-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 11 Jun 2026 09:55:11 +0300
Source: postfix
Architecture: source
Version: 3.10.10-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Postfix Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1120869 1135718
Changes:
 postfix (3.10.10-0+deb13u1) trixie; urgency=medium
 .
   [ Michael Tokarev ]
   * keep postfix running during upgrades (Closes: #1120869)
   * linux7.patch: support building of the source on 7.x kernels
 .
   * new upstream stable/bugfix release 3.10.10:
   - Bitrot: builds with musl libc broke, because they were using an obsolete
     NO_SNPRINTF code path.
   - Two fixes for a signed integer overshift condition (a left shift into the
     sign bit). This "works" on contemporary CPUs, but may break in the future.
   - Fix an 'uninitialized value' error in the 'collate.pl' script.
 .
   * new upstream stable/bugfix release 3.10.9:
   - Bugfix: The RFC 2047 encoder for the sender "full name" could
     loop when a very long full_name_encoding_charset value was
     configured in main.cf.
   - Bugfix buffer over-read when Postfix an enhanced status code is not
     followed by other text. For example, "5.7.2" without text after the
     three-number code.  This CANNOT be triggered with an SMTP or LMTP server
     response; is confirmed with an access(5) table and likely with a policy
     server response; can possibly be triggered with pipe-to-command output,
     header_checks(5), body_checks(5), an error(8) transport in transport_maps,
     or a milter response; and is confirmed with a DNSBL server TXT response
     while Postfix is configured with "$rbl_code $rbl_text" in rbl_reply_maps
     or default_rbl_reply. This could result in process termination.
     (Closes: #1135718, CVE-2026-43964)
   - Code cleanup: log a fatal error instead of dereferencing a null pointer
     after a first/next cursor initialization failure.
   - Portability: support for recent FreeBSD, NetBSD, and OpenBSD versions.
   - Bugfix: When truncating a database file, the cdb: database client looked
     at the file size from before requesting an exclusive lock on a database
     file, instead of the file size after the exclusive lock was granted.
   - Bugfix: file descriptor leak after fork() failure.
   - Mistakes in debug logging.
   - Unchecked null pointer results after an out-of-memory condition in a
     library dependency. Found by Claude Opus 4.6. The fix is to return an
     error status or to log a fatal error.
   - Missing or incomplete guards for ssize_t or int overflow.  These limits
     are unlikely to be exceeded because the size of in-memory objects is
     limited by design (the number of in-memory objects is also limited).
 .
   * new upstream stable/bugfix release 3.10.8:
   - Improved Milter error handling for messages that arrive over a
     long-lived SMTP connection.
   - Fix "posttls-finger -v -v -v" panic and recursive panic.
 .
   * new upstream stable/bugfix release 3.10.7:
   - build fix for modern compilers and standard bool types
     (already included in debian)
 .
   * new upstream stable/bugfix release 3.10.6:
   - Bugfix: warning messages that smtp_tls_wrappermode requires
     "smtp_tls_security_level = encrypt".
     Root cause: support for "TLS-Required: no" broke client-side
     TLS wrappermode support, by downgrading a connection to TLS
     security level 'may'.
     The fix changes the downgrade level for wrappermode connections
     to 'encrypt'.
     Rationale: by design, TLS can be optional only for connections
     that use STARTTLS.  The downgrade to unauthenticated 'encrypt'
     allows a sender to avoid an email delivery problem.
   - New logging: the Postfix SMTP client will log a warning when
     an MX hostname does not match STS policy MX patterns, with
     "smtp_tls_enforce_sts_mx_patterns = yes" in Postfix, and with
     TLSRPT support enabled in a TLS policy plugin. It will log a
     successful match only when verbose logging is enabled.
   - Bugfix: SMTP client null pointer crash when an STS policy plugin
     sends no policy_string or no mx_pattern attributes.
     This can happen only during tests with a fake STS plugin.
   - Bugfix: segfault when a duplicate parameter name is given to
     "postconf -X" or "postconf -#'.
   - Documentation: removed incorrect text from the parameter description for
     smtp_cname_overrides_servername
 .
   [ Aaron Thompson ]
   * debian-postfix-chroot-cmd.patch: Fix non-ASCII whitespace typo
   * configure-instance.in: fix typo
   * d/README.Debian: minor copyediting
   * Fix some cosmetic typos
Checksums-Sha1:
 0d2415230dab1f022ecdf7d2fe39bee580ead56e 3301 postfix_3.10.10-0+deb13u1.dsc
 82b72f19661cdd29ba663899c26ff5b1b4c291d1 5042502 postfix_3.10.10.orig.tar.gz
 ce4fc0380b70354d092f8ebf242f3cc51192c5ac 220 postfix_3.10.10.orig.tar.gz.asc
 6c2b7cda6536334743895704ac5770843ce7faaa 201208 
postfix_3.10.10-0+deb13u1.debian.tar.xz
 fcc124cb7f20029e17610565f74931225013c73f 6717 
postfix_3.10.10-0+deb13u1_source.buildinfo
Checksums-Sha256:
 3317e0bdaea57ccd22eee576a1d2958baca3590a3b81c6f58c930962490555a0 3301 
postfix_3.10.10-0+deb13u1.dsc
 3b7197e00a98f7fe4624cf51a00ad805674256eff624e678529ccfbf2c7707a4 5042502 
postfix_3.10.10.orig.tar.gz
 427d679a70f68aaf99f5e1fa9309fb878dfcff374dc6ccd8ba7b552bdb1b4a6c 220 
postfix_3.10.10.orig.tar.gz.asc
 71ee98a0facb331ba8f64b949c9d70c6fd9f43fc244d8ebcb8257f90fb35de5e 201208 
postfix_3.10.10-0+deb13u1.debian.tar.xz
 6cabe6895175df7201ac36aa81122ba025ec72c7745f9e49667fe5f01fcf3a5b 6717 
postfix_3.10.10-0+deb13u1_source.buildinfo
Files:
 c2c11bfa15d04980fe7860d7e9321c9a 3301 mail optional 
postfix_3.10.10-0+deb13u1.dsc
 09502ef9ab55d4f16fc7bcb6d9aed9bc 5042502 mail optional 
postfix_3.10.10.orig.tar.gz
 b8ea4a28308c95a4f15dd95e022d07fc 220 mail optional 
postfix_3.10.10.orig.tar.gz.asc
 4dfc13abd87b0859bcd396d1d99ffa87 201208 mail optional 
postfix_3.10.10-0+deb13u1.debian.tar.xz
 adb90008f0939c52e1ee766bbdaae258 6717 mail optional 
postfix_3.10.10-0+deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

