February 2019 - Dovecot-news

Re: [Dovecot-news] Release notify (2.2.36.1 and 2.3.4.1)
by Aki Tuomi 05 Feb '19

05 Feb '19

1 0

Re: [Dovecot-news] Release notify (2.2.36.1 and 2.3.4.1)
by Aki Tuomi 05 Feb '19

05 Feb '19

1 0

Re: [Dovecot-news] Dovecot v2.2.36.1 released (Pigeonhole 0.4.24.1)
by Stephan Bosch 05 Feb '19

05 Feb '19

Hi, Here is the associated release for Pigeonhole: https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1… https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1… Binary packages included in https://repo.dovecot.org/ + imapsieve: Added imapsieve_expunge_discarded setting which causes discarded messages to be expunged immediately. - Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context that modify the message, store the message a second time, rather than replacing the originally stored unmodified message. - imapsieve: Fix crash when COPYing mails from a virtual mailbox when the source messages originate from more than a single real mailbox - imap_filter_sieve plugin: Implement the missing UID FILTER command. - imap_filter_sieve plugin: Fix FILTER to work with pipelining Regards, Stephan. Op 5-2-2019 om 14:01 schreef Aki Tuomi: > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig > > * CVE-2019-3814: If imap/pop3/managesieve/submission client has > trusted certificate with missing username field > (ssl_cert_username_field), under some configurations Dovecot > mistakenly trusts the username provided via authentication instead > of failing. > * ssl_cert_username_field setting was ignored with external SMTP AUTH, > because none of the MTAs (Postfix, Exim) currently send the > cert_username field. This may have allowed users with trusted > certificate to specify any username in the authentication. This bug > didn't affect Dovecot's Submission service. > > - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT > - director: Kicking a user assert-crashes if login process is very slow > - lda/lmtp: Fix assert-crash with some Sieve scripts when > mail_attachment_detection_options=add-flags-on-save > - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file > - Snippet generation crashed with invalid Content-Type:multipart > > > --- > > Aki Tuomi > Open-Xchange Oy > >

1 0

Release notify (2.2.36.1 and 2.3.4.1)
by Aki Tuomi 05 Feb '19

05 Feb '19

Due to DMARC issues some people have failed to receive the latest security information, so here it is repeated for both releases: 2.3.4.1 https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig> Binary packages in https://repo.dovecot.org/ * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This bug didn't affect Dovecot's Submission service. 2.2.36.1 https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This bug didn't affect Dovecot's Submission service. - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT - director: Kicking a user assert-crashes if login process is very slow - lda/lmtp: Fix assert-crash with some Sieve scripts when mail_attachment_detection_options=add-flags-on-save - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file - Snippet generation crashed with invalid Content-Type:multipart

1 0

Dovecot v2.3.4.1 released
by Aki Tuomi 05 Feb '19

05 Feb '19

https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig> Binary packages in https://repo.dovecot.org/ * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This bug didn't affect Dovecot's Submission service. --- Aki Tuomi Open-Xchange oy

1 0

Dovecot v2.2.36.1 released
by Aki Tuomi 05 Feb '19

05 Feb '19

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This bug didn't affect Dovecot's Submission service. - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT - director: Kicking a user assert-crashes if login process is very slow - lda/lmtp: Fix assert-crash with some Sieve scripts when mail_attachment_detection_options=add-flags-on-save - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file - Snippet generation crashed with invalid Content-Type:multipart --- Aki Tuomi Open-Xchange Oy

1 0