Your message dated Sat, 11 Jul 2026 10:32:48 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1141410,
regarding trixie-pu: package postfix/3.10.11-0+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141410: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141410
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:postfix
User: [email protected]
Usertags: pu

[ Reason ]
There's a new upstream stable/bugfix release, 3.10.11, which
fixes 5 more low-impact security ussuses.

[ Tests ]
This release is running in production on our sites for quite
some time already, with no issues.

[ Risks ]
As usual, postfix stable releases (and actually all postfix
releases) are of excellent quality, have very low risk of
breakage.  The changes are all small and focused too.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
See below for the debdiff, including d/changelog and upstream
HISTORY changes.

[ Other info ]
The debdiff is against the previous trixie-pu version of
postfix, 3.10.10-0+deb13u1.

I'm uploading this release to the archive, to - hopefully -
save a round-trip in this bug report and to save you some
time.

Thanks,

/mjt

diff -Nru postfix-3.10.10/HISTORY postfix-3.10.11/HISTORY
--- postfix-3.10.10/HISTORY     2026-05-15 22:54:47.000000000 +0300
+++ postfix-3.10.11/HISTORY     2026-06-17 20:06:59.000000000 +0300
@@ -29356,3 +29356,173 @@
        implementation-defined behavior (shift one bit into the
        sign position). This works today but may break later.
        Reported by Kamil Frankowicz. File: util/sys_defs.h.
+
+20260524
+
+       Bugfix (defect introduced: Postfix 3.1, date 20150607):
+       null pointer read and heap data overread in the Postfix
+       SMTP client's smtp_dns_reply_filter. Problem reported by
+       TristanInSec, found with ASAN. Also reported by other people.
+       Reproduction and real-world impact researched by Wietse.
+       File: dns/dns_strrecord.c.
+
+       This is a different problem than the one that was introduced
+       later in Postfix 3.6.
+
+       The root cause is a missing 'break' statement after the
+       code that converts a TLSA record to string.
+
+       Reproduction:
+       =============
+
+       The problem happens when smtp_dns_reply_filter is configured
+       (this is disabled by default); the Postfix SMTP client is
+       configured to use opportunistic or mandatory DANE authentication
+       (this is disabled by default); the destination domain
+       publishes a TLSA record that is empty or shorter than 20
+       bytes; and the OS is configured to use a resolver that
+       passes such a TLSA record. For example, a zero-length TLSA
+       record is blocked by BIND, Google DNS, OpenDNS, and by
+       configurations that use systemd-resolved (the default on
+       many LINUX systems); it is passed by Cloudflare, Quad9 DNS,
+       and unbound, as long as these resolvers are used without
+       systemd-resolved.
+
+       Impact statement:
+       =================
+
+       SMTP client termination with a null pointer read crash when
+       the TLSA record length is zero; or an SMTP client data
+       overread (or rarely, SMTP client termination with a read
+       segfault crash) when 0 < record length < 20 bytes. The
+       overread content is not disclosed.
+
+       The impact of SMTP client crashes is easily overstated.
+       That said, crashes must be eliminated regardless of their
+       impact.
+
+       On systems that deliver fewer than one message per minute,
+       an SMTP client crash can result in a delay of up to one
+       minute for email delivery to other destination domains.  On
+       systems with a larger traffic volume, the impact of a null
+       pointer or other segfault crash on deliveries to other
+       destination domains is minor because Postfix reuses SMTP
+       client processes and replaces a failed process within seconds
+       (self-healing); the practical impact is believed to be no
+       worse than that of an uncooperative receiver that tarpits
+       SMTP connections from Postfix to one or more destination
+       domains under their control (by replying within Postfix
+       SMTP client read time limits which are several minutes by
+       default).
+
+20260529
+
+       Robustness: the Postfix SMTP server will no longer receive
+       (and discard) an unlimited amount of text while receiving
+       a long SMTP command line. Problem introduced: Postfix 2.9,
+       date: 20110205; reported by Michael Wollner (Ibonok). Under
+       high load conditions, the amount of text was already limited
+       by a 10-second deadline to receive an SMTP command. File:
+       global/smtp_stream.c.
+
+       Robustness: with the above change the Postfix SMTP client
+       will no longer receive (and discard) an unlimited amount
+       of text while receiving a long SMTP response line.
+
+       Robustness: do not receive (and discard) unlimited amounts
+       of data with BDAT commands. Problem introduced: Postfix
+       3.4, date: 20180825; found during code maintenance. File:
+       smtpd/smtpd.c.
+
+       Impact statement:
+       =================
+
+       Postfix should not receive and discard unlimited amounts
+       of input in SMTP commands, but fixing that will not
