Hello community, here is the log from the commit of package postfix for openSUSE:Factory checked in at 2020-08-12 10:56:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/postfix (Old) and /work/SRC/openSUSE:Factory/.postfix.new.3399 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "postfix" Wed Aug 12 10:56:18 2020 rev:189 rq:825266 version:3.5.6 Changes: -------- --- /work/SRC/openSUSE:Factory/postfix/postfix.changes 2020-07-21 15:39:48.803480914 +0200 +++ /work/SRC/openSUSE:Factory/.postfix.new.3399/postfix.changes 2020-08-12 10:56:24.316740607 +0200 @@ -1,0 +2,17 @@ +Sun Aug 9 06:55:01 UTC 2020 - Arjen de Korte <[email protected]> + +- Use the correct signature file for source verification +- Rename postfix-3.5.6.tar.gz.sig to postfix-3.5.6.tar.gz.asc (to + prevent confusion, as the signature file from upstream with .sig + extension is incompatible with the build service) + +------------------------------------------------------------------- +Sun Jul 26 21:22:39 UTC 2020 - Michael Ströder <[email protected]> + +- Update to 3.5.6 with following fixes: + * Workaround for unexpected TLS interoperability problems when Postfix + runs on OS distributions with system-wide OpenSSL configurations. + * Memory leaks in the Postfix TLS library, the largest one + involving multiple kBytes per peer certificate. + +------------------------------------------------------------------- Old: ---- postfix-3.5.4.tar.gz postfix-3.5.4.tar.gz.sig New: ---- postfix-3.5.6.tar.gz postfix-3.5.6.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix.spec ++++++ --- /var/tmp/diff_new_pack.mqfRHK/_old 2020-08-12 10:56:25.532741212 +0200 +++ /var/tmp/diff_new_pack.mqfRHK/_new 2020-08-12 10:56:25.532741212 +0200 
@@ -53,14 +53,14 @@ %bcond_with libnsl %endif Name: postfix -Version: 3.5.4 +Version: 3.5.6 Release: 0 Summary: A fast, secure, and flexible mailer License: IPL-1.0 OR EPL-2.0 Group: Productivity/Networking/Email/Servers URL: http://www.postfix.org Source0: http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-%{version}.tar.gz -Source1: http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-%{version}.tar.gz.gpg2#/postfix-%{version}.tar.gz.sig +Source1: http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-%{version}.tar.gz.gpg2#/postfix-%{version}.tar.gz.asc Source2: %{name}-SUSE.tar.gz Source3: %{name}-mysql.tar.bz2 #Source4: http://cdn.postfix.johnriley.me/mirrors/postfix-release/wietse.pgp#/postfix.keyring ++++++ postfix-3.5.4.tar.gz -> postfix-3.5.6.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.4/HISTORY new/postfix-3.5.6/HISTORY --- old/postfix-3.5.4/HISTORY 2020-06-27 23:18:55.000000000 +0200 +++ new/postfix-3.5.6/HISTORY 2020-07-26 20:28:09.000000000 +0200 
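Review bot: The renamed `Source1` signature only helps if the build has a trusted key to check it against, and the keyring entry in the context just below it is still commented out (`#Source4: ...wietse.pgp#/postfix.keyring`). `Source0` is fetched over plain `http://` from a third-party mirror, so the detached signature is the only integrity control on the tarball. Unless a keyring is declared outside this hunk, I would activate that line as `Source4: http://cdn.postfix.johnriley.me/mirrors/postfix-release/wietse.pgp#/postfix.keyring`. The key itself would come from the same mirror, so its fingerprint should be confirmed against an independent upstream source before it is committed.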
@@ -24791,3 +24791,31 @@ for the expanded CNAME. Therefore, sending the correct SNI name should not break existing mail flows. Fixed by Viktor Dukhovni. File: src/tls/tls_client.c. + +20200710 + + Bugfix (introduced: Postfix 3.0): minor memory leaks in the + Postfix TLS library, found during tests. File: tls/tls_misc.c. + +20200712 + + Bugfix (introduced: Postfix 3.0): 4kbyte per session memory + leak in the Postfix TLS library, found during tests. File: + tls/tls_misc.c. + +20200724 + + Workaround for distros that override Postfix protocol + settings in a system-wide OpenSSL configuration file, causing + interoperability problems after an OS update. File: + tls/tls_client.c, tls/tls_server.c. + +20200726 + + Bugfix (introduced: Postfix 3.5.5): part of a memory leak + fix was backported to the wrong place. File: tls/tls_misc.c. + + The Postfix 3.5.5 workaround did not explicitly override + the system-wide OpenSSL configuration of allowed TLS protocol + versions, for sessions where the remote SMTP client sends + SNI. It's better to be safe than sorry. File: tls/tls_server.c. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.4/src/global/mail_version.h new/postfix-3.5.6/src/global/mail_version.h --- old/postfix-3.5.4/src/global/mail_version.h 2020-06-27 23:30:07.000000000 +0200 +++ new/postfix-3.5.6/src/global/mail_version.h 2020-07-26 20:14:48.000000000 +0200 
@@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20200627" -#define MAIL_VERSION_NUMBER "3.5.4" +#define MAIL_RELEASE_DATE "20200726" +#define MAIL_VERSION_NUMBER "3.5.6" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.4/src/tls/tls_client.c new/postfix-3.5.6/src/tls/tls_client.c --- old/postfix-3.5.4/src/tls/tls_client.c 2020-06-27 23:13:06.000000000 +0200 +++ new/postfix-3.5.6/src/tls/tls_client.c 2020-07-25 00:58:38.000000000 +0200 @@ -409,6 +409,11 @@ off |= tls_bug_bits(); SSL_CTX_set_options(client_ctx, off); + /* Enable all supported protocols */ +#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL + SSL_CTX_set_min_proto_version(client_ctx, 0); +#endif + /* * Set the call-back routine for verbose logging. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.4/src/tls/tls_misc.c new/postfix-3.5.6/src/tls/tls_misc.c --- old/postfix-3.5.4/src/tls/tls_misc.c 2020-06-10 21:04:03.000000000 +0200 +++ new/postfix-3.5.6/src/tls/tls_misc.c 2020-07-26 19:03:13.000000000 +0200 @@ -963,6 +963,8 @@ */ if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef) peer_sig_dgst = OBJ_nid2sn(nid); + + X509_free(cert); } if (kex_name) { TLScontext->kex_name = mystrdup(kex_name); 
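Review bot: The comment `/* Enable all supported protocols */` above `SSL_CTX_set_min_proto_version(client_ctx, 0)` in the tls_client.c hunk understates the call: a minimum of 0 resets the floor to the lowest version the OpenSSL build supports, discarding any `MinProtocol` from the system-wide OpenSSL configuration. After this line the only protocol floor is whatever Postfix's own protocol settings apply, so a host that relied on the distro crypto policy to disable older TLS versions now has to express that in the Postfix configuration. I would say so in the comment, e.g. `/* Reset any MinProtocol from a system-wide openssl.cnf; Postfix's own protocol settings are the only floor */`, and the same applies to the two calls on `server_ctx` and `sni_ctx` in the tls_server.c hunk. The return value is also ignored (the call returns 0 on failure), so a logged warning would show when the override did not take effect. The enclosing function starts and ends outside the hunk.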
@@ -1158,6 +1160,22 @@ myfree(TLScontext->peer_cert_fprint); if (TLScontext->peer_pkey_fprint) myfree(TLScontext->peer_pkey_fprint); + if (TLScontext->kex_name) + myfree((void *) TLScontext->kex_name); + if (TLScontext->kex_curve) + myfree((void *) TLScontext->kex_curve); + if (TLScontext->clnt_sig_name) + myfree((void *) TLScontext->clnt_sig_name); + if (TLScontext->clnt_sig_curve) + myfree((void *) TLScontext->clnt_sig_curve); + if (TLScontext->clnt_sig_dgst) + myfree((void *) TLScontext->clnt_sig_dgst); + if (TLScontext->srvr_sig_name) + myfree((void *) TLScontext->srvr_sig_name); + if (TLScontext->srvr_sig_curve) + myfree((void *) TLScontext->srvr_sig_curve); + if (TLScontext->srvr_sig_dgst) + myfree((void *) TLScontext->srvr_sig_dgst); if (TLScontext->errorcert) X509_free(TLScontext->errorcert); if (TLScontext->untrusted) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.4/src/tls/tls_server.c new/postfix-3.5.6/src/tls/tls_server.c --- old/postfix-3.5.4/src/tls/tls_server.c 2020-03-08 15:59:13.000000000 +0100 +++ new/postfix-3.5.6/src/tls/tls_server.c 2020-07-26 19:46:34.000000000 +0200 @@ -527,6 +527,12 @@ SSL_CTX_set_options(server_ctx, off); + /* Enable all supported protocols */ +#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL + SSL_CTX_set_min_proto_version(server_ctx, 0); + SSL_CTX_set_min_proto_version(sni_ctx, 0); +#endif + /* * Global protocol selection. */
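Review bot: The eight new `myfree((void *) TLScontext->...)` calls are only safe if every assignment to those fields stores memory from the Postfix allocator, and this diff shows that for `kex_name` alone (`TLScontext->kex_name = mystrdup(kex_name)` in the earlier tls_misc.c hunk). The code in that earlier hunk also handles library-owned strings such as the result of `OBJ_nid2sn(nid)`, so any field that ever received one directly would now be handed to `myfree()`, which would be an invalid free. The `(void *)` casts suggest the fields are declared `const char *`, which hides that the context owns them. I would confirm that all assignments go through `mystrdup()` and record it beside the frees, e.g. `/* all of these are mystrdup() copies owned by TLScontext */`. The enclosing function starts and ends outside the hunk.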
