[This this announcement will be available at
https://www.postfix.org/announcements/postfix-3.7.4.html]
Fixed in Postfix 3.7, 3.6, 3.5, 3.4:
* Workaround: with OpenSSL 3 and later always turn on
SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages and missed
opportunities for TLS session reuse. This is safe because the SMTP
protocol implements application-level framing, and is therefore not
affected by TLS truncation attacks. Fix by Viktor Dukhovni.
* Workaround: OpenSSL 3.x EVP_get_digestbyname() can return
lazily-bound handles for digest implementations. In sufficiently
hostile configurations, Postfix could mistakenly believe that a digest
algorithm is available, and fail when it is not. A similar workaround
may be needed for EVP_get_cipherbyname(). Fix by Viktor Dukhovni.
* Bugfix (bug introduced in Postfix 2.11): the checkok() macro in
tls/tls_fprint.c evaluated its argument unconditionally; it should
evaluate the argument only if there was no prior error. Found during
code review.
* Bugfix (bug introduced in Postfix 2.8): postscreen died with a
segmentation violation when postscreen_dnsbl_threshold < 1. It
should reject such input with a fatal error instead. Discovered by
Benny Pedersen.
* Bitrot: fixes for linker warnings from newer Darwin (MacOS)
versions. Viktor Dukhovni.
* Portability: Linux 6 support.
Fixed in Postfix 3.4, 3.5:
* Workaround: shut up compiler warnings for legitimate string comparison
expressions. Back-ported from Postfix 3.6.
Fixed in Postfix 3.7:
* Added missing documentation that cidr:, pcre: and regexp: tables
support inline specification only in Postfix 3.7 and later.
You can find the updated Postfix source code at the mirrors listed at
https://www.postfix.org/.
Wietse
