CVE-2008-3889

EUVD-2008-3875
Postfix 2.4 before 2.4.9, 2.5 before 2.5.5, and 2.6 before 2.6-20080902, when used with the Linux 2.6 kernel, leaks epoll file descriptors during execution of "non-Postfix" commands, which allows local users to cause a denial of service (application slowdown or exit) via a crafted command, as demonstrated by a command in a .forward file.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 2.1 UNKNOWN | LOCAL | LOW | | AV:L/AC:L/Au:N/C:N/I:N/A:P |
EPSS Score
Percentile: 19%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| postfix | postfix | 2.4 |
| postfix | postfix | 2.4.0 |
| postfix | postfix | 2.4.1 |
| postfix | postfix | 2.4.2 |
| postfix | postfix | 2.4.3 |
| postfix | postfix | 2.4.4 |
| postfix | postfix | 2.4.5 |
| postfix | postfix | 2.4.6 |
| postfix | postfix | 2.4.7 |
| postfix | postfix | 2.4.8 |
| postfix | postfix | 2.5.1 |
| postfix | postfix | 2.5.2 |
| postfix | postfix | 2.5.3 |
| postfix | postfix | 2.6 |
Debian Releases
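| Debian Product | Codename | Version | Status |
|---|---|---|---|
| postfix | bookworm | 3.7.11-0+deb12u1 | fixed |
| postfix | bullseye | 3.5.25-0+deb11u1 | fixed |
| postfix | etch | | not-affected |
| postfix | sid | 3.9.0-3 | fixed |
| postfix | trixie | 3.9.0-3 | fixed |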
Ubuntu Releases
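| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| postfix | dapper | | not-affected |
| postfix | feisty | | not-affected |
| postfix | gutsy | Fixed 2.4.5-3ubuntu1.3 | released |
| postfix | hardy | Fixed 2.5.1-2ubuntu1.2 | released |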
References