π ~4 min read β’ Source: Ubuntu Security Notice USN-6550-1
Related CVEs: CVE-2022-29221 CVE-2022-31129 CVE-2023-28447
Upstream summary: It was discovered that Smarty, that is integrated in the PostfixAdmin
code, was not properly sanitizing user input when generating templates. An
attacker could, through PHP injection, possibly use this issue to execute
arbitrary code. (CVE-2022-29221)
It was discovered that Moment.js, that is integrated in the PostfixAdmin
code, was using an inefficient parsing algorithm when processing date
strings in the RFC 2822 standard. An attacker could possibly use this
issue to cause
Table of contents
Symptom & Impact
On Ubuntu 18.04 (bionic) hosts that have postfixadmin installed, administrators report behaviour consistent with Ubuntu Security Notice USN-6550-1: apt reports pending security updates, services backed by postfixadmin fail or restart unexpectedly, AppArmor denials appear in the kernel log, and β for security-rated advisories β the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever postfixadmin sits on the serving path.
Environment & Reproduction
Reproduction targets Ubuntu 18.04 (bionic). Confirm release and installed package:
lsb_release -a
cat /etc/os-release
dpkg -l postfixadmin | tail -2
apt-cache policy postfixadmin
uname -rTrigger the workflow that exposes postfixadmin β multiple vulnerabilities (3 CVEs) β patch and remediation guide while collecting:
sudo journalctl -u postfixadmin -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/apt/history.log
sudo tail -200 /var/log/kern.log | grep -i apparmorRoot Cause Analysis
Root cause is documented in Ubuntu Security Notice USN-6550-1. Canonical security maintainers shipped fixes in the corresponding postfixadmin update for Ubuntu 18.04; running an outdated build leaves the host exposed to the failure modes described in the advisory. On this release the fix typically arrives via the Ubuntu Pro ESM (esm-infra / esm-apps) channels rather than the standard archive. Correlate apt history with the journal:
grep -A2 -B2 postfixadmin /var/log/apt/history.log
zgrep -A2 -B2 postfixadmin /var/log/apt/history.log.*.gz 2>/dev/null
cat /proc/sys/kernel/tainted # non-zero = tainted kernel / out-of-tree modulesQuick Triage
Run these on Ubuntu 18.04 to capture the current state of postfixadmin:
dpkg -l postfixadmin | tail -1 # installed version
dpkg -V postfixadmin # verify shipped files
sudo apt update && apt list --upgradable 2>/dev/null | grep -i security
systemctl is-active postfixadmin
sudo ufw status verbose 2>/dev/null | head -20
sudo aa-status 2>/dev/null | head -20
# If postfixadmin ships a service unit (unit/job name often differs from pkg name, e.g.
# bind9βnamed, apache2βapache2, postgresql-NNβpostgresql@NN-main):
systemctl list-unit-files | grep -i postfixadmin | headOn bionic the standard archive no longer ships security fixes. Verify Ubuntu Pro ESM coverage:
# Ubuntu Pro CLI is the standard tool:
sudo pro status --format=json 2>/dev/null | head
apt-cache policy | grep -i esmStep-by-Step Diagnosis
-
List failing services.
systemctl --failed --no-pager -
Tail the journal / syslog for
postfixadmin.sudo journalctl -u postfixadmin -f --no-pager sudo journalctl -xe -f --no-pager -
Inspect UFW (Uncomplicated Firewall) state.
sudo ufw status numbered sudo ufw show added sudo iptables -L -n -v | head -30 -
Surface AppArmor denials and switch the profile to complain mode if needed.
sudo journalctl -k 2>/dev/null | grep -i 'apparmor="DENIED"' | tail -30 sudo aa-status # /etc/apparmor.d/usr.bin.postfixadmin or usr.sbin.postfixadmin β inspect first sudo aa-complain /etc/apparmor.d/usr.bin.postfixadmin 2>/dev/null || true -
Verify
postfixadminintegrity and reinstall if anything is altered.sudo dpkg -V postfixadmin sudo debsums -c postfixadmin 2>/dev/null sudo apt install --reinstall -y postfixadmin -
Correlate findings with
/var/log/apt/history.log,/var/log/dpkg.log, and Ubuntu Security Notice USN-6550-1 to pin the change that introduced postfixadmin β multiple vulnerabilities (3 CVEs) β patch and remediation guide.
Solution – Primary Fix
Apply the corrective apt transaction referenced by Ubuntu Security Notice USN-6550-1, then reload the affected service:
sudo apt update
sudo apt -y install --only-upgrade postfixadmin
sudo systemctl daemon-reload
# Service name may differ from pkg name; check first:
systemctl list-unit-files | grep -i postfixadmin | head
sudo systemctl restart postfixadmin
dpkg -l postfixadmin | tail -1 # confirm new version
systemctl is-active postfixadminOn bionic the standard archive is past EoL for security; enable Ubuntu Pro ESM to receive the fix:
# Standard pro CLI:
sudo pro attach <token>
sudo pro enable esm-infra
sudo pro enable esm-apps
sudo apt update
sudo apt -y install --only-upgrade postfixadminFor kernel / glibc / systemd / openssl advisories a reboot (or Livepatch) is required:
sudo apt install -y needrestart
sudo needrestart -r l # list units that need restart
sudo systemctl reboot # or: sudo shutdown -r now
# Livepatch (Ubuntu Pro) avoids reboot for many kernel CVEs:
sudo canonical-livepatch status
sudo canonical-livepatch refreshNeed help rolling this patch across an Ubuntu fleet? Our IT Solutions & Services team manages Ubuntu patch windows with Landscape and Ubuntu Pro integration. Get in touch for a free consultation.
