Obsolete postfix version exposed to the DROWN vulnerability

Asked by Cristian Balan on 2016-03-03

Hi guys,
I'm wondering why Ubuntu 14 LTS is using the postfix 2.11.0 release from January 15, 2014 when there are so many stable releases after it.
http://www.postfix.org/announcements.html

Looks like postfix 2.11.0 is vulnerable to the recently discovered DROWN
https://drownattack.com/
http://www.bbc.co.uk/news/technology-35706730

Could you please do something?

Question information

Language: English
Status: Answered
For: Ubuntu postfix
Assignee: No assignee
#1 actionparsnip (andrew-woodhead666) said:

I suggest you report a bug. Mark it as a security bug.

#2 Manfred Hampl (m-hampl) said:

What I read from https://drownattack.com/postfix.html is that the problem is solved with updated openssl (which is already done in Ubuntu, see https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0800.html ) and by adapting your postfix configuration.

I would not expect that there will be a new postfix package in Ubuntu to update the existing user configuration files. That is something that each system manager should take care of himself.
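To make the "adapt your postfix configuration" part of answer #2 concrete, here is an added example that is not code from this thread, from Ubuntu or from Postfix: a POSIX shell script that audits a main.cf for the four Postfix TLS protocol parameters and rewrites them to exclude SSLv2 and SSLv3. Assumptions not stated on the page: the parameter names are the standard Postfix ones (smtpd_tls_protocols, smtpd_tls_mandatory_protocols, smtp_tls_protocols, smtp_tls_mandatory_protocols), the inclusion/exclusion list semantics follow postconf(5) as I read it, the sample main.cf inside demo() is constructed for the demo, and the libssl package update on the OpenSSL side is only mentioned in a comment, not checked.

```shell
#!/bin/sh
# Added example, not code from the Launchpad thread or from Postfix.
# Static audit of a Postfix main.cf for the SSLv2 exposure DROWN depends on,
# plus a hardening rewrite. Assumptions: the four parameter names below are
# the standard Postfix TLS protocol parameters; main.cf uses "name = value"
# lines with the last assignment winning, as postconf(5) describes.

PARAMS="smtpd_tls_protocols smtpd_tls_mandatory_protocols smtp_tls_protocols smtp_tls_mandatory_protocols"

# cf_get FILE PARAM: print PARAM's effective value (last assignment wins),
# or nothing when the file never sets it.
cf_get() {
    awk -v p="$2" '
        $0 ~ ("^" p "[ \t]*=") { v = $0; sub(/^[^=]*=[ \t]*/, "", v) }
        END { print v }' "$1"
}

# protocol_disabled VALUE PROTO: succeed if the lowercase protocol name PROTO
# is off under VALUE. Postfix accepts an exclusion list ("!SSLv2, !SSLv3") or
# an inclusion list ("TLSv1, TLSv1.2"); the protocol is off when explicitly
# excluded, or when an inclusion list exists and omits it.
protocol_disabled() {
    explicit_off=1; has_include=1; included=1
    for tok in $(printf '%s' "$1" | tr 'A-Z,' 'a-z '); do
        case "$tok" in
            "!$2")  explicit_off=0 ;;
            "!"*)   ;;
            "$2")   has_include=0; included=0 ;;
            *)      has_include=0 ;;
        esac
    done
    if [ "$explicit_off" -eq 0 ]; then return 0; fi
    if [ "$has_include" -eq 0 ] && [ "$included" -ne 0 ]; then return 0; fi
    return 1
}

# audit_main_cf FILE: report each parameter; succeed only if all four disable
# both SSLv2 and SSLv3. An unset parameter counts as a finding: it falls back
# to the compiled-in default, which differs between Postfix versions, so the
# value is set explicitly rather than trusted.
audit_main_cf() {
    rc=0
    for p in $PARAMS; do
        v=$(cf_get "$1" "$p")
        if [ -z "$v" ]; then
            echo "FAIL $p: not set, built-in default would apply"
            rc=1
        elif protocol_disabled "$v" sslv2 && protocol_disabled "$v" sslv3; then
            echo "ok   $p = $v"
        else
            echo "FAIL $p = $v: SSLv2 and/or SSLv3 still enabled"
            rc=1
        fi
    done
    return $rc
}

# harden_main_cf IN OUT: write OUT as IN with the four parameters forced to
# "!SSLv2, !SSLv3". On a live box the equivalent is one
#   postconf -e 'smtpd_tls_protocols = !SSLv2, !SSLv3'
# per parameter followed by "postfix reload". The OpenSSL half of the fix is
# the libssl package update tracked on the CVE-2016-0800 page linked above.
harden_main_cf() {
    grep -Ev '^(smtpd_tls_protocols|smtpd_tls_mandatory_protocols|smtp_tls_protocols|smtp_tls_mandatory_protocols)[[:space:]]*=' "$1" > "$2" || true
    for p in $PARAMS; do
        echo "$p = !SSLv2, !SSLv3" >> "$2"
    done
}

# demo: audit a constructed trusty-style main.cf in which only one protocol
# parameter was ever touched, harden it, and audit the result.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/weak.cf" <<'EOF'
myhostname = mail.example.org
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtp_tls_mandatory_protocols = !SSLv2
EOF
    echo "--- before"
    if audit_main_cf "$dir/weak.cf"; then
        echo "unexpected: weak config passed"; rm -rf "$dir"; return 1
    fi
    harden_main_cf "$dir/weak.cf" "$dir/hardened.cf"
    echo "--- after"
    if audit_main_cf "$dir/hardened.cf"; then st=0; else st=1; fi
    rm -rf "$dir"
    return $st
}

demo
```

Note that hardening Postfix alone is not the whole story for DROWN: the attack works against any server that still accepts SSLv2 with the same RSA key, so a certificate and key shared with another service (for example an IMAP or HTTPS daemon on the same host) has to be checked there too.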
