Publishing details

Changelog

postfix (3.5.18-0+deb11u1) bullseye; urgency=medium

  [Wietse Venema]

  * 3.5.18
    - Bugfix (introduced: Postfix 2.2): the smtpd_proxy_client
      code mis-parsed the last XFORWARD attribute name in the
      SMTP server's EHLO response. The result was that the
      smtpd_proxy_client code failed to forward the IDENT attribute.
      Fix by Andreas Weigel. File: smtpd/smtpd_proxy.c.

    - Portability: LINUX6 support. Files: makedefs, util/sys_defs.h.

    - Workaround: OpenSSL 3.x EVP_get_digestbyname() can return
      lazily bound handles that may fail to work when one attempts
      to use them, because no provider search happens until one
      constructs an actual operation context. In sufficiently
      hostile configurations, Postfix could mistakenly believe
      that an algorithm is available, when in fact it is not. A
      similar workaround may be needed for EVP_get_cipherbyname().
      Fix by Viktor Dukhovni. Files: tls/tls.h, tls/tls_dane.c,
      tls/tls_fprint.c, tls/tls_misc.c.

    - Bugfix (introduced: Postfix 2.11): the checkok() macro in
      tls/tls_fprint.c evaluated its argument unconditionally;
      it should evaluate the argument only if there was no prior
      error. Found during code review. File: tls/tls_fprint.c.
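The following is an added illustration of the bug class named in that entry, not Postfix's own checkok() macro: a "continue only while everything so far succeeded" macro must not evaluate its argument once a prior step has failed, because that argument is typically a further library call whose preconditions no longer hold. The `step()` helper and both macro names are constructed for this example.

```c
#include <stdio.h>

/* Constructed example: counts how many pipeline steps actually execute
 * under a buggy and a fixed "check-ok" macro. Not Postfix code. */

static int calls;               /* how many times step() really ran */

/* Hypothetical step: records that it was invoked, returns 1 = ok, 0 = error. */
static int step(int succeed)
{
    calls++;
    return succeed;
}

/* Buggy form: (stillok) is evaluated before ok is consulted, so the step
 * runs even after an earlier failure (e.g. updating a digest context that
 * was never successfully initialised). */
#define CHECKOK_BUGGY(ok, stillok) ((ok) = (stillok) && (ok))

/* Fixed form: && short-circuits, so (stillok) is evaluated only while
 * ok is still true; the first error stops all later steps. */
#define CHECKOK_FIXED(ok, stillok) ((ok) = (ok) && (stillok))

/* Three steps, the second of which fails; returns the number executed. */
int run_buggy(void)
{
    int ok = 1;
    calls = 0;
    CHECKOK_BUGGY(ok, step(1));
    CHECKOK_BUGGY(ok, step(0));   /* error occurs here */
    CHECKOK_BUGGY(ok, step(1));   /* still executed: the bug */
    return calls;                 /* 3 */
}

int run_fixed(void)
{
    int ok = 1;
    calls = 0;
    CHECKOK_FIXED(ok, step(1));
    CHECKOK_FIXED(ok, step(0));   /* error occurs here */
    CHECKOK_FIXED(ok, step(1));   /* skipped because ok == 0 */
    return calls;                 /* 2 */
}

int main(void)
{
    printf("buggy: %d steps ran, fixed: %d steps ran\n",
           run_buggy(), run_fixed());
    return 0;
}
```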

    - Foolproofing: postscreen segfault with postscreen_dnsbl_threshold
      < 1. It should reject such input with a fatal error instead.
      Discovered by Benny Pedersen. File: postscreen/postscreen.c.

    - Bugfix (introduced: Postfix 2.7): the verify daemon logged
      a garbled cache name when terminating a cache scan in
      progress. Reported by Phil Biggs, fix by Viktor Dukhovni.
      File: util/dict_cache.c.

    - Workaround: STRREF() macro to shut up compiler warnings for
      legitimate string comparison expressions. Back-ported from
      Postfix 3.6 and later. Files: util/stringops.h, flush/flush.c.

    - Workaround for a breaking change in OpenSSL 3: always turn
      on SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages
      and missed opportunities for TLS session reuse. This is
      safe because the SMTP protocol implements application-level
      framing, and is therefore not affected by TLS truncation
      attacks. Fix by Viktor Dukhovni. Files: tls/tls.h, tls_client.c,
      tls/tls_server.c.

 -- Scott Kitterman <email address hidden>  Sat, 21 Jan 2023 20:17:03 -0500
