Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package postfix for openSUSE:Factory checked in at 2023-12-28 22:55:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/postfix (Old) and /work/SRC/openSUSE:Factory/.postfix.new.28375 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "postfix" Thu Dec 28 22:55:13 2023 rev:231 rq:1135431 version:3.8.4 Changes: -------- --- /work/SRC/openSUSE:Factory/postfix/postfix.changes 2023-12-25 19:04:42.532188071 +0100 +++ /work/SRC/openSUSE:Factory/.postfix.new.28375/postfix.changes 2023-12-28 22:55:24.469163367 +0100 @@ -1,0 +2,8 @@ +Thu Dec 28 07:57:23 UTC 2023 - Dirk Müller <dmuel...@suse.com> + +- update default configuration to enable the long-term fix for + bsc#1218304, CVE-2023-51764, SMTP smuggling attack: + * smtpd_forbid_bare_newline = yes + * smtpd_forbid_bare_newline_exclusions = $mynetworks + +------------------------------------------------------------------- @@ -4 +12 @@ -- update to 3.8.4 +- update to 3.8.4 (bsc#1218304, CVE-2023-51764): @@ -8 +16 @@ - https://www.postfix.org/smtp-smuggling.html. + https://www.postfix.org/smtp-smuggling.html ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix-bdb.spec ++++++ --- /var/tmp/diff_new_pack.87m6ha/_old 2023-12-28 22:55:25.481200312 +0100 +++ /var/tmp/diff_new_pack.87m6ha/_new 2023-12-28 22:55:25.481200312 +0100 @@ -62,7 +62,7 @@ Version: 3.8.4 Release: 0 Summary: A fast, secure, and flexible mailer -License: IPL-1.0 OR EPL-2.0 +License: EPL-2.0 OR IPL-1.0 Group: Productivity/Networking/Email/Servers URL: http://www.postfix.org Source0: http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-%{version}.tar.gz @@ -108,8 +108,8 @@ Requires(pre): %fillup_prereq Requires(pre): permissions Conflicts: exim -Conflicts: sendmail Conflicts: postfix +Conflicts: sendmail Provides: smtp_daemon %{?systemd_ordering} %if %{with lmdb} 
@@ -128,14 +128,14 @@ %endif # /usr/lib/postfix/bin//post-install: line 667: ed: command not found Requires(pre): ed -Requires(preun): ed +Requires(preun):ed Requires(post): ed -Requires(postun): ed +Requires(postun):ed # /usr/sbin/config.postfix needs perl Requires(pre): perl -Requires(preun): perl +Requires(preun):perl Requires(post): perl -Requires(postun): perl +Requires(postun):perl %description Postfix aims to be an alternative to the widely-used sendmail program with bdb support @@ -395,6 +395,7 @@ %if 0%{?suse_version} >= 1330 %pre -f postfix.pre %else + %pre getent group postfix >/dev/null || groupadd -g %{pf_gid} -o -r postfix getent group maildrop >/dev/null || groupadd -g %{maildrop_gid} -o -r maildrop ++++++ postfix.spec ++++++ --- /var/tmp/diff_new_pack.87m6ha/_old 2023-12-28 22:55:25.525201918 +0100 +++ /var/tmp/diff_new_pack.87m6ha/_new 2023-12-28 22:55:25.529202064 +0100 @@ -49,7 +49,7 @@ Version: 3.8.4 Release: 0 Summary: A fast, secure, and flexible mailer -License: IPL-1.0 OR EPL-2.0 +License: EPL-2.0 OR IPL-1.0 Group: Productivity/Networking/Email/Servers URL: http://www.postfix.org Source0: http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-%{version}.tar.gz @@ -110,14 +110,14 @@ %endif # /usr/lib/postfix/bin//post-install: line 667: ed: command not found Requires(pre): /usr/bin/ed -Requires(preun): /usr/bin/ed +Requires(preun):/usr/bin/ed Requires(post): /usr/bin/ed -Requires(postun): /usr/bin/ed +Requires(postun):/usr/bin/ed # /usr/sbin/config.postfix needs perl Requires(pre): perl -Requires(preun): perl +Requires(preun):perl Requires(post): perl -Requires(postun): perl +Requires(postun):perl %description Postfix aims to be an alternative to the widely-used sendmail program. ++++++ postfix-main.cf.patch ++++++ --- /var/tmp/diff_new_pack.87m6ha/_old 2023-12-28 22:55:25.597204547 +0100 +++ /var/tmp/diff_new_pack.87m6ha/_new 2023-12-28 22:55:25.601204693 +0100 
@@ -1,5 +1,7 @@ ---- conf/main.cf.orig 2022-11-14 15:57:24.689108581 +0100 -+++ conf/main.cf 2022-11-14 16:02:33.255317483 +0100 +Index: conf/main.cf +=================================================================== +--- conf/main.cf.orig ++++ conf/main.cf @@ -285,7 +285,7 @@ unknown_local_recipient_reject_code = 55 # #mynetworks = 168.100.3.0/28, 127.0.0.0/8 @@ -48,7 +50,7 @@ # PARALLEL DELIVERY TO THE SAME DESTINATION # -@@ -682,4 +683,149 @@ sample_directory = +@@ -682,4 +683,155 @@ sample_directory = # readme_directory: The location of the Postfix README files. # readme_directory = @@ -105,6 +107,12 @@ + +smtpd_recipient_restrictions = + ++# mitigation for CVE-2023-51764 - SMTP smuggling attack ++# but allow local clients with non-standard SMTP implementations ++# such as netcat, fax machines, or load balancer health checks. ++# ++smtpd_forbid_bare_newline = yes ++smtpd_forbid_bare_newline_exclusions = $mynetworks + +############################################################ +# SASL stuff
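Review bot: The added `smtpd_forbid_bare_newline_exclusions = $mynetworks` line exempts every client in `$mynetworks` from the bare-newline check, while the comment above it describes these only as "local clients"; on a host where `$mynetworks` also covers a front-end relay, proxy or load balancer that hands over Internet mail, that traffic would skip the CVE-2023-51764 mitigation. I would extend the comment with something like `# NOTE: every client in $mynetworks is exempt; list only hosts that never forward mail from untrusted senders`. Because this changes only the shipped conf/main.cf, an existing installation that keeps its own main.cf presumably does not pick the setting up on upgrade (the compiled-in default in 3.8.4 is `no`), so it is worth confirming with `postconf smtpd_forbid_bare_newline` after updating. The hunk sits inside a larger block appended to main.cf that starts and ends outside it.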