-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Jan 2024 10:21:04 -0500
Source: postfix
Architecture: source
Version: 3.5.24-0+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: Scott Kitterman <scott@kitterman.com>
Changes:
 postfix (3.5.24-0+deb11u1) bullseye; urgency=medium
 .
   [Wietse Venema]
 .
   * 3.5.24
     - Security (outbound SMTP smuggling): with the default setting
       "cleanup_replace_stray_cr_lf = yes" Postfix will replace stray
       <CR> or <LF> characters in message content with a space
       character. This prevents Postfix from enabling outbound
       (remote) SMTP smuggling, and it also makes evaluation of
       Postfix-added DKIM etc. signatures independent from how a
       remote mail server handles stray <CR> or <LF> characters.
       Files: global/mail_params.h, cleanup/cleanup.c,
       cleanup/cleanup_message.c, mantools/postlink,
       proto/postconf.proto.
     - Security (inbound SMTP smuggling): with
       "smtpd_forbid_bare_newline = normalize" (default "no" for
       Postfix < 3.9), the Postfix SMTP server requires the standard
       End-of-DATA sequence <CR><LF>.<CR><LF>, and otherwise allows
       command or message content lines ending in the non-standard
       <LF>, processing them as if the client sent the standard
       <CR><LF>. The alternative setting, "smtpd_forbid_bare_newline =
       reject" will reject any command or message that contains a
       bare <LF>, and is more likely to cause problems with
       legitimate clients. For backwards compatibility, local clients
       are excluded by default with
       "smtpd_forbid_bare_newline_exclusions = $mynetworks".
       Files: mantools/postlink, proto/postconf.proto,
       global/mail_params.h, global/smtp_stream.c,
       global/smtp_stream.h, smtpd/smtpd.c, smtpd/smtpd_check.[hc].
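An added example, not part of the upload record or of Postfix: a small Python audit of main.cf text against the three parameters named in the changelog, using the defaults the changelog states (note that the inbound check stays "no" after this upgrade unless set explicitly). The function names and both sample configurations are constructed for illustration.

```python
# Added example: audit main.cf text for the settings named in the changelog.
# Defaults are the ones the changelog states for this 3.5.24 upload.
DEFAULTS = {
    "cleanup_replace_stray_cr_lf": "yes",
    "smtpd_forbid_bare_newline": "no",  # default "no" for Postfix < 3.9
    "smtpd_forbid_bare_newline_exclusions": "$mynetworks",
}

def parse_main_cf(text):
    """Parse main.cf syntax: '#' comment lines, 'name = value', and
    continuation lines that start with whitespace. The last setting wins."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and name:  # continuation of the previous value
            params[name] = (params[name] + " " + raw.strip()).strip()
        elif "=" in raw:
            name, value = (s.strip() for s in raw.split("=", 1))
            params[name] = value
    return params

def audit(text):
    """Return (effective settings, findings) for the three parameters."""
    explicit = {k: v for k, v in parse_main_cf(text).items() if k in DEFAULTS}
    eff = {**DEFAULTS, **explicit}
    findings = []
    inbound = eff["smtpd_forbid_bare_newline"].lower()
    excl = eff["smtpd_forbid_bare_newline_exclusions"]
    if inbound == "no":
        findings.append("inbound: smtpd_forbid_bare_newline is 'no'; "
                        "set it to normalize (or reject)")
    elif inbound not in ("normalize", "reject"):
        findings.append(f"inbound: value {inbound!r} is not described in "
                        "this changelog; check postconf(5)")
    if eff["cleanup_replace_stray_cr_lf"].lower() == "no":
        findings.append("outbound: cleanup_replace_stray_cr_lf is 'no'; "
                        "stray <CR>/<LF> are not replaced")
    if inbound != "no" and excl:
        findings.append(f"note: clients in {excl} are excluded from the check")
    return eff, findings

# Constructed sample: upgraded host with none of the parameters set.
SAMPLE_UNSET = "myhostname = mail.example.org\nmynetworks = 127.0.0.0/8\n"
# Constructed sample: explicit settings, one written with a continuation line.
SAMPLE_HARDENED = ("smtpd_forbid_bare_newline = normalize\n"
                   "smtpd_forbid_bare_newline_exclusions =\n    $mynetworks\n"
                   "cleanup_replace_stray_cr_lf = yes\n")
```

On a live host, the effective values to compare against come from `postconf`, which also resolves settings that main.cf leaves at their defaults.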