Bug#1059500: bullseye-pu: package postfix/3.5.18-0+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
This is another of the regular postfix maintenance updates. It
encompasses five upstream updates (3.5.19 - 3.5.23) because
life intervened and I got behind. This one is of particular importance/
urgency since it includes a new setting to address CVE-2023-51764.
[ Impact ]
Bugs remain unfixed, CVE-2023-51764 unresolved.
[ Tests ]
There is a high level autopkgtest.
[ Risks ]
Risks are low. These have all been released as part of upstream
maintenance and no regressions have been reported. There are no changes
in Debian packaging.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
* 3.5.19
- Portability: the EVP_get_digestbyname change broke OpenSSL
1.0.2 support. File: tls/tls.h.
- Bugfix (introduced: Postfix 3.4): the posttls-finger command
failed to detect that a connection was resumed in the case
that a server did not return a certificate. Viktor Dukhovni.
File: posttls-finger/posttls-finger.c.
- Workaround: OpenSSL 3.x EVP_get_cipherbyname() can return
lazily-bound handles. Postfix now checks that the expected
functionality will be available instead of failing later.
Fix by Viktor Dukhovni. File: tls/tls_server.c.
- Bugfix (introduced: Postfix 3.5): check_ccert_access did
not parse inline map specifications. Report and fix by Sean
Gallagher. File: global/map_search.c.
- Safety: the long form "{ name = value }" in import_environment
or export_environment is not documented, but accepted, and
it was stored in the process environment as the invalid
form "name = value", thus not setting or overriding an entry
for "name". This form is now stored as the expected
"name=value". Found during code maintenance. Also refined
the "missing attribute name" detection. Files: clean_env.c,
split_nameval.c.
- Bugfix (introduced: Postfix 3.2): the MySQL client could
return "not found" instead of "error" during the time that
all MySQL server connections were turned down after error.
Found during code maintenance. File: global/dict_mysql.c.
* 3.5.20
- Bugfix (defect introduced: Postfix 1.0): the command "postconf
.. name=v1 .. name=v2 .." (multiple instances of the same
parameter name) created multiple name=value entries with
the same parameter name. It now logs a warning and skips
the earlier update. Found during code maintenance. File:
postconf/postconf_edit.c
- Bugfix (defect introduced: Postfix 3.3): the command "postconf
-M name1/type1='name2 type2 ...'" died with a segmentation
violation when the request matched multiple master.cf
entries. The master.cf file was not damaged. Problem reported
by SATOH Fumiyasu. File: postconf/postconf_master.c.
- Bugfix (defect introduced: Postfix 2.11): the command
"postconf -M name1/type1='name2 type2 ...'" could add a
service definition to master.cf that conflicted with an
already existing service definition. It now replaces all
existing service definitions that match the service pattern
'name1/type1' or the service name and type in 'name2 type2
...' with a single service definition 'name2 type2 ...'.
Problem reported by SATOH Fumiyasu. File: postconf/postconf_edit.c.
- Bitrot: preliminary support for OpenSSL configuration files,
primarily OpenSSL 1.1.1b and later. This introduces new
parameters "tls_config_file" and "tls_config_name", which
can be used to limit collateral damage from OS distributions
that crank up security to 11, increasing the number of
plaintext email deliveries. Details are in the postconf(5)
manpage under "tls_config_file" and "tls_config_name".
Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, posttls-finger/posttls-finger.c,
smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h,
tls/tls_misc.c, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
tlsproxy/tlsproxy.c.
- Cleanup: use TLS_CLIENT_PARAMS to pass the OpenSSL 'init'
configurations. This information is independent from the
client or server TLS context, and therefore does not belong
in tls_*_init() or tls_*_start() calls. The tlsproxy(8)
server uses TLS_CLIENT_PARAMS to report differences between
its own global TLS settings, and those from its clients.
Files: posttls-finger/posttls-finger.c, smtp/smtp.c,
smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
tls/tls_proxy.h, tlsproxy/tlsproxy.c.
- Cleanup: reverted cosmetic-only changes to minimize the
patch footprint for OpenSSL INI file support; updated daemon
manpages with the new tls_config_file and tls_config_name
configuration parameters. Files: smtp/smtp.c, smtpd/smtpd.c,
tls/tls_client.c, tls/tls.h, tls/tls_server.c, tlsproxy/tlsproxy.c,
- Cleanup: made OpenSSL 'default' INI file support error
handling consistent with OpenSSL default behavior. Viktor
Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c.
- Backwards compatibility for stable releases that originally
had no OpenSSL INI support. Skip the new OpenSSL INI support
code, unless the Postfix configuration actually specifies
non-default tls_config_xxx settings. File: tls/tls_misc.c.
- Cleanup: added a multiple initialization guard in the
tls_library_init() function, and made an initialization
error sticky. File: tls/tls_misc.c.
- Security: new parameter smtpd_forbid_unauth_pipelining
(default: no) to disconnect remote SMTP clients that violate
RFC 2920 (or 5321) command pipelining constraints. Files:
global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto.
* 3.5.21
- Bugfix (bug introduced: 20140218): when opportunistic TLS fails
during or after the handshake, don't require that a probe
message spent a minimum time-in-queue before falling back to
plaintext. Problem reported by Serg. File: smtp/smtp.h.
- Bugfix (defect introduced: 19980207): the valid_hostname()
check in the Postfix DNS client library was blocking unusual
but legitimate wildcard names (*.name) in some DNS lookup
results and lookup requests. Examples:
    name             class/type  value
    *.one.example    IN CNAME    *.other.example
    *.other.example  IN A        10.0.0.1
    *.other.example  IN TLSA     ..certificate info...
Such syntax is blessed in RFC 1034 section 4.3.3.
This problem was reported first in the context of TLSA
record lookups. Files: util/valid_hostname.[hc],
dns/dns_lookup.c.
* 3.5.22
- Bugfix (defect introduced Postfix 2.5, 20080104): the Postfix
SMTP server was waiting for a client command instead of
replying immediately, after a client certificate verification
error in TLS wrappermode. Reported by Andreas Kinzler. File:
smtpd/smtpd.c.
- Usability: the Postfix SMTP server now attempts to log the
SASL username after authentication failure. In Postfix
logging, this appends ", sasl_username=xxx" after the reason
for SASL authentication failure. The logging replaces an
unavailable reason with "(reason unavailable)", and replaces
an unavailable sasl_username with "(unavailable)". Based
on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c,
xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c.
- Bugfix (defect introduced: Postfix 2.11): in forward_path,
the expression ${recipient_delimiter} would expand to an
empty string when a recipient address had no recipient
delimiter. Fixed by restoring Postfix 2.10 behavior to use
a configured recipient delimiter value. Reported by Tod
A. Sandman. Files: proto/postconf.proto, local/local_expand.c.
* 3.5.23 (Closes: #1059230)
- Addresses CVE-2023-51764, requires configuration change
- Security: with "smtpd_forbid_bare_newline = yes" (default
"no" for Postfix < 3.9), reply with "Error: bare <LF>
received" and disconnect when an SMTP client sends a line
ending in <LF>, violating the RFC 5321 requirement that
lines must end in <CR><LF>. This prevents SMTP smuggling
attacks that target a recipient at a Postfix server. For
backwards compatibility, local clients are excluded by
default with "smtpd_forbid_bare_newline_exclusions =
$mynetworks". Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
[ Other info ]
The bulk of the diff is documentation updates related to the documented
code changes. The actual code changes start ~ line 2100 in the diff.
The CVE fix requires a configuration change, which is not set by default
as it would likely break some configurations. We should be sure to
mention that in the SUA.
Scott K
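
Added example, not part of the original report and not Postfix's own code: a small Python model of the smtpd_forbid_bare_newline behaviour described in the 3.5.23 changelog entry. It is useful for checking captured SMTP input for bare <LF> line endings and for seeing which clients the default exclusion would let through. The function names, the sample byte strings and the MYNETWORKS list (a stand-in for $mynetworks) are assumptions made for the example.

```python
import ipaddress

# Reply text as quoted in the 3.5.23 changelog entry.
REJECT_REPLY = "Error: bare <LF> received"

def bare_lf_offsets(stream: bytes) -> list[int]:
    """Offsets of every <LF> that is not preceded by <CR> (RFC 5321 wants <CR><LF>)."""
    return [i for i, b in enumerate(stream)
            if b == 0x0A and (i == 0 or stream[i - 1] != 0x0D)]

def is_excluded(client_ip: str, exclusions: list[str]) -> bool:
    """True if the client falls inside one of the excluded networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in exclusions)

def smtpd_decision(client_ip: str, stream: bytes,
                   forbid_bare_newline: bool, exclusions: list[str]):
    """Model the outcome for one client; returns (action, offset of first bare LF)."""
    offsets = bare_lf_offsets(stream)
    if not offsets:
        return ("accept", None)
    if not forbid_bare_newline:
        # Default "no" before Postfix 3.9: the bare <LF> is tolerated.
        return ("accept-unsafe", offsets[0])
    if is_excluded(client_ip, exclusions):
        # Default exclusion is $mynetworks, so local clients are not rejected.
        return ("accept-excluded", offsets[0])
    return ("reject: " + REJECT_REPLY, offsets[0])

# Constructed sample input (not taken from real traffic).
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]   # hypothetical $mynetworks value
CLEAN = b"Subject: hi\r\n\r\nbody line\r\n.\r\n"
BARE = b"Subject: hi\r\n\r\nbody line\nnext line\r\n.\r\n"

if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.10"):
        for name, data in (("CLEAN", CLEAN), ("BARE", BARE)):
            print(ip, name, smtpd_decision(ip, data, True, MYNETWORKS))
```

A result of "accept-excluded" shows what the default exclusion leaves open: any client inside the excluded networks can still send bare <LF> line endings.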