CVE-2021-35525

PostSRSd before 1.11 allows a denial of service (subprocess hang) if Postfix sends certain long data fields such as multiple concatenated email addresses. NOTE: the PostSRSd maintainer acknowledges "theoretically, this error should never occur ... I'm not sure if there's a reliable way to trigger this condition by an external attacker, but it is a security bug in PostSRSd nevertheless."
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 31%
VendorProductVersion
postsrsd_projectpostsrsd
𝑥
< 1.11
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
postsrsd
bookworm
1.10-2
fixed
bullseye
1.10-2
fixed
stretch
no-dsa
sid
1.10-2.2
fixed
trixie
1.10-2.2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
postsrsd
noble
needed
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needed
impish
ignored
hirsute
ignored
groovy
ignored
focal
needed
bionic
needed
xenial
needs-triage
trusty
dne
References
https://bugs.gentoo.org/793674
https://github.com/roehling/postsrsd/commit/077be98d8c8a9847e4ae0c7dc09e7474cbe27db2
https://github.com/roehling/postsrsd/releases/tag/1.11
https://security.gentoo.org/glsa/202107-08
https://bugs.gentoo.org/793674
https://github.com/roehling/postsrsd/commit/077be98d8c8a9847e4ae0c7dc09e7474cbe27db2
https://github.com/roehling/postsrsd/releases/tag/1.11
https://security.gentoo.org/glsa/202107-08