From: Wietse Venema Date: Thu, 16 Jan 2014 05:00:00 +0000 (-0500) Subject: postfix-2.8.17 X-Git-Tag: v2.8.17^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=658d27efe568290bdea054511ad6330c9bd222dc;p=thirdparty%2Fpostfix.git postfix-2.8.17 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index cc8c363d1..af48d17e6 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -16938,3 +16938,36 @@ Apologies for any names omitted. each smtpd(8) process. The workaround turns off session tickets. In 2.11 we'll enable session tickets properly. Viktor Dukhovni. File: tls/tls_server.c. + +20131026 + + Future proofing: API changes in the PCRE library. File: + util/dict_pcre.c. + +20131127 + + Bugfix (introduced: 20090106): the postconf '-#' option + erased prior options. File: postconf/postconf.c. + +20131129 + + Bugfix: Makefile example in MULTI_INSTANCE_README. Viktor + Dukhovni. File: proto/MULTI_INSTANCE_README.html. + +20131216 + + OpenSSL future proofing: tolerate disappearance of named + bug-workaround bits without invalidating tls_disable_workarounds + configurations. When support for a bug workaround is removed + from OpenSSL, the corresponding bit is defined as zero (i.e. + NOOP) instead of causing programs to break. Viktor Dukhovni. + File: tls/tls_misc.c. + +20131220 + + Documentation: typo in SASL_README. Patrick Ben Koetter. + File: proto/SASL_README.html. + +20140104 + + Bugfix: malformed error message. File: conf/post-install. diff --git a/postfix/README_FILES/MULTI_INSTANCE_README b/postfix/README_FILES/MULTI_INSTANCE_README index 3ac94733f..8756a9d6f 100644 --- a/postfix/README_FILES/MULTI_INSTANCE_README +++ b/postfix/README_FILES/MULTI_INSTANCE_README @@ -177,7 +177,7 @@ database when none exists. generic: Makefile @echo Creating $@ @rm -f $@.tmp - @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp + @printf '%s\t%s+root=%s\n' root ${MTAADMIN} `uname -n` > $@.tmp @mv $@.tmp generic %.cdb: % 
@@ -492,8 +492,8 @@ Shared among all instances: $readme_directory. * Entries in /etc/passwd and /etc/group for the $mail_owner user and - $setgid_group group. The the $mail_owner user provides the mail system with - a protected (non-root) execution context. The $setgid_group group is used + $setgid_group group. The $mail_owner user provides the mail system with a + protected (non-root) execution context. The $setgid_group group is used exclusively to support the setgid postdrop(1) and postqueue(1) utilities (it mmuusstt nnoott be the primary group or secondary group of any users, including the $mail_owner user). diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README index 2ebd342cd..364330802 100644 --- a/postfix/README_FILES/SASL_README +++ b/postfix/README_FILES/SASL_README @@ -444,7 +444,7 @@ to a PostgreSQL server: sql_user: username sql_passwd: secret sql_database: dbname - sql_select: SELECT password FROM users WHERE user = '%u'@'%r' + sql_select: SELECT password FROM users WHERE user = '%u@%r' NNoottee diff --git a/postfix/conf/post-install b/postfix/conf/post-install index 743c69db3..13905b93a 100644 --- a/postfix/conf/post-install +++ b/postfix/conf/post-install @@ -464,7 +464,7 @@ test -n "$create" && { case $type in [hl]) continue;; [df]) ;; - *) echo unknown type $type for $path in $daemon_directory/postfix-files1>&2; exit 1;; + *) echo unknown type $type for $path in $daemon_directory/postfix-files 1>&2; exit 1;; esac # Expand $name, and canonicalize null fields. for name in path owner group flags diff --git a/postfix/html/MULTI_INSTANCE_README.html b/postfix/html/MULTI_INSTANCE_README.html index d4874bae9..c5e5f7e1d 100644 --- a/postfix/html/MULTI_INSTANCE_README.html +++ b/postfix/html/MULTI_INSTANCE_README.html @@ -233,7 +233,7 @@ creates a "generic" database when none exists.

generic: Makefile @echo Creating $@ @rm -f $@.tmp - @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp + @printf '%s\t%s+root=%s\n' root ${MTAADMIN} `uname -n` > $@.tmp @mv $@.tmp generic %.cdb: % @@ -620,7 +620,7 @@ $daemon_directory.

$manpage_directory and $readme_directory.

  • Entries in /etc/passwd and /etc/group for the $mail_owner user and -$setgid_group group. The the $mail_owner user provides the mail system +$setgid_group group. The $mail_owner user provides the mail system with a protected (non-root) execution context. The $setgid_group group is used exclusively to support the setgid postdrop(1) and postqueue(1) utilities (it must not be the primary group or secondary group diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html index bd5fac0e4..e477c693b 100644 --- a/postfix/html/SASL_README.html +++ b/postfix/html/SASL_README.html @@ -739,7 +739,7 @@ and connects it to a PostgreSQL server:

    sql_user: username sql_passwd: secret sql_database: dbname - sql_select: SELECT password FROM users WHERE user = '%u'@'%r' + sql_select: SELECT password FROM users WHERE user = '%u@%r' diff --git a/postfix/proto/MULTI_INSTANCE_README.html b/postfix/proto/MULTI_INSTANCE_README.html index 375c58cab..e6812e7b5 100644 --- a/postfix/proto/MULTI_INSTANCE_README.html +++ b/postfix/proto/MULTI_INSTANCE_README.html @@ -233,7 +233,7 @@ creates a "generic" database when none exists.

    generic: Makefile @echo Creating $@ @rm -f $@.tmp - @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp + @printf '%s\t%s+root=%s\n' root ${MTAADMIN} `uname -n` > $@.tmp @mv $@.tmp generic %.cdb: % @@ -620,7 +620,7 @@ $daemon_directory.

    $manpage_directory and $readme_directory.

  • Entries in /etc/passwd and /etc/group for the $mail_owner user and -$setgid_group group. The the $mail_owner user provides the mail system +$setgid_group group. The $mail_owner user provides the mail system with a protected (non-root) execution context. The $setgid_group group is used exclusively to support the setgid postdrop(1) and postqueue(1) utilities (it must not be the primary group or secondary group diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html index 5ab745480..e165bb5a2 100644 --- a/postfix/proto/SASL_README.html +++ b/postfix/proto/SASL_README.html @@ -739,7 +739,7 @@ and connects it to a PostgreSQL server:

    sql_user: username sql_passwd: secret sql_database: dbname - sql_select: SELECT password FROM users WHERE user = '%u'@'%r' + sql_select: SELECT password FROM users WHERE user = '%u@%r' diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 69a81afd3..cbaa151a5 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20130905" -#define MAIL_VERSION_NUMBER "2.8.16" +#define MAIL_RELEASE_DATE "20140116" +#define MAIL_VERSION_NUMBER "2.8.17" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/postconf/postconf.c b/postfix/src/postconf/postconf.c index 319e2ea13..bd7986860 100644 --- a/postfix/src/postconf/postconf.c +++ b/postfix/src/postconf/postconf.c @@ -1157,7 +1157,7 @@ int main(int argc, char **argv) break; #endif case '#': - cmd_mode = COMMENT_OUT; + cmd_mode |= COMMENT_OUT; break; case 'h': diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c index 005633edf..8f9607970 100644 --- a/postfix/src/tls/tls_misc.c +++ b/postfix/src/tls/tls_misc.c 
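Review bot: The `case '#':` arm in postconf.c now ORs into `cmd_mode`, but nothing at the assignment records that mode bits accumulate across options, which is the invariant the earlier `=` broke. A one-line comment such as `/* OR, not assign: '-#' must keep mode bits set by earlier options */` above `cmd_mode |= COMMENT_OUT;` would keep a later edit from reintroducing the bug. The rest of the option switch in main() lies outside the hunk; any arm there that still assigns `cmd_mode` with `=` would presumably erase earlier options in the same way and is worth checking.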
@@ -230,59 +230,72 @@ static const NAME_CODE protocol_table[] = { #define NAMEBUG(x) #x, SSL_OP_##x static const LONG_NAME_MASK ssl_bug_tweaks[] = { -#if defined(SSL_OP_MICROSOFT_SESS_ID_BUG) - NAMEBUG(MICROSOFT_SESS_ID_BUG), /* 0x00000001L */ +#ifndef SSL_OP_MICROSOFT_SESS_ID_BUG +#define SSL_OP_MICROSOFT_SESS_ID_BUG 0 #endif + NAMEBUG(MICROSOFT_SESS_ID_BUG), -#if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG) - NAMEBUG(NETSCAPE_CHALLENGE_BUG), /* 0x00000002L */ +#ifndef SSL_OP_NETSCAPE_CHALLENGE_BUG +#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0 #endif + NAMEBUG(NETSCAPE_CHALLENGE_BUG), -#if defined(SSL_OP_LEGACY_SERVER_CONNECT) - NAMEBUG(LEGACY_SERVER_CONNECT), /* 0x00000004L */ +#ifndef SSL_OP_LEGACY_SERVER_CONNECT +#define SSL_OP_LEGACY_SERVER_CONNECT 0 #endif + NAMEBUG(LEGACY_SERVER_CONNECT), -#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) - NAMEBUG(NETSCAPE_REUSE_CIPHER_CHANGE_BUG), /* 0x00000008L */ - "CVE-2010-4180", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, +#ifndef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG +#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0 #endif + NAMEBUG(NETSCAPE_REUSE_CIPHER_CHANGE_BUG), + "CVE-2010-4180", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, -#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG) - NAMEBUG(SSLREF2_REUSE_CERT_TYPE_BUG), /* 0x00000010L */ +#ifndef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG +#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0 #endif + NAMEBUG(SSLREF2_REUSE_CERT_TYPE_BUG), -#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) - NAMEBUG(MICROSOFT_BIG_SSLV3_BUFFER),/* 0x00000020L */ +#ifndef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER +#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0 #endif + NAMEBUG(MICROSOFT_BIG_SSLV3_BUFFER), -#if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING) - NAMEBUG(MSIE_SSLV2_RSA_PADDING), /* 0x00000040L */ - "CVE-2005-2969", SSL_OP_MSIE_SSLV2_RSA_PADDING, +#ifndef SSL_OP_MSIE_SSLV2_RSA_PADDING +#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0 #endif + NAMEBUG(MSIE_SSLV2_RSA_PADDING), + "CVE-2005-2969", SSL_OP_MSIE_SSLV2_RSA_PADDING, -#if 
defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG) - NAMEBUG(SSLEAY_080_CLIENT_DH_BUG), /* 0x00000080L */ +#ifndef SSL_OP_SSLEAY_080_CLIENT_DH_BUG +#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0 #endif + NAMEBUG(SSLEAY_080_CLIENT_DH_BUG), -#if defined(SSL_OP_TLS_D5_BUG) - NAMEBUG(TLS_D5_BUG), /* 0x00000100L */ +#ifndef SSL_OP_TLS_D5_BUG +#define SSL_OP_TLS_D5_BUG 0 #endif + NAMEBUG(TLS_D5_BUG), -#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG) - NAMEBUG(TLS_BLOCK_PADDING_BUG), /* 0x00000200L */ +#ifndef SSL_OP_TLS_BLOCK_PADDING_BUG +#define SSL_OP_TLS_BLOCK_PADDING_BUG 0 #endif + NAMEBUG(TLS_BLOCK_PADDING_BUG), -#if defined(SSL_OP_TLS_ROLLBACK_BUG) - NAMEBUG(TLS_ROLLBACK_BUG), /* 0x00000400L */ +#ifndef SSL_OP_TLS_ROLLBACK_BUG +#define SSL_OP_TLS_ROLLBACK_BUG 0 #endif + NAMEBUG(TLS_ROLLBACK_BUG), -#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) - NAMEBUG(DONT_INSERT_EMPTY_FRAGMENTS), /* 0x00000800L */ +#ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS +#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0 #endif + NAMEBUG(DONT_INSERT_EMPTY_FRAGMENTS), -#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG) - NAMEBUG(CRYPTOPRO_TLSEXT_BUG), /* 0x80000000L */ +#ifndef SSL_OP_CRYPTOPRO_TLSEXT_BUG +#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0 #endif + NAMEBUG(CRYPTOPRO_TLSEXT_BUG), 0, 0, }; @@ -802,7 +815,8 @@ long tls_bug_bits(void) long bits = SSL_OP_ALL; /* Work around all known bugs */ long mask; -#if OPENSSL_VERSION_NUMBER >= 0x00908000L +#if OPENSSL_VERSION_NUMBER >= 0x00908000L && \ + OPENSSL_VERSION_NUMBER < 0x10000000L long lib_version = SSLeay(); /* @@ -828,6 +842,10 @@ long tls_bug_bits(void) bits &= ~long_name_mask_opt(VAR_TLS_BUG_TWEAKS, ssl_bug_tweaks, var_tls_bug_tweaks, NAME_MASK_ANY_CASE | NAME_MASK_NUMBER | NAME_MASK_WARN); +#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG + /* Not relevant to SMTP */ + bits &= ~SSL_OP_SAFARI_ECDHE_ECDSA_BUG; +#endif } return (bits); } diff --git a/postfix/src/util/dict_pcre.c b/postfix/src/util/dict_pcre.c index 2f1f3906d..0c420a3a9 100644 --- a/postfix/src/util/dict_pcre.c 
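Review bot: Once a bit falls back to `#define SSL_OP_... 0` in `ssl_bug_tweaks[]`, its name (including the `"CVE-2010-4180"` and `"CVE-2005-2969"` aliases) is still accepted but selects nothing, and nothing in the hunk says so at the table itself. The per-entry bit-value comments are dropped as well. A header comment above the table, for example `/* A workaround bit that the OpenSSL headers no longer define gets mask 0: the name stays valid and becomes a no-op. */`, would document the convention for whoever adds the next entry. It would also tell an administrator reading the source why disabling a CVE-named workaround may have no effect on a newer OpenSSL.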
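Review bot: The added `bits &= ~SSL_OP_SAFARI_ECDHE_ECDSA_BUG;` in tls_bug_bits() sits before the closing `}` of the block that holds the `long_name_mask_opt()` call, so it runs only when that block is entered. The block's opening condition is outside the hunk. If it tests for a non-empty workaround setting, a default configuration keeps the Safari workaround enabled even though the comment calls it not relevant to SMTP. Moving the `#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG` … `#endif` group to just after that `}` and before `return (bits);` would clear the bit unconditionally.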
+++ b/postfix/src/util/dict_pcre.c @@ -59,6 +59,15 @@ #include "mac_parse.h" #include "pcre.h" + /* + * Backwards compatibility. + */ +#ifdef PCRE_STUDY_JIT_COMPILE +#define DICT_PCRE_FREE_STUDY(x) pcre_free_study(x) +#else +#define DICT_PCRE_FREE_STUDY(x) pcre_free((char *) (x)) +#endif + /* * Support for IF/ENDIF based on an idea by Bert Driehuis. */ @@ -387,7 +396,7 @@ static void dict_pcre_close(DICT *dict) if (match_rule->pattern) myfree((char *) match_rule->pattern); if (match_rule->hints) - myfree((char *) match_rule->hints); + DICT_PCRE_FREE_STUDY(match_rule->hints); if (match_rule->replacement) myfree((char *) match_rule->replacement); break; @@ -396,7 +405,7 @@ static void dict_pcre_close(DICT *dict) if (if_rule->pattern) myfree((char *) if_rule->pattern); if (if_rule->hints) - myfree((char *) if_rule->hints); + DICT_PCRE_FREE_STUDY(if_rule->hints); break; case DICT_PCRE_OP_ENDIF: break; @@ -677,7 +686,7 @@ static DICT_PCRE_RULE *dict_pcre_parse_rule(const char *mapname, int lineno, if (engine.pattern) myfree((char *) engine.pattern); if (engine.hints) - myfree((char *) engine.hints); + DICT_PCRE_FREE_STUDY(engine.hints); CREATE_MATCHOP_ERROR_RETURN(0); } #endif
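Review bot: The comment on the new `DICT_PCRE_FREE_STUDY` macro says only "Backwards compatibility" and does not record why the two branches differ. Study data from a PCRE build that offers `PCRE_STUDY_JIT_COMPILE` is meant to be released with `pcre_free_study()`, while older builds have only `pcre_free()`. A comment such as `/* PCRE with JIT support: release study data with pcre_free_study(); older PCRE: pcre_free(). */` would say that. The three call-site hunks in dict_pcre_close() and dict_pcre_parse_rule() convert the `hints` frees visible here. Any other path that frees study data outside these hunks would need the same macro and is worth a grep for remaining `myfree((char *) ...hints)` calls.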