As per our EOL statement, 2.2.36 receives security and critical updates. That said, we decided to flush a few annoying bugs with the .1 release.
Aki,
What's the difference between 2.2.x and 2.3.x version of Dovecot? And
why do you maintain both?
I stopped building RPMs of the 2.2.x version and now only build 2.3.x.
Should I be maintaining both?
Eric
On 2/5/2019 6:01 AM, Aki Tuomi wrote:
* CVE-2019-3814: If imap/pop3/managesieve/submission client has
  trusted certificate with missing username field
  (ssl_cert_username_field), under some configurations Dovecot
  mistakenly trusts the username provided via authentication instead
  of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH,
  because none of the MTAs (Postfix, Exim) currently send the
  cert_username field. This may have allowed users with trusted
  certificate to specify any username in the authentication. This bug
  didn't affect Dovecot's Submission service.
- pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
- director: Kicking a user assert-crashes if login process is very slow
- lda/lmtp: Fix assert-crash with some Sieve scripts when
  mail_attachment_detection_options=add-flags-on-save
- fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
- Snippet generation crashed with invalid Content-Type:multipart
---
Aki Tuomi
Open-Xchange Oy
--
Eric Broch
White Horse Technical Consulting (WHTC)
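
The failure mode in the CVE-2019-3814 item of the quoted announcement, as a simplified Python model added here (it is not Dovecot's code and not from either poster). The function names, the dict standing in for a certificate subject, and the sample certificates are assumptions made for illustration.

```python
"""Simplified model of fail-open vs fail-closed certificate username handling."""


class AuthRejected(Exception):
    """Raised when the login must fail instead of falling back."""


def cert_username(subject, field):
    """Return the configured subject field, or None if it is absent or empty."""
    value = subject.get(field, "").strip()
    return value or None


def login_name_fail_open(subject, field, auth_username):
    """Flawed pattern: a missing field silently falls back to the
    username the client supplied during authentication."""
    return cert_username(subject, field) or auth_username


def login_name_fail_closed(subject, field, auth_username):
    """Hardened pattern: the certificate is the only source of identity,
    so a certificate without the field is rejected outright."""
    name = cert_username(subject, field)
    if name is None:
        raise AuthRejected("trusted certificate has no %r field" % field)
    return name  # auth_username is deliberately ignored


# Constructed sample subjects; both certificates are assumed to chain to a trusted CA.
CERT_WITH_CN = {"commonName": "alice", "organizationName": "Example"}
CERT_WITHOUT_CN = {"organizationName": "Example"}
CERT_EMPTY_CN = {"commonName": "  ", "organizationName": "Example"}


def compare(subject, auth_username, field="commonName"):
    """Return (fail_open_result, fail_closed_result) for one login attempt;
    a rejection is reported as the string 'REJECTED'."""
    open_result = login_name_fail_open(subject, field, auth_username)
    try:
        closed_result = login_name_fail_closed(subject, field, auth_username)
    except AuthRejected:
        closed_result = "REJECTED"
    return open_result, closed_result


if __name__ == "__main__":
    for cert in (CERT_WITH_CN, CERT_WITHOUT_CN, CERT_EMPTY_CN):
        print(cert, compare(cert, "bob"))
```
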