+       fundamentally change the situation.
+
+       By design, any SMTP client can force a server to receive
+       (and discard) an unlimited amount of text.  For example,
+       an attacker can repeatedly send messages that are a little
+       under the server's message size limit and abort each
+       transaction a before reaching the message end. When sending
+       a message with the "DATA" command, an attacker would
+       disconnect instead of sending <CR><LF>.<CR><LF>; and when
+       sending a message with the "BDAT" command, an attacker would
+       send "RSET" instead of "BDAT LAST".
+
+       To mitigate such abuse, Postfix can rate-limit the number
+       of message transactions from the same IP address or address
+       range (see smtpd_client_message_rate_limit and *prefix_length
+       parameters). Such a defense is ineffective when faced with
+       a distributed attack (botnet); for that, postscreen combined
+       with an IP reputation service (DNSBL) may be more effective.
+
+20260531
+
+       Bugfix: (defect introduced: Postfix 3.6, date: 20200710):
+       panic (assertion failure and voluntary crash) while parsing
+       a TLSA reply with length 3. Found during code maintenance.
+       See below for root cause, reproduction, and impact.
+
+       Root cause:
+       ===========
+
+       An incorrect test 'length < 3' instead of 'length <= 3'
+       causes a safety check to fail when a TLSA parser attempts
+       to create zero-length storage for a non-existent TLSA
+       certificate association data field.
+
+       Reproduction:
+       =============
+
+       The problem happens when the Postfix SMTP client is configured
+       to use opportunistic or mandatory DANE authentication (this
+       is disabled by default); a destination domain publishes a
+       TLSA record with a length of three bytes; and the OS is
+       configured to use a resolver that passes such a TLSA record.
+       For example, a length-three TLSA record is blocked by BIND,
+       and by configurations that use systemd-resolved (the default
+       on many LINUX systems). It is passed by many other resolvers.
+
+       This bug enables an attack that is more potent than the
+       TLSA parsing bug introduced with Postfix 3.1.
+
+       - An attack with a length-three TLSA reply does not depend
+       on smtp_dns_reply_filter configuration.
+
+       - An attack with a length-three TLSA reply propagates through
+       more resolvers than an attack with a length-zero TLSA reply.
+
+       Impact statement:
+       =================
+
+       SMTP client voluntary termination (crash) after an assertion
+       failure. This is a fail-safe mechanism.
+
+       The impact of SMTP client crashes (voluntary or not) is
+       easily overstated. That said, crashes must be eliminated
+       regardless of their impact.
+
+       On systems that deliver fewer than one message per minute,
+       an SMTP client crash can result in a delay of up to one
+       minute for email delivery to other destination domains.
+
+       On systems with a larger traffic volume, the impact of an
+       SMTP client crash on deliveries to other destination domains
+       is minor because Postfix reuses SMTP client processes and
+       replaces a failed process within seconds (self-healing);
+       the practical impact is believed to be no worse than that
+       of an uncooperative receiver that tarpits SMTP connections
+       from Postfix to one or more destination domains under their
+       control (by replying within Postfix SMTP client read time
+       limits which are several minutes by default).
+
+20260608
+
+       Bugfix (defect introduced: Postfix 3.0, date: 20140708):
+       the SMTP client did not xtext_quote a '+' character in a
+       DSN ORCPT parameter value. A strict receiver implementation
+       could reject or discard the parameter value, but this has
+       never been reported to happen. Found during code maintenance.
+       File: smtp_proto.c.
diff -Nru postfix-3.10.10/debian/changelog postfix-3.10.11/debian/changelog
--- postfix-3.10.10/debian/changelog    2026-06-11 09:55:11.000000000 +0300
+++ postfix-3.10.11/debian/changelog    2026-06-18 07:28:13.000000000 +0300
@@ -1,3 +1,20 @@
+postfix (3.10.11-0+deb13u1) trixie; urgency=medium
+
+  * New upstream version 3.10.11, fixing 5 low-impact issues:
+    - Bugfix: null pointer read and heap data overread
+      in the Postfix SMTP client's smtp_dns_reply_filter
+    - Robustness: the Postfix SMTP server will no longer receive (and discard)
+      an unlimited amount of text while receiving a long SMTP command line
+    - Robustness: do not receive (and discard) unlimited amounts of data
+      with BDAT commands
+    - Bugfix: panic (assertion failure and voluntary crash) while parsing
+      a TLSA reply with length 3
+    - Bugfix: the SMTP client did not xtext_quote a '+' character in a
+      DSN ORCPT parameter value.  A strict receiver implementation could reject
+      or discard the parameter value (this has never been reported to happen)
+
+ -- Michael Tokarev <[email protected]>  Thu, 18 Jun 2026 07:28:13 +0300
+
 postfix (3.10.10-0+deb13u1) trixie; urgency=medium
 
