "vendor", "name": "Software in the Public Interest, Inc." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "postfix-mysql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product": { "name": "postfix-mysql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_id": "postfix-mysql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/postfix-mysql@3.4.23-0%2Bdeb10u2%2Btuxcare.els1?arch=amd64" } } }, { "category": "product_version", "name": "postfix-ldap-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product": { "name": "postfix-ldap-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_id": "postfix-ldap-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/postfix-ldap@3.4.23-0%2Bdeb10u2%2Btuxcare.els1?arch=amd64" } } }, { "category": "product_version", "name": "postfix-cdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product": { "name": "postfix-cdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_id": "postfix-cdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/postfix-cdb@3.4.23-0%2Bdeb10u2%2Btuxcare.els1?arch=amd64" } } }, { "category": "product_version", "name": "postfix-lmdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product": { "name": "postfix-lmdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_id": "postfix-lmdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/postfix-lmdb@3.4.23-0%2Bdeb10u2%2Btuxcare.els1?arch=amd64" } } }, { "category": "product_version", "name": "postfix-sqlite-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product": { "name": "postfix-sqlite-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_id": "postfix-sqlite-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/postfix-sqlite@3.4.23-0%2Bdeb10u2%2Btuxcare.els1?arch=amd64" } } }, { "category": "product_version", "name": "postfix-pcre-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product": { "name": "postfix-pcre-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_id": "postfix-pcre-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/postfix-pcre@3.4.23-0%2Bdeb10u2%2Btuxcare.els1?arch=amd64" } } }, { "category": "product_version", "name": "postfix-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product": { "name": "postfix-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_id": "postfix-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/postfix@3.4.23-0%2Bdeb10u2%2Btuxcare.els1?arch=amd64" } } }, { "category": "product_version", "name": "postfix-pgsql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product": { "name": "postfix-pgsql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_id": "postfix-pgsql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/postfix-pgsql@3.4.23-0%2Bdeb10u2%2Btuxcare.els1?arch=amd64" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "postfix-doc-0:3.4.23-0+deb10u2+tuxcare.els1.all", "product": { "name": "postfix-doc-0:3.4.23-0+deb10u2+tuxcare.els1.all", "product_id": "postfix-doc-0:3.4.23-0+deb10u2+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/tuxcare/postfix-doc@3.4.23-0%2Bdeb10u2%2Btuxcare.els1?arch=all" } } } ], "category": "architecture", "name": "all" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "postfix-mysql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-mysql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64" }, "product_reference": "postfix-mysql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-mysql-0:3.4.23-0+deb10u2.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-mysql-0:3.4.23-0+deb10u2.amd64" }, "product_reference": "postfix-mysql-0:3.4.23-0+deb10u2.amd64", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-ldap-0:3.4.23-0+deb10u2+tuxcare.els1.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-ldap-0:3.4.23-0+deb10u2+tuxcare.els1.amd64" }, "product_reference": "postfix-ldap-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-ldap-0:3.4.23-0+deb10u2.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-ldap-0:3.4.23-0+deb10u2.amd64" }, "product_reference": "postfix-ldap-0:3.4.23-0+deb10u2.amd64", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-cdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-cdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64" }, "product_reference": "postfix-cdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-cdb-0:3.4.23-0+deb10u2.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-cdb-0:3.4.23-0+deb10u2.amd64" }, "product_reference": "postfix-cdb-0:3.4.23-0+deb10u2.amd64", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-doc-0:3.4.23-0+deb10u2+tuxcare.els1.all as a component of Debian 10", "product_id": "Debian-10:postfix-doc-0:3.4.23-0+deb10u2+tuxcare.els1.all" }, "product_reference": "postfix-doc-0:3.4.23-0+deb10u2+tuxcare.els1.all", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-doc-0:3.4.23-0+deb10u2.all as a component of Debian 10", "product_id": "Debian-10:postfix-doc-0:3.4.23-0+deb10u2.all" }, "product_reference": "postfix-doc-0:3.4.23-0+deb10u2.all", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-lmdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-lmdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64" }, "product_reference": "postfix-lmdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-lmdb-0:3.4.23-0+deb10u2.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-lmdb-0:3.4.23-0+deb10u2.amd64" }, "product_reference": "postfix-lmdb-0:3.4.23-0+deb10u2.amd64", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-sqlite-0:3.4.23-0+deb10u2+tuxcare.els1.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-sqlite-0:3.4.23-0+deb10u2+tuxcare.els1.amd64" }, "product_reference": "postfix-sqlite-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-sqlite-0:3.4.23-0+deb10u2.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-sqlite-0:3.4.23-0+deb10u2.amd64" }, "product_reference": "postfix-sqlite-0:3.4.23-0+deb10u2.amd64", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-pcre-0:3.4.23-0+deb10u2+tuxcare.els1.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-pcre-0:3.4.23-0+deb10u2+tuxcare.els1.amd64" }, "product_reference": "postfix-pcre-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-pcre-0:3.4.23-0+deb10u2.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-pcre-0:3.4.23-0+deb10u2.amd64" }, "product_reference": "postfix-pcre-0:3.4.23-0+deb10u2.amd64", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-0:3.4.23-0+deb10u2+tuxcare.els1.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-0:3.4.23-0+deb10u2+tuxcare.els1.amd64" }, "product_reference": "postfix-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-0:3.4.23-0+deb10u2.