<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>

<title> Postfix legacy releases 2.7.3, 2.6.9, 2.5.12 and 2.4.16
</title>

<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">

</head>

<body>

<h1> Postfix legacy releases 2.7.3, 2.6.9, 2.5.12 and 2.4.16 </h1>

<p> [An on-line version of this announcement will be available at
<a href="http://www.postfix.org/announcements/postfix-2.7.3.html">
http://www.postfix.org/announcements/postfix-2.7.3.html</a>] </p>

<p> Postfix legacy releases 2.7.3, 2.6.9, 2.5.12 and 2.4.16 are
available. These releases contain a fix for CVE-2011-0411 which
allows plaintext command injection with SMTP sessions over TLS.
This defect was introduced with Postfix version 2.2. </p>

<blockquote> <p> Note: CVE-2011-0411 is an issue only for the
minority of SMTP clients that actually verify server certificates.
Without server certificate verification, clients are always vulnerable
to man-in-the-middle attacks that allow attackers to inject plaintext
commands or responses into SMTP sessions, and more. </p> </blockquote>

<p> Postfix 2.8 and 2.9 are not affected. </p>

<p> The following problems were fixed with the Postfix legacy
releases: </p>

<ul>
<li> <p> Fix for CVE-2011-0411: discard buffered plaintext input,
after reading the SMTP "STARTTLS" command or response. </p>

<li> <p> Fix to the local delivery agent: look up the "unextended"
address in the local aliases database, when that address has a
malformed address extension. </p>

<li> <p> Fix to virtual alias expansion: report a tempfail error,
instead of silently ignoring recipients that exceed the
virtual_alias_expansion_limit or the virtual_alias_recursion_limit.
</p>

<li> <p> Fix for Solaris: the Postfix event engine was deaf for
SIGHUP and SIGALRM signals after the switch from select() to
/dev/poll. Symptoms were delayed "postfix reload" response, and
killed processes with watchdog timeout values under 100 seconds. </p>

<li> <p> Fix for HP-UX: the Postfix event engine was deaf for SIGALRM
signals. Symptoms were killed processes with watchdog timeout
values under 100 seconds. </p>

<li> <p> Fix for BSD-ish mkdir() to prevent maildir directories
from inheriting their group ownership from the parent directory. </p>

<li> <p> Fix to the SMTP client: missing support for mail to
[ipv6:ipv6addr] address literal destinations. </p>

<li> <p> FreeBSD back-ported closefrom() from FreeBSD 8x to 7x,
breaking Postfix builds retroactively. </p>

</ul>
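<p> The following is an added illustration of the CVE-2011-0411 fix
listed first above; it is not Postfix source. It models the server
side as a toy buffered SMTP line reader whose discard of buffered
plaintext at STARTTLS can be switched on or off, so the vulnerable and
fixed behaviours can be compared on the same constructed input.
FakeSocket, LineReader, run_session and demo are names chosen here,
and the byte strings are constructed sample data. </p>

```python
# Added illustration of the CVE-2011-0411 fix (not Postfix code): a toy SMTP
# server-side reader that buffers socket data and hands out one line at a time.
# Constructed input: the STARTTLS command arrives in the same TCP segment as a
# trailing plaintext command, which a buffered reader keeps across the handshake.

class FakeSocket:
    """Stand-in for a socket: plaintext recv() chunks before the handshake,
    TLS-layer chunks after it (all constructed sample data)."""
    def __init__(self, plaintext_chunks, tls_chunks):
        self._plain, self._tls = list(plaintext_chunks), list(tls_chunks)
        self.tls_active = False
    def recv(self):
        src = self._tls if self.tls_active else self._plain
        return src.pop(0) if src else b""
    def start_tls(self):
        self.tls_active = True  # handshake reads the socket, not the app buffer

class LineReader:
    def __init__(self, sock):
        self.sock, self.buf = sock, b""  # buf is where plaintext leftovers hide
    def readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv()
            if not chunk:
                return None
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line.decode("ascii")
    def discard_buffered(self):
        self.buf = b""  # the fix: drop anything read together with STARTTLS

def run_session(sock, discard_on_starttls):
    """Return the (command, over_tls) pairs the server would execute."""
    reader, executed = LineReader(sock), []
    while True:
        cmd = reader.readline()
        if cmd is None:
            break
        executed.append((cmd, sock.tls_active))
        if cmd.upper() == "STARTTLS":
            if discard_on_starttls:
                reader.discard_buffered()
            sock.start_tls()
        elif cmd.upper() == "QUIT":
            break
    return executed

def demo(discard_on_starttls):
    sock = FakeSocket([b"EHLO client.example\r\nSTARTTLS\r\nNOOP leftover\r\n"],
                      [b"EHLO client.example\r\nQUIT\r\n"])
    return run_session(sock, discard_on_starttls)
```

<p> With the discard disabled, demo(False) reports "NOOP leftover" as
executed inside the TLS session even though it was read in plaintext;
with the discard enabled, demo(True) executes only the commands the
TLS layer delivered. </p>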
<p> Historical note: </p>

<blockquote> <p> Wietse Venema discovered the problem two weeks
before the Postfix 2.8 release, and silently fixed it pending further
investigation. While investigating the problem's scope and impact,
Victor Duchovni found that many other TLS applications were also
affected. At that point, CERT/CC was asked to coordinate the
problem's resolution. </p> </blockquote>

<p> You can find the updated Postfix source code at the mirrors
listed at <a href="http://www.postfix.org/">http://www.postfix.org/</a>.
</p>

</body>

</html>