On Mon, May 04, 2026 at 05:38:55PM +0100, Sam James wrote:
> Sam James <[email protected]> writes:
>
> > The most significant one here seems to be the first entry under "Fixed
> > in Postfix 3.8, 3.9, 3.10:".
> >
> > -------------------- Start of forwarded message --------------------
> > To: Postfix announce <[email protected]>
> > Date: Sun, 3 May 2026 19:43:27 -0400 (EDT)
> > CC: Postfix users <[email protected]>
> > Subject: [pfx] Postfix stable release 3.11.2 and legacy releases 3.10.9,
> > 3.9.10, 3.8.16
> > From: Wietse Venema via Postfix-users <[email protected]>
> >
> > [An on-line version of this announcement will be available at
> > https://www.postfix.org/announcements/postfix-3.11.2.html]
> >
> > [...]
>
> I am interested in feedback on whether using my own judgement is
> acceptable for bringing these to oss-security, where I believe they may
> be of interest (releases with fixes that appear security-related, as the
> volume is increasing with the current wave of new tooling (*)),
> or whether there are some guidelines I should apply.
>
> Thanks in advance.
>
> (*) I of course only plan to bring such things where I plan to treat
> them at least in part as a security bug downstream.

Yes, I think your judgement fits what many of us would like to see on this list. Thank you!

As to this specific issue, I guess Wietse called it a bug and not a vulnerability deliberately. I trust his judgement on this, but I don't mind downstreams being cautious. Per my reading, exposure is limited to other trusted components and impact is not directly security relevant (if only a child process crashes and will be respawned).

Alexander
