Sebastian Krahmer of the SUSE Security Team discovered a flaw in
the way Postfix dereferenced symbolic links. If a local user had
write access to a mail spool directory without a root mailbox file,
it could be possible for them to append arbitrary data to files that
root had write permissions to (CVE-2008-2936).

The updated packages have been patched to correct this issue.