Message-ID: <afkJdKvDnAbK1ODc@eldamar.lan>
Date: Mon, 4 May 2026 23:02:44 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Fwd: [pfx] Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16

Hi,

On Mon, May 04, 2026 at 05:35:38PM +0100, Sam James wrote:
> The most significant one here seems to be the first entry under "Fixed
> in Postfix 3.8, 3.9, 3.10:".
[...]
> Fixed in Postfix 3.8, 3.9, 3.10:
>
> * Bugfix (defect introduced: Postfix 2.3, date: 20050323): buffer
>   over-read when Postfix an enhanced status code is not followed
>   by other text. For example, "5.7.2" without text after the
>   three-number code. This CANNOT be triggered with an SMTP or
>   LMTP server response; is confirmed with an access(5) table and
>   likely with a policy server response; can possibly be triggered
>   with pipe-to-command output, header_checks(5), body_checks(5),
>   an error(8) transport in transport_maps, or a milter response;
>   and is confirmed with a DNSBL server TXT response while Postfix
>   is configured with "$rbl_code $rbl_text" in rbl_reply_maps or
>   default_rbl_reply. This could result in process termination.
>   Problem reported by Kamil Frankowicz.

This one got https://www.cve.org/CVERecord?id=CVE-2026-43964 assigned.

Regards,
Salvatore
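Added example (not part of the original message, and not code from Postfix): a small audit helper that lists access(5) table entries whose action ends in an enhanced status code with no text after it, the reply shape the quoted release note describes. The function names and the sample table are constructed for illustration; the check is a heuristic over the table text and assumes the usual access(5) layout (pattern, whitespace, action, with continuation lines starting with whitespace).

```python
import re

# RFC 3463 enhanced status code: class 2/4/5, then subject and detail (1-3 digits each).
DSN = re.compile(r"^[245]\.\d{1,3}\.\d{1,3}$")

def logical_lines(text):
    """Join access(5)-style continuation lines; drop comments and blank lines."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()   # continuation of the previous entry
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current

def bare_dsn_entries(text):
    """Return (pattern, action) pairs whose action ends in a bare enhanced status code."""
    hits = []
    for line in logical_lines(text):
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue                       # pattern without an action
        pattern, action = parts
        if DSN.match(action.split()[-1]):  # nothing follows the status code
            hits.append((pattern, action))
    return hits

# Constructed sample table, not taken from any real configuration.
SAMPLE = """\
# constructed access(5) sample
bad.example          REJECT 5.7.2
ok.example           REJECT 5.7.1 Relay access denied
list.example         550 5.7.2
192.0.2.10           554 5.7.1 Blocked,
    see postmaster
slow.example         DEFER 4.7.1
good.example         OK
"""

if __name__ == "__main__":
    for pattern, action in bare_dsn_entries(SAMPLE):
        print(f"{pattern}: action {action!r} has a status code with no text after it")
```

Entries it reports can be given explanatory text after the status code until the fixed release is installed.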