Bug 219996 - mail/postfix: Update to 3.2.2 (security fix)
Summary: mail/postfix: Update to 3.2.2 (security fix)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Olli Hauer
URL: http://www.postfix.org/announcements/...
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-14 20:55 UTC by Markus Kohlmeyer
Modified: 2017-06-21 19:53 UTC (History)
0 users

See Also:
bugzilla: maintainer-feedback? (ohauer)
ohauer: merge-quarterly?

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Markus Kohlmeyer 2017-06-14 20:55:28 UTC 
Postfix 3.2.2 was released yesterday to address a security issue due to an undocumented feature of Berkeley DB

Quote from http://www.postfix.org/announcements/postfix-3.2.2.html


Fixed in all supported releases:

Security: Berkeley DB versions 2 and later try to read settings from a file DB_CONFIG in the current directory. This undocumented feature may introduce undisclosed vulnerabilities resulting in privilege escalation with Postfix set-gid programs (postdrop, postqueue) before they chdir to the Postfix queue directory, and with the postmap and postalias commands depending on whether the user's current directory is writable by other users. This fix does not change Postfix behavior for Berkeley DB versions < 3, but it does reduce postmap and postalias 'create' performance with Berkeley DB versions 3.0 .. 4.6.
Comment 1 commit-hook freebsd_committer freebsd_triage 2017-06-21 19:39:11 UTC 
A commit references this bug:

Author: ohauer
Date: Wed Jun 21 19:38:47 UTC 2017
New revision: 444073
URL: https://svnweb.freebsd.org/changeset/ports/444073

Log:
  - update to 3.2.2
  - adjust PORTSCOUT

  Changelog:
  20170221
    Compatibility fix (introduced: Postfix 3.1): some Milter
    applications do not recognize macros sent as {name} when
    macros have single-character names. Postfix now sends such
    macros without {} as it has done historically. Viktor
    Dukhovni. File: milter/milter.c.

  20170402
    Bugfix (introduced: Postfix 3.2): restore the SMTP server
    receive override options at the end of an SMTP session,
    after the options may have been modified by an smtpd_milter_maps
    setting of "DISABLE". Problem report by Christian R__ner,
    root cause analysis by Viktor Dukhovni. File: smtpd/smtpd.c.

  20170430
    Safety net: append a null byte to vstring buffers, so that
    C-style string operations won't scribble past the end. File:
    vstring.c.

  20170531
    Bugfix (introduced: Postfix 3.2): after the table lookup
    overhaul, the check_sender_access and check_recipient_access
    features ignored the parent_domain_matches_subdomains
    setting. Reported by Henrik Larsson. File: smtpd/smtpd_check.c.

  20170610
    Workaround (introduced: Postfix 3.0 20140718): prevent MIME
    downgrade of Postfix-generated message/delivery status.
    It's supposed to be 7bit, therefore quoted-printable encoding
    is not expected. Problem reported by Griff. File:
    bounce/bounce_notify_util.c.

  20170611
    Security: Berkeley DB 2 and later try to read settings from
    a file DB_CONFIG in the current directory.  This undocumented
    feature may introduce undisclosed vulnerabilities resulting
    in privilege escalation with Postfix set-gid programs
    (postdrop, postqueue) before they chdir to the Postfix queue
    directory, and with the postmap and postalias commands
    depending on whether the user's current directory is writable
    by other users. This fix does not change Postfix behavior
    for Berkeley DB < 3, but reduces file create performance
    for Berkeley DB 3 .. 4.6.  File: util/dict_db.c.

  PR:		219996
  Reported by:	Markus Kohlmeyer
  MFH:		2017Q2

Changes:
  head/mail/postfix/Makefile
  head/mail/postfix/distinfo
Comment 2 Olli Hauer freebsd_committer freebsd_triage 2017-06-21 19:53:23 UTC 
Update to 3.2.2 was commited