Module Name: src Committed By: riz Date: Fri Jul 15 22:29:31 UTC 2011
Modified Files: src/external/ibm-public/postfix/dist [netbsd-5]: HISTORY src/external/ibm-public/postfix/dist/src/global [netbsd-5]: mail_version.h src/external/ibm-public/postfix/dist/src/smtpd [netbsd-5]: smtpd_sasl_proto.c Log Message: Pull up following revision(s) (requested by tron in ticket #1637): external/ibm-public/postfix/dist/HISTORY patch external/ibm-public/postfix/dist/src/global/mail_version.h patch external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_proto.c patch Update Postfix to version 2.7.4. This update fixes the security vulnerability reported in CVE-2011-1720 which fortunately doesnt To generate a diff of this commit: cvs rdiff -u -r1.1.1.2.2.5 -r1.1.1.2.2.6 \ src/external/ibm-public/postfix/dist/HISTORY cvs rdiff -u -r1.1.1.2.2.5 -r1.1.1.2.2.6 \ src/external/ibm-public/postfix/dist/src/global/mail_version.h cvs rdiff -u -r1.1.1.1.2.3 -r1.1.1.1.2.4 \ src/external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_proto.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/external/ibm-public/postfix/dist/HISTORY diff -u src/external/ibm-public/postfix/dist/HISTORY:1.1.1.2.2.5 src/external/ibm-public/postfix/dist/HISTORY:1.1.1.2.2.6 --- src/external/ibm-public/postfix/dist/HISTORY:1.1.1.2.2.5 Thu Mar 24 19:54:07 2011 +++ src/external/ibm-public/postfix/dist/HISTORY Fri Jul 15 22:29:30 2011 @@ -15616,7 +15616,7 @@ for the "virtual:" transport to "/etc/postfix/virtual:". Symptom reported by Christoph Anton Mitterer. -20200102 +20100102 Workaround: don't report bogus Berkeley DB close errors as fatal errors. All operations before close are already error @@ -15884,3 +15884,10 @@ Portability: FreeBSD closefrom() support time window. Sahil Tandon. File: util/sys_defs.h. + +20110414 + + Bugfix (introduced with Postfix SASL patch 20000314): don't + reuse a server SASL handle after authentication failure. + Problem reported by Thomas Jarosch of Intra2net AG. File: + smtpd/smtpd_proto.c. Index: src/external/ibm-public/postfix/dist/src/global/mail_version.h diff -u src/external/ibm-public/postfix/dist/src/global/mail_version.h:1.1.1.2.2.5 src/external/ibm-public/postfix/dist/src/global/mail_version.h:1.1.1.2.2.6 --- src/external/ibm-public/postfix/dist/src/global/mail_version.h:1.1.1.2.2.5 Thu Mar 24 19:54:07 2011 +++ src/external/ibm-public/postfix/dist/src/global/mail_version.h Fri Jul 15 22:29:31 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: mail_version.h,v 1.1.1.2.2.5 2011/03/24 19:54:07 riz Exp $ */ +/* $NetBSD: mail_version.h,v 1.1.1.2.2.6 2011/07/15 22:29:31 riz Exp $ */ #ifndef _MAIL_VERSION_H_INCLUDED_ #define _MAIL_VERSION_H_INCLUDED_ 
@@ -22,8 +22,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20110303" -#define MAIL_VERSION_NUMBER "2.7.3" +#define MAIL_RELEASE_DATE "20110509" +#define MAIL_VERSION_NUMBER "2.7.4" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE Index: src/external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_proto.c diff -u src/external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_proto.c:1.1.1.1.2.3 src/external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_proto.c:1.1.1.1.2.4 --- src/external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_proto.c:1.1.1.1.2.3 Fri Jan 7 01:24:14 2011 +++ src/external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_proto.c Fri Jul 15 22:29:31 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: smtpd_sasl_proto.c,v 1.1.1.1.2.3 2011/01/07 01:24:14 riz Exp $ */ +/* $NetBSD: smtpd_sasl_proto.c,v 1.1.1.1.2.4 2011/07/15 22:29:31 riz Exp $ */ /*++ /* NAME @@ -186,6 +186,27 @@ return (-1); } + /* Don't reuse the SASL handle after authentication failure. */ +#ifndef SMTPD_FLAG_AUTH_USED +#define SMTPD_FLAG_AUTH_USED (1<<15) +#endif +#ifndef XSASL_TYPE_CYRUS +#define XSASL_TYPE_CYRUS "cyrus" +#endif + if (state->flags & SMTPD_FLAG_AUTH_USED) { + smtpd_sasl_deactivate(state); +#ifdef USE_TLS + if (state->tls_context != 0) + smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS, + var_smtpd_sasl_tls_opts); + else +#endif + smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS, + var_smtpd_sasl_opts); + } else if (strcmp(var_smtpd_sasl_type, XSASL_TYPE_CYRUS) == 0) { + state->flags |= SMTPD_FLAG_AUTH_USED; + } + /* * All authentication failures shall be logged. The 5xx reply code from * the SASL authentication routine triggers tar-pit delays, which help to
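Review bot: In the smtpd_sasl_proto.c hunk, `#define SMTPD_FLAG_AUTH_USED (1<<15)` sits inside the function body behind only an `#ifndef`, so nothing checks that bit 15 of `state->flags` is not already used by another `SMTPD_FLAG_*` value. The header declaring those flags is not part of this diff, so this needs confirming against it. A collision would tie the SASL handle reset to an unrelated session condition, so the define belongs beside the other flag definitions in that header, and the `XSASL_TYPE_CYRUS` fallback beside the other XSASL type names. The one-line comment also understates the logic, since the flag is set on the first AUTH attempt only when `var_smtpd_sasl_type` is "cyrus" and other SASL types keep reusing the handle; I would write `/* Cyrus SASL only: never reuse a server handle for a second AUTH attempt; recreate it with the option set (TLS or plaintext) in effect for this session. */`. The enclosing function starts and ends outside the hunk.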