wsG7BAEBCgBvBYJqKlwNCRCCqkokOx6UeEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u
cy5zZXF1b2lhLXBncC5vcmf6FLGel1g7FopHMaWyJcAtX3kV55YYcxDH2SgDcxkl
4BYhBGSqKrUx1WkDNmv++YKqSiQ7HpR4AABX4xAAkn3ZhPXx+TlM4LI6uJxqcMZ6
eT4gLYMAFjvX23wtW4VrKnlTGqyBhSYRVw0Dh86Z+jR3NdE8zgt8E82sgWhFyA4h
7MOoG8gMtHS8gIMx5D6XZnMoH4Cga6R6wr1qFJquW/qeQLkgv16EpToqUIRrUhEf
XEKP98cRS/dZWT3oi98ugn+ZoZd1rolgmtNFrhhaydjHrXKYjvrhdQuPaViapDrL
xu2USgxiQYNGcOCz6WGDtMYMExc24zUZzBmpPDBUHxco9i3bJ51WAkokivnJ28l2
vx1U2efFkWrgq3jgBUNxedh1635ceUYLTbEDWB8LxI5YfPr1R5PToDjfwtYuuRpS
Q4Wp9y3CPgUM0TpszPTHrPROiEa4hqHZBFdFOOnwt4868GCgRbVirLLD2N5X/D2B
2LRejKtYl43Ndx625H+AUr352uh1/PXyGALisEIglmM+Ga7lnUe4irQ8lEmmguQd
ZGEDUcsXyz60xGyQVL/EDI3xgjLaPy3c1mKxmnbwDdyOdkbrEJRpVqHEJSP2iAy9
cZD9U7h1c0LkvF4iQlFlArx9h+bw2xWX1H4lV6+1MraVERDb4DNTJtQpfU3QRKlW
CI62rfC77KvIrXzV8IpNHZfutj2uKf9vrUUVbcXGf9S/NZgSc/eYbB5B+B34kfBl
jJCuP1WVtl+dqrr7pO0=
=hNVH
-----END PGP SIGNATURE-----

Attachment: pgpzGdDTUc7S9.pgp
Description: PGP signature

Reply via email to