http://dovecot.org/releases/1.0/dovecot-1.0.13.tar.gz http://dovecot.org/releases/1.0/dovecot-1.0.13.tar.gz.sig http://dovecot.org/releases/1.1/rc/dovecot-1.1.rc3.tar.gz http://dovecot.org/releases/1.1/rc/dovecot-1.1.rc3.tar.gz.sig Note that the changes for the security hole fix were quite large. I tested with several auth configurations myself and they seemed to work, but it's possible I left a bug somewhere in there breaking someone's configuration. So make sure to test that it works after upgrading. Of course it would be really nice if Dovecot had a proper test suite where testing all configurations could be automated and run before each release. I've already started this with my imaptest tool (http://imapwiki.org/ImapTest), but it only does IMAP tests and a lot of things are still missing. Some help would be nice here. * Fixed a security hole in blocking passdbs (MySQL always. PAM, passwd and shadow if blocking=yes) where user could specify extra fields in the password. The main problem here is when specifying "skip_password_check" introduced in v1.0.11 for fixing master user logins, allowing the user to log in as anyone without a valid password. - mail_privileged_group was broken in some systems (OS X, Solaris?) - IMAP THREAD: Fixed some correctness problems