   [ Michael Tokarev ]
diff -Nru postfix-3.10.10/html/smtpd.8.html postfix-3.10.11/html/smtpd.8.html
--- postfix-3.10.10/html/smtpd.8.html   2025-10-23 23:05:16.000000000 +0300
+++ postfix-3.10.11/html/smtpd.8.html   2026-06-17 20:13:38.000000000 +0300
@@ -264,7 +264,7 @@
               sions for communication with  a  Milter  application;  prior  to
               Postfix 2.6 the default protocol is 2.
 
-       <b><a 
href="postconf.5.html#milter_default_action">milter_default_action</a> 
(tempfail)</b>
+       <b><a 
href="postconf.5.html#milter_default_action">milter_default_action</a> (see 
'postconf -d <a 
href="postconf.5.html#milter_default_action">milter_default_action</a>' 
output)</b>
               The  default  action  when  a  Milter  (mail filter) response is
               unavailable (for example, bad Postfix  configuration  or  Milter
               failure).
diff -Nru postfix-3.10.10/man/man8/smtpd.8 postfix-3.10.11/man/man8/smtpd.8
--- postfix-3.10.10/man/man8/smtpd.8    2025-10-23 23:05:15.000000000 +0300
+++ postfix-3.10.11/man/man8/smtpd.8    2026-06-17 20:13:38.000000000 +0300
@@ -259,7 +259,7 @@
 The mail filter protocol version and optional protocol extensions
 for communication with a Milter application; prior to Postfix 2.6
 the default protocol is 2.
-.IP "\fBmilter_default_action (tempfail)\fR"
+.IP "\fBmilter_default_action (see 'postconf -d milter_default_action' 
output)\fR"
 The default action when a Milter (mail filter) response is
 unavailable (for example, bad Postfix configuration or Milter
 failure).
diff -Nru postfix-3.10.10/src/dns/dns_strrecord.c 
postfix-3.10.11/src/dns/dns_strrecord.c
--- postfix-3.10.10/src/dns/dns_strrecord.c     2023-02-13 23:58:00.000000000 
+0300
+++ postfix-3.10.11/src/dns/dns_strrecord.c     2026-06-17 20:06:59.000000000 
+0300
@@ -99,6 +99,8 @@
        } else {
            vstring_sprintf_append(buf, "[truncated record]");
        }
+       /* 202605 Missing break found by TristanInSec using ASAN. */
+       break;
 
        /*
         * We use the SOA record TTL to determine the negative reply TTL. We
diff -Nru postfix-3.10.10/src/global/mail_version.h 
postfix-3.10.11/src/global/mail_version.h
--- postfix-3.10.10/src/global/mail_version.h   2026-05-15 21:38:35.000000000 
+0300
+++ postfix-3.10.11/src/global/mail_version.h   2026-06-17 20:07:33.000000000 
+0300
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20260515"
-#define MAIL_VERSION_NUMBER    "3.10.10"
+#define MAIL_RELEASE_DATE      "20260617"
+#define MAIL_VERSION_NUMBER    "3.10.11"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE      "-" MAIL_RELEASE_DATE
diff -Nru postfix-3.10.10/src/global/smtp_stream.c 
postfix-3.10.11/src/global/smtp_stream.c
--- postfix-3.10.10/src/global/smtp_stream.c    2024-01-12 21:39:59.000000000 
+0300
+++ postfix-3.10.11/src/global/smtp_stream.c    2026-06-17 20:06:59.000000000 
+0300
@@ -457,8 +457,12 @@
        && vstream_feof(stream) == 0 && vstream_ferror(stream) == 0)
        while ((next_char = VSTREAM_GETC(stream)) != VSTREAM_EOF
               && next_char != '\n')
-            /* void */ ;
-
+           if (--bound <= 0) {
+               msg_warn("disabling input from %s", VSTREAM_PATH(stream));
+               vstream_fpurge(stream, VSTREAM_PURGE_READ);
+               shutdown(vstream_fileno(stream), SHUT_RD);
+               break;
+           }
     return (last_char);
 }
 
