Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg5Mm0tNDJoNC04MmY2
High severity vulnerability that affects postfix-mta-sts-resolver
Incorrect query parsing
Impact
All users of versions prior to 0.5.1 may receive an incorrect response from the daemon under rare conditions, resulting in a downgrade of the effective STS policy.
Patches
The problem has been patched in version 0.5.1.
Workarounds
Users may remediate this vulnerability without upgrading by applying these patches to older supported versions.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the postfix-mta-sts-resolver repo
- Email me at vladislav at vm-0 dot com
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg5Mm0tNDJoNC04MmY2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 5 years ago
Updated: over 1 year ago
CVSS Score: 6.9
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Identifiers: GHSA-h92m-42h4-82f6, CVE-2019-16791
References:
- https://github.com/Snawoot/postfix-mta-sts-resolver/security/advisories/GHSA-h92m-42h4-82f6
- https://nvd.nist.gov/vuln/detail/CVE-2019-16791
- https://gist.github.com/Snawoot/b9da85d6b26dea5460673b29df1adc6b
- https://github.com/advisories/GHSA-h92m-42h4-82f6
Blast Radius: 5.8
Affected Packages
pypi:postfix-mta-sts-resolver
Dependent packages: 0
Dependent repositories: 7
Downloads: 3,916 last month
Affected Version Ranges: < 0.5.1
Fixed in: 0.5.1
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.7, 0.2.8, 0.2.9, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0
All unaffected versions: 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.8.0, 0.8.1, 0.8.2, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.0, 1.3.0, 1.4.0