user/netqmail: CVE-2011-1431: STARTTLS command injection
| Bugzilla ID | 113 |
| Alias(es) | CVE-2011-1431 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-07-24 14:27:36 -0500 |
| Modified | 2019-07-24 14:27:50 -0500 |
| Status | RESOLVED NOTABUG |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2011-1431 |
Description
The STARTTLS implementation in qmail-smtpd.c in qmail-smtpd in the
netqmail-1.06-tls patch for netqmail 1.06 does not properly restrict
I/O buffering, which allows man-in-the-middle attackers to insert
commands into encrypted SMTP sessions by sending a cleartext command
that is processed after TLS is in place, related to a "plaintext
command injection" attack, a similar issue to CVE-2011-0411.
We do not apply the patch in question.