On Tue, 5 Feb 2019 at 20:32, Aki Tuomi via dovecot dovecot@dovecot.org wrote:
Due to DMARC issues some people have failed to receive the latest security information, so here it is repeated for both releases:
2.3.4.1
https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig
https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig
Binary packages in https://repo.dovecot.org/

* CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This bug didn't affect Dovecot's Submission service.
FreeBSD-11.2 (amd64):
gmake[2]: Entering directory '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/lib -I../../src/lib-dns -I../../src/lib-test -I../../src/lib-settings -I../../src/lib-ssl-iostream -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\" -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\" -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\" -DBINDIR=\""/opt/dovecot2.3/bin"\" -std=gnu99 -g -O2 -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -I/usr/local/include -MT test-event-stats.o -MD -MP -MF .deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
test-event-stats.c: In function 'kill_stats_child':
test-event-stats.c:101:2: warning: implicit declaration of function 'kill' [-Wimplicit-function-declaration]
  (void)kill(stats_pid, SIGKILL);
  ^
test-event-stats.c:101:24: error: 'SIGKILL' undeclared (first use in this function)
  (void)kill(stats_pid, SIGKILL);
                        ^
test-event-stats.c:101:24: note: each undeclared identifier is reported only once for each function it appears in
gmake[2]: *** [Makefile:638: test-event-stats.o] Error 1
gmake[2]: Leaving directory '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
gmake[1]: *** [Makefile:565: install-recursive] Error 1
gmake[1]: Leaving directory '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src'
gmake: *** [Makefile:683: install-recursive] Error 1
FreeBSD-9.3:
gmake[3]: Entering directory '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/lib -I../../src/lib-dns -I../../src/lib-test -I../../src/lib-settings -I../../src/lib-ssl-iostream -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\" -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\" -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\" -DBINDIR=\""/opt/dovecot2.3/bin"\" -std=gnu99 -g -O2 -fstack-protector -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -I/usr/local/include -MT test-event-stats.o -MD -MP -MF .deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
test-event-stats.c: In function 'kill_stats_child':
test-event-stats.c:101: warning: implicit declaration of function 'kill'
test-event-stats.c:101: error: 'SIGKILL' undeclared (first use in this function)
test-event-stats.c:101: error: (Each undeclared identifier is reported only once
test-event-stats.c:101: error: for each function it appears in.)
test-event-stats.c: In function 'test_no_merging2':
test-event-stats.c:361: warning: format '%lu' expects type 'long unsigned int', but argument 2 has type 'uint64_t'
test-event-stats.c: In function 'test_no_merging3':
test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned int', but argument 2 has type 'uint64_t'
test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned int', but argument 4 has type 'uint64_t'
test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned int', but argument 6 has type 'uint64_t'
test-event-stats.c: In function 'test_merge_events2':
test-event-stats.c:452: warning: format '%lu' expects type 'long unsigned int', but argument 2 has type 'uint64_t'
test-event-stats.c: In function 'test_skip_parents':
test-event-stats.c:484: warning: format '%lu' expects type 'long unsigned int', but argument 2 has type 'uint64_t'
test-event-stats.c:484: warning: format '%lu' expects type 'long unsigned int', but argument 4 has type 'uint64_t'
test-event-stats.c:484: warning: format '%lu' expects type 'long unsigned int', but argument 6 has type 'uint64_t'
test-event-stats.c: In function 'test_merge_events_skip_parents':
test-event-stats.c:526: warning: format '%lu' expects type 'long unsigned int', but argument 2 has type 'uint64_t'
test-event-stats.c:526: warning: format '%lu' expects type 'long unsigned int', but argument 4 has type 'uint64_t'
test-event-stats.c:526: warning: format '%lu' expects type 'long unsigned int', but argument 6 has type 'uint64_t'
Makefile:638: recipe for target 'test-event-stats.o' failed
gmake[3]: *** [test-event-stats.o] Error 1
gmake[3]: Leaving directory '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
Makefile:565: recipe for target 'all-recursive' failed
gmake[2]: *** [all-recursive] Error 1
gmake[2]: Leaving directory '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src'
Makefile:683: recipe for target 'all-recursive' failed
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1'
Makefile:527: recipe for target 'all' failed
gmake: *** [all] Error 2
[wash@gw ~/Tools/Dovecot/2.3/dovecot-2.3.4.1]$
FreeBSD-8.4:
Making all in lib-master
source='test-event-stats.c' object='test-event-stats.o' libtool=no DEPDIR=.deps depmode=none /bin/bash ../../depcomp gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/lib -I../../src/lib-dns -I../../src/lib-test -I../../src/lib-settings -I../../src/lib-ssl-iostream -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\" -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\" -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\" -DBINDIR=\""/opt/dovecot2.3/bin"\" -std=gnu99 -g -O2 -fstack-protector -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -I/usr/local/include -c -o test-event-stats.o test-event-stats.c
test-event-stats.c: In function 'kill_stats_child':
test-event-stats.c:101: warning: implicit declaration of function 'kill'
test-event-stats.c:101: error: 'SIGKILL' undeclared (first use in this function)
test-event-stats.c:101: error: (Each undeclared identifier is reported only once
test-event-stats.c:101: error: for each function it appears in.)
test-event-stats.c: In function 'test_no_merging2':
test-event-stats.c:361: warning: format '%lu' expects type 'long unsigned int', but argument 2 has type 'uint64_t'
test-event-stats.c: In function 'test_no_merging3':
test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned int', but argument 2 has type 'uint64_t'
test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned int', but argument 4 has type 'uint64_t'
test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned int', but argument 6 has type 'uint64_t'
test-event-stats.c: In function 'test_merge_events2':
test-event-stats.c:452: warning: format '%lu' expects type 'long unsigned int', but argument 2 has type 'uint64_t'
test-event-stats.c: In function 'test_skip_parents':
test-event-stats.c:484: warning: format '%lu' expects type 'long unsigned int', but argument 2 has type 'uint64_t'
test-event-stats.c:484: warning: format '%lu' expects type 'long unsigned int', but argument 4 has type 'uint64_t'
test-event-stats.c:484: warning: format '%lu' expects type 'long unsigned int', but argument 6 has type 'uint64_t'
test-event-stats.c: In function 'test_merge_events_skip_parents':
test-event-stats.c:526: warning: format '%lu' expects type 'long unsigned int', but argument 2 has type 'uint64_t'
test-event-stats.c:526: warning: format '%lu' expects type 'long unsigned int', but argument 4 has type 'uint64_t'
test-event-stats.c:526: warning: format '%lu' expects type 'long unsigned int', but argument 6 has type 'uint64_t'
*** Error code 1

Stop.
make: stopped in /usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master
*** Error code 1

Stop.
make: stopped in /usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src
*** Error code 1

Stop.
make: stopped in /home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1
Makefile:527: recipe for target 'all' failed
gmake: *** [all] Error 1
(23:18:46 <~/Tools/Dovecot/2.3/dovecot-2.3.4.1>) 0 $
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
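
An added illustration of the CVE-2019-3814 failure mode described in the quoted announcement, not Dovecot's code and not part of the original message: a simplified C model contrasting a fail-open username fallback with a fail-closed check when the certificate's username field is absent. The struct, its fields and both function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a login request; not Dovecot's own structures. */
struct login_req {
    bool cert_trusted;         /* client certificate chained to a trusted CA */
    bool username_from_cert;   /* policy: identity must come from the certificate */
    const char *cert_username; /* value of the configured field, NULL if absent */
    const char *auth_username; /* name the client supplied during authentication */
};

static bool present(const char *s) { return s != NULL && *s != '\0'; }

/* Fail-open: a missing certificate field silently falls back to the
 * client-supplied name, the behaviour the advisory describes. */
static const char *resolve_fail_open(const struct login_req *r)
{
    if (!r->cert_trusted)
        return NULL;
    if (r->username_from_cert && present(r->cert_username))
        return r->cert_username;
    return r->auth_username;
}

/* Fail-closed: when policy binds identity to the certificate, a missing
 * field rejects the login instead of trusting client input. */
static const char *resolve_fail_closed(const struct login_req *r)
{
    if (!r->cert_trusted)
        return NULL;
    if (!r->username_from_cert)
        return r->auth_username;
    return present(r->cert_username) ? r->cert_username : NULL;
}

int main(void)
{
    /* Constructed case: trusted certificate without the username field. */
    struct login_req r = { true, true, NULL, "admin" };
    const char *fo = resolve_fail_open(&r);
    const char *fc = resolve_fail_closed(&r);
    printf("fail-open:   %s\n", fo ? fo : "(rejected)");
    printf("fail-closed: %s\n", fc ? fc : "(rejected)");
    return 0;
}
```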