> Oh, and it will of course open a DB_CONFIG file in whatever happens
> to be the super-user's cwd when they invoke the postmap or postalias
> command, so this is not just a matter of set-gid Postfix commands.
>
> Although opening a DB_CONFIG file in the current directory is
> undocumented, there is prior art fixing Berkeley DB callers instead
> of Berkeley DB, for example the fix for nss_db (CVE-2010-0826).
>
> Having rolled a new release this Saturday, I can save people some
> time by rolling out another one today, based on the nss_db fix.
> No point reinventing this.

The dev release is postfix-3.3-20170611. I'll roll out stable releases
for 2.11 .. 3.2 after a cool-down period.

So far it passes limited tests with Berkeley DB 5.3 (Linux x86-64), and
Berkeley DB 4.7 and 6.0 (FreeBSD amd64).

Wietse