
Postfix 2.3.7 available


Wietse Venema

Jan 31, 2007, 9:03:44 PM
Postfix 2.3 patchlevel 07 is available. It fixes minor problems and
introduces one incompatibility. Note: the stable release is not
changed except for bugfixes and emergencies. New features are field
tested as Postfix-2.4-yyyymmdd experimental releases.

- postmap support for NIS maps was broken with Postfix 2.3.

- Workaround to avoid breaking digital signatures for malformed
MIME attachments.

- Incorrect handling of ![address] forms in match lists, such as
mynetworks, inet_interfaces etc.

Available from the mirrors listed at http://www.postfix.org/

9878 Jan 30 20:13 postfix-2.3-patch07.gz
450370 Jan 30 20:11 postfix-2.3.7.HISTORY
36275 Jan 30 20:11 postfix-2.3.7.RELEASE_NOTES
2785739 Jan 30 20:13 postfix-2.3.7.tar.gz
280 Jan 30 20:13 postfix-2.3.7.tar.gz.sig

Details are given below the signature.

Wietse

RELEASE_NOTES file:
===================

Incompatible changes with Postfix 2.3.7
---------------------------------------

Postfix no longer inserts an empty-line header/body separator into
malformed MIME attachments, to avoid breaking digital signatures.

This change introduces ambiguity. Postfix still treats the remainder
of the attachment as body content; header_checks rules will therefore
not detect forbidden MIME types inside a message/rfc822 attachment.

With the empty-line header/body separator no longer inserted by
Postfix, other software may process the malformed attachment
differently, and thus may become exposed to forbidden MIME types.


HISTORY file:
=============

20070104

Bugfix (introduced Postfix 2.3): when creating an alias map
on a NIS-enabled system, don't case-fold the YP_MASTER_NAME
and YP_LAST_MODIFIED lookup keys. This requires that an
application can turn off case folding on the fly. This is
a point fix. A complete fix requires updates to other map
types and to the proxymap protocol, which is too much change
for a stable release. Files: postalias/postalias.c,
util/dict_db.c, util/dict_dbm.c, util/dict_cdb.c.

20070112

Bugfix (introduced 20011008): after return from a nested
access restriction, possible longjump into exited stack
frame upon configuration error or table lookup error. Victor
Duchovni. Files: smtpd/smtpd_check.c.

Workaround: don't insert empty-line header/body separator
into malformed MIME attachments, to avoid breaking digital
signatures. This change introduces ambiguity. Postfix still
treats the remainder of the attachment as body content;
header_checks rules will not detect forbidden MIME types
inside a message/rfc822 attachment. With the empty-line
header/body separator no longer inserted by Postfix, other
software may process the malformed attachment differently,
and thus may become exposed to forbidden MIME types. This
is back-ported from Postfix 2.4. File: global/mime_state.c.

20070118

Bugfix: match lists didn't implement ![ipv6address]. Problem
reported by Paulo Pacheco. File: util/match_list.c.
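
A check for the condition the RELEASE_NOTES describe, as an added example (not Postfix code and not part of the original posts): it flags header blocks of MIME parts or message/rfc822 attachments that run into non-header text without an empty line, and lists the header-looking lines that follow, which Postfix treats as body content while other software may not. The function name, the simplified parsing model and the sample message are assumptions made for this example.

```python
import re

HEADER = re.compile(r"^[!-9;-~]+[ \t]*:")             # RFC 5322 field name, then ":"
BOUNDARY = re.compile(r'boundary="?([^";\s]+)', re.I)
NESTED = re.compile(r"^content-type:\s*message/rfc822", re.I)

def unterminated_header_blocks(raw):
    """Return [(line_no, text, header_like_lines_after)] for every header block
    that runs into non-header text with no empty-line separator."""
    findings, boundaries = [], []
    in_headers, nested, after = True, False, None
    for no, line in enumerate(raw.splitlines(), 1):
        delim = [b for b in boundaries if line in ("--" + b, "--" + b + "--")]
        if delim:                                      # MIME delimiter: new part or end
            in_headers, nested, after = line == "--" + delim[0], False, None
        elif in_headers and line == "":                # proper header/body separator
            in_headers, nested = nested, False         # message/rfc822: nested headers next
        elif in_headers and (HEADER.match(line) or line[0] in " \t"):
            m = BOUNDARY.search(line)
            if m:
                boundaries.append(m.group(1))
            nested = nested or bool(NESTED.match(line))
        elif in_headers:                               # malformed: body text, no separator
            after = []
            findings.append((no, line, after))
            in_headers = False
        elif after is not None and HEADER.match(line):
            after.append(line)                         # body to Postfix, maybe header elsewhere
        else:
            after = None
    return findings

# Constructed sample: the nested message's header block is not closed by an empty line.
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: message/rfc822

Subject: forwarded
this line is not a header and no empty line precedes it
Content-Type: application/octet-stream; name="sample.exe"

constructed payload
--XX--
"""
```

A non-empty result marks a message where header-based rules and downstream filters can disagree about where the attachment body starts.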

Robert Schetterer

Feb 1, 2007, 10:03:46 AM
Wietse Venema wrote:
> --
> This message has been scanned for viruses and other dangerous content
> and is clean, assuming up-to-date virus scanners.
>

Hi @ll
please correct me if I am wrong
just a small understanding question

changes 20070112
"will not" break such rules in body_checks

/^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\
*"?.*\.(lnk|asd|ocx|reg|bat|c[ho]m|cmd|exe|dll|.....etc

should I be aware of other bugs with filters like clamsmtp, spampd etc
with this change

--
With kind regards
Best Regards

Robert Schetterer

https://www.schetterer.org
Munich/Bavaria/Germany

--
This message has been scanned for viruses and other dangerous content
and is clean, assuming up-to-date virus scanners.

Wietse Venema

Feb 1, 2007, 10:57:48 AM
Robert Schetterer:

> > Incompatible changes with Postfix 2.3.7
> > ---------------------------------------
> >
> > Postfix no longer inserts an empty-line header/body separator into
> > malformed MIME attachments, to avoid breaking digital signatures.
> >
> > This change introduces ambiguity. Postfix still treats the remainder
> > of the attachment as body content; header_checks rules will therefore
> > not detect forbidden MIME types inside a message/rfc822 attachment.
> >
> > With the empty-line header/body separator no longer inserted by
> > Postfix, other software may process the malformed attachment
> > differently, and thus may become exposed to forbidden MIME types.
>
> Hi @ll
> please correct me if I am wrong
> just a small understanding question
>
> changes 20070112
> "will not" break such rules in body_checks
>
> /^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\
> *"?.*\.(lnk|asd|ocx|reg|bat|c[ho]m|cmd|exe|dll|.....etc
>
> should I be aware of other bugs with filters like clamsmtp, spampd etc
> with this change

As documented they DID NOT work in a MALFORMED attachment and they
STILL DO NOT work in a MALFORMED attachment.

Wietse

Robert Schetterer

Feb 1, 2007, 2:05:35 PM
Wietse Venema wrote:
> --
> This message has been scanned for viruses and other dangerous content
> and is clean, assuming up-to-date virus scanners.
>
Hi Wietse, ok thx to make this clear