Bug#1003293: buster-pu: package postfix/3.4.14-0+deb10u1

2022-03-21 Thread Scott Kitterman
On Saturday, March 19, 2022 12:42:32 PM EDT Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2022-01-07 at 13:01 -0500, Scott Kitterman wrote:
> > This is similar to #1003261 for bullseye, although there are fewer
> > Debian specific changes because most weren't applicable to or would
> > have been more invasive for buster.
> > 
> > I've put together my usual postfix post-release update.  Because I'm
> > behind, it's rather larger than usual.  Also, a number of packaging
> > bugs that apply to buster have been recently fixed in Bookworm, so the low
> 
> Please feel free to go ahead; sorry for the delay.

Uploaded.

Scott K



Bug#1003293: buster-pu: package postfix/3.4.14-0+deb10u1

2022-03-19 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2022-01-07 at 13:01 -0500, Scott Kitterman wrote:
> This is similar to #1003261 for bullseye, although there are fewer
> Debian specific changes because most weren't applicable to or would
> have been more invasive for buster.
> 
> I've put together my usual postfix post-release update.  Because I'm
> behind, it's rather larger than usual.  Also, a number of packaging
> bugs that apply to buster have been recently fixed in Bookworm, so the low
> 

Please feel free to go ahead; sorry for the delay.

Regards,

Adam



Bug#1003293: buster-pu: package postfix/3.4.14-0+deb10u1

2022-01-07 Thread Scott Kitterman
Debdiff attached.

Scott K

diff -Nru postfix-3.4.14/debian/changelog postfix-3.4.23/debian/changelog
--- postfix-3.4.14/debian/changelog	2020-06-29 21:33:31.0 -0400
+++ postfix-3.4.23/debian/changelog	2022-01-07 11:04:17.0 -0500
@@ -1,3 +1,247 @@
+postfix (3.4.23-0+deb10u1) buster; urgency=medium
+
+  [Scott Kitterman]
+
+  * Refresh patches
+  * Update d/p/70_postfix-check.diff to exclude makedefs.out from synlink
+check.  Closes: #926331
+  * Do not override user set default_transport in postinst.  Closes: #988538
+  * Remove left-over ca-certificates.crt file from postfix chroot. 
+Closes: #991609
+  * Add information about keeping resolv.conf up to date in the chroot with
+the resolvconf package.  Closes: #964762
+
+  [Sergio Gelato]
+
+  * Correct if-up.d to not error out if postfix can't send mail yet. 
+Closes: #959864
+
+  [Paride Legovini]
+
+  * d/postfix.postinst: tolerate search domain with a leading dot. 
+Closes: #991950
+
+  [Wietse Venema]
+
+  * 3.4.15
+- Bugfix (introduced: Postfix 3.0): minor memory leaks in the
+  Postfix TLS library, found during tests. File: tls/tls_misc.c.
+
+- Bugfix (introduced: Postfix 3.0): 4kbyte per session memory
+  leak in the Postfix TLS library, found during tests. File:
+  tls/tls_misc.c.
+
+- Workaround for distros that override Postfix protocol
+  settings in a system-wide OpenSSL configuration file, causing
+  interoperability problems after an OS update. File:
+  tls/tls_client.c, tls/tls_server.c.
+
+  * 3.4.16
+- Bugfix (introduced: Postfix 3.4.15): part of a memory leak
+  fix was backported to the wrong place. File: tls/tls_misc.c.
+
+- The Postfix 3.4.15 workaround did not explictly override
+  the system-wide OpenSSL configuration of allowed TLS protocol
+  versions, for sessions where the remote SMTP client sends
+  SNI. It's better to be safe than sorry. File: tls/tls_server.c.
+
+  * 3.4.17
+- Bugfix (introduced: Postfix 3.4, already fixed in Postfix
+  3.6): tlsproxy(8) was using the wrong DANE macro for
+  connections with DANE trust anchors or with non-DANE trust
+  anchors (WTF: Thorsten Habich found this bug in the use
+  case that has nothing to do with DANE). This resulted in a
+  global certificate verify function pointer race, between
+  TLS handshakes that use TLS trust achors and handshakes
+  that use PKI. No memory was corrupted in the course of all
+  this.  Viktor Dukhovni. File: tlsproxy/tlsproxy.c.
+
+- Cleanup: the posttls-finger '-X' option reported a false
+  conflict with '-r'.  File: posttls-finger/posttls-finger.c.
+
+  * 3.4.18
+- Bugfix (introduced: Postfix 2.0): smtp_sasl_mechanism_filter
+  ignored table lookup errors, treating them as 'not found'.
+  Found during Postfix 3.6 development. File: smtp/smtp_sasl_proto.c.
+
+- Bugfix (introduced: Postfix 2.3): when deleting a recipient
+  with a milter, delete the recipient from the duplicate
+  filter, so that the recipient can be added back. Backported
+  from Postfix 3.6. Files: global/been_here.[hc],
+  cleanup/cleanup_milter.c.
+
+- Bugfix (introduced: before Postfix alpha): the code that
+  looks for Delivered-To: headers ignored headers longer than
+  $line_length_limit. Backported from Postfix 3.6. File:
+  global/delivered_hdr.c.
+
+- Bugfix (introduced: Postfix 2.8): save a copy of the
+  postscreen_dnsbl_reply_map lookup result. This has no effect
+  when the recommended texthash: look table is used, but it
+  may avoid stale data with other lookup tables. File:
+  postscreen/postscreen_dnsbl.c.
+
+- Bugfix (introduced: Postfix 2.2): after processing an
+  XCCLIENT command, the smtps service was waiting for a TLS
+  handshake. Found by Aki Tuomi. File: smtpd/smtpd.c.
+
+- Bugfix (introduced: Postfix 2.3): static maps did not free
+  their casefolding buffer. File: util/dict_static.c.
+
+  * 3.4.19
+- Feature: when a Postfix program makes a DNS query that
+  requests DNSSEC validation (usually for Postfix DANE support)
+  but the DNS response is not DNSSEC validated, Postfix will
+  send a DNS query configured with the "dnssec_probe" parameter
+  to determine if DNSSEC support is available, and logs a
+  warning if it is not. By default, the probe has type "ns"
+  and domain name ".". The probe is sent once per process
+  lifetime. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_sec.c,
+  test_dns_lookup.c, global/mail_params.[hc], mantools/postlink.
+
+- The default "smtp_tls_dane_insecure_mx_policy = dane" was
+  causing unnecessary dnssec_probe activity. The default is now
+  "dane" when smtp_tls_security_level is "dane", otherwise it is
+  "may". File: global/mail_params.h.
+
+  * 3.4.20
+- Missing null pointer checks (introduced: Postfix 3.4) after
+  an internal I/O error 
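
Review bot: the 3.4.19 entry changes the default of smtp_tls_dane_insecure_mx_policy (now "dane" only when smtp_tls_security_level is "dane", otherwise "may") and adds the dnssec_probe query with its new warning, which are behaviour changes rather than bug fixes in a stable update; consider calling them out in the Debian-specific part of the entry or in a NEWS item so administrators who relied on the old default notice. Separately, "synlink check" in the d/p/70_postfix-check.diff item should read "symlink check"; "explictly" (3.4.16), "achors" (3.4.17) and "XCCLIENT" (3.4.18) look like typos; and the lines ending "chroot.", "yet." and "dot." before their Closes: tags carry trailing whitespace.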

Bug#1003293: buster-pu: package postfix/3.4.14-0+deb10u1

2022-01-07 Thread Scott Kitterman
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

This is similar to #1003261 for bullseye, although there are fewer
Debian specific changes because most weren't applicable to or would have
been more invasive for buster.

I've put together my usual postfix post-release update.  Because I'm
behind, it's rather larger than usual.  Also, a number of packaging bugs
that apply to buster have been recently fixed in Bookworm, so the low
risk changes there have been backported too.

The diff is rather large, so I don't include it in the original bug
report to increase the chances this makes it to the mailing list.

Also, as usual, I have this update ready to upload and running in
production locally.

Here is the debian/changelog entry for this update:

postfix (3.4.23-0+deb10u1) buster; urgency=medium

  [Scott Kitterman]

  * Refresh patches
  * Update d/p/70_postfix-check.diff to exclude makedefs.out from symlink
    check.  Closes: #926331
  * Do not override user set default_transport in postinst.  Closes: #988538
  * Remove left-over ca-certificates.crt file from postfix chroot.
    Closes: #991609
  * Add information about keeping resolv.conf up to date in the chroot with
    the resolvconf package.  Closes: #964762

  [Sergio Gelato]

  * Correct if-up.d to not error out if postfix can't send mail yet.
    Closes: #959864

  [Paride Legovini]

  * d/postfix.postinst: tolerate search domain with a leading dot.
    Closes: #991950

  [Wietse Venema]

  * 3.4.15
    - Bugfix (introduced: Postfix 3.0): minor memory leaks in the
      Postfix TLS library, found during tests. File: tls/tls_misc.c.

    - Bugfix (introduced: Postfix 3.0): 4kbyte per session memory
      leak in the Postfix TLS library, found during tests. File:
      tls/tls_misc.c.

    - Workaround for distros that override Postfix protocol
      settings in a system-wide OpenSSL configuration file, causing
      interoperability problems after an OS update. File:
      tls/tls_client.c, tls/tls_server.c.

  * 3.4.16
    - Bugfix (introduced: Postfix 3.4.15): part of a memory leak
      fix was backported to the wrong place. File: tls/tls_misc.c.

    - The Postfix 3.4.15 workaround did not explicitly override
      the system-wide OpenSSL configuration of allowed TLS protocol
      versions, for sessions where the remote SMTP client sends
      SNI. It's better to be safe than sorry. File: tls/tls_server.c.

  * 3.4.17
    - Bugfix (introduced: Postfix 3.4, already fixed in Postfix
      3.6): tlsproxy(8) was using the wrong DANE macro for
      connections with DANE trust anchors or with non-DANE trust
      anchors (WTF: Thorsten Habich found this bug in the use
      case that has nothing to do with DANE). This resulted in a
      global certificate verify function pointer race, between
      TLS handshakes that use TLS trust anchors and handshakes
      that use PKI. No memory was corrupted in the course of all
      this.  Viktor Dukhovni. File: tlsproxy/tlsproxy.c.

    - Cleanup: the posttls-finger '-X' option reported a false
      conflict with '-r'.  File: posttls-finger/posttls-finger.c.

  * 3.4.18
    - Bugfix (introduced: Postfix 2.0): smtp_sasl_mechanism_filter
      ignored table lookup errors, treating them as 'not found'.
      Found during Postfix 3.6 development. File: smtp/smtp_sasl_proto.c.

    - Bugfix (introduced: Postfix 2.3): when deleting a recipient
      with a milter, delete the recipient from the duplicate
      filter, so that the recipient can be added back. Backported
      from Postfix 3.6. Files: global/been_here.[hc],
      cleanup/cleanup_milter.c.

    - Bugfix (introduced: before Postfix alpha): the code that
      looks for Delivered-To: headers ignored headers longer than
      $line_length_limit. Backported from Postfix 3.6. File:
      global/delivered_hdr.c.

    - Bugfix (introduced: Postfix 2.8): save a copy of the
      postscreen_dnsbl_reply_map lookup result. This has no effect
      when the recommended texthash: lookup table is used, but it
      may avoid stale data with other lookup tables. File:
      postscreen/postscreen_dnsbl.c.

    - Bugfix (introduced: Postfix 2.2): after processing an
      XCLIENT command, the smtps service was waiting for a TLS
      handshake. Found by Aki Tuomi. File: smtpd/smtpd.c.

    - Bugfix (introduced: Postfix 2.3): static maps did not free
      their casefolding buffer. File: util/dict_static.c.

  * 3.4.19
    - Feature: when a Postfix program makes a DNS query that
      requests DNSSEC validation (usually for Postfix DANE support)
      but the DNS response is not DNSSEC validated, Postfix will
      send a DNS query configured with the "dnssec_probe" parameter
      to determine if DNSSEC support is available, and logs a
      warning if it is not. By default, the probe has type "ns"
      and domain name ".". The probe is sent once per process
      lifetime. Files: dns/dns.h,