Format: 1.8
Date: Sat, 09 Mar 2024 10:38:51 -0500
Source: postfix
Architecture: source
Version: 3.5.25-0+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: Scott Kitterman <scott@kitterman.com>
Changes:
 postfix (3.5.25-0+deb11u1) bullseye; urgency=medium
 .
   [Wietse Venema]
 .
   * 3.5.25
     - Bugfix (defect introduced: Postfix 2.3, date 20051222): the
       Dovecot auth client did not reset the 'reason' from a previous
       Dovecot auth service response, before parsing the next Dovecot
       auth server response in the same SMTP session. Reported by
       Stephan Bosch, File: xsasl/xsasl_dovecot_server.c.
     - Cleanup: Postfix SMTP server response with an empty
       authentication failure reason. File: smtpd/smtpd_sasl_glue.c.
     - Bugfix (defect introduced: Postfix 3.1, date: 20151128):
       "postqueue -j" produced broken JSON when escaping a control
       character as \uXXXX. Found during code maintenance. File:
       postqueue/showq_json.c.
     - Cleanup: posttls-finger certificate match expectations for
       all TLS security levels, including warnings for levels that
       don't implement certificate matching. Viktor Dukhovni. File:
       posttls-finger.c.
     - Bugfix (defect introduced: Postfix 2.3): after prepending a
       message header with a Postfix access table PREPEND action, a
       Milter request to delete or update an existing header could
       have no effect, or it could target the wrong instance of an
       existing header. Root cause: the fix dated 20141018 for the
       Postfix Milter client was incomplete. The client did correctly
       hide the first, Postfix-generated, Received: header when
       sending message header information to a Milter with the
       smfi_header() application callback function, but it was still
       hiding the first header (instead of the first Received:
       header) when handling requests from a Milter to delete or
       update an existing header. Problem report by Carlos Velasco.
       This change was verified to have no effect on requests from a
       Milter to add or insert a header. File:
       cleanup/cleanup_milter.c.
     - Workaround: tlsmgr logfile spam. Some OS lies under load: it
       says that a socket is readable, then it says that the socket
       has unread data, and then it says that read returns EOF,
       causing Postfix to spam the log with a warning message. File:
       tlsmgr/tlsmgr.c.
     - Bugfix (defect introduced: Postfix 3.4): the SMTP server's
       BDAT command handler could be tricked to read
       $message_size_limit bytes into memory. Found during code
       maintenance. File: smtpd/smtpd.c.
     - Performance: eliminate worst-case behavior where the queue
       manager defers delivery to all destinations over a specific
       delivery transport, after only a single delivery agent
       failure. The scheduler now throttles one destination, and
       allows deliveries to other destinations to keep making
       progress. Files: *qmgr/qmgr_deliver.c.
     - Safety: drop and log over-size DNS responses resulting in
       more than 100 records. This is 20x larger than the number of
       server addresses that the Postfix SMTP client is willing to
       consider when delivering mail, and is well below the number
       of records that could cause a tail recursion crash in
       dns_rr_append() as reported by Toshifumi Sakaguchi. This also
       limits the number of DNS requests from check_*_*_access
       restrictions. Files: dns/dns.h, dns/dns_lookup.c,
       dns/dns_rr.c, dns/test_dns_lookup.c,
       posttls-finger/posttls-finger.c, smtp/smtp_addr.c,
       smtpd/smtpd_check.c.