Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg5Mm0tNDJoNC04MmY2
postfix-mta-sts-resolver Algorithm Downgrade vulnerability
Incorrect query parsing
Impact
All users of versions prior to 0.5.1 may receive an incorrect response from the daemon under rare conditions, resulting in a downgrade of the effective STS policy.
Patches
The problem has been patched in version 0.5.1.
Workarounds
Users may remediate this vulnerability without upgrading by applying these patches to older supported versions.
For more information
If you have any questions or comments about this advisory:
- Open an issue in postfix-mta-sts-resolver repo
- Email me at vladislav at vm-0 dot com
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg5Mm0tNDJoNC04MmY2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: about 1 month ago
CVSS Score: 6.9
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
EPSS Percentage: 0.00105
EPSS Percentile: 0.43686
Identifiers: GHSA-h92m-42h4-82f6, CVE-2019-16791
References:
- https://github.com/Snawoot/postfix-mta-sts-resolver/security/advisories/GHSA-h92m-42h4-82f6
- https://nvd.nist.gov/vuln/detail/CVE-2019-16791
- https://gist.github.com/Snawoot/b9da85d6b26dea5460673b29df1adc6b
- https://github.com/pypa/advisory-database/tree/main/vulns/postfix-mta-sts-resolver/PYSEC-2020-174.yaml
- https://github.com/advisories/GHSA-h92m-42h4-82f6
Blast Radius: 5.8
Affected Packages
pypi:postfix-mta-sts-resolver
Dependent packages: 0
Dependent repositories: 7
Downloads: 5,497 last month
Affected Version Ranges: < 0.5.1
Fixed in: 0.5.1
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.7, 0.2.8, 0.2.9, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0
All unaffected versions: 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.8.0, 0.8.1, 0.8.2, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.0, 1.3.0, 1.4.0