March 10, 2011

[installer 2720] postfix-2.4.16, 2.5.12, 2.6.9, 2.7.3

postfix-2.4.16, 2.5.12, 2.6.9 and 2.7.3 have been released.

These releases include a fix for a security hole that affects the use of STARTTLS.
See:
http://www.postfix.org/CVE-2011-0411.html
http://www.kb.cert.org/vuls/id/555316

☆ postfix-2.4.16

http://www.postfix.org/
ftp://ring.aist.go.jp/pub/net/mail/postfix/official/postfix-2.4.16.tar.gz
http://mirror.postfix.jp/postfix-release/official/postfix-2.4.16.tar.gz
http://mirror.ramix.jp/postfix-release/official/postfix-2.4.16.tar.gz
ftp://ftp.ixp.jp/postfix/official/postfix-2.4.16.tar.gz

20100422

Workaround (introduced: postfix-19990906 a.k.a. Postfix
0.8.0). The Postfix local delivery agent did not properly
distinguish between "address has no extension" and "address
has an extension, but the extension is invalid". In both
cases it would run only the full recipient local-part through
the alias maps. Instead, it now drops the faulty extension
from the recipient address local-part (it would be too
error-prone to replace all tests for "no extension" by tests
for "no valid extension"). File: local/recipient.c.

20100610

Bugfix (introduced Postfix 2.2): Postfix no longer appends
the system default CA certificates to the lists specified
with *_tls_CAfile or with *_tls_CApath. This prevents
third-party certificates from getting mail relay permission
with the permit_tls_all_clientcerts feature. Unfortunately
this may cause compatibility problems with configurations
that rely on certificate verification for other purposes.
To get the old behavior, specify "tls_append_default_CA =
yes". Files: tls/tls_certkey.c, smtp/smtp_params.c,
smtpd/smtpd.c, global/mail_params.h. proto/postconf.proto,
mantools/postlink.

20100714

Compatibility with Postfix < 2.3: fix 20061207 was incomplete
(undoing the change to bounce instead of defer after
pipe-to-command delivery fails with a signal). Fix by Thomas
Arnett. File: global/pipe_command.c.

20100827

Performance: fix for poor smtpd_proxy_filter TCP performance
over loopback (127.0.0.1) connections. Problem reported by
Mark Martinec. Files: smtpd/smtpd_proxy.c.

20101023

Cleanup: don't apply reject_rhsbl_helo to non-domain forms
such as network addresses. This would cause false positives
with dbl.spamhaus.org. File: smtpd/smtpd_check.c.

20101117

Bugfix: the "421" reply after Milter error was overruled
by Postfix 1.1 code that replied with "503" for RFC 2821
compliance. We now make an exception for "final" replies,
as permitted by RFC. Solution by Victor Duchovni. File:
smtpd/smtpd.c.

20101201

Workaround: BSD-ish mkdir() ignores the effective GID and
copies group ownership from the parent directory. File:
util/make_dirs.c.

20101202

Cleanup: the cleanup server now reports a temporary delivery
error when it reaches the virtual_alias_expansion_limit or
virtual_alias_recursion_limit. Previously, it would silently
ignore the excess recipients and deliver the message. File:
cleanup/cleanup_map1n.c.

20110105

Bugfix (introduced with the Postfix TLS patch): discard
plaintext following the STARTTLS command or response. This
matters only for the minority of SMTP clients that actually
verify server certificates. Files: smtpd/smtpd.c,
smtp/smtp_proto.c.

This vulnerability is also known as CVE-2011-0411.
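
The 20110105 fix above, modelled on the server side as an added example (not Postfix source code; the buffer type, function names and sample session are constructed for illustration). A command loop that keeps draining its plaintext receive buffer after STARTTLS treats bytes that arrived before the handshake as part of the protected session; emptying the buffer when STARTTLS is accepted prevents that.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: one network read carrying STARTTLS plus trailing commands. */
static const char SAMPLE_WIRE[] = "EHLO client.example\r\nSTARTTLS\r\nNOOP\r\nNOOP\r\n";

/* Hypothetical model of a server's buffered SMTP input; not Postfix code. */
struct rx_buf {
    char   data[512];
    size_t len;   /* plaintext bytes already read from the socket */
    size_t pos;   /* next unconsumed byte */
};

/* Pop one CRLF-terminated line into out; return 1 if a full line was buffered. */
static int rx_line(struct rx_buf *b, char *out, size_t outsz)
{
    for (size_t i = b->pos; i + 1 < b->len; i++) {
        if (b->data[i] == '\r' && b->data[i + 1] == '\n') {
            size_t n = i - b->pos;
            if (n >= outsz) n = outsz - 1;
            memcpy(out, b->data + b->pos, n);
            out[n] = '\0';
            b->pos = i + 2;
            return 1;
        }
    }
    return 0;
}

/* Return how many commands that arrived in plaintext are executed after the
 * session is marked TLS-protected. discard_plaintext=1 applies the fix. */
int plaintext_cmds_run_as_tls(const char *wire, int discard_plaintext)
{
    struct rx_buf b = {{0}, 0, 0};
    char line[128];
    int tls_active = 0, leaked = 0;
    b.len = strlen(wire);
    if (b.len > sizeof b.data) b.len = sizeof b.data;
    memcpy(b.data, wire, b.len);
    while (rx_line(&b, line, sizeof line)) {
        if (tls_active) {
            leaked++;               /* pre-handshake bytes treated as protected */
        } else if (strcasecmp(line, "STARTTLS") == 0) {
            if (discard_plaintext)
                b.pos = b.len;      /* drop whatever followed STARTTLS */
            tls_active = 1;         /* the TLS handshake would run here */
        }
    }
    return leaked;
}
```

The changelog entry also covers the client (smtp/smtp_proto.c), which discards plaintext following the STARTTLS response; this model shows only the server's command side.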

20110109

Bugfix (introduced Postfix 2.4): on Solaris the Postfix
event engine was deaf for SIGHUP and SIGALRM signals after
the switch to /dev/poll. Symptoms were delayed "postfix
reload" response, and killed processes when the watchdog
timeout was less than max_idle. The fix is to set up SIGHUP
and SIGALRM handlers that write to a pipe, and to monitor
that pipe for read events via the Postfix event engine.
Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h.

20110117

Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX
the Postfix event engine was deaf for SIGALRM signals.
Symptoms were killed processes when the watchdog timeout
was less than max_idle. The fix is the same as Solaris fix
20110109. Since we can't know what other systems need this,
the workaround is enabled by default. Files: util/sys_defs.h.

20110225

Workaround (problem introduced with IPv6 support in Postfix
2.2): the SMTP client did not support mail to [ipv6:ipv6addr].
Fix based on a patch by Gurusamy Sarathy (Sophos). File:
util/host_port.c and regression test files.

20110227

Portability: FreeBSD closefrom() support time window. Sahil
Tandon. File: util/sys_defs.h.


☆ postfix-2.5.12
http://www.postfix.org/
ftp://ring.aist.go.jp/pub/net/mail/postfix/official/postfix-2.5.12.tar.gz
http://mirror.postfix.jp/postfix-release/official/postfix-2.5.12.tar.gz
http://mirror.ramix.jp/postfix-release/official/postfix-2.5.12.tar.gz
ftp://ftp.ixp.jp/postfix/official/postfix-2.5.12.tar.gz

20100422

Workaround (introduced: postfix-19990906 a.k.a. Postfix
0.8.0). The Postfix local delivery agent did not properly
distinguish between "address has no extension" and "address
has an extension, but the extension is invalid". In both
cases it would run only the full recipient local-part through
the alias maps. Instead, it now drops the faulty extension
from the recipient address local-part (it would be too
error-prone to replace all tests for "no extension" by tests
for "no valid extension"). File: local/recipient.c.

20100610

Bugfix (introduced Postfix 2.2): Postfix no longer appends
the system default CA certificates to the lists specified
with *_tls_CAfile or with *_tls_CApath. This prevents
third-party certificates from getting mail relay permission
with the permit_tls_all_clientcerts feature. Unfortunately
this may cause compatibility problems with configurations
that rely on certificate verification for other purposes.
To get the old behavior, specify "tls_append_default_CA =
yes". Files: tls/tls_certkey.c, tls/tls_misc.c,
global/mail_params.h. proto/postconf.proto, mantools/postlink.

20100714

Compatibility with Postfix < 2.3: fix 20061207 was incomplete
(undoing the change to bounce instead of defer after
pipe-to-command delivery fails with a signal). Fix by Thomas
Arnett. File: global/pipe_command.c.

20100827

Performance: fix for poor smtpd_proxy_filter TCP performance
over loopback (127.0.0.1) connections. Problem reported by
Mark Martinec. Files: smtpd/smtpd_proxy.c.

20101023

Cleanup: don't apply reject_rhsbl_helo to non-domain forms
such as network addresses. This would cause false positives
with dbl.spamhaus.org. File: smtpd/smtpd_check.c.

20101117

Bugfix: the "421" reply after Milter error was overruled
by Postfix 1.1 code that replied with "503" for RFC 2821
compliance. We now make an exception for "final" replies,
as permitted by RFC. Solution by Victor Duchovni. File:
smtpd/smtpd.c.

20101201

Workaround: BSD-ish mkdir() ignores the effective GID and
copies group ownership from the parent directory. File:
util/make_dirs.c.

20101202

Cleanup: the cleanup server now reports a temporary delivery
error when it reaches the virtual_alias_expansion_limit or
virtual_alias_recursion_limit. Previously, it would silently
ignore the excess recipients and deliver the message. File:
cleanup/cleanup_map1n.c.

20110105

Bugfix (introduced with the Postfix TLS patch): discard
plaintext following the STARTTLS command or response. This
matters only for the minority of SMTP clients that actually
verify server certificates. Files: smtpd/smtpd.c,
smtp/smtp_proto.c.

This vulnerability is also known as CVE-2011-0411.

20110109

Bugfix (introduced Postfix 2.4): on Solaris the Postfix
event engine was deaf for SIGHUP and SIGALRM signals after
the switch to /dev/poll. Symptoms were delayed "postfix
reload" response, and killed processes when the watchdog
timeout was less than max_idle. The fix is to set up SIGHUP
and SIGALRM handlers that write to a pipe, and to monitor
that pipe for read events via the Postfix event engine.
Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h.

20110117

Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX
the Postfix event engine was deaf for SIGALRM signals.
Symptoms were killed processes when the watchdog timeout
was less than max_idle. The fix is the same as Solaris fix
20110109. Since we can't know what other systems need this,
the workaround is enabled by default. Files: util/sys_defs.h.

20110225

Workaround (problem introduced with IPv6 support in Postfix
2.2): the SMTP client did not support mail to [ipv6:ipv6addr].
Fix based on a patch by Gurusamy Sarathy (Sophos). File:
util/host_port.c and regression test files.

20110227

Portability: FreeBSD closefrom() support time window. Sahil
Tandon. File: util/sys_defs.h.


☆ postfix-2.6.9
http://www.postfix.org/
ftp://ring.aist.go.jp/pub/net/mail/postfix/official/postfix-2.6.9.tar.gz
http://mirror.postfix.jp/postfix-release/official/postfix-2.6.9.tar.gz
http://mirror.ramix.jp/postfix-release/official/postfix-2.6.9.tar.gz
ftp://ftp.ixp.jp/postfix/official/postfix-2.6.9.tar.gz

20101201

Workaround: BSD-ish mkdir() ignores the effective GID and
copies group ownership from the parent directory. File:
util/make_dirs.c.

20101202

Cleanup: the cleanup server now reports a temporary delivery
error when it reaches the virtual_alias_expansion_limit or
virtual_alias_recursion_limit. Previously, it would silently
ignore the excess recipients and deliver the message. File:
cleanup/cleanup_map1n.c.

20110105

Bugfix (introduced with the Postfix TLS patch): discard
plaintext following the STARTTLS command or response. This
matters only for the minority of SMTP clients that actually
verify server certificates. Files: smtpd/smtpd.c,
smtp/smtp_proto.c.

This vulnerability is also known as CVE-2011-0411.

20110109

Bugfix (introduced Postfix 2.4): on Solaris the Postfix
event engine was deaf for SIGHUP and SIGALRM signals after
the switch to /dev/poll. Symptoms were delayed "postfix
reload" response, and killed processes when the watchdog
timeout was less than max_idle. The fix is to set up SIGHUP
and SIGALRM handlers that write to a pipe, and to monitor
that pipe for read events via the Postfix event engine.
Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h.

20110117

Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX
the Postfix event engine was deaf for SIGALRM signals.
Symptoms were killed processes when the watchdog timeout
was less than max_idle. The fix is the same as Solaris fix
20110109. Since we can't know what other systems need this,
the workaround is enabled by default. Files: util/sys_defs.h.

20110225

Workaround (problem introduced with IPv6 support in Postfix
2.2): the SMTP client did not support mail to [ipv6:ipv6addr].
Fix based on a patch by Gurusamy Sarathy (Sophos). File:
util/host_port.c and regression test files.

20110227

Portability: FreeBSD closefrom() support time window. Sahil
Tandon. File: util/sys_defs.h.


☆ postfix-2.7.3
http://www.postfix.org/
ftp://ring.aist.go.jp/pub/net/mail/postfix/official/postfix-2.7.3.tar.gz
http://mirror.postfix.jp/postfix-release/official/postfix-2.7.3.tar.gz
http://mirror.ramix.jp/postfix-release/official/postfix-2.7.3.tar.gz
ftp://ftp.ixp.jp/postfix/official/postfix-2.7.3.tar.gz

20101201

Workaround: BSD-ish mkdir() ignores the effective GID and
copies group ownership from the parent directory. File:
util/make_dirs.c.

20101202

Cleanup: the cleanup server now reports a temporary delivery
error when it reaches the virtual_alias_expansion_limit or
virtual_alias_recursion_limit. Previously, it would silently
ignore the excess recipients and deliver the message. File:
cleanup/cleanup_map1n.c.

20110105

Bugfix (introduced with the Postfix TLS patch): discard
plaintext following the STARTTLS command or response. This
matters only for the minority of SMTP clients that actually
verify server certificates. Files: smtpd/smtpd.c,
smtp/smtp_proto.c.

This vulnerability is also known as CVE-2011-0411.

20110109

Bugfix (introduced Postfix 2.4): on Solaris the Postfix
event engine was deaf for SIGHUP and SIGALRM signals after
the switch to /dev/poll. Symptoms were delayed "postfix
reload" response, and killed processes when the watchdog
timeout was less than max_idle. The fix is to set up SIGHUP
and SIGALRM handlers that write to a pipe, and to monitor
that pipe for read events via the Postfix event engine.
Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h.

20110117

Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX
the Postfix event engine was deaf for SIGALRM signals.
Symptoms were killed processes when the watchdog timeout
was less than max_idle. The fix is the same as Solaris fix
20110109. Since we can't know what other systems need this,
the workaround is enabled by default. Files: util/sys_defs.h.

20110225

Workaround (problem introduced with IPv6 support in Postfix
2.2): the SMTP client did not support mail to [ipv6:ipv6addr].
Fix based on a patch by Gurusamy Sarathy (Sophos). File:
util/host_port.c and regression test files.

20110227

Portability: FreeBSD closefrom() support time window. Sahil
Tandon. File: util/sys_defs.h.

----
こがよういちろう


Posted by xml-rpc: March 10, 2011 09:09