CVE-2011-0411 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2011-0411 Interim 1 21 2024-07-27T01:40:59Z current 2021-05-30T12:55:49Z 2024-07-27T01:40:59Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2011-0411 The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4MN2XZHBZNY6EHRNRASQC35KVQQGVM73/#4MN2XZHBZNY6EHRNRASQC35KVQQGVM73 E-Mail link for SUSE-SR:2011:008 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LELHDVK3NB65FNSKEM3ZI6U2R5NOGDN3/#LELHDVK3NB65FNSKEM3ZI6U2R5NOGDN3 E-Mail link for SUSE-SR:2011:009 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J3SFKURISLALS2JGJL22FCLRZSUGU7TT/#J3SFKURISLALS2JGJL22FCLRZSUGU7TT E-Mail link for SUSE-SR:2011:010 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2GYOIMCZROPCPAJ2KKWIHJNXYM6WHVDA/#2GYOIMCZROPCPAJ2KKWIHJNXYM6WHVDA E-Mail link for SUSE-SU-2011:0608-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Server 11 SP1 for Teradata SUSE Linux Enterprise Server 11 SP1-TERADATA SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3 for Teradata SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server 11 SP4 LTSS openSUSE Tumbleweed postfix-2.5.6-5.6.1 postfix-doc-2.5.6-5.6.1 postfix-mysql-2.5.6-5.6.1 pure-ftpd pure-ftpd-1.0.22-3.15.1 pure-ftpd-1.0.22-3.19.1 pure-ftpd-1.0.22-3.25.1 pure-ftpd-1.0.43-1.3 postfix-2.5.6-5.6.1 as a component of SUSE Linux Enterprise Server 11 SP1-TERADATA postfix-doc-2.5.6-5.6.1 as a component of SUSE Linux Enterprise Server 11 SP1-TERADATA postfix-mysql-2.5.6-5.6.1 as a component of SUSE Linux Enterprise Server 11 SP1-TERADATA pure-ftpd-1.0.22-3.15.1 as a component of SUSE Linux Enterprise Server 11 SP2 pure-ftpd-1.0.22-3.19.1 as a component of SUSE Linux Enterprise Server 11 SP3 pure-ftpd-1.0.22-3.25.1 as a component of SUSE Linux Enterprise Server 11 SP4 pure-ftpd-1.0.43-1.3 as a component of openSUSE Tumbleweed pure-ftpd as a component of SUSE Linux Enterprise Server 11 SP1 for Teradata pure-ftpd as a component of SUSE Linux Enterprise Server 11 SP3 for Teradata pure-ftpd as a component of SUSE Linux Enterprise Server 11 SP4 LTSS The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack. CVE-2011-0411 SUSE Linux Enterprise Server 11 SP1-TERADATA:postfix-2.5.6-5.6.1 SUSE Linux Enterprise Server 11 SP1-TERADATA:postfix-doc-2.5.6-5.6.1 SUSE Linux Enterprise Server 11 SP1-TERADATA:postfix-mysql-2.5.6-5.6.1 SUSE Linux Enterprise Server 11 SP2:pure-ftpd-1.0.22-3.15.1 SUSE Linux Enterprise Server 11 SP3:pure-ftpd-1.0.22-3.19.1 SUSE Linux Enterprise Server 11 SP4:pure-ftpd-1.0.22-3.25.1 openSUSE Tumbleweed:pure-ftpd-1.0.43-1.3 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P