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-0:3.4.23-0+deb10u2.amd64" }, "product_reference": "postfix-0:3.4.23-0+deb10u2.amd64", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-pgsql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-pgsql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64" }, "product_reference": "postfix-pgsql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "postfix-pgsql-0:3.4.23-0+deb10u2.amd64 as a component of Debian 10", "product_id": "Debian-10:postfix-pgsql-0:3.4.23-0+deb10u2.amd64" }, "product_reference": "postfix-pgsql-0:3.4.23-0+deb10u2.amd64", "relates_to_product_reference": "Debian-10" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-51764", "cwe": { "id": "CWE-345", "name": "Insufficient Verification of Data Authenticity" }, "notes": [ { "category": "description", "text": "Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports . but some other popular e-mail servers do not. To prevent attack variants (by always disallowing without ), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "Debian-10:postfix-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-cdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-cdb-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-doc-0:3.4.23-0+deb10u2+tuxcare.els1.all", "Debian-10:postfix-doc-0:3.4.23-0+deb10u2.all", "Debian-10:postfix-ldap-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-ldap-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-lmdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-lmdb-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-mysql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-mysql-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-pcre-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-pcre-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-pgsql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-pgsql-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-sqlite-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-sqlite-0:3.4.23-0+deb10u2.amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2023-51764" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/12/24/1", "url": "http://www.openwall.com/lists/oss-security/2023/12/24/1" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/12/25/1", "url": "http://www.openwall.com/lists/oss-security/2023/12/25/1" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2024/05/09/3", "url": "http://www.openwall.com/lists/oss-security/2024/05/09/3" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2023-51764", "url": "https://access.redhat.com/security/cve/CVE-2023-51764" }, { "category": "external", "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2255563", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255563" }, { "category": "external", "summary": "https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11782.html", "url": "https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11782.html" }, { "category": "external", "summary": "https://github.com/duy-31/CVE-2023-51764", "url": "https://github.com/duy-31/CVE-2023-51764" }, { "category": "external", "summary": "https://github.com/eeenvik1/CVE-2023-51764", "url": "https://github.com/eeenvik1/CVE-2023-51764" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2024/01/msg00020.html", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00020.html" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JQ5WXFCW2N6G2PH3JXDTYW5PH5EBQEGO/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JQ5WXFCW2N6G2PH3JXDTYW5PH5EBQEGO/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRLF5SOS7TP5N7FQSEK2NFNB44ISVTZC/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRLF5SOS7TP5N7FQSEK2NFNB44ISVTZC/" }, { "category": "external", "summary": "https://lwn.net/Articles/956533/", "url": "https://lwn.net/Articles/956533/" }, { "category": "external", "summary": "https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/", "url": "https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2024/01/22/1", "url": "https://www.openwall.com/lists/oss-security/2024/01/22/1" }, { "category": "external", "summary": "https://www.postfix.org/announcements/postfix-3.8.5.html", "url": "https://www.postfix.org/announcements/postfix-3.8.5.html" }, { "category": "external", "summary": "https://www.postfix.org/smtp-smuggling.html", "url": "https://www.postfix.org/smtp-smuggling.html" }, { "category": "external", "summary": "https://www.youtube.com/watch?v=V8KPV96g1To", "url": "https://www.youtube.com/watch?v=V8KPV96g1To" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQ5WXFCW2N6G2PH3JXDTYW5PH5EBQEGO/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQ5WXFCW2N6G2PH3JXDTYW5PH5EBQEGO/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRLF5SOS7TP5N7FQSEK2NFNB44ISVTZC/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRLF5SOS7TP5N7FQSEK2NFNB44ISVTZC/" } ], "release_date": "2023-12-24T05:15:00Z", "remediations": [ { "category": "no_fix_planned", "date": "2026-06-12T12:56:30.788755Z", "details": "This flaw only affects systems acting as Internet‑facing MTAs that accept unauthenticated SMTP and relies on an inter‑server parsing discrepancy to smuggle a second message; it does not enable code execution, data exposure, or privilege escalation on the Postfix host, making the direct host impact low. Postfix instances used strictly as local relays or bound to localhost/internal networks are not reachable for this remote attack and therefore fall out of scope. Moreover, Postfix provides server‑side options that eliminate this behavior (e.g., forbidding bare newlines or rejecting unauthenticated pipelining), so any residual exposure is easy to neutralize, justifying deprioritization.", "product_ids": [ "Debian-10:postfix-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-cdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-cdb-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-doc-0:3.4.23-0+deb10u2+tuxcare.els1.all", "Debian-10:postfix-doc-0:3.4.23-0+deb10u2.all", "Debian-10:postfix-ldap-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-ldap-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-lmdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-lmdb-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-mysql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-mysql-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-pcre-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-pcre-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-pgsql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-pgsql-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-sqlite-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-sqlite-0:3.4.23-0+deb10u2.amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "Debian-10:postfix-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-cdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-cdb-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-doc-0:3.4.23-0+deb10u2+tuxcare.els1.all", "Debian-10:postfix-doc-0:3.4.23-0+deb10u2.all", "Debian-10:postfix-ldap-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-ldap-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-lmdb-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-lmdb-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-mysql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-mysql-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-pcre-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-pcre-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-pgsql-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-pgsql-0:3.4.23-0+deb10u2.amd64", "Debian-10:postfix-sqlite-0:3.4.23-0+deb10u2+tuxcare.els1.amd64", "Debian-10:postfix-sqlite-0:3.4.23-0+deb10u2.amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] } ] }