Andreas Schiermeier:
> Hi,
>
> our latest external PCI scan found SSL-enabled Postfix SMTP servers
> (2.7.0 running on Ubuntu 10.04 LTS) vulnerable to SSL CRIME attacks
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929>.
>
> I've ported Apache httpd patch
> <https://issues.apache.org/bugzilla/show_bug.cgi?id=53219> to Postfix
> 2.10. Please can you have a look at it?

As of Postfix version 2.8, OpenSSL workarounds are handled via tls_disable_workarounds (Postfix 2.8 and later); all workarounds are enabled by default. No patching should be needed.

Wietse