Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),and TLS.It was discovered that Postfix did not flush the received SMTP commandsbuffer after switching to TLS encryption for an SMTP session. Aman-in-the-middle attacker could use this flaw to inject SMTP commands intoa victim's session during the plain text phase. This would lead to thosecommands being processed by Postfix after TLS encryption is enabled,possibly allowing the attacker to steal the victim's mail or authenticationcredentials. (CVE-2011-0411)It was discovered that Postfix did not properly check the permissions ofusers' mailbox files. A local attacker able to create files in the mailspool directory could use this flaw to create mailbox files for other localusers, and be able to read mail delivered to those users. (CVE-2008-2937)Red Hat would like to thank the CERT/CC for reporting CVE-2011-0411, andSebastian Krahmer of the SuSE Security Team for reporting CVE-2008-2937.The CERT/CC acknowledges Wietse Venema as the original reporter ofCVE-2011-0411.Users of Postfix are advised to upgrade to these updated packages, whichcontain backported patches to resolve these issues. After installing thisupdate, the postfix service will be restarted automatically.