[An on-line version of this announcement will be available at http://www.postfix.org/announcements/postfix-2.8.3.html]
Postfix releases 2.8.3, 2.7.4, 2.6.10 and 2.5.13 are available. These contain a fix for CVE-2011-1720, which affects Postfix SMTP server configurations that use Cyrus SASL authentication. Besides full releases, patches are available for Postfix 1.1 and later.
This defect was introduced with the Postfix SASL patch, and is present in all Postfix versions where the command "postconf mail_release_date" reports a value of 20000314 (March 14, 2000) or greater.
Note: CVE-2011-1720 does not affect Postfix SMTP servers that use Dovecot SASL authentication. It also does not affect the common Postfix SMTP server configurations that use only Cyrus SASL mechanisms PLAIN and LOGIN.
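The exposure conditions above can be checked mechanically. The following shell sketch is an added example, not part of the Postfix announcement or distribution; the function names and status strings are hypothetical, and the mech_list argument is assumed to be read by the administrator from the Cyrus SASL configuration used by smtpd.

```shell
#!/bin/sh
# Added example: CVE-2011-1720 triage from the conditions in the announcement.
# Values are passed as arguments so the logic runs offline. On a live host:
#   postconf -h mail_version mail_release_date smtpd_sasl_auth_enable smtpd_sasl_type
# MECH_LIST is the Cyrus SASL mech_list for smtpd (file location varies by build).

# fixed_in_branch VERSION: succeeds for the fixed releases named in the
# announcement (2.8.3, 2.7.4, 2.6.10, 2.5.13) and, by assumption, later patch
# levels of the same branches. Any other version string is "not proven fixed".
fixed_in_branch() {
    branch=${1%.*}; patch=${1##*.}
    case $patch in ''|*[!0-9]*) return 1 ;; esac
    case $branch in
        2.8) min=3 ;; 2.7) min=4 ;; 2.6) min=10 ;; 2.5) min=13 ;;
        *) return 1 ;;
    esac
    [ "$patch" -ge "$min" ]   # numeric compare, so 2.6.9 < 2.6.10
}

# triage VERSION RELEASE_DATE SASL_ENABLE SASL_TYPE MECH_LIST
# Prints "<status>: <reason>"; status is not-affected, fixed, review or affected.
triage() {
    version=$1; rdate=$2; enable=$3; type=$4; mechs=$5
    if [ "$rdate" -lt 20000314 ] 2>/dev/null; then
        echo "not-affected: release date predates the SASL patch"; return
    fi
    if fixed_in_branch "$version"; then
        echo "fixed: $version contains the fix"; return
    fi
    if [ "$enable" != yes ]; then   # master.cf -o overrides are not seen here
        echo "not-affected: SASL authentication is not enabled in smtpd"; return
    fi
    if [ "$type" != cyrus ]; then
        echo "not-affected: SASL type is $type, not cyrus"; return
    fi
    [ -n "$mechs" ] || { echo "review: mech_list not supplied"; return; }
    for m in $mechs; do
        case $m in
            PLAIN|LOGIN|plain|login) ;;
            *) echo "affected: Cyrus SASL offers $m"; return ;;
        esac
    done
    echo "not-affected: only PLAIN and LOGIN are offered"
}
```

A build that received one of the source patches instead of a full release may still report an older version string, so an "affected" result on such a system should be checked against how that build was patched.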
More details will be available at http://www.postfix.org/CVE-2011-1720.html.
You can find the updated Postfix source code at the mirrors listed at http://www.postfix.org/.