> Oh, and it will of course open a DB_CONFIG file in whatever happens
> to be the super-user's cwd when they invoke the postmap or postalias
> command, so this is not just a matter of set-gid Postfix commands.
> 
> Although opening a DB_CONFIG file in the current directory is
> undocumented, there is prior art fixing Berkeley DB callers instead
> of Berkeley DB, for example the fix for nss_db (CVE-2010-0826).
> 
> Having rolled a new release this Saturday, I can save people some
> time by rolling out another one today, based on the nss_db fix.
> No point reinventing this.

The dev release is postfix-3.3-20170611. I'll roll out stable
releases for 2.11 .. 3.2 after a cool-down period. So far it passes
limited tests with Berkeley DB 5.3 (Linux x86-64), and Berkeley DB
4.7 and 6.0 (FreeBSD amd64).

        Wietse
