-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 06 Mar 2024 10:10:14 -0500
Source: postfix
Architecture: source
Version: 3.7.11-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: Scott Kitterman <scott@kitterman.com>
Changes:
 postfix (3.7.11-0+deb12u1) bookworm; urgency=medium
 .
   [Wietse Venema]
 .
   * 3.7.11
     - Bugfix (defect introduced: Postfix 2.3, date 20051222): the
       Dovecot auth client did not reset the 'reason' from a previous
       Dovecot auth service response, before parsing the next Dovecot
       auth server response in the same SMTP session. Reported by
       Stephan Bosch, File: xsasl/xsasl_dovecot_server.c.
     - Cleanup: Postfix SMTP server response with an empty
       authentication failure reason. File: smtpd/smtpd_sasl_glue.c.
     - Bugfix (defect introduced: Postfix 3.1, date: 20151128):
       "postqueue -j" produced broken JSON when escaping a control
       character as \uXXXX. Found during code maintenance. File:
       postqueue/showq_json.c.
     - Cleanup: posttls-finger certificate match expectations for all
       TLS security levels, including warnings for levels that don't
       implement certificate matching. Viktor Dukhovni. File:
       posttls-finger.c.
     - Bugfix (defect introduced: Postfix 2.3): after prepending a
       message header with a Postfix access table PREPEND action, a
       Milter request to delete or update an existing header could
       have no effect, or it could target the wrong instance of an
       existing header. Root cause: the fix dated 20141018 for the
       Postfix Milter client was incomplete. The client did correctly
       hide the first, Postfix-generated, Received: header when
       sending message header information to a Milter with the
       smfi_header() application callback function, but it was still
       hiding the first header (instead of the first Received: header)
       when handling requests from a Milter to delete or update an
       existing header. Problem report by Carlos Velasco. This change
       was verified to have no effect on requests from a Milter to add
       or insert a header. File: cleanup/cleanup_milter.c.
     - Workaround: tlsmgr logfile spam. Some OS lies under load: it
       says that a socket is readable, then it says that the socket
       has unread data, and then it says that read returns EOF,
       causing Postfix to spam the log with a warning message. File:
       tlsmgr/tlsmgr.c.
     - Bugfix (defect introduced: Postfix 3.4): the SMTP server's BDAT
       command handler could be tricked to read $message_size_limit
       bytes into memory. Found during code maintenance. File:
       smtpd/smtpd.c.
     - Performance: eliminate worst-case behavior where the queue
       manager defers delivery to all destinations over a specific
       delivery transport, after only a single delivery agent failure.
       The scheduler now throttles one destination, and allows
       deliveries to other destinations to keep making progress.
       Files: *qmgr/qmgr_deliver.c.
     - Safety: drop and log over-size DNS responses resulting in more
       than 100 records. This is 20x larger than the number of server
       addresses that the Postfix SMTP client is willing to consider
       when delivering mail, and is well below the number of records
       that could cause a tail recursion crash in dns_rr_append() as
       reported by Toshifumi Sakaguchi. This also limits the number of
       DNS requests from check_*_*_access restrictions. Files:
       dns/dns.h, dns/dns_lookup.c, dns/dns_rr.c,
       dns/test_dns_lookup.c, posttls-finger/posttls-finger.c,
       smtp/smtp_addr.c, smtpd/smtpd_check.c.