diff -Nru postfix-3.10.10/src/smtp/smtp_proto.c 
postfix-3.10.11/src/smtp/smtp_proto.c
--- postfix-3.10.10/src/smtp/smtp_proto.c       2025-10-23 21:17:45.000000000 
+0300
+++ postfix-3.10.11/src/smtp/smtp_proto.c       2026-06-17 20:06:59.000000000 
+0300
@@ -1867,7 +1867,7 @@
                            vstring_sprintf_append(next_command, " ORCPT=%s",
                                             vstring_str(session->scratch));
                    } else {
-                       xtext_quote(session->scratch, orcpt_type_addr, "=");
+                       xtext_quote(session->scratch, orcpt_type_addr, "+=");
                        vstring_sprintf_append(next_command, " ORCPT=%s",
                                             vstring_str(session->scratch));
                    }
diff -Nru postfix-3.10.10/src/smtpd/smtpd.c postfix-3.10.11/src/smtpd/smtpd.c
--- postfix-3.10.10/src/smtpd/smtpd.c   2025-10-23 19:45:51.000000000 +0300
+++ postfix-3.10.11/src/smtpd/smtpd.c   2026-06-17 20:13:38.000000000 +0300
@@ -233,7 +233,7 @@
 /*     The mail filter protocol version and optional protocol extensions
 /*     for communication with a Milter application; prior to Postfix 2.6
 /*     the default protocol is 2.
-/* .IP "\fBmilter_default_action (tempfail)\fR"
+/* .IP "\fBmilter_default_action (see 'postconf -d milter_default_action' 
output)\fR"
 /*     The default action when a Milter (mail filter) response is
 /*     unavailable (for example, bad Postfix configuration or Milter
 /*     failure).
@@ -3958,6 +3958,21 @@
     off_t   len;
 
     /*
+     * Skip inputs below 1.5 times the message size limit, staying in sync
+     * with the remote SMTP client. Otherwise, force a negative chunk_size
+     * value to disable reading and discarding input here, and to force a
+     * "lost connection" condition upon a later read operation.
+     */
+    if (ENFORCING_SIZE_LIMIT(var_message_limit)
+       && state->act_size / 1.5 > var_message_limit - chunk_size / 1.5) {
+       chunk_size = -1;
+    } else if (state->act_size > OFF_T_MAX - chunk_size) {
+       state->act_size = OFF_T_MAX;
+    } else {
+       state->act_size += chunk_size;
+    }
+
+    /*
      * Read and discard content from the remote SMTP client. TODO: drop the
      * connection in case of overload.
      */
@@ -3975,6 +3990,16 @@
     va_end(ap);
 
     /*
+     * Force a "lost connection" condition upon the next read operation.
+     */
+    if (chunk_size < 0) {
+       msg_warn("%s: too much BDAT content -- disabling further input from %s",
+                state->queue_id ? state->queue_id : "NOQUEUE",
+                state->namaddr);
+       shutdown(vstream_fileno(state->client), SHUT_RD);
+    }
+
+    /*
      * Reset state, or drop subsequent BDAT payloads until BDAT LAST or RSET.
      */
     if (final_chunk)
diff -Nru postfix-3.10.10/src/tls/tls_dane.c postfix-3.10.11/src/tls/tls_dane.c
--- postfix-3.10.10/src/tls/tls_dane.c  2024-10-11 01:15:24.000000000 +0300
+++ postfix-3.10.11/src/tls/tls_dane.c  2026-06-17 20:06:59.000000000 +0300
@@ -518,7 +518,7 @@
                  q, a, r, rr->type);
 
     /* Drop truncated records */
-    if ((dlen = rr->data_len - 3) < 0) {
+    if ((dlen = rr->data_len - 3) <= 0) {
        msg_warn("%s%s%s: truncated TLSA RR length == %u",
                 q, a, r, (unsigned) rr->data_len);
        return (0);

--- End Message ---
--- Begin Message ---
Version: 13.6

This update was released as part of 13.6.

--- End Message ---

Reply via email to