Module Name:    src
Committed By:   riz
Date:           Fri Jul 15 22:29:31 UTC 2011

Modified Files:
        src/external/ibm-public/postfix/dist [netbsd-5]: HISTORY
        src/external/ibm-public/postfix/dist/src/global [netbsd-5]:
            mail_version.h
        src/external/ibm-public/postfix/dist/src/smtpd [netbsd-5]:
            smtpd_sasl_proto.c

Log Message:
Pull up following revision(s) (requested by tron in ticket #1637):
external/ibm-public/postfix/dist/HISTORY                        patch
external/ibm-public/postfix/dist/src/global/mail_version.h      patch
external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_proto.c   patch

        Update Postfix to version 2.7.4. This update fixes the security
        vulnerability reported in CVE-2011-1720 which fortunately doesn't


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.2.2.5 -r1.1.1.2.2.6 \
    src/external/ibm-public/postfix/dist/HISTORY
cvs rdiff -u -r1.1.1.2.2.5 -r1.1.1.2.2.6 \
    src/external/ibm-public/postfix/dist/src/global/mail_version.h
cvs rdiff -u -r1.1.1.1.2.3 -r1.1.1.1.2.4 \
    src/external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_proto.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/ibm-public/postfix/dist/HISTORY
diff -u src/external/ibm-public/postfix/dist/HISTORY:1.1.1.2.2.5 src/external/ibm-public/postfix/dist/HISTORY:1.1.1.2.2.6
--- src/external/ibm-public/postfix/dist/HISTORY:1.1.1.2.2.5	Thu Mar 24 19:54:07 2011
+++ src/external/ibm-public/postfix/dist/HISTORY	Fri Jul 15 22:29:30 2011
@@ -15616,7 +15616,7 @@
 	for the "virtual:" transport to "/etc/postfix/virtual:".
 	Symptom reported by Christoph Anton Mitterer.
 
-20200102
+20100102
 
 	Workaround: don't report bogus Berkeley DB close errors as
 	fatal errors. All operations before close are already error
@@ -15884,3 +15884,10 @@
 
 	Portability: FreeBSD closefrom() support time window.  Sahil
 	Tandon.  File: util/sys_defs.h.
+
+20110414
+
+	Bugfix (introduced with Postfix SASL patch 20000314): don't
+	reuse a server SASL handle after authentication failure.
+	Problem reported by Thomas Jarosch of Intra2net AG. File:
+	smtpd/smtpd_proto.c.

Index: src/external/ibm-public/postfix/dist/src/global/mail_version.h
diff -u src/external/ibm-public/postfix/dist/src/global/mail_version.h:1.1.1.2.2.5 src/external/ibm-public/postfix/dist/src/global/mail_version.h:1.1.1.2.2.6
--- src/external/ibm-public/postfix/dist/src/global/mail_version.h:1.1.1.2.2.5	Thu Mar 24 19:54:07 2011
+++ src/external/ibm-public/postfix/dist/src/global/mail_version.h	Fri Jul 15 22:29:31 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: mail_version.h,v 1.1.1.2.2.5 2011/03/24 19:54:07 riz Exp $	*/
+/*	$NetBSD: mail_version.h,v 1.1.1.2.2.6 2011/07/15 22:29:31 riz Exp $	*/
 
 #ifndef _MAIL_VERSION_H_INCLUDED_
 #define _MAIL_VERSION_H_INCLUDED_
@@ -22,8 +22,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20110303"
-#define MAIL_VERSION_NUMBER	"2.7.3"
+#define MAIL_RELEASE_DATE	"20110509"
+#define MAIL_VERSION_NUMBER	"2.7.4"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE

Index: src/external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_proto.c
diff -u src/external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_proto.c:1.1.1.1.2.3 src/external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_proto.c:1.1.1.1.2.4
--- src/external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_proto.c:1.1.1.1.2.3	Fri Jan  7 01:24:14 2011
+++ src/external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_proto.c	Fri Jul 15 22:29:31 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: smtpd_sasl_proto.c,v 1.1.1.1.2.3 2011/01/07 01:24:14 riz Exp $	*/
+/*	$NetBSD: smtpd_sasl_proto.c,v 1.1.1.1.2.4 2011/07/15 22:29:31 riz Exp $	*/
 
 /*++
 /* NAME
@@ -186,6 +186,27 @@
 	return (-1);
     }
 
+    /* Don't reuse the SASL handle after authentication failure. */
+#ifndef SMTPD_FLAG_AUTH_USED
+#define SMTPD_FLAG_AUTH_USED	(1<<15)
+#endif
+#ifndef XSASL_TYPE_CYRUS 
+#define XSASL_TYPE_CYRUS	"cyrus"
+#endif
+    if (state->flags & SMTPD_FLAG_AUTH_USED) {
+	smtpd_sasl_deactivate(state);
+#ifdef USE_TLS
+	if (state->tls_context != 0)
+	    smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
+				var_smtpd_sasl_tls_opts);
+	else
+#endif
+	    smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
+				var_smtpd_sasl_opts);
+    } else if (strcmp(var_smtpd_sasl_type, XSASL_TYPE_CYRUS) == 0) {
+	state->flags |= SMTPD_FLAG_AUTH_USED;
+    }
+
     /*
      * All authentication failures shall be logged. The 5xx reply code from
      * the SASL authentication routine triggers tar-pit delays, which help to
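Review bot: The fallback `#define SMTPD_FLAG_AUTH_USED (1<<15)` sits inside the function body rather than beside the other SMTPD_FLAG_* definitions, so nothing in this hunk shows that bit 15 of `state->flags` is free on this branch. smtpd.h is not part of the diff; if another flag already uses that bit, the `state->flags & SMTPD_FLAG_AUTH_USED` test could misfire or the bit could be cleared by unrelated code, and the handle reset this fix relies on would become unreliable. Confirm the bit against smtpd.h and record the constraint next to the define, for example `/* local fallback for the single-file fix; bit 15 must stay unused in smtpd.h */`. The existing comment also understates what the code does: as far as the hunk shows, with the Cyrus type the flag is set on the first AUTH and every later AUTH in the session recreates the handle, so `/* Cyrus SASL: recreate the server handle on every AUTH after the first in a session. */` would match the behaviour. The enclosing function starts and ends outside the hunk.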
