On Mon, Jul 06, 2026 at 03:58:06PM -0400, Wietse Venema via Postfix-users wrote:
> In addition to updated releases for the supported Postfix versions > 3.8-3.11, releases will also be available for the out-of-support > Postfix versions 3.5-3.7. Now also at https://github.com/vdukhovni/postfix for anyone tracking the releases there. > NOTE: these do not include the patches for out-of-support Postfix > versions that have been issued for "large SMTP inputs (June 2026)", > "TLSA parsing (June 2026)", and "SMTP smuggling fixes". Those patches > still need to be applied. Note, the github branches only cover release tarballs, the standalone patches are not applied. For those you'll need to go one of the Postfix mirrors. > Memory corruption: > > * Bug (defect introduced: Postfix 2.3, date: 20060611): double > ldap_msgfree(resloop) call during error handling when > special_result_attribute is configured. An attacker who controls > the LDAP server or can play attacker-in-the-middle could corrupt > heap memory. Reported by Qualys, assisted by Claude Mythos > Preview. I'll accept belated responsibility for this one. I refactored the LDAP code to replace the timeout-unsafe synchronous ldap_search_st() with separate calls to issue the query and collect the results. In the process I failed to notice that the original code relied on ldap_search_st() unconditionally zeroing the output message pointer. This was no longer true in the timeout-safe LDAP API, which can leave the pointer unchanged under some error conditions. FWIW, the original timeout handling via longjump() on an alarm signal was also unsafe, be it in a different manner. Sadly the subtle dependency of the original code on ldap_search_st() behaviour was not noticed. -- Viktor. 🇺🇦 Слава Україні! _______________________________________________ Postfix-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
