
Postfix stable release 3.11.3 and legacy releases 3.10.10, 3.9.11, 3.8.17


[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.11.3.html]

Fixed in Postfix 3.8-3.11:

  • Bitrot: builds with musl libc broke, because they were using an obsolete NO_SNPRINTF code path that had not been updated for Claude Code findings.

  • Two fixes for a signed integer overshift condition (a left shift into the sign bit). This "works" on contemporary CPUs, but may break in the future. One reported by Kamil Frankowicz, and one by Robert Sayre.

  • Viktor Dukhovni fixed an 'uninitialized value' error in the 'collate.pl' script.

Fixed in Postfix 3.11:

  • Test code fixes by Viktor Dukhovni for a deprecation warning with OpenSSL 4.0, and for a race condition that caused a test script to fail.

You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.


v1.18.2

Fixes and improvements

RTSP

RTMP

HLS

  • fix error 500 caused by in-stream params (bluenviron/gohlslib#355) (#5728) (#5745) PR bluenviron/gohlslib#344 caused a regression. Many codecs (AV1, H264, H265, VP9) use in-stream parameters, that were not taken into consideration anymore when generating init.mp4 and playlists. This has been solved.

WebRTC

RPI Camera

  • support changing text overlay dynamically (#5270) (#5748)

Dependencies

  • code.cloudfoundry.org/bytefmt updated from v0.70.0 to v0.72.0
  • github.com/Masterminds/semver/v3 updated from v3.4.0 to v3.5.0
  • github.com/bluenviron/gohlslib/v2 updated from v2.3.1 to v2.3.2
  • github.com/bluenviron/gortmplib updated from v0.3.1 to v0.3.2
  • github.com/bluenviron/gortsplib/v5 updated from v5.5.2 to v5.5.3
  • github.com/datarhei/gosrt updated from v0.10.0 to v0.11.0
  • github.com/fsnotify/fsnotify updated from v1.10.0 to v1.10.1
  • github.com/go-git/go-billy/v5 updated from v5.8.0 to v5.9.0
  • github.com/go-git/go-git/v5 updated from v5.18.0 to v5.19.0
  • github.com/gookit/color updated from v1.6.0 to v1.6.1
  • github.com/matthewhartstonge/argon2 updated from v1.5.2 to v1.5.3
  • github.com/pion/rtp updated from v1.10.1 to v1.10.2
  • golang.org/x/crypto updated from v0.50.0 to v0.51.0
  • golang.org/x/net updated from v0.53.0 to v0.54.0
  • golang.org/x/sys updated from v0.43.0 to v0.44.0
  • golang.org/x/term updated from v0.42.0 to v0.43.0
  • github.com/cyphar/filepath-securejoin updated from v0.4.1 to v0.6.1
  • github.com/pjbgf/sha1cd updated from v0.3.2 to v0.6.0
  • golang.org/x/text updated from v0.36.0 to v0.37.0
  • github.com/bluenviron/mediamtx-rpicamera updated from v2.5.6 to v2.5.7

Security

Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.

Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check


Isle of Ireland: Guess Where We Are

How well do you know Éire? Our team is hard at work creating the Isle of Ireland for Euro Truck Simulator 2, and we’ve got some early work in progress screenshots to share with you!


We know our community has a sharp eye, so we’re putting you to the test to guess where in Ireland these screenshots were taken. They are based on real life locations being recreated in detail for this DLC, so if you know the area, or have some geo-guessing skills, you might just recognise where each one is from.


We’d love to hear your guesses, so be sure to share them in the blog comments below, on our social media channels, or even on our official forum. 


Development on the Isle of Ireland DLC is still ongoing, but we hope this glimpse gives you a sense of the beauty and history that awaits you. We’ll be sure to keep you updated on the latest development news and previews, and if you like what you’ve seen here today, be sure to add it to your Steam Wishlist to be notified of its release. Until next time, keep on truckin'! 


Bits from Debian: New Debian Developers and Maintainers (March and April 2026)

The following contributors got their Debian Developer accounts in the last two months:

  • Filip Strömbäck (fstromback)
  • Arthur Diniz (arthurbd)
  • Manuel Traut (manut)
  • Xiyue Deng (manphiz)
  • kpcyrd (kpcyrd)

The following contributors were added as Debian Maintainers in the last two months:

  • Chris Talbot
  • Gabriel Filion
  • Mate Kukri

Congratulations!


v1.6.6 - Cross-Device Onboarding Sync, Distinct Folder Icons, and Richer HTML Signatures

1.6.6 (2026-05-15)

Features

  • Mail: Sync onboarding completion state across devices so the welcome flow only runs once per account (#285)
  • Mail: Distinct icons for Shared, Important, Memos, Scheduled, and Snoozed folders (#288)
  • Compose: Raise HTML identity signature length cap to 50,000 characters
  • Compose: Allow <img> tags in HTML identity signatures for inline logos and banners

Fixes

  • Files: Hide Files settings entry and sidebar nav when the filesEnabled policy is off (#291)
  • Admin: Honor the cookieSameSite admin config override instead of always defaulting (#284)
  • UI: Standardize punctuation in tooltips and inline comments across locales

i18n

  • Add Danish localization
  • Clean up Danish locale wiring and sort the language picker alphabetically (#286)


Russell Coker: Debian SE Linux and ssh-keysign-pwn

I just tested out the ssh-keysign-pwn exploit [1] on Debian kernel 6.12.74+deb13+1-amd64 which was released before these exploits.

When sshkeysign_pwn is run as user_t the following is logged in the audit log and it fails to exploit anything:

type=SYSCALL msg=audit(1778831599.951:22353257): arch=c000003e syscall=438 success=no exit=-1 a0=3 a1=c a2=0 a3=1b8020 items=0 ppid=5632 pid=6654 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=144 comm="sshkeysign_pwn" exe="/home/test/a/ssh-keysign-pwn/sshkeysign_pwn" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=pidfd_getfd AUID="test" UID="test" GID="test" EUID="test" SUID="test" FSUID="test" EGID="test" SGID="test" FSGID="test"
type=PROCTITLE msg=audit(1778831599.951:22353257): proctitle="./sshkeysign_pwn"
type=AVC msg=audit(1778831599.951:22353258): avc:  denied  { ptrace } for  pid=6654 comm="sshkeysign_pwn" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0

When it is run as unconfined_t the contents of the /etc/ssh/ssh_host_ecdsa_key file are correctly displayed on standard out in about 10ms. The file in question is only readable by root, and a non-root user can use this exploit to read it.

It wouldn’t be uncommon to have a system configured to allow users to trace their own processes. The following policy addition grants access for the user to trace their own processes:

allow user_t self:process ptrace;

With that in place the sshkeysign_pwn exploit still doesn’t work and there are logs like the following:

type=AVC msg=audit(1778833455.726:57355191): avc:  denied  { read } for  pid=6941 comm="ssh-keysign" name="ssh_host_rsa_key" dev="vda" ino=15492 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1778833455.726:57355191): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=55eadec43061 a2=0 a3=0 items=0 ppid=6933 pid=6941 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=144 comm="ssh-keysign" exe="/usr/lib/openssh/ssh-keysign" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID="test" UID="test" GID="test" EUID="root" SUID="root" FSUID="root" EGID="test" SGID="test" FSGID="test"

So if you could find some secret data in a file that’s only restricted by Unix permissions and user_t is granted ptrace access then a variant of that exploit could work.

When user_t is allowed ptrace access the chage_pwn exploit fails with the following log entries, so any binary that runs in a different domain can’t be used in that situation.

type=AVC msg=audit(1778833908.020:57434896): avc:  denied  { ptrace } for  pid=7037 comm="chage_pwn" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:passwd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1778833908.020:57434896): arch=c000003e syscall=438 success=no exit=-1 a0=3 a1=5 a2=0 a3=1b7e00000000 items=0 ppid=5632 pid=7037 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=144 comm="chage_pwn" exe="/home/test/a/ssh-keysign-pwn/chage_pwn" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=pidfd_getfd AUID="test" UID="test" GID="test" EUID="test" SUID="test" FSUID="test" EGID="test" SGID="test" FSGID="test"

Conclusion

In a “strict” configuration with users having the user_t domain a Debian system is not vulnerable to these exploits unless there is some configuration error or some unusual configuration choices. Users with the unconfined_t domain can successfully run the exploits.
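
Added example (not part of the original post): a Python triage script that pairs failed pidfd_getfd calls with the SELinux ptrace denial that blocked them, and lists denied reads of sshd_key_t files. The records are abridged from the audit lines quoted above; the function names are made up for this example.

```python
import re
from collections import defaultdict

# Records abridged from the audit log lines quoted in the post (fields trimmed for length).
SAMPLE = '''\
type=SYSCALL msg=audit(1778831599.951:22353257): arch=c000003e syscall=438 success=no exit=-1 pid=6654 uid=1000 comm="sshkeysign_pwn" subj=user_u:user_r:user_t:s0
type=AVC msg=audit(1778831599.951:22353258): avc:  denied  { ptrace } for  pid=6654 comm="sshkeysign_pwn" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0
type=AVC msg=audit(1778833455.726:57355191): avc:  denied  { read } for  pid=6941 comm="ssh-keysign" name="ssh_host_rsa_key" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1778833455.726:57355191): arch=c000003e syscall=257 success=no exit=-13 pid=6941 uid=1000 euid=0 comm="ssh-keysign" subj=user_u:user_r:user_t:s0
type=AVC msg=audit(1778833908.020:57434896): avc:  denied  { ptrace } for  pid=7037 comm="chage_pwn" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:passwd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1778833908.020:57434896): arch=c000003e syscall=438 success=no exit=-1 pid=7037 uid=1000 comm="chage_pwn" subj=user_u:user_r:user_t:s0
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')
PIDFD_GETFD = ("c000003e", "438")  # x86_64 arch + syscall number, as in the post's logs

def parse(line):
    """Turn one audit record into a dict of its key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {k: v.strip('"') for k, v in KV.findall(body)}
    rec.update(type=rtype, ts=ts, serial=serial)
    p = PERMS.search(body)
    if p:
        rec["perms"] = p.group(1).split()
    return rec

def domain(ctx):
    return ctx.split(":")[2]  # user:role:type:level -> type

def find_blocked_fd_theft(text):
    """Pair failed pidfd_getfd calls with the SELinux ptrace denial that blocked them."""
    recs = [r for r in map(parse, text.splitlines()) if r]
    # The post's first example logs the AVC and SYSCALL under different serials,
    # so correlate on (timestamp, pid) rather than on the audit serial.
    denials = defaultdict(list)
    for r in recs:
        if r["type"] == "AVC" and "ptrace" in r.get("perms", []):
            denials[(r["ts"], r["pid"])].append(r)
    findings = []
    for r in recs:
        if (r["type"] == "SYSCALL" and r.get("success") == "no"
                and (r.get("arch"), r.get("syscall")) == PIDFD_GETFD):
            for avc in denials.get((r["ts"], r["pid"]), []):
                src, dst = domain(avc["scontext"]), domain(avc["tcontext"])
                findings.append({"comm": r["comm"], "pid": int(r["pid"]),
                                 "source": src, "target": dst, "cross_domain": src != dst})
    return findings

def denied_key_reads(text):
    """AVC read denials on files labelled sshd_key_t (the host keys in the post)."""
    return [(r["comm"], r["name"], domain(r["scontext"]))
            for r in filter(None, map(parse, text.splitlines()))
            if r["type"] == "AVC" and r.get("tclass") == "file"
            and "read" in r.get("perms", []) and domain(r["tcontext"]) == "sshd_key_t"]
```

A finding with cross_domain False corresponds to the first case in the post (user_t denied ptrace on itself); cross_domain True corresponds to the chage_pwn case, where the target runs in passwd_t.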


Freexian Collaborators: Debian Contributions: Detecting undeclared file conflicts, contributors.debian.org mini-sprint, security-tracker performance and more! (by Anupa Ann Joseph)

Debian Contributions: 2026-04

Contributing to Debian is part of Freexian’s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

Undeclared file conflicts, by Helmut Grohne

The duplication checker, the Multi-Arch hinter, and the /usr-move analyzer share significant parts of their code. While the /usr-move transition is complete, the other tools needed a bit of love. Helmut added Python type annotations, slightly improved the performance of the duplication website and shared more code between these tools.

Building upon this Helmut looked into file conflicts of various kinds such as unrelated packages installing overlapping files, file type conflicts, mismatching directory metadata and shared files of Multi-Arch: same packages with varying content. Implementing reliable detection proved to be difficult due to the amount of corner cases. So Helmut semi-manually filed bugs. In that process, it became apparent that binNMUs do not reproduce SOURCE_DATE_EPOCH across architectures and therefore some shared files embedding the build date would vary in content. Additionally, a significant number of reports required further correspondence.

contributors.debian.org mini-sprint, by Enrico Zini

Enrico Zini met with Mattia Rizzolo to continue the work started at DebConf 25 on crediting contributions done via salsa, and to catch up with accumulated site issues.

Building on the same kind of infrastructure used to notify tag2upload, salsa.debian.org triggers a webping on pushes and merge request activity, which causes a small JSON payload to be queued in a private directory on contributors.debian.org.

We worked on processing, filtering and aggregating the files in the queue into a private, staging database table. When configuring a data source on the site, it is now possible to configure automated submission of contributions from information in the staging table. This makes it significantly simpler to credit contributors for all teams that use Salsa as their code repository and coordination tool, as the site can take care of the data mining for you.

See more details in the sprint report posted to debian-devel-announce.

MiniDebConf Campinas, by Lucas Kanashiro, Santiago Ruano Rincón and Antonio Terceiro

MiniDebConf Campinas was held between April 23rd and 25th, at the State University of Campinas, and was preceded by a MiniDebcamp between April 20th and 22nd. Freexian was Gold sponsor for the event, and Freexian collaborators were active contributors to the conference success.

Lucas and Santiago delivered a talk about Debian LTS during MiniDebConf Campinas 2026, where they described how the LTS project benefits Debian users and developers, while strengthening Debian itself.

Lucas and Antonio delivered a talk about internship programs in Debian during MiniDebConf Campinas 2026, with the goal of getting students interested in working in and with Debian.

Lucas took part in the MiniDebConf Campinas content team, reviewing/accepting talks and building the schedule.

Antonio led a session where he invited the audience to weigh in on current controversies in Debian. The session used playful elements, such as colored signs to denote agree/disagree, and was not recorded, to help people feel more comfortable about speaking up. He might be convinced to lead a similar session at the next DebConf.

Antonio also organized a debate to discuss the consequences of new Brazilian regulation for the protection of children and adolescents in digital spaces for Debian and other free operating systems, but also for the free software community in general. This session was very fruitful and will lead into further actions, as one of the main outcomes was the realization that the free software community must follow the discussion leading up to similar regulations more closely to avoid being caught by surprise when they come into effect.

security-tracker performance, by Helmut Grohne and Emilio Pozuelo Monfort

Prompted by a spontaneous influx of web requests on Freexian’s security-tracker back in February, we considered the options for managing that demand. One of our mitigations was making it faster. To that end, Helmut sent two MRs towards improving the situation. There are four notable improvements. The use of Python’s str.translate generally speeds up rendering of larger templates. Indexing the CVE names avoids a costly sequential table scan. Avoiding FFI calls while sorting and reducing the queryset speeds up the source package view. Emilio reviewed and deployed the changes onto the Debian instance. Together these changes provide a twofold speedup on both Freexian’s and Debian’s instance on average.

dput-ng data loss bug, by Colin Watson

Ian Jackson (not affiliated with Freexian) reported that dput-ng could lose data when using the local install method, which could cause misleading results in tests of other packages; they also filed an initial merge request to fix it. Colin improved this to isolate its tests properly, and uploaded it.

Miscellaneous contributions

  • Lucas coordinated the src:valkey update to version 9 in unstable with a potential co-maintainer.
  • Lucas provided a security update for src:valkey targeting “trixie”.
  • Thorsten did two uploads of foo2zjs, one to fix a bug and one to improve packaging. As there have been several CVEs published for cups, he also did an upload of a new upstream version. Unfortunately this introduced a regression, and another upload was needed to take care of a crash. The patch for one CVE also broke a test script, which is used by lots of printing packages in Debian. As a result some autopkgtest runs failed. This could be fixed as well, and the only remaining issue that needs some more investigation is related to cups-pdf. It is also worth mentioning that some issues related to the apparmor configuration of cups could be resolved.
  • Helmut sent patches for 11 cross build failures.
  • Helmut sent a MR for enabling the new mainline YT6801 ethernet Linux driver and it is now working fine with Debian’s 7.x kernels.
  • Helmut upgraded a crossqa.debian.net autobuilder to “trixie”.
  • Carles, using po-debconf-manager, improved Catalan translations: reviewed 2 packages, submitted 3 packages, deleted 5 packages.
  • Carles did further code development for check-relations: steps towards making it production ready when the initial round of reports is analyzed. New “show-package” (information) command, improvements for “report_missing” cases, added support for ignoring packages for specific reasons, added unit tests, added CI. Used it to open 39 new bugs. Also followed up on different open bugs.
  • Raphaël completed the French translation of Zulip for the release of version 12.0. Zulip is a nice 100% free software threaded communication platform for distributed teams.
  • Stefano did routine uploads of python-pipx, python-mitogen, platformdirs, python-authlib, python-discovery, distro-info-data, python-virtualenv, python-certifi, python-wheel, pypy3.
  • Stefano uploaded distro-info-data updates to stable and oldstable proposed updates, with the latest Ubuntu release.
  • Stefano took part in DebConf 26 preparation meetings.
  • Stefano prepared DebConf’s online video streaming infrastructure for MiniDebConf Campinas, and configured the Debian reimbursement system to handle their travel bursary claims.
  • Stefano helped MiniDebConf Hamburg prepare their website for 2027.
  • Stefano did some sysadmin work on debian.social infrastructure.
  • Stefano reviewed Matthias’ python3.15 packaging and rebased his work on top of it.
  • Antonio implemented several improvements to the Debian CI platform, including but not limited to adding support for dark mode, dropping compatibility with ActiveRecord < 7 which is no longer shipped in Debian stable, and generating content-based links to static assets, in two parts.
  • Antonio debugged a general slowness in salsa, caused by loss of IPv6 connectivity between the salsa host and the remote object storage in “the cloud”, which is a problem due to an open upstream bug in gitlab.
  • Santiago reviewed different changes to the Salsa CI pipeline, including the new uscan test job, prepared by Thaís Rebouças Araujo, and the final review to introduce faketime testing, made by Áquila Macedo.
  • Santiago continued helping the DebConf 26 local team to prepare the conference.
  • Emilio updated libxpm to address a security issue.
  • Colin finished upgrading groff to 1.24.1; 1.24.0 and 1.24.1 were the first upstream releases since 2023 and had extensive changes, so this took some time to get right.
  • Colin released “bookworm” and “trixie” fixes for CVE-2026-3497 in openssh, and issued the corresponding BSA-130 for trixie-backports.
  • Colin upgraded openssh to 10.3p1.
  • Anupa worked on the accounting tasks for MiniDebConf Kanpur and prepared and submitted a report to the fiscal host.

Daniel Baumann: Debian: Linux Vulnerability Mitigation (ssh-keysign-pwn)

After the Linux local root privilege escalations of the last two weeks, the bug of today is ssh-keysign-pwn [CVE-2026-46333], which allows an unprivileged user to read root-owned files.

Exploiting the vulnerability doesn’t require loading any specific modules like the bugs from the last weeks did; this one needs to be fixed by rebooting the system into an updated kernel.

I’ve cherry-picked the upstream commit to fix it in trixie-fastforward-backports (linux 7 backports for trixie), confirmed that the exploits don’t work anymore, and submitted a merge request for sid.

Updates:


Counter-Strike 2 Update

[ MAPS ]

Cache

  • Fixed various holes in map
  • Fixed surfacetypes for various materials.
  • Added grating to some windows to make them block bullets.
  • Tweaks to player and grenade clipping.

[ MISC ]

  • Fixed a case where it was possible to cancel a grenade throw after the throw was started near the end of the pin pull animation.
  • Miscellaneous stability improvements.

[ TOOLS ]

  • Fixed bug that prevented the asset in use from being selected when model browser was opened.
  • Fixed bug with layered materials with same surface property on all layers.

[ MUSIC KITS ]

  • Added roundmvpanthem_02 for all NIGHTMODE II music kits which plays at 1:5 ratio.