james-server-dev mailing list archives

From "Luc (JIRA)" <server-...@james.apache.org>
Subject [jira] [Updated] (JAMES-1862) Plaintext command injection of STARTTLS (CVE-2011-0411)
Date Thu, 17 Nov 2016 16:42:58 GMT

     [ https://issues.apache.org/jira/browse/JAMES-1862?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Luc updated JAMES-1862:
-----------------------
    Description: 
Security issue described by this post:
Plaintext command injection in multiple implementations of STARTTLS
[http://www.postfix.org/CVE-2011-0411.html]

Here you will find a Dockerfile that builds a patched OpenSSL, as described in the previous link, to reproduce the security issue.

{code}
FROM centos:latest
### Some env variables
ENV OPENSSL_VERSION="1.0.2d"
RUN yum clean all \
&& yum -y update \
### Install tools for compiling
&& yum -y install gcc \
&& yum -y install make \
&& yum -y install wget \
&& yum -y install tar \
&& yum -y install perl \
&& yum clean all
### BUILD OpenSSL
RUN wget "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" -P /tmp/ \
&& tar -xvf /tmp/openssl-${OPENSSL_VERSION}.tar.gz \
&& rm -rf /tmp/openssl-${OPENSSL_VERSION}.tar.gz
### Patch s_client so that RSET is written in the same buffer as STARTTLS,
### i.e. both commands reach the server in one plaintext TCP segment
RUN sed -i -e 's/BIO_printf(sbio, "STARTTLS\\r\\n")/BIO_printf(sbio, "STARTTLS\\r\\nRSET\\r\\n")/g' openssl-${OPENSSL_VERSION}/apps/s_client.c
RUN cd openssl-${OPENSSL_VERSION} \
&& ./Configure linux-x86_64 \
&& make \
&& make install \
&& cd .. \
&& rm -rf openssl-${OPENSSL_VERSION}

############
# run this command in the container; on a vulnerable server the reply to the
# plaintext RSET shows up after the TLS handshake:
# /usr/local/ssl/bin/openssl s_client -quiet -starttls smtp -connect {replace with your james listen address}:{replace with your james listen port}

{code}

  was:
Security issue described by this post :
Plaintext command injection in multiple implementations of STARTTLS
[#http://www.postfix.org/CVE-2011-0411.html]

here you will find a dockerfile to run patched openssl, as described in previous link, to
see the security issue.

{code}
FROM centos:latest
### Some env variables
ENV OPENSSL_VERSION="1.0.2d"
RUN yum clean all \
&& yum -y update \
### Install tool for compiling
&& yum -y install gcc \
&& yum -y install make \
&& yum -y install wget \
&& yum -y install tar \
&& yum -y install perl \
&& yum clean all
### BUILD OpenSSL
RUN wget "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" -P /tmp/ \
&& tar -xvf /tmp/openssl-${OPENSSL_VERSION}.tar.gz \
&& rm -rf /tmp/openssl-${OPENSSL_VERSION}.tar.gz
RUN sed -i -e 's/BIO_printf(sbio, "STARTTLS\\r\\n")/BIO_printf(sbio, "STARTTLS\\r\\nRSET\\r\\n")/g' openssl-${OPENSSL_VERSION}/apps/s_client.c
RUN cd openssl-${OPENSSL_VERSION} \
&& ./Configure linux-x86_64 \
&& make \
&& make install \
&& cd .. \
&& rm -rf openssl-${OPENSSL_VERSION}

############
# run this command in container :
# /usr/local/ssl/bin/openssl s_client -quiet -starttls smtp -connect {replace with your james listen address}:{replace with your james listen port}

{code}


> Plaintext command injection of STARTTLS (CVE-2011-0411)
> -------------------------------------------------------
>
>                 Key: JAMES-1862
>                 URL: https://issues.apache.org/jira/browse/JAMES-1862
>             Project: James Server
>          Issue Type: Bug
>          Components: James Core
>    Affects Versions: 3.0-beta4
>         Environment: centos6/7/windows openjdk8/jdk8 jboss eap6.4.2
>            Reporter: Luc
>            Priority: Critical
>              Labels: security
>
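As an added example (not code from this issue or from Apache James), the toy SMTP command loop below models the server-side mechanism the patched s_client probes: "STARTTLS\r\nRSET\r\n" arrives in one plaintext read, and a server that keeps the unread remainder in its buffer across the TLS handshake executes RSET as if it had come over TLS. The function names, the `discard_after_starttls` switch and the sample traffic are constructed for illustration; the mitigation modelled is to discard buffered plaintext when STARTTLS is processed (rejecting the connection instead is an equally valid choice).

```python
# Added example, not code from the JIRA issue or from Apache James: a toy SMTP
# command loop showing why CVE-2011-0411 happens and what the fix changes.


def smtp_session(plaintext, tls_data, discard_after_starttls):
    """Simulate one server session.
    plaintext: bytes that arrived on the socket before the TLS handshake.
    tls_data:  bytes the genuine client sends after the handshake.
    Returns [(channel, command), ...] in execution order, where channel is
    'plain', 'tls', or 'injected' (plaintext bytes the server wrongly treated
    as if they had been received inside the TLS session)."""
    executed = []
    buf = plaintext
    while b"\r\n" in buf:
        line, buf = buf.split(b"\r\n", 1)
        cmd = line.decode("ascii", "replace").strip()
        executed.append(("plain", cmd))
        if cmd.upper() == "STARTTLS":
            break                       # the TLS handshake happens here
    else:
        return executed                 # client never asked for TLS
    # Whatever is still in buf was read in plaintext together with STARTTLS.
    # Vulnerable servers keep it; the fix throws it away before the handshake.
    leftover = b"" if discard_after_starttls else buf
    buf = leftover + tls_data
    offset = 0
    while b"\r\n" in buf:
        line, buf = buf.split(b"\r\n", 1)
        # A line that starts inside the leftover plaintext is attacker-supplied.
        channel = "injected" if offset < len(leftover) else "tls"
        offset += len(line) + 2
        executed.append((channel, line.decode("ascii", "replace").strip()))
    return executed


def injected_commands(plaintext, tls_data, discard_after_starttls):
    """Commands a plaintext sender got executed inside the TLS session."""
    session = smtp_session(plaintext, tls_data, discard_after_starttls)
    return [cmd for channel, cmd in session if channel == "injected"]


# Constructed sample traffic: the probe the patched s_client sends, followed by
# a legitimate client continuing after the handshake.
PROBE = b"EHLO probe.example\r\nSTARTTLS\r\nRSET\r\n"
CLIENT_TLS = b"EHLO client.example\r\nMAIL FROM:<user@example.org>\r\n"

if __name__ == "__main__":
    print("vulnerable:", injected_commands(PROBE, CLIENT_TLS, False))  # ['RSET']
    print("fixed:     ", injected_commands(PROBE, CLIENT_TLS, True))   # []
```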



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

