CVE-2021-35525

EUVD-2021-22161
PostSRSd before 1.11 allows a denial of service (subprocess hang) if Postfix sends certain long data fields such as multiple concatenated email addresses. NOTE: the PostSRSd maintainer acknowledges "theoretically, this error should never occur ... I'm not sure if there's a reliable way to trigger this condition by an external attacker, but it is a security bug in PostSRSd nevertheless."
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
Affected Products (NVD)
VendorProductVersion
postsrsd_projectpostsrsd
𝑥
< 1.11
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
postsrsd
bookworm
1.10-2
fixed
bullseye
1.10-2
fixed
sid
1.10-2.2
fixed
stretch
no-dsa
trixie
1.10-2.2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
postsrsd
bionic
needed
focal
needed
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needed
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needed
trusty
dne
xenial
needs-triage
References
https://bugs.gentoo.org/793674
https://github.com/roehling/postsrsd/commit/077be98d8c8a9847e4ae0c7dc09e7474cbe27db2
https://github.com/roehling/postsrsd/releases/tag/1.11
https://security.gentoo.org/glsa/202107-08
https://bugs.gentoo.org/793674
https://github.com/roehling/postsrsd/commit/077be98d8c8a9847e4ae0c7dc09e7474cbe27db2
https://github.com/roehling/postsrsd/releases/tag/1.11
https://security.gentoo.org/glsa/202107-08