** Description changed: + [Impact] + + "postfix tls deploy-server-cert" did not handle a missing optional + argument which makes users get a "can't shift that many..." error. + + In this SRU we are proposing a microrelease update in Focal from version + 3.4.10 to 3.4.13 since the changes are self contained. Moreover, there + is a Postfix SRU exception which allows microreleases if the bug is + fixed in the current development series: + + https://wiki.ubuntu.com/StableReleaseUpdates#Postfix + + And according to the described process there is no need to define a Test + Case and a Regression Potential sections. Upstream has been doing a good + work regarding those stable version bug fixes. + + Here is the upstream changelog change between 3.4.10 and 3.4.13: + + 20200416 + + Workaround for broken builds after an incompatible change + in GCC 10. Files: makedefs, Makefile.in. + + Workaround for broken DANE support after an incompatible + change in GLIBC 2.31. This avoids the need for new options + in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c. + + 20200419 + + Bugfix: segfault in the tlsproxy client role when the server + role was disabled. This typically happens on systems that + do not receive mail, after configuring connection reuse for + outbound TLS. Found during program maintenance. File: + tlsproxy/tlsproxy.c. + + 20200420 + + Noise suppression: shut up a compiler that special-cases + string literals. Viktor Dukhovni. File milter/milter.c. + + 20200422 + + Security: disable DANE support on Alpine Linux because + libc-musl provides no indication whether DNS responses are + authentic. This broke DANE support without a clear explanation. + File: makedefs. + + 20200505 + + Noise suppression: shut up a compiler that special-cases + string literals. Viktor Dukhovni. File smtpd/smtpd_check.c. + + 20200509 + + Bugfix (introduced: Postfix 3.5): maillog_file_rotate_suffix + default value used the minute instead of the month. Reported + by Larry Stone. 
Files: conf/postfix-tls-script, + proto/MAILLOG_README.html, proto/postconf.proto. + global/mail_params.h, postfix/postfix.c. + + 20200510 + + Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by + initializing the ICU library before making the chroot() + call. Files: util/midna_domain.[hc], global/mail_params.c. + + 20200511 + + Noise suppression: avoid "SSL_Shutdown:shutdown while in + init" warnings. File: tls/tls_session.c. + + 20200515 + + Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL + client caused a false 'lost connection' error for an SMTP + over TLS session in the same Postfix process. Reported by + Alexander Vasarab, diagnosed by Viktor Dukhovni. File: + tls/tls_bio_ops.c. + + Bugfix (introduced: Postfix 2.8): a TLS error for one TLS + session may cause a false 'lost connection' error for a + concurrent TLS session in the same tlsproxy process. File: + tlsproxy/tlsproxy.c. + + 20200530 + + Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert" + did not handle a missing optional argument. File: + conf/postfix-tls-script. + + 20200610 + + Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server, + the SNI callback reported an error when it was called a + second time. This happened after the server-side TLS engine + sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP + client. Reported by Ján Máté, fixed by Viktor Dukhovni. + File: tls/tls_misc.c. + + This new microrelease fixes the dane issue and the build against GCC 10 + which makes us drop a patch applied in version 3.4.7-1 + (80_glibc2.30-ftbfs.diff). 
+ + [Original Description] + lsb_release -rd Description: Ubuntu 18.04.4 LTS Release: 18.04 postfix: - Installed: 3.3.0-1ubuntu0.2 - Candidate: 3.3.0-1ubuntu0.2 - Version table: - *** 3.3.0-1ubuntu0.2 500 - 500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages - 100 /var/lib/dpkg/status - 3.3.0-1 500 - 500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu bionic/main amd64 Packages + Installed: 3.3.0-1ubuntu0.2 + Candidate: 3.3.0-1ubuntu0.2 + Version table: + *** 3.3.0-1ubuntu0.2 500 + 500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages + 100 /var/lib/dpkg/status + 3.3.0-1 500 + 500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu bionic/main amd64 Packages - - Attempting to deploy server certificates with - postfix tls deploy-server-cert certificate.crt keyfile.key + Attempting to deploy server certificates with + postfix tls deploy-server-cert certificate.crt keyfile.key Expected to deploy new certificates - What happened - command fails with - /usr/lib/postfix/sbin/postfix-tls-script: 780: shift: can't shift that many + What happened - command fails with + /usr/lib/postfix/sbin/postfix-tls-script: 780: shift: can't shift that many The issue appears to be that the function "deploy-server-cert" in /usr/lib/postfix/sbin/postfix-tls-script expects that there will be three arguments: /usr/lib/postfix/sbin/postfix-tls-script line 777 - deploy_server_cert() { - certfile=$1; shift - keyfile=$1; shift - deploy=$1; shift - ... + deploy_server_cert() { + certfile=$1; shift + keyfile=$1; shift + deploy=$1; shift + ... 
This works when the function is called by the function new_server_cert, which calls the function with the arguments: - deploy_server_cert "${certfile}" "${keyfile}" "${deploy}" || return 1 + deploy_server_cert "${certfile}" "${keyfile}" "${deploy}" || return 1 But when this function is invoked directly in line 1154, it is called with only 2 arguments - deploy_server_cert "${certfile}" "${keyfile}" || exit 1 + deploy_server_cert "${certfile}" "${keyfile}" || exit 1
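Review bot: the added [Impact] text scopes the update to Focal (3.4.10 to 3.4.13), but the original description reports the failure on Ubuntu 18.04.4 LTS with postfix 3.3.0-1ubuntu0.2, and the quoted changelog entry for 20200530 marks the deploy-server-cert bug as "introduced: Postfix 3.1". The description should state whether Bionic gets its own fix or is out of scope for this SRU, so that the reporter's release is not silently left behind. Since the text also waives the Test Case section, it would help to point at the reporter's two-argument invocation ("postfix tls deploy-server-cert certificate.crt keyfile.key") as the check that the 3.4.13 upload no longer hits the shift error.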
https://bugs.launchpad.net/bugs/1881196
Title: postfix tls deploy-server-cert fails with "can't shift that many"