user/netqmail: CVE-2011-1431: STARTTLS command injection
Bugzilla ID | 113 |
Alias(es) | CVE-2011-1431 |
Reporter | Max Rees (sroracle) |
Assignee | Max Rees (sroracle) |
Reported | 2019-07-24 14:27:36 -0500 |
Modified | 2019-07-24 14:27:50 -0500 |
Status | RESOLVED NOTABUG |
Version | 1.0-BETA3 |
Hardware | Adélie Linux / All |
Importance | --- / normal |
URL | https://nvd.nist.gov/vuln/detail/CVE-2011-1431 |
Description
The STARTTLS implementation in qmail-smtpd.c in qmail-smtpd in the
netqmail-1.06-tls patch for netqmail 1.06 does not properly restrict
I/O buffering, which allows man-in-the-middle attackers to insert
commands into encrypted SMTP sessions by sending a cleartext command
that is processed after TLS is in place, related to a "plaintext
command injection" attack, a similar issue to CVE-2011-0411.
We do not apply the patch in question.
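The buffering flaw in the description above, as an added example that is not part of the original report and is not netqmail or TLS-patch code: a toy C model of a buffered SMTP command reader, fed constructed input in which further commands arrive in the same cleartext read as STARTTLS. The names inbuf, feed, next_line and leftover_after_starttls are hypothetical, and discarding the buffer is one mitigation, modelled here as an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of a buffered SMTP command reader (hypothetical names, not netqmail code). */
struct inbuf { char data[512]; size_t len, pos; };

/* Model one cleartext read() that delivers `wire` into the input buffer. */
static void feed(struct inbuf *b, const char *wire) {
    b->len = strlen(wire);
    if (b->len >= sizeof b->data) b->len = sizeof b->data - 1;
    memcpy(b->data, wire, b->len);
    b->data[b->len] = '\0';
    b->pos = 0;
}

/* Pop the next CRLF-terminated line; return 0 when no complete line is buffered. */
static int next_line(struct inbuf *b, char *out, size_t outsz) {
    const char *start = b->data + b->pos;
    const char *eol = strstr(start, "\r\n");
    size_t n;
    if (!eol) return 0;
    n = (size_t)(eol - start);
    b->pos += n + 2;
    if (n >= outsz) n = outsz - 1;
    memcpy(out, start, n);
    out[n] = '\0';
    return 1;
}

/* Count commands that arrived in cleartext but would be handled after TLS is in place.
   flush_on_starttls = 0 models the flaw; 1 discards the pre-handshake buffer. */
int leftover_after_starttls(const char *wire, int flush_on_starttls) {
    struct inbuf b;
    char line[128];
    int tls = 0, carried = 0;
    feed(&b, wire);
    while (next_line(&b, line, sizeof line)) {
        if (tls) { carried++; continue; }   /* cleartext bytes treated as in-session */
        if (strcmp(line, "STARTTLS") == 0) {
            tls = 1;                         /* the TLS handshake would run here */
            if (flush_on_starttls) b.pos = b.len;
        }
    }
    return carried;
}

int main(void) {
    const char *wire = "STARTTLS\r\nRSET\r\nNOOP\r\n";  /* constructed sample input */
    printf("no flush: %d carried over\n", leftover_after_starttls(wire, 0));
    printf("flush:    %d carried over\n", leftover_after_starttls(wire, 1));
    return 0;
}
```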