On Thu, Dec 28, 2023 at 03:31:55PM -0500, Scott Kitterman wrote:
> Postfix is a High-performance mail transport agent.
>
> Upstream published versions 3.5.23 and 3.7.9.
>
> These are bug-fix releases. The changes are not currently required for
> operation, but upstream strongly recommends that users update.
>
> Changes since 3.5.18 and 3.7.6 currently in bullseye and bookworm include
> fixes for multiple implementation defects identified since these packages
> were last updated, see debian/changelog for details. Of particular note is
> a new optional feature to prevent 'SMTP Smuggling' attacks. It is disabled
> by default. A configuration change is required to enable this protection [1].
>
> If you use postfix, we recommend that you install this update.
>
> [1] https://www.postfix.org/smtp-smuggling.html

The important part is the CVE fix with config change requirement, no? How
about this, rephrasing to shift the emphasis:

| Postfix is a high-performance mail transport agent.
|
| This update consists of recommended upstream bug fixes since the versions
| in bullseye and bookworm. In particular, a fix for CVE-2023-51764 (SMTP
| smuggling) requires a configuration change to take full effect.
|
| The configuration change is not done automatically to avoid causing
| issues with existing installations. Users should consult the relevant
| Postfix documentation [1] before setting "smtpd_forbid_bare_newline = yes"
| in the main.cf file.
|
| 1: https://www.postfix.org/smtp-smuggling.html

If you are able to comment before 13:00 UTC I can get it out this afternoon.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1