Bug#1059230: Proposed Postfix SUA Text
Looks good to me.

Thanks,

Scott K

On December 29, 2023 11:29:21 AM UTC, Jonathan Wiltshire wrote:
>On Thu, Dec 28, 2023 at 03:31:55PM -0500, Scott Kitterman wrote:
>> Postfix is a High-performance mail transport agent.
>>
>> Upstream published versions 3.5.23 and 3.7.9.
>>
>> These are bug-fix releases. The changes are not currently required for
>> operation, but upstream strongly recommends that users update.
>>
>> Changes since 3.5.18 and 3.7.6 currently in bullseye and bookworm include
>> fixes for multiple implementation defects identified since these packages
>> were last updated, see debian/changelog for details. Of particular note is
>> a new optional feature to prevent 'SMTP Smuggling' attacks. It is disabled
>> by default. A configuration change is required to enable this protection [1].
>>
>> If you use postfix, we recommend that you install this update.
>>
>> [1] https://www.postfix.org/smtp-smuggling.html
>
>The important part is the CVE fix with config change requirement, no? How
>about this, rephrasing to shift the emphasis:
>
>| Postfix is a high-performance mail transport agent.
>|
>| This update consists of recommended upstream bug fixes since the versions
>| in bullseye and bookworm. In particular, a fix for CVE-2023-51764 (SMTP
>| smuggling) requires a configuration change to take full effect.
>|
>| The configuration change is not done automatically to avoid causing
>| issues with existing installations. Users should consult the relevant
>| Postfix documentation [1] before setting "smtpd_forbid_bare_newline = yes"
>| in the main.cf file.
>|
>| 1: https://www.postfix.org/smtp-smuggling.html
>
>If you are able to comment before 13:00 UTC I can get it out this
>afternoon.
>
>Thanks,
Bug#1059230: Proposed Postfix SUA Text
On Thu, Dec 28, 2023 at 03:31:55PM -0500, Scott Kitterman wrote:
> Postfix is a High-performance mail transport agent.
>
> Upstream published versions 3.5.23 and 3.7.9.
>
> These are bug-fix releases. The changes are not currently required for
> operation, but upstream strongly recommends that users update.
>
> Changes since 3.5.18 and 3.7.6 currently in bullseye and bookworm include
> fixes for multiple implementation defects identified since these packages
> were last updated, see debian/changelog for details. Of particular note is
> a new optional feature to prevent 'SMTP Smuggling' attacks. It is disabled
> by default. A configuration change is required to enable this protection [1].
>
> If you use postfix, we recommend that you install this update.
>
> [1] https://www.postfix.org/smtp-smuggling.html

The important part is the CVE fix with config change requirement, no? How
about this, rephrasing to shift the emphasis:

| Postfix is a high-performance mail transport agent.
|
| This update consists of recommended upstream bug fixes since the versions
| in bullseye and bookworm. In particular, a fix for CVE-2023-51764 (SMTP
| smuggling) requires a configuration change to take full effect.
|
| The configuration change is not done automatically to avoid causing
| issues with existing installations. Users should consult the relevant
| Postfix documentation [1] before setting "smtpd_forbid_bare_newline = yes"
| in the main.cf file.
|
| 1: https://www.postfix.org/smtp-smuggling.html

If you are able to comment before 13:00 UTC I can get it out this
afternoon.

Thanks,

--
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
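Added example (not part of any message in this thread, and not Debian's or Postfix's own tooling): an offline check of whether a copy of main.cf actually carries the "smtpd_forbid_bare_newline = yes" setting named in the proposed text, applying main.cf's continuation-line and last-setting-wins rules. The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: offline audit of a main.cf copy for smtpd_forbid_bare_newline.

# Print the last value assigned to parameter $1 in main.cf-style file $2.
# Rules applied: blank lines and "#" lines are skipped, a line starting with
# whitespace continues the previous logical line, and the last setting wins.
maincf_value() {
    awk -v want="$1" '
        function emit(   eq, name, val) {
            if (logical == "") return
            eq = index(logical, "=")
            if (eq > 0) {
                name = substr(logical, 1, eq - 1)
                val  = substr(logical, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (name == want) { found = 1; result = val }
            }
            logical = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { logical = logical " " $0; next }
        { emit(); logical = $0 }
        END { emit(); if (found) print result }
    ' "$2"
}

# "enabled" only for the explicit "yes" named in the announcement text;
# "unset" means the file leaves the parameter at the package default.
bare_newline_status() {
    v=$(maincf_value smtpd_forbid_bare_newline "$1")
    case "$v" in
        yes) echo enabled ;;
        "")  echo unset ;;
        *)   echo "other:$v" ;;
    esac
}

# Constructed sample: an early "no" is overridden by a later, wrapped "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
myhostname = mail.example.org
smtpd_forbid_bare_newline = no
# site override
smtpd_forbid_bare_newline =
    yes
EOF
bare_newline_status "$sample"
rm -f "$sample"
```

On a running host, `postconf -h smtpd_forbid_bare_newline` reports the value Postfix itself resolves; the function above is for files that cannot be loaded into Postfix, such as configuration-management templates.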
Bug#1059230: Proposed Postfix SUA Text
Postfix is a High-performance mail transport agent.

Upstream published versions 3.5.23 and 3.7.9.

These are bug-fix releases. The changes are not currently required for
operation, but upstream strongly recommends that users update.

Changes since 3.5.18 and 3.7.6 currently in bullseye and bookworm include
fixes for multiple implementation defects identified since these packages
were last updated, see debian/changelog for details. Of particular note is
a new optional feature to prevent 'SMTP Smuggling' attacks. It is disabled
by default. A configuration change is required to enable this protection [1].

If you use postfix, we recommend that you install this update.

[1] https://www.postfix.org/smtp-smuggling.html