Thank you!
On 2/5/2019 8:43 AM, Aki Tuomi wrote:
Hi,
as per our EOL statement 2.2.36 receives security and critical updates. That said, we decided to flush few annoying bugs with .1 release.
You do not need to build releases for 2.2.
Aki
On 05 February 2019 at 17:36 Eric Broch < ebroch@whitehorsetc.com mailto:ebroch@whitehorsetc.com> wrote:
Aki,
What's the difference between 2.2.x and 2.3.x version of Dovecot? And why do you maintain both?
I stopped building RPM's of the 2.2.x version and now only build 2.3.x. Should I be maintaining both?
Eric
On 2/5/2019 6:01 AM, Aki Tuomi wrote:
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This bug didn't affect Dovecot's Submission service. - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT - director: Kicking a user assert-crashes if login process is very slow - lda/lmtp: Fix assert-crash with some Sieve scripts when mail_attachment_detection_options=add-flags-on-save - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file - Snippet generation crashed with invalid Content-Type:multipart
Aki Tuomi Open-Xchange Oy
-- Eric Broch White Horse Technical Consulting (WHTC)
Aki Tuomi
-- Eric Broch White Horse Technical Consulting (WHTC)