Security update for postfixadmin SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0488-1 Final 1 1 2017-02-16T20:54:02Z current 2017-02-16T20:54:02Z 2017-02-16T20:54:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postfixadmin postfixadmin was updated to 3.0.2 to fix the following issues: - PostfixAdmin 3.0.2: - SECURITY: don't allow to delete protected aliases (CVE-2017-5930, boo#1024211) - fix VacationHandler for PostgreSQL - AliasHandler: restrict mailbox subquery to allowed and specified domains to improve performance on setups with lots of mailboxes - allow switching between dovecot:* password schemes while still accepting passwords hashed using the previous dovecot:* scheme - FetchmailHandler: use a valid date as default for 'date' - fix date formatting in non-english languages when using PostgreSQL - various small fixes - PostfixAdmin 3.0: - add sqlite backend option - add configurable smtp helo (CONF['smtp_client']) - new translation: ro (Romanian) - language update: tw, cs, de - fix escaping in gen_show_status() (could be used to DOS list-virtual by creating a mail address with special chars) - add CSRF protection for POST requests - list.tpl: base edit/editactive/delete links in list.tpl on $RAW_item to avoid double escaping, and fix some corner cases - fix db_quota_text() for postgresql (concat() vs. ||) - change default date for 'created' and 'updated' columns from 0000-00-00 (which causes problems with MySQL strict mode) to 2000-01-01 - allow punicode even in TLDs - update Smarty to 3.1.29 - add checks to login.php and cli to ensure database layout is up to date - whitelist '-1' as valid value for postfixadmin-cli - don't stripslashes() the password in pacrypt - various small bugfixes The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-02/msg00076.html E-Mail link for openSUSE-SU-2017:0488-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 postfixadmin-3.0.2-3.1 postfixadmin-3.0.2-3.1 as a component of openSUSE Leap 42.1 postfixadmin-3.0.2-3.1 as a component of openSUSE Leap 42.2 The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authenticated domain admins to delete protected aliases via the delete parameter to delete.php, involving a missing permission check. CVE-2017-5930 openSUSE Leap 42.1:postfixadmin-3.0.2-3.1 openSUSE Leap 42.2:postfixadmin-3.0.2-3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00076.html https://www.suse.com/security/cve/CVE-2017-5930.html CVE-2017-5930 https://bugzilla.suse.com/1024211 SUSE Bug 1024211