| author | tron <tron> | 2011-03-09 19:22:11 +0000 |
|---|---|---|
| committer | tron <tron> | 2011-03-09 19:22:11 +0000 |
| commit | a3d74bd76873be942af15f09ffba8481bdca00e4 (patch) | |
| tree | 646cac0429798a30de04f0cbd23e88540a3bad9a | |
| parent | 23d525a9d3f50e42235ccf5dac1d4a9bd5fb61c9 (diff) | |
| download | pkgsrc-a3d74bd76873be942af15f09ffba8481bdca00e4.tar.gz | |
Pullup ticket #3384 - requested by taca
mail/postfix: security update
Revisions pulled up:
- mail/postfix/Makefile patch
- mail/postfix/distinfo patch
- mail/postfix/patches/patch-ag patch
---
Postfix legacy releases 2.7.3, 2.6.9, 2.5.12 and 2.4.16 are available.
These releases contain a fix for CVE-2011-0411 which allows plaintext
command injection with SMTP sessions over TLS. This defect was
introduced with Postfix version 2.2. The same flaw exists in other
implementations of the STARTTLS command.
Note: CVE-2011-0411 is an issue only for the minority of SMTP
clients that actually verify server certificates. Without server
certificate verification, clients are always vulnerable to
man-in-the-middle attacks that allow attackers to inject
plaintext commands or responses into SMTP sessions, and more.
Postfix 2.8 and 2.9 are not affected.
The following problems were fixed with the Postfix legacy releases:
* Fix for CVE-2011-0411: discard buffered plaintext input,
after reading the SMTP "STARTTLS" command or response.
* Fix to the local delivery agent: look up the "unextended"
address in the local aliases database, when that address has
a malformed address extension.
* Fix to virtual alias expansion: report a tempfail error,
instead of silently ignoring recipients that exceed the
virtual_alias_expansion_limit or the virtual_alias_recursion_limit.
* Fix for Solaris: the Postfix event engine was deaf for SIGHUP
and SIGALRM signals after the switch from select() to /dev/poll.
Symptoms were delayed "postfix reload" response, and killed
processes with watchdog timeout values under 100 seconds.
* Fix for HP-UX: the Postfix event engine was deaf for SIGALRM
signals. Symptoms were killed processes with watchdog timeout
values under 100 seconds.
* Fix for BSD-ish mkdir() to prevent maildir directories from
inheriting their group ownership from the parent directory.
* Fix to the SMTP client: missing support for mail to
[ipv6:ipv6addr] address literal destinations.
* FreeBSD back-ported closefrom() from FreeBSD 8x to 7x, breaking
Postfix builds retroactively.
Historical note:
Wietse Venema discovered the problem two weeks before the
Postfix 2.8 release, and silently fixed it pending further
investigation. While investigating the problem's scope and
impact, Victor Duchovni found that many other TLS applications
were also affected. At that point, CERT/CC was asked to coordinate
with the problem's resolution.
You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.
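As an added illustration (not pkgsrc or Postfix code) of the defect the first bullet describes: a toy model of an SMTP server's read buffer around STARTTLS, with the legacy behaviour and the "discard buffered plaintext input" fix side by side. The class, the `simulate()` helper and the sample command stream are constructed for this example, and the TLS handshake is reduced to a flag.

```python
from dataclasses import dataclass, field


@dataclass
class SmtpServerModel:
    """Constructed model of an SMTP server's input buffer around STARTTLS."""
    discard_on_starttls: bool            # False: pre-fix behaviour, True: fixed
    buf: bytes = b""                     # bytes read from the socket, not yet parsed
    tls: bool = False                    # stands in for a completed TLS handshake
    log: list = field(default_factory=list)

    def feed(self, data: bytes) -> None:
        """Bytes arriving from the socket; the server reads ahead greedily."""
        self.buf += data

    def process(self) -> None:
        """Consume complete CRLF-terminated lines from the buffer as commands."""
        while b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            cmd = line.decode("ascii", "replace").strip()
            if cmd.upper() == "STARTTLS" and not self.tls:
                self.log.append(("plain", cmd))
                if self.discard_on_starttls:
                    # The fix: anything read ahead of STARTTLS arrived as
                    # plaintext and must not be interpreted as if it came
                    # through the TLS channel that is about to be set up.
                    self.buf = b""
                self.tls = True
                continue
            # Record each command with the channel the server believes it used.
            self.log.append(("tls" if self.tls else "plain", cmd))


def simulate(discard_on_starttls: bool) -> list:
    """Constructed session: one pipelined plaintext read, then a TLS-phase command."""
    srv = SmtpServerModel(discard_on_starttls)
    # Constructed input: the command following STARTTLS is delivered in the same
    # plaintext read, before any handshake has taken place.
    srv.feed(b"EHLO client.example\r\nSTARTTLS\r\nMAIL FROM:<a@example>\r\n")
    srv.process()
    # Bytes that arrive after the handshake really are TLS-protected.
    srv.feed(b"EHLO client.example\r\n")
    srv.process()
    return srv.log


if __name__ == "__main__":
    print("legacy:", simulate(False))   # MAIL FROM is logged as if it came over TLS
    print("fixed: ", simulate(True))    # the buffered plaintext command is gone
```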
-rw-r--r-- | mail/postfix/Makefile | 4
-rw-r--r-- | mail/postfix/distinfo | 10
-rw-r--r-- | mail/postfix/patches/patch-ag | 12
3 files changed, 8 insertions, 18 deletions
diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile index 9558b3ebb79..88db0381354 100644 --- a/mail/postfix/Makefile +++ b/mail/postfix/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.236 2010/11/28 18:14:10 tron Exp $ +# $NetBSD: Makefile,v 1.236.2.1 2011/03/09 19:22:11 tron Exp $ -DISTNAME= postfix-2.7.2 +DISTNAME= postfix-2.7.3 CATEGORIES= mail MASTER_SITES= ftp://ftp.porcupine.org/mirrors/postfix-release/official/ MASTER_SITES+= http://postfix.it-austria.net/releases/official/ diff --git a/mail/postfix/distinfo b/mail/postfix/distinfo index 09d893c7d76..66d55437116 100644 --- a/mail/postfix/distinfo +++ b/mail/postfix/distinfo @@ -1,10 +1,10 @@ -$NetBSD: distinfo,v 1.132 2010/11/28 18:14:10 tron Exp $ +$NetBSD: distinfo,v 1.132.2.1 2011/03/09 19:22:11 tron Exp $ -SHA1 (postfix/postfix-2.7.2.tar.gz) = 2415c63c98ba0e0273bcb490ee7753a3891f5a73 -RMD160 (postfix/postfix-2.7.2.tar.gz) = e07a59f2f663b286a6c24e75b98952a51d2234fe -Size (postfix/postfix-2.7.2.tar.gz) = 3421671 bytes +SHA1 (postfix/postfix-2.7.3.tar.gz) = 46713f335f19754839d70d76099eac3f24ce1f0b +RMD160 (postfix/postfix-2.7.3.tar.gz) = fb4bf033568ef934a656ff1efffb7b189a59910b +Size (postfix/postfix-2.7.3.tar.gz) = 3423755 bytes SHA1 (patch-aa) = 5b4923402c80957e47b8a4e16c897287b88544bb -SHA1 (patch-ag) = 53f42aec86af576e1ffc420f1b9a19c988c3fe6c +SHA1 (patch-ag) = e335304c9126b9b648fc96110bc68e2795b1ae35 SHA1 (patch-ai) = ef3feef8a4fe7781a89f7e087fc5780760b461b1 SHA1 (patch-as) = 621b92e56606794f28ab267c6c5d723734471389 SHA1 (patch-at) = b0abf2c49bfe94153f7a3845b5709ff8e0027a03 diff --git a/mail/postfix/patches/patch-ag b/mail/postfix/patches/patch-ag index 4c620c5745f..ec790d31d71 100644 --- a/mail/postfix/patches/patch-ag +++ b/mail/postfix/patches/patch-ag @@ -1,4 +1,4 @@ -$NetBSD: patch-ag,v 1.30 2010/04/16 15:32:58 taca Exp $ +$NetBSD: patch-ag,v 1.30.6.1 2011/03/09 19:22:12 tron Exp $ Only define HAS_DB if it hasn't been defined. Add support for NetBSD 5.x and DragonFly BSD. 
@@ -27,16 +27,6 @@ Handle closefrom() on FreeBSD. #define HAS_SA_LEN #define DEF_DB_TYPE "hash" #if (defined(__NetBSD_Version__) && __NetBSD_Version__ >= 104250000) -@@ -111,7 +113,8 @@ - #define HAS_DUPLEX_PIPE /* 4.1 breaks with kqueue(2) */ - #endif - --#if __FreeBSD_version >= 800107 /* safe; don't believe the experts */ -+#if (__FreeBSD_version >= 702104 && __FreeBSD_version <= 800000) \ -+ || __FreeBSD_version >= 800100 - #define HAS_CLOSEFROM - #endif - @@ -163,9 +166,19 @@ #define HAS_FUTIMES #endif |
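Review bot: In the mail/postfix/Makefile hunk, the DISTNAME bump from postfix-2.7.2 to postfix-2.7.3 is the only functional change and matches the 2.7.3 legacy release named in the message; the six visible lines cannot show whether the package carries a PKGREVISION further down, and if it does it must be removed with this version bump, so please confirm that before merging the pullup.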
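Review bot: In the mail/postfix/distinfo hunk, the new SHA1, RMD160 and Size entries for postfix-2.7.3.tar.gz are the only integrity control on a tarball fetched from the plain ftp:// and http:// MASTER_SITES shown in the Makefile hunk, so the three values should be cross-checked against the upstream release announcement or signature rather than recomputed from the downloaded file alone; the updated SHA1 for patch-ag is consistent with that patch being modified in the same commit.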
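Review bot: In the second mail/postfix/patches/patch-ag hunk, dropping the local `#if (__FreeBSD_version >= 702104 && __FreeBSD_version <= 800000) || __FreeBSD_version >= 800100` workaround is consistent with the upstream 2.7.3 entry "FreeBSD back-ported closefrom() from FreeBSD 8x to 7x", but the patch description still carries the line "Handle closefrom() on FreeBSD." visible in the hunk header context; that sentence now describes nothing in the patch and should be removed or reworded so the preamble matches what patch-ag actually changes.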