Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
This is another of the regular postfix maintenance updates. It encompasses five upstream updates (3.5.19 - 3.5.23) because life intervened and I got behind. This one is of particular importance/urgency since it includes a new setting to address CVE-2023-51764.

[ Impact ]
Bugs remain unfixed, CVE-2023-51764 unresolved.

[ Tests ]
There is a high level autopkgtest.

[ Risks ]
Risks are low. These have all been released as part of upstream maintenance and no regressions have been reported. There are no changes in Debian packaging.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
  * 3.5.19
    - Portability: the EVP_get_digestbyname change broke OpenSSL 1.0.2 support. File: tls/tls.h.
    - Bugfix (introduced: Postfix 3.4): the posttls-finger command failed to detect that a connection was resumed in the case that a server did not return a certificate. Viktor Dukhovni. File: posttls-finger/posttls-finger.c.
    - Workaround: OpenSSL 3.x EVP_get_cipherbyname() can return lazily-bound handles. Postfix now checks that the expected functionality will be available instead of failing later. Fix by Viktor Dukhovni. File: tls/tls_server.c.
    - Bugfix (introduced: Postfix 3.5): check_ccert_access did not parse inline map specifications. Report and fix by Sean Gallagher. File: global/map_search.c.
    - Safety: the long form "{ name = value }" in import_environment or export_environment is not documented, but accepted, and it was stored in the process environment as the invalid form "name = value", thus not setting or overriding an entry for "name". This form is now stored as the expected "name=value". Found during code maintenance. Also refined the "missing attribute name" detection. Files: clean_env.c, split_nameval.c.
    - Bugfix (introduced: Postfix 3.2): the MySQL client could return "not found" instead of "error" during the time that all MySQL server connections were turned down after error. Found during code maintenance. File: global/dict_mysql.c.
  * 3.5.20
    - Bugfix (defect introduced: Postfix 1.0): the command "postconf .. name=v1 .. name=v2 .." (multiple instances of the same parameter name) created multiple name=value entries with the same parameter name. It now logs a warning and skips the earlier update. Found during code maintenance. File: postconf/postconf_edit.c
    - Bugfix (defect introduced: Postfix 3.3): the command "postconf -M name1/type1='name2 type2 ...'" died with a segmentation violation when the request matched multiple master.cf entries. The master.cf file was not damaged. Problem reported by SATOH Fumiyasu. File: postconf/postconf_master.c.
    - Bugfix (defect introduced: Postfix 2.11): the command "postconf -M name1/type1='name2 type2 ...'" could add a service definition to master.cf that conflicted with an already existing service definition. It now replaces all existing service definitions that match the service pattern 'name1/type1' or the service name and type in 'name2 type2 ...' with a single service definition 'name2 type2 ...'. Problem reported by SATOH Fumiyasu. File: postconf/postconf_edit.c.
    - Bitrot: preliminary support for OpenSSL configuration files, primarily OpenSSL 1.1.1b and later. This introduces new parameters "tls_config_file" and "tls_config_name", which can be used to limit collateral damage from OS distributions that crank up security to 11, increasing the number of plaintext email deliveries. Details are in the postconf(5) manpage under "tls_config_file" and "tls_config_name". Viktor Dukhovni.
      Files: mantools/postlink, proto/postconf.proto, global/mail_params.h, posttls-finger/posttls-finger.c, smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h, tls/tls_misc.c, tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c, tlsproxy/tlsproxy.c.
    - Cleanup: use TLS_CLIENT_PARAMS to pass the OpenSSL 'init' configurations. This information is independent from the client or server TLS context, and therefore does not belong in tls_*_init() or tls_*_start() calls. The tlsproxy(8) server uses TLS_CLIENT_PARAMS to report differences between its own global TLS settings, and those from its clients. Files: posttls-finger/posttls-finger.c, smtp/smtp.c, smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c, tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tlsproxy/tlsproxy.c.
    - Cleanup: reverted cosmetic-only changes to minimize the patch footprint for OpenSSL INI file support; updated daemon manpages with the new tls_config_file and tls_config_name configuration parameters. Files: smtp/smtp.c, smtpd/smtpd.c, tls/tls_client.c, tls/tls.h, tls/tls_server.c, tlsproxy/tlsproxy.c,
    - Cleanup: made OpenSSL 'default' INI file support error handling consistent with OpenSSL default behavior. Viktor Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c.
    - Backwards compatibility for stable releases that originally had no OpenSSL INI support. Skip the new OpenSSL INI support code, unless the Postfix configuration actually specifies non-default tls_config_xxx settings. File: tls/tls_misc.c.
    - Cleanup: added a multiple initialization guard in the tls_library_init() function, and made an initialization error sticky. File: tls/tls_misc.c.
    - Security: new parameter smtpd_forbid_unauth_pipelining (default: no) to disconnect remote SMTP clients that violate RFC 2920 (or 5321) command pipelining constraints. Files: global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto.
  * 3.5.21
    - Bugfix (bug introduced: 20140218): when opportunistic TLS fails during or after the handshake, don't require that a probe message spent a minimum time-in-queue before falling back to plaintext. Problem reported by Serg. File: smtp/smtp.h.
    - Bugfix (defect introduced: 19980207): the valid_hostname() check in the Postfix DNS client library was blocking unusual but legitimate wildcard names (*.name) in some DNS lookup results and lookup requests. Examples:

        name             class/type  value
        *.one.example    IN CNAME    *.other.example
        *.other.example  IN A        10.0.0.1
        *.other.example  IN TLSA     ..certificate info...

      Such syntax is blessed in RFC 1034 section 4.3.3. This problem was reported first in the context of TLSA record lookups. Files: util/valid_hostname.[hc], dns/dns_lookup.c.
  * 3.5.22
    - Bugfix (defect introduced Postfix 2.5, 20080104): the Postfix SMTP server was waiting for a client command instead of replying immediately, after a client certificate verification error in TLS wrappermode. Reported by Andreas Kinzler. File: smtpd/smtpd.c.
    - Usability: the Postfix SMTP server now attempts to log the SASL username after authentication failure. In Postfix logging, this appends ", sasl_username=xxx" after the reason for SASL authentication failure. The logging replaces an unavailable reason with "(reason unavailable)", and replaces an unavailable sasl_username with "(unavailable)". Based on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c, xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c.
    - Bugfix (defect introduced: Postfix 2.11): in forward_path, the expression ${recipient_delimiter} would expand to an empty string when a recipient address had no recipient delimiter. Fixed by restoring Postfix 2.10 behavior to use a configured recipient delimiter value. Reported by Tod A. Sandman. Files: proto/postconf.proto, local/local_expand.c.
  * 3.5.23 (Closes: #1059230)
    - Addresses CVE-2023-51764, requires configuration change
    - Security: with "smtpd_forbid_bare_newline = yes" (default "no" for Postfix < 3.9), reply with "Error: bare <LF> received" and disconnect when an SMTP client sends a line ending in <LF>, violating the RFC 5321 requirement that lines must end in <CR><LF>. This prevents SMTP smuggling attacks that target a recipient at a Postfix server. For backwards compatibility, local clients are excluded by default with "smtpd_forbid_bare_newline_exclusions = $mynetworks". Files: mantools/postlink, proto/postconf.proto, global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,

[ Other info ]
The bulk of the diff is documentation updates related to the documented code changes. The actual code changes start ~ line 2100 in the diff.

The CVE fix requires a configuration change, which is not set by default as it would likely break some configurations. We should be sure to mention that in the SUA.

Scott K
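
Added example, not part of the original message and not Postfix code: a small Python model of the smtpd_forbid_bare_newline decision as the 3.5.23 changelog entry describes it (bare <LF> detection, the $mynetworks exclusion, the quoted reply). The function names, the sample bytes and the network list are assumptions made for illustration.

```python
import ipaddress

# Reply text as quoted in the 3.5.23 changelog entry; the rest is illustrative.
BARE_LF_REPLY = "Error: bare <LF> received"

# Constructed sample input: line 2 ends in a bare <LF>, lines 1 and 3 in <CR><LF>.
SAMPLE = b"Subject: weekly report\r\nX-Note: constructed sample\nBody line\r\n"
# Constructed stand-in for the expanded value of $mynetworks.
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]


def find_bare_lf(stream):
    """Return 1-based numbers of lines ending in <LF> not preceded by <CR>."""
    lines = stream.split(b"\n")[:-1]  # drop the unterminated remainder
    return [n for n, line in enumerate(lines, 1) if not line.endswith(b"\r")]


def is_excluded(client_ip, exclusions):
    """True when client_ip lies inside one of the excluded CIDR networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in exclusions)


def model_verdict(client_ip, stream, forbid_bare_newline, exclusions):
    """Return (action, reply, offending_lines) for one client's input."""
    bad = find_bare_lf(stream)
    if not bad or not forbid_bare_newline or is_excluded(client_ip, exclusions):
        return ("accept", None, bad)
    return ("disconnect", BARE_LF_REPLY, bad)


if __name__ == "__main__":
    for ip, forbid in [("198.51.100.7", True), ("192.0.2.10", True),
                       ("198.51.100.7", False)]:
        print(ip, forbid, model_verdict(ip, SAMPLE, forbid, MYNETWORKS))
```

An "accept" verdict that still lists offending lines marks input that gets through only because the setting is off or the client is in the exclusion list, which is the case the configuration change is meant to close.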