Plaintext injection in multiple implementations of STARTTLS

Mark Martinec Mark.Martinec+amavis at
Tue Mar 8 11:05:38 CET 2011

For those wondering about CVE-2011-0411 / VU#555316 status:

Amavisd-new is NOT AFFECTED by this vulnerability
even when TLS is used ( $tls_security_level_in ).

Version 2.6.4 and earlier does not use a stream and does not
buffer SMTP data at this level. Switching to TLS replaces
the I/O methods.

Version 2.7.0(-pre*) does use buffering at the application
level of transport, but properly discards any buffered
leftovers (pipelining violations) when switching to TLS
after a STARTTLS command.


More information about the amavis-users mailing list