Solution – Alternative Approaches
If the primary upgrade is not viable, pick from these:
-
Hold the package so apt cannot upgrade it:
sudo apt-mark hold postfixadmin apt-mark showhold | grep postfixadmin # Release the hold later with: sudo apt-mark unhold postfixadmin -
Pin a known-good version via apt preferences:
# /etc/apt/preferences.d/postfixadmin.pref Package: postfixadmin Pin: version <good-version> Pin-Priority: 1001 -
Downgrade to an older version if a regression is suspected:
apt-cache madison postfixadmin sudo apt install --allow-downgrades -y postfixadmin=<older-version> -
Investigate AppArmor blocking the new binary; switch to complain briefly, capture denials, then re-enforce:
sudo aa-complain /etc/apparmor.d/usr.bin.postfixadmin 2>/dev/null # reproduce the failure sudo journalctl -k | grep apparmor | tail sudo aa-enforce /etc/apparmor.d/usr.bin.postfixadmin 2>/dev/null -
Apply Canonical Livepatch (Ubuntu Pro) to land kernel fixes without reboot:
sudo canonical-livepatch status sudo canonical-livepatch refresh -
Take only the security pocket update and defer the full point-release upgrade:
sudo apt -y install --only-upgrade -t bionic-security postfixadmin
Verification & Acceptance Criteria
All of these should pass after the fix is applied:
dpkg -l postfixadmin | tail -1 # expected fixed version
apt list --upgradable 2>/dev/null | grep -i security || echo OK
systemctl is-active postfixadmin
sudo journalctl -u postfixadmin --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo ufw status numbered | head
sudo aa-status 2>/dev/null | head -5The original reproduction for postfixadmin β multiple vulnerabilities (3 CVEs) β patch and remediation guide must not trigger across two consecutive runs.
Rollback Plan
Capture state before any change:
apt list --installed 2>/dev/null > /root/apt-pre.txt
dpkg --get-selections > /root/dpkg-pre.txt
# ZFS-on-root (Ubuntu 20.04+ default installer option):
sudo zfs snapshot rpool/ROOT/ubuntu@pre-postfixadmin
# LVM-on-root:
sudo lvcreate -L 4G -s -n root_pre_patch /dev/<vg>/<root-lv>To revert:
sudo apt install --allow-downgrades -y postfixadmin=<old-version>
sudo systemctl daemon-reload
sudo systemctl restart postfixadmin
# Kernel rollback: pick the prior kernel from the GRUB menu, then:
sudo systemctl reboot
# ZFS rollback (rolls the whole root dataset):
sudo zfs rollback -r rpool/ROOT/ubuntu@pre-postfixadminPrevention & Hardening
Reduce the chance of this recurring on Ubuntu 18.04 (bionic):
-
Enable scheduled security updates via
unattended-upgrades:sudo apt install -y unattended-upgrades update-notifier-common sudo dpkg-reconfigure -plow unattended-upgrades # /etc/apt/apt.conf.d/50unattended-upgrades: Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; }; -
Install
needrestartso services restart automatically after library upgrades:sudo apt install -y needrestart # /etc/needrestart/needrestart.conf -> $nrconf{restart} = 'a'; -
Attach Ubuntu Pro for ESM (mandatory on this past-EoL release) and Livepatch where supported:
sudo pro attach <token> sudo pro enable esm-infra sudo pro enable esm-apps sudo pro enable livepatch -
Subscribe to ubuntu-security-announce and watch ubuntu.com/security/cves.
-
Monitor file integrity with
debsumsand AIDE:sudo apt install -y debsums aide sudo debsums -ca sudo aideinit && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db sudo aide --check -
For estate-wide patching, manage with Canonical Landscape:
sudo apt install -y landscape-client sudo landscape-config -
Keep AppArmor profiles in enforce mode and apply CIS Ubuntu Linux Benchmark hardening.
Related Errors & Cross-Refs
Issues that commonly surface alongside postfixadmin β multiple vulnerabilities (3 CVEs) β patch and remediation guide: apt lock contention, broken dpkg state, systemd ordering cycles, AppArmor denials, and UFW rule drift. Useful triage:
sudo dpkg --configure -a
sudo apt --fix-broken install
systemd-analyze critical-chain
sudo journalctl -k 2>/dev/null | grep -i apparmor | tail
cat /proc/sys/kernel/taintedView all ubuntu-18-04 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
Primary reference: Ubuntu Security Notice USN-6550-1. Manual pages useful on Ubuntu 18.04:
man apt
man apt-get
man apt-mark
man dpkg
man systemctl
man journalctl
man ufw
man apparmor
man aa-status
man unattended-upgrades
man canonical-livepatch
man proOther resources: Ubuntu Security Notices, Ubuntu CVE Tracker, Ubuntu upgrade notes, and per-package notes in /usr/share/doc/postfixadmin/ for components implicated in postfixadmin β multiple vulnerabilities (3 CVEs) β patch and remediation guide.
