Format: 1.8
Date: Sat, 21 Jan 2023 20:17:03 -0500
Source: postfix
Architecture: source
Version: 3.5.18-0+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: Scott Kitterman <scott@kitterman.com>
Changes:
 postfix (3.5.18-0+deb11u1) bullseye; urgency=medium
 .
   [Wietse Venema]
 .
   * 3.5.18
     - Bugfix (introduced: Postfix 2.2): the smtpd_proxy_client code
       mis-parsed the last XFORWARD attribute name in the SMTP server's
       EHLO response. The result was that the smtpd_proxy_client code
       failed to forward the IDENT attribute. Fix by Andreas Weigel.
       File: smtpd/smtpd_proxy.c.
 .
     - Portability: LINUX6 support. Files: makedefs, util/sys_defs.h.
 .
     - Workaround: OpenSSL 3.x EVP_get_digestbyname() can return lazily
       bound handles that may fail to work when one attempts to use
       them, because no provider search happens until one constructs an
       actual operation context. In sufficiently hostile configurations,
       Postfix could mistakenly believe that an algorithm is available,
       when in fact it is not. A similar workaround may be needed for
       EVP_get_cipherbyname(). Fix by Viktor Dukhovni. Files: tls/tls.h,
       tls/tls_dane.c, tls/tls_fprint.c, tls/tls_misc.c.
 .
     - Bugfix (introduced: Postfix 2.11): the checkok() macro in
       tls/tls_fprint.c evaluated its argument unconditionally; it
       should evaluate the argument only if there was no prior error.
       Found during code review. File: tls/tls_fprint.c.
 .
     - Foolproofing: postscreen segfault with
       postscreen_dnsbl_threshold < 1. It should reject such input with
       a fatal error instead. Discovered by Benny Pedersen. File:
       postscreen/postscreen.c.
 .
     - Bugfix (introduced: Postfix 2.7): the verify daemon logged a
       garbled cache name when terminating a cache scan in progress.
       Reported by Phil Biggs, fix by Viktor Dukhovni. File:
       util/dict_cache.c.
 .
     - Workaround: STRREF() macro to shut up compiler warnings for
       legitimate string comparison expressions. Back-ported from
       Postfix 3.6 and later. Files: util/stringops.h, flush/flush.c.
 .
     - Workaround for a breaking change in OpenSSL 3: always turn on
       SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages and
       missed opportunities for TLS session reuse. This is safe because
       the SMTP protocol implements application-level framing, and is
       therefore not affected by TLS truncation attacks. Fix by Viktor
       Dukhovni. Files: tls/tls.h, tls_client.c, tls/tls_server.c.