On Mon, Jul 06, 2026 at 03:58:06PM -0400, Wietse Venema via Postfix-users wrote:

> In addition to updated releases for the supported Postfix versions
> 3.8-3.11, releases will also be available for the out-of-support
> Postfix versions 3.5-3.7.

Now also at https://github.com/vdukhovni/postfix for anyone tracking the
releases there.

> NOTE: these do not include the patches for out-of-support Postfix
> versions that have been issued for "large SMTP inputs (June 2026)",
> "TLSA parsing (June 2026)", and "SMTP smuggling fixes". Those patches
> still need to be applied.

Note, the github branches only cover release tarballs, the standalone
patches are not applied.  For those you'll need to go one of the Postfix
mirrors.

> Memory corruption:
> 
>   * Bug (defect introduced: Postfix 2.3, date: 20060611): double
>     ldap_msgfree(resloop) call during error handling when
>     special_result_attribute is configured. An attacker who controls
>     the LDAP server or can play attacker-in-the-middle could corrupt
>     heap memory. Reported by Qualys, assisted by Claude Mythos
>     Preview.

I'll accept belated responsibility for this one.  I refactored the LDAP
code to replace the timeout-unsafe synchronous ldap_search_st() with
separate calls to issue the query and collect the results.  In the
process I failed to notice that the original code relied on
ldap_search_st() unconditionally zeroing the output message pointer.
This was no longer true in the timeout-safe LDAP API, which can leave
the pointer unchanged under some error conditions.  FWIW, the original
timeout handling via longjump() on an alarm signal was also unsafe, be
it in a different manner.  Sadly the subtle dependency of the original
code on ldap_search_st() behaviour was not noticed.

-- 
    Viktor.  🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to