31 May 2017, 4:32 p.m.
On 30/05/2017 at 20:16, Timo Sirainen wrote:
https://dovecot.org/releases/2.2/dovecot-2.2.30.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.30.tar.gz.sig
- auth: Use timing safe comparisons for everything related to passwords. It's unlikely that these could have been used for practical attacks, especially because Dovecot delays and flushes all failed authentications in 2 second intervals. Also it could have worked only when passwords were stored in plaintext in the passdb.
- master process sends SIGQUIT to all running children at shutdown, which instructs them to close all the socket listeners immediately. This way restarting Dovecot should no longer fail due to some processes keeping the listeners open for a long time.
- auth: Add passdb { mechanisms=none } to match separate passdb lookup
- auth: Add passdb { username_filter } to use passdb only if user matches the filter. See https://wiki2.dovecot.org/PasswordDatabase

Shouldn't the wiki be corrected? We have:

mechanisms: Skip, if non-empty and the current auth mechanism is listed here.

but the intended meaning is:

mechanisms: Skip, if non-empty and the current auth mechanism is not listed here.

Isn't it?
Emmanuel.