** Description changed: [Impact] "postfix tls deploy-server-cert" did not handle a missing optional argument which makes users get a "can't shift that many..." error. - In this SRU we are proposing a microrelease update in Focal from version - 3.4.10 to 3.4.13 since the changes are self contained. Moreover, there - is a Postfix SRU exception which allows microreleases if the bug is - fixed in the current development series: - - https://wiki.ubuntu.com/StableReleaseUpdates#Postfix - - And according to the described process there is no need to define a Test - Case and a Regression Potential sections. Upstream has been doing a good - work regarding those stable version bug fixes. - - Here is the upstream changelog change between 3.4.10 and 3.4.13: - - 20200416 - - Workaround for broken builds after an incompatible change - in GCC 10. Files: makedefs, Makefile.in. - - Workaround for broken DANE support after an incompatible - change in GLIBC 2.31. This avoids the need for new options - in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c. - - 20200419 - - Bugfix: segfault in the tlsproxy client role when the server - role was disabled. This typically happens on systems that - do not receive mail, after configuring connection reuse for - outbound TLS. Found during program maintenance. File: - tlsproxy/tlsproxy.c. - - 20200420 - - Noise suppression: shut up a compiler that special-cases - string literals. Viktor Dukhovni. File milter/milter.c. - - 20200422 - - Security: disable DANE support on Alpine Linux because - libc-musl provides no indication whether DNS responses are - authentic. This broke DANE support without a clear explanation. - File: makedefs. - - 20200505 - - Noise suppression: shut up a compiler that special-cases - string literals. Viktor Dukhovni. File smtpd/smtpd_check.c. - - 20200509 - - Bugfix (introduced: Postfix 3.5): maillog_file_rotate_suffix - default value used the minute instead of the month. Reported - by Larry Stone. 
Files: conf/postfix-tls-script, - proto/MAILLOG_README.html, proto/postconf.proto. - global/mail_params.h, postfix/postfix.c. - - 20200510 - - Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by - initializing the ICU library before making the chroot() - call. Files: util/midna_domain.[hc], global/mail_params.c. - - 20200511 - - Noise suppression: avoid "SSL_Shutdown:shutdown while in - init" warnings. File: tls/tls_session.c. - - 20200515 - - Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL - client caused a false 'lost connection' error for an SMTP - over TLS session in the same Postfix process. Reported by - Alexander Vasarab, diagnosed by Viktor Dukhovni. File: - tls/tls_bio_ops.c. - - Bugfix (introduced: Postfix 2.8): a TLS error for one TLS - session may cause a false 'lost connection' error for a - concurrent TLS session in the same tlsproxy process. File: - tlsproxy/tlsproxy.c. + In order to fix the issue the following upstream patch is going to be + backported to Bionic and Xenial: 20200530 - Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert" - did not handle a missing optional argument. File: - conf/postfix-tls-script. + Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert" + did not handle a missing optional argument. File: + conf/postfix-tls-script. - 20200610 + [Test Case] - Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server, - the SNI callback reported an error when it was called a - second time. This happened after the server-side TLS engine - sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP - client. Reported by Ján Máté, fixed by Viktor Dukhovni. - File: tls/tls_misc.c. + Install postfix and try to deploy a server certificate: - This new microrelease fixes the dane issue and the build against GCC 10 - which makes us drop a patch applied in version 3.4.7-1 - (80_glibc2.30-ftbfs.diff). 
+ $ lxc launch ubuntu-daily:bionic postfix-cert + $ lxc shell postfix-cert + # apt-get update && apt-get upgrade -y + # apt install postfix ssl-cert + # postfix tls deploy-server-cert /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key + /usr/lib/postfix/sbin/postfix-tls-script: 780: shift: can't shift that many + + If you try the commands above in a Xenial container you'll get the same + error. + + [Regression Potential] + + The proposed change is one line and self contained, so no regression is + expected. But if a regression is going to happen it will be in the + "postfix tls deploy-server-cert" command. [Original Description] lsb_release -rd Description: Ubuntu 18.04.4 LTS Release: 18.04 postfix: Installed: 3.3.0-1ubuntu0.2 Candidate: 3.3.0-1ubuntu0.2 Version table: *** 3.3.0-1ubuntu0.2 500 500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages 100 /var/lib/dpkg/status 3.3.0-1 500 500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu bionic/main amd64 Packages Attempting to deploy server certificates with postfix tls deploy-server-cert certificate.crt keyfile.key Expected to deploy new certificates What happened - command fails with /usr/lib/postfix/sbin/postfix-tls-script: 780: shift: can't shift that many The issue appears to be that the function "deploy-server-cert" in /usr/lib/postfix/sbin/postfix-tls-script expects that there will be three arguments: /usr/lib/postfix/sbin/postfix-tls-script line 777 deploy_server_cert() { certfile=$1; shift keyfile=$1; shift deploy=$1; shift ... This works when the function is called by the function new_server_cert, which calls the function with the arguments: deploy_server_cert "${certfile}" "${keyfile}" "${deploy}" || return 1 But when this function is invoked directly in line 1154, it is called with only 2 arguments deploy_server_cert "${certfile}" "${keyfile}" || exit 1
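Review bot: the added [Test Case] ends at the failing output ("shift: can't shift that many") and never states what a fixed package is expected to print or do, so the verification has no pass criterion; add the expected result of "postfix tls deploy-server-cert" after the update. The added text also names Bionic and Xenial as backport targets while the removed text proposed a Focal microrelease, so the description should say explicitly which releases this SRU covers.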
-- https://bugs.launchpad.net/bugs/1881196 Title: [SRU] postfix tls deploy-server-cert fails with "can't shift that many"
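The argument handling described in the original report, reproduced as an added example next to a defensive variant; this is not code from postfix-tls-script and not the upstream one-line patch. The function names (parse_args_reported, parse_args_guarded, try_call, show_deploy) and the sample arguments are hypothetical.

```shell
#!/bin/sh
# Added illustration; function names and sample arguments are hypothetical.

# Argument handling as quoted in the report: three unconditional shifts.
# With two arguments the third shift has nothing left to drop; dash treats
# that as a fatal error ("can't shift that many"), bash returns non-zero.
parse_args_reported() {
    certfile=$1; shift
    keyfile=$1; shift
    deploy=$1; shift
}

# Defensive form: require the two mandatory arguments, default the optional
# third to empty, and shift only when something is left.
parse_args_guarded() {
    [ "$#" -ge 2 ] || return 64
    certfile=$1; keyfile=$2; shift 2
    deploy=${1:-}
    [ "$#" -eq 0 ] || shift
}

# Run a parser in a subshell so a fatal shift cannot end the calling script.
try_call() { ( "$@" ) 2>/dev/null; }

# Report which deploy value the guarded parser ends up with.
show_deploy() {
    parse_args_guarded "$@" || return
    printf '%s\n' "${deploy:-<none>}"
}
```

Because /bin/sh is dash on Ubuntu, the unguarded shift aborts the whole script rather than just returning an error, which is why the report shows the command dying at the shift line.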
