Version of Postfix in Fedora not kept up to date

kvantanet at seznam.cz kvantanet at seznam.cz
Mon Sep 15 12:20:00 UTC 2008


Why is Postfix always a couple of versions behind?
The latest version of Postfix is now 2.5.5 and F10 includes only 2.5.1. (Released 2008-02-17)
Other distros like Debian always update this package.
Fedora never updates this package after release.
Does this mean that we don't need to address the issues corrected in new versions of Postfix?

E.g. the latest 2 issues

----------------------------------------  SNIP -----------------------------------------------

20080814

	Security: some systems have changed their link() semantics,
	and will hardlink a symlink, contrary to POSIX and XPG4.
	Sebastian Krahmer, SuSE. File: util/safe_open.c.

	The solution introduces the following incompatible change:
	when the target of mail delivery is a symlink, the parent
	directory of that symlink must now be writable by root only
	(in addition to the already existing requirement that the
	symlink itself is owned by root).  This change will break
	legitimate configurations that deliver mail to a symbolic
	link in a directory with less restrictive permissions.

20080826

	Bugfix (introduced Postfix 2.4): epoll file descriptor leak.
	With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll
	file descriptor leak when it executes non-Postfix commands
	in, for example, user-controlled $HOME/.forward files.  A
	local user can access a leaked epoll file descriptor to
	implement a denial of service attack on Postfix. Data
	confidentiality and integrity are not affected.  File:
	util/events.c.

----------------------------------------  /SNIP -----------------------------------------------

More at: ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.5.5.HISTORY

Best

T.L. kvantanet
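
The 20080814 entry quoted in the message describes a rule for symlink delivery targets: the symlink must be owned by root and its parent directory must be writable by root only. As an added illustration (not part of the original message and not Postfix's own code from util/safe_open.c), the Python function below audits a path against that rule; the function name, the `trusted_uid` parameter and the reading of "writable by root only" as ownership plus mode bits are assumptions.

```python
import os
import stat
import tempfile


def check_symlink_target(path, trusted_uid=0):
    """Return a list of problems with a mail delivery target.

    Approximates the quoted rule: a symlink target must be owned by root
    and sit in a directory only root can write to. "Writable by root only"
    is modelled as: owned by trusted_uid and no group/other write bit.
    ACLs are not inspected (assumption of this sketch).
    """
    problems = []
    st = os.lstat(path)                      # lstat: inspect the link itself
    if not stat.S_ISLNK(st.st_mode):
        return problems                      # the rule covers symlinks only
    if st.st_uid != trusted_uid:
        problems.append("symlink owner")
    # abspath does not resolve symlinks, so this is the link's own directory.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_uid != trusted_uid:
        problems.append("parent owner")
    if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("parent writable by group/other")
    return problems


if __name__ == "__main__":
    # Constructed demo: a throwaway directory holding a mailbox and a symlink.
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "mbox.real")
        link = os.path.join(d, "mbox")
        open(real, "w").close()
        os.symlink(real, link)
        os.chmod(d, 0o777)                   # deliberately too permissive
        # Checked against uid 0, so ownership also fails unless run as root.
        for problem in check_symlink_target(link):
            print("FAIL:", problem)
        os.chmod(d, 0o700)                   # restore before cleanup
```

An empty list means the target passes; a regular file always passes because the quoted change concerns symlink targets only.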



