[Dovecot-news] Dovecot release v2.3.6

Aki Tuomi aki.tuomi at open-xchange.com
Tue Apr 30 16:21:01 EEST 2019


Hi!

We are pleased to release Dovecot v2.3.6.

Tarball is available at

https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz.sig

Binary packages are available at https://repo.dovecot.org/

Changes
-------

* CVE-2019-11494: Submission-login crashed with signal 11 due to null pointer access when authentication was aborted by disconnecting.
* CVE-2019-11499: Submission-login crashed when authentication was started over TLS secured channel and invalid authentication message was sent.
* auth: Support password grant with passdb oauth2.
+ Use system default CAs for outbound TLS connections.
+ Simplify array handling with new helper macros.
+ fts_solr: Enable configuring batch_size and soft_commit features.
- lmtp/submission: Fixed various bugs in XCLIENT handling, including a hang when XCLIENT commands were sent infinitely to the remote server.
- lmtp/submission: Forwarded multi-line replies were erroneously sent as two replies to the client.
- lib-smtp: client: Message was not guaranteed to contain CRLF consistently when CHUNKING was used.
- fts_solr: Plugin was no longer compatible with Solr 7.
- Make it possible to disable certificate checking without setting ssl_client_ca_* settings.
- pop3c: SSL support was broken.
- mysql: Closing connection twice lead to crash on some systems.
- auth: Multiple oauth2 passdbs crashed auth process on deinit.
- HTTP client connection errors infrequently triggered a segmentation fault when the connection was idle and not used for a particular client instance.

---
Aki Tuomi
Open-Xchange oy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: not available
URL: <https://dovecot.org/pipermail/dovecot-news/attachments/20190430/e2a5c58f/attachment.sig>


More information about the Dovecot-news mailing list