Thank you!

On 2/5/2019 8:43 AM, Aki Tuomi wrote:

Hi,

as per our EOL statement 2.2.36 receives security and critical updates. That said, we decided to flush few annoying bugs with .1 release.

You do not need to build releases for 2.2.

Aki

On 05 February 2019 at 17:36 Eric Broch < ebroch@whitehorsetc.com> wrote:

Aki,

What's the difference between 2.2.x and 2.3.x version of Dovecot? And

why do you maintain both?

I stopped building RPM's of the 2.2.x version and now only build 2.3.x.

Should I be maintaining both?

Eric

On 2/5/2019 6:01 AM, Aki Tuomi wrote:

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig

    * CVE-2019-3814: If imap/pop3/managesieve/submission client has

    trusted certificate with missing username field

    (ssl_cert_username_field), under some configurations Dovecot

    mistakenly trusts the username provided via authentication instead

    of failing.

    * ssl_cert_username_field setting was ignored with external SMTP AUTH,

    because none of the MTAs (Postfix, Exim) currently send the

    cert_username field. This may have allowed users with trusted

    certificate to specify any username in the authentication. This bug

    didn't affect Dovecot's Submission service.

    - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT

    - director: Kicking a user assert-crashes if login process is very slow

    - lda/lmtp: Fix assert-crash with some Sieve scripts when

    mail_attachment_detection_options=add-flags-on-save

    - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file

    - Snippet generation crashed with invalid Content-Type:multipart

>

---

Aki Tuomi

Open-Xchange Oy

>

--

Eric Broch

White Horse Technical Consulting (WHTC)

---
Aki Tuomi

-- 
Eric Broch
White Horse Technical Consulting (WHTC)