Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2023-51764

Published: 24 December 2023

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

Notes

AuthorNote
mdeslaur
We will not be releasing updates for Lunar which is EoL on
2024-01-25

Mitigation

smtpd_forbid_unauth_pipelining = yes

Priority

Medium

Cvss 3 Severity Score

5.3

Score breakdown

Status

Package Release Status
postfix
Launchpad, Ubuntu, Debian
trusty
Released (2.11.0-1ubuntu1.2+esm3)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
bionic
Released (3.3.0-1ubuntu0.4+esm3)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
focal
Released (3.4.13-0ubuntu1.4)
jammy
Released (3.6.4-1ubuntu1.3)
lunar Ignored
(end of life)
mantic
Released (3.8.1-2ubuntu0.2)
upstream
Released (3.8.4-1)
xenial
Released (3.1.0-3ubuntu0.4+esm3)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)

Severity score breakdown

Parameter Value
Base score 5.3
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N