Re: [pfx] Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16

[Solar Designer <solar () openwall com>]

On Mon, May 04, 2026 at 05:38:55PM +0100, Sam James wrote:
> Sam James <sam () gentoo org> writes:
>
> > The most significant one here seems to be the first entry under "Fixed
> > in Postfix 3.8, 3.9, 3.10:".
> >
> > -------------------- Start of forwarded message --------------------
> > To: Postfix announce <postfix-announce () postfix org>
> > Date: Sun, 3 May 2026 19:43:27 -0400 (EDT)
> > CC: Postfix users <postfix-users () postfix org>
> > Subject: [pfx] Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16
> > From: Wietse Venema via Postfix-users <postfix-users () postfix org>
> >
> > [An on-line version of this announcement will be available at
> > https://www.postfix.org/announcements/postfix-3.11.2.html]
> >
> > [...]
>
> I am interested in feedback on whether using my own judgement is
> acceptable for bringing these to oss-security, where I believe they may
> of interest (releases with fixes that appear security-related, as the
> volume is increasing with the current wave of new tooling (*)),
> or whether there are some guidelines I should apply.
>
> Thanks in advance.
>
> (*) I of course only plan to bring such things where I plan to treat
> them at least in part as a security bug downstream.

Yes, I think your judgement fits what many of us would like to see on
this list.  Thank you!

As to this specific issue, I guess Wietse called it a bug and not a
vulnerability deliberately.  I trust his judgement on this, but I don't
mind downstreams being cautious.  Per my reading, exposure is limited to
other trusted components and impact is not directly security relevant
(if only a child process crashes and will be respawned).

Alexander