Accepted postfix 3.5.23-0+deb11u1 (source) into oldstable-proposed-updates
- To: debian-changes@lists.debian.org
- Subject: Accepted postfix 3.5.23-0+deb11u1 (source) into oldstable-proposed-updates
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Thu, 28 Dec 2023 07:02:26 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: postfix_3.5.23-0+deb11u1_source.changes
- Debian-source: postfix
- Debian-suite: oldstable-proposed-updates
- Debian-version: 3.5.23-0+deb11u1
- Mail-followup-to: debian-devel@lists.debian.org
- Message-id: <E1rIkPS-00EXfR-JG@fasolo.debian.org>
- Reply-to: debian-devel@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 26 Dec 2023 16:07:38 -0500
Source: postfix
Architecture: source
Version: 3.5.23-0+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: Scott Kitterman <scott@kitterman.com>
Closes: 1059230
Changes:
postfix (3.5.23-0+deb11u1) bullseye; urgency=medium
.
[Wietse Venema]
.
* 3.5.19
- Portability: the EVP_get_digestbyname change broke OpenSSL
1.0.2 support. File: tls/tls.h.
- Bugfix (introduced: Postfix 3.4): the posttls-finger command
failed to detect that a connection was resumed in the case
that a server did not return a certificate. Viktor Dukhovni.
File: posttls-finger/posttls-finger.c.
- Workaround: OpenSSL 3.x EVP_get_cipherbyname() can return
lazily-bound handles. Postfix now checks that the expected
functionality will be available instead of failing later.
Fix by Viktor Dukhovni. File: tls/tls_server.c.
- Bugfix (introduced: Postfix 3.5): check_ccert_access did
not parse inline map specifications. Report and fix by Sean
Gallagher. File: global/map_search.c.
- Safety: the long form "{ name = value }" in import_environment
or export_environment is not documented, but accepted, and
it was stored in the process environment as the invalid
form "name = value", thus not setting or overriding an entry
for "name". This form is now stored as the expected
"name=value". Found during code maintenance. Also refined
the "missing attribute name" detection. Files: clean_env.c,
split_nameval.c.
- Bugfix (introduced: Postfix 3.2): the MySQL client could
return "not found" instead of "error" during the time that
all MySQL server connections were turned down after error.
Found during code maintenance. File: global/dict_mysql.c.
* 3.5.20
- Bugfix (defect introduced: Postfix 1.0): the command "postconf
.. name=v1 .. name=v2 .." (multiple instances of the same
parameter name) created multiple name=value entries with
the same parameter name. It now logs a warning and skips
the earlier update. Found during code maintenance. File:
postconf/postconf_edit.c.
- Bugfix (defect introduced: Postfix 3.3): the command "postconf
-M name1/type1='name2 type2 ...'" died with a segmentation
violation when the request matched multiple master.cf
entries. The master.cf file was not damaged. Problem reported
by SATOH Fumiyasu. File: postconf/postconf_master.c.
- Bugfix (defect introduced: Postfix 2.11): the command
"postconf -M name1/type1='name2 type2 ...'" could add a
service definition to master.cf that conflicted with an
already existing service definition. It now replaces all
existing service definitions that match the service pattern
'name1/type1' or the service name and type in 'name2 type2
...' with a single service definition 'name2 type2 ...'.
Problem reported by SATOH Fumiyasu. File: postconf/postconf_edit.c.
- Bitrot: preliminary support for OpenSSL configuration files,
primarily OpenSSL 1.1.1b and later. This introduces new
parameters "tls_config_file" and "tls_config_name", which
can be used to limit collateral damage from OS distributions
that crank up security to 11, increasing the number of
plaintext email deliveries. Details are in the postconf(5)
manpage under "tls_config_file" and "tls_config_name".
Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, posttls-finger/posttls-finger.c,
smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h,
tls/tls_misc.c, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
tlsproxy/tlsproxy.c.
- Cleanup: use TLS_CLIENT_PARAMS to pass the OpenSSL 'init'
configurations. This information is independent from the
client or server TLS context, and therefore does not belong
in tls_*_init() or tls_*_start() calls. The tlsproxy(8)
server uses TLS_CLIENT_PARAMS to report differences between
its own global TLS settings, and those from its clients.
Files: posttls-finger/posttls-finger.c, smtp/smtp.c,
smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
tls/tls_proxy.h, tlsproxy/tlsproxy.c.
- Cleanup: reverted cosmetic-only changes to minimize the
patch footprint for OpenSSL INI file support; updated daemon
manpages with the new tls_config_file and tls_config_name
configuration parameters. Files: smtp/smtp.c, smtpd/smtpd.c,
tls/tls_client.c, tls/tls.h, tls/tls_server.c, tlsproxy/tlsproxy.c.
- Cleanup: made OpenSSL 'default' INI file support error
handling consistent with OpenSSL default behavior. Viktor
Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c.
- Backwards compatibility for stable releases that originally
had no OpenSSL INI support. Skip the new OpenSSL INI support
code, unless the Postfix configuration actually specifies
non-default tls_config_xxx settings. File: tls/tls_misc.c.
- Cleanup: added a multiple initialization guard in the
tls_library_init() function, and made an initialization
error sticky. File: tls/tls_misc.c.
- Security: new parameter smtpd_forbid_unauth_pipelining
(default: no) to disconnect remote SMTP clients that violate
RFC 2920 (or 5321) command pipelining constraints. Files:
global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto.
* 3.5.21
- Bugfix (bug introduced: 20140218): when opportunistic TLS fails
during or after the handshake, don't require that a probe
message spent a minimum time-in-queue before falling back to
plaintext. Problem reported by Serg. File: smtp/smtp.h.
- Bugfix (defect introduced: 19980207): the valid_hostname()
check in the Postfix DNS client library was blocking unusual
but legitimate wildcard names (*.name) in some DNS lookup
results and lookup requests. Examples:
name             class/type  value
*.one.example    IN CNAME    *.other.example
*.other.example  IN A        10.0.0.1
*.other.example  IN TLSA     ..certificate info...
Such syntax is blessed in RFC 1034 section 4.3.3.
This problem was reported first in the context of TLSA
record lookups. Files: util/valid_hostname.[hc],
dns/dns_lookup.c.
* 3.5.22
- Bugfix (defect introduced Postfix 2.5, 20080104): the Postfix
SMTP server was waiting for a client command instead of
replying immediately, after a client certificate verification
error in TLS wrappermode. Reported by Andreas Kinzler. File:
smtpd/smtpd.c.
- Usability: the Postfix SMTP server now attempts to log the
SASL username after authentication failure. In Postfix
logging, this appends ", sasl_username=xxx" after the reason
for SASL authentication failure. The logging replaces an
unavailable reason with "(reason unavailable)", and replaces
an unavailable sasl_username with "(unavailable)". Based
on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c,
xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c.
- Bugfix (defect introduced: Postfix 2.11): in forward_path,
the expression ${recipient_delimiter} would expand to an
empty string when a recipient address had no recipient
delimiter. Fixed by restoring Postfix 2.10 behavior to use
a configured recipient delimiter value. Reported by Tod
A. Sandman. Files: proto/postconf.proto, local/local_expand.c.
* 3.5.23 (Closes: #1059230)
- Addresses CVE-2023-51764, requires configuration change
- Security: with "smtpd_forbid_bare_newline = yes" (default
"no" for Postfix < 3.9), reply with "Error: bare <LF>
received" and disconnect when an SMTP client sends a line
ending in <LF>, violating the RFC 5321 requirement that
lines must end in <CR><LF>. This prevents SMTP smuggling
attacks that target a recipient at a Postfix server. For
backwards compatibility, local clients are excluded by
default with "smtpd_forbid_bare_newline_exclusions =
$mynetworks". Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
.
[Scott Kitterman]
.
* Refresh patches
Checksums-Sha1:
Checksums-Sha256:
Files:
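As an added illustration of the smtpd_forbid_bare_newline behaviour described in the 3.5.23 entry (example code written for this page, not Postfix's own smtp_stream.c): the line reader below accepts only <CR><LF>-terminated lines from remote clients, replies with the bare <LF> error and signals a disconnect otherwise, and skips the check for clients inside an exclusion list modelled on the $mynetworks default. The 521 5.5.2 reply code, the exclusion networks and the sample client streams are assumptions constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Assumed reply; the changelog only gives the "Error: bare <LF> received" text.
BARE_LF_REPLY = b"521 5.5.2 Error: bare <LF> received\r\n"

# Stand-in for "smtpd_forbid_bare_newline_exclusions = $mynetworks" (assumed
# loopback-only mynetworks, as on a default Postfix install).
DEFAULT_EXCLUSIONS = [ipaddress.ip_network("127.0.0.0/8"),
                      ipaddress.ip_network("::1/128")]


def client_excluded(client_ip: str, exclusions) -> bool:
    """True when the client address falls inside any excluded network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in exclusions)


def scan_lines(data: bytes, client_ip: str, forbid_bare_newline: bool = True,
               exclusions=DEFAULT_EXCLUSIONS) -> Tuple[List[bytes], bytes, bool]:
    """Split a client byte stream into SMTP lines the way a strict server would.

    Returns (accepted_lines, reply, disconnect). Processing stops at the first
    line that ends in a bare <LF> when the check is in force for this client.
    """
    enforce = forbid_bare_newline and not client_excluded(client_ip, exclusions)
    accepted: List[bytes] = []
    start = 0
    while True:
        nl = data.find(b"\n", start)
        if nl < 0:  # no complete line left in the buffer
            break
        line = data[start:nl]
        start = nl + 1
        if line.endswith(b"\r"):
            accepted.append(line[:-1])  # proper <CR><LF> terminator
        elif enforce:
            return accepted, BARE_LF_REPLY, True  # reject and disconnect
        else:
            accepted.append(line)  # legacy behaviour: bare <LF> tolerated
    return accepted, b"", False


if __name__ == "__main__":
    # Constructed remote client stream whose second command ends in a bare LF.
    print(scan_lines(b"EHLO mx.example\r\nRCPT TO:<u@example>\n", "203.0.113.5"))
```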