We are pleased to release v2.3.20 of Dovecot.
https://dovecot.org/releases/2.3/dovecot-2.3.20.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.20.tar.gz.sig

Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot
Regards, Aki Tuomi Open-Xchange oy
--
- Add dsync_features=no-header-hashes. When this setting is enabled and one dsync side doesn't support mail GUIDs (i.e. imapc), there is no fallback to using header hashes. Instead, dsync assumes that all mails with identical IMAP UIDs contain the same mail contents. This can significantly improve dsync performance with some IMAP servers that don't support caching Date/Message-ID headers.
- lua: HTTP client has more settings now, see https://doc.dovecot.org/admin_manual/lua/#dovecot.http.client
- replicator: "doveadm replicator status" command now outputs when the next sync is expected for the user.
- LAYOUT=index: duplicate GUIDs were not cleaned out. Also the list recovery was not optimal.
- auth: Assert crash would occur when iterating multiple userdb backends.
- director: Logging into director using master user with auth_master_user_separator character redirected user to a wrong backend, unless master_user_separator setting was also set to the same value. Merged these into auth_master_user_separator.
- dsync: Couldn't always fix folder GUID conflicts automatically with Maildir format. This resulted in replication repeatedly failing with "Remote lost mailbox GUID".
- dsync: Failed to migrate INBOX when using namespace prefix=INBOX/, resulting in "Remote lost mailbox GUID" errors.
- dsync: INBOX was created too early with namespace prefix=INBOX/, resulting in a GUID conflict. This may have been resolved automatically, but not always.
- dsync: v2.3.18 regression: Wrong imapc password with dsync caused Panic: file lib-event.c: line 506 (event_pop_global): assertion failed: (event == current_global_event)
- imapc: Requesting STATUS for a mailbox with imapc and INDEXPVT configured did not return correct (private) unseen counts.
- lib-dict: Process would crash when committing data to redis without dict proxy.
- lib-mail: Corrupted cached BODYSTRUCTURE caused panic during FETCH. Fixes: Panic: file message-part-data.c: line 579 (message_part_is_attachment): assertion failed: (data != NULL). v2.3.13 regression.
- lib-storage: mail_attribute_dict with dict-sql failed when it tried to lookup empty dict keys.
- lib: ioloop-kqueue was missing an include, breaking some BSD builds.
- lua-http: Dovecot Lua HTTP client could not resolve DNS names in mail processes, because it expected "dns-client" socket to exist in the current directory.
- oauth2: Using %{oauth2:name} variables could cause useless introspections.
- pop3: Sending POP3 command with ':' character caused an assert-crash. v2.3.18 regression.
- replicator: Replication queue had various issues, potentially causing replication requests to become stuck.
- stats: Invalid Prometheus label names were created with specific
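The announcement publishes a detached signature next to the tarball. The following is an added example (not part of the announcement or of Dovecot's own tooling) of verifying that download the way a supply-chain reviewer would: it does not stop at gpg's "Good signature" but parses the machine-readable status output and accepts only a VALIDSIG from a pinned key fingerprint. EXPECTED_FPR is a placeholder, not the project's real key; obtain the real fingerprint out of band and never from the same site you are downloading from.

```python
import os
import subprocess
import urllib.request

# Added example; not part of the Dovecot release announcement. The URLs are
# the ones from the announcement. EXPECTED_FPR is a placeholder value: obtain
# the project's real signing-key fingerprint from a source you already trust.
BASE_URL = "https://dovecot.org/releases/2.3"
TARBALL = "dovecot-2.3.20.tar.gz"
EXPECTED_FPR = "0000000000000000000000000000000000000000"  # placeholder, not a real key


def _norm(fpr):
    """Canonical fingerprint form: no spaces, upper-case hex."""
    return fpr.replace(" ", "").upper()


def check_validsig(status_output, expected_fpr):
    """Inspect `gpg --status-fd` output.

    Return True only if a VALIDSIG line names the pinned fingerprint, either
    as the signing (sub)key (field 3) or as the primary key fingerprint (last
    field). A GOODSIG from some other key that happens to be in the keyring,
    or a BADSIG, is not accepted.
    """
    want = _norm(expected_fpr)
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            if want in (fields[2].upper(), fields[-1].upper()):
                return True
    return False


def verify_release(tarball, sig, expected_fpr):
    """Run gpg on the detached signature and pin the key.

    Raises if either file is missing, so an absent signature can never be
    mistaken for a verified one.
    """
    for path in (tarball, sig):
        if not os.path.isfile(path):
            raise FileNotFoundError(path)
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, tarball],
        capture_output=True, text=True, check=False,
    )
    return check_validsig(proc.stdout, expected_fpr)


def fetch_and_verify(expected_fpr=EXPECTED_FPR, dest="."):
    """Download tarball and signature, then verify. Needs network access."""
    paths = []
    for name in (TARBALL, TARBALL + ".sig"):
        path = os.path.join(dest, name)
        urllib.request.urlretrieve(f"{BASE_URL}/{name}", path)
        paths.append(path)
    return verify_release(paths[0], paths[1], expected_fpr)


if __name__ == "__main__":
    print("verified" if fetch_and_verify() else "SIGNATURE CHECK FAILED")
```

The point of parsing VALIDSIG rather than the exit status is that gpg exits 0 for any key in the keyring; pinning the fingerprint is what turns "signed by someone" into "signed by the release key you expect".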
22.12.22, 09:06 +0100, Aki Tuomi:
[...]
- replicator: Replication queue had various issues, potentially causing replication requests to become stuck.
- stats: Invalid Prometheus label names were created with specific [End Of Message]
Is there something missing at the end?
-- Regards mks
On 22/12/2022 11:30 EET Markus Schönhaber dovecot@list-post.mks-mail.de wrote:
22.12.22, 09:06 +0100, Aki Tuomi:
[...]
- replicator: Replication queue had various issues, potentially causing replication requests to become stuck.
- stats: Invalid Prometheus label names were created with specific [End Of Message]
Is there something missing at the end?
-- Regards mks
" histogram group_by configurations. Prometheus rejected these labels."
At least the NEWS file etc, have the full text.
Aki
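The completed NEWS entry says that certain histogram group_by configurations produced label names Prometheus rejected. As an added example (not Dovecot's code, not from this thread), here is a small checker an operator could run over a scraped /metrics page to find label names that fall outside the Prometheus label charset before Prometheus silently drops the scrape. The exposition text is constructed for illustration and the offending `user.domain` and `remote-ip` labels are hypothetical, not a reproduction of the actual bug.

```python
import re

# Prometheus label names must match this pattern (metric names additionally
# allow ':'). Names beginning with "__" are reserved for Prometheus itself.
LABEL_NAME_RE = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_]*$")

# One `name="value"` pair inside the {...} label set; the value may contain
# backslash-escaped quotes, commas and braces.
LABEL_PAIR_RE = re.compile(r'\s*([^=,{}]+?)\s*=\s*"((?:\\.|[^"\\])*)"\s*,?')

# Constructed sample of exposition text (not real Dovecot output). Lines 3, 4
# and 6 are well-formed; line 5 carries label names with '.' and '-' that
# Prometheus rejects.
SAMPLE = """\
# HELP dovecot_imap_command_duration_seconds Duration of IMAP commands
# TYPE dovecot_imap_command_duration_seconds histogram
dovecot_imap_command_duration_seconds_bucket{cmd="fetch",le="0.01"} 5
dovecot_imap_command_duration_seconds_bucket{cmd="fetch",le="+Inf"} 7
dovecot_imap_command_duration_seconds_bucket{cmd="fetch",user.domain="example.org",remote-ip="192.0.2.1",le="+Inf"} 7
dovecot_imap_command_duration_seconds_count{cmd="fetch"} 7
"""


def parse_sample_line(line):
    """Return (metric_name, [label_names]) for one sample line, or None for
    comments, blank lines and anything that is not a sample."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = re.match(r"([^\s{]+)(\{(.*)\})?\s+\S", line)
    if not m:
        return None
    names = [pair.group(1) for pair in LABEL_PAIR_RE.finditer(m.group(3) or "")]
    return m.group(1), names


def find_invalid_label_names(text):
    """Scan exposition text and return (line_no, metric, label) for every
    label name Prometheus would refuse."""
    bad = []
    for no, line in enumerate(text.splitlines(), start=1):
        parsed = parse_sample_line(line)
        if parsed is None:
            continue
        metric, names = parsed
        for name in names:
            if not LABEL_NAME_RE.match(name):
                bad.append((no, metric, name))
    return bad


def sanitize_label_name(name):
    """Map an arbitrary field name onto the Prometheus label charset.
    Distinct inputs can collide ("a.b" and "a_b"), so callers that rename
    labels should check for collisions separately."""
    out = re.sub(r"[^a-zA-Z0-9_]", "_", name)
    if out and out[0].isdigit():
        out = "_" + out
    return out or "_"


if __name__ == "__main__":
    for line_no, metric, label in find_invalid_label_names(SAMPLE):
        print(f"line {line_no}: {metric}: bad label {label!r} -> {sanitize_label_name(label)!r}")
```

Run it against `curl -s http://localhost:9900/metrics` output (the stats listener address is an assumption; use whatever your stats service is bound to) to catch the problem on a scrape-by-scrape basis rather than discovering it from gaps in the time series.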
On 23/12/2022 11:47 EET Eray Aslan eraya@a21an.org wrote:
On Thu, Dec 22, 2022 at 10:06:16AM +0200, Aki Tuomi wrote:
We are pleased to release v2.3.20 of Dovecot.
Can you confirm that CVE-2022-30550 is patched in dovecot-2.3.20? Thank you.
-- Eray
Hi!
We've decided to fix it for 2.4 release only, so it's not fixed in 2.3.20.
Aki
On Fri, Dec 23, 2022 at 11:59:54AM +0200, Aki Tuomi wrote:
On 23/12/2022 11:47 EET Eray Aslan eraya@a21an.org wrote:
On Thu, Dec 22, 2022 at 10:06:16AM +0200, Aki Tuomi wrote:
We are pleased to release v2.3.20 of Dovecot.
Can you confirm that CVE-2022-30550 is patched in dovecot-2.3.20? Thank you.
We've decided to fix it for 2.4 release only, so it's not fixed in 2.3.20.
That is a surprising decision.
One more question regarding openssl. I am getting test failures when building against openssl-3 but not when building against openssl-1.1.1s. Can you confirm if openssl-3 is supported?
[...]
test-crypto.c:827: Assert failed: ret == TRUE
Panic: file dcrypt-openssl.c: line 2639 (dcrypt_openssl_private_to_public_key): assertion failed: (priv_key != NULL && pub_key_r != NULL)
Error: Raw backtrace: ./test-crypto(backtrace_append+0x42) [0x560ff72000b2] -> ./test-crypto(backtrace_get+0x1e) [0x560ff72001fe] -> ./test-crypto(+0x26952) [0x560ff71dd952] -> ./test-crypto(+0x26991) [0x560ff71dd991] -> ./test-crypto(+0x14e03) [0x560ff71cbe03] -> .libs/libdcrypt_openssl.so(+0x5f25) [0x7f5b1b499f25] -> ./test-crypto(+0x1f071) [0x560ff71d6071] -> ./test-crypto(+0x227cf) [0x560ff71d97cf] -> ./test-crypto(test_run+0x4a) [0x560ff71da2da] -> ./test-crypto(main+0x4f) [0x560ff71d032f] -> /lib64/libc.so.6(+0x232ca) [0x7f5b1b5322ca] -> /lib64/libc.so.6(__libc_start_main+0x85) [0x7f5b1b532385] -> ./test-crypto(_start+0x21) [0x560ff71d0451]
make[3]: *** [Makefile:1137: check-local] Error 1
[...]
$ openssl version
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
Thank you
Eray
On 23/12/2022 14:23 EET Eray Aslan eraya@a21an.org wrote:
On Fri, Dec 23, 2022 at 11:59:54AM +0200, Aki Tuomi wrote:
On 23/12/2022 11:47 EET Eray Aslan eraya@a21an.org wrote:
On Thu, Dec 22, 2022 at 10:06:16AM +0200, Aki Tuomi wrote:
We are pleased to release v2.3.20 of Dovecot.
Can you confirm that CVE-2022-30550 is patched in dovecot-2.3.20? Thank you.
We've decided to fix it for 2.4 release only, so it's not fixed in 2.3.20.
That is a surprising decision.
The bug does not, in fact, affect that many setups, and we do not consider it to be practically that severe a bug.
One more question regarding openssl. I am getting test failures when building against openssl-3 but not when building against openssl-1.1.1s. Can you confirm if openssl-3 is supported?
[...]
test-crypto.c:827: Assert failed: ret == TRUE
Panic: file dcrypt-openssl.c: line 2639 (dcrypt_openssl_private_to_public_key): assertion failed: (priv_key != NULL && pub_key_r != NULL)
Error: Raw backtrace: ./test-crypto(backtrace_append+0x42) [0x560ff72000b2] -> ./test-crypto(backtrace_get+0x1e) [0x560ff72001fe] -> ./test-crypto(+0x26952) [0x560ff71dd952] -> ./test-crypto(+0x26991) [0x560ff71dd991] -> ./test-crypto(+0x14e03) [0x560ff71cbe03] -> .libs/libdcrypt_openssl.so(+0x5f25) [0x7f5b1b499f25] -> ./test-crypto(+0x1f071) [0x560ff71d6071] -> ./test-crypto(+0x227cf) [0x560ff71d97cf] -> ./test-crypto(test_run+0x4a) [0x560ff71da2da] -> ./test-crypto(main+0x4f) [0x560ff71d032f] -> /lib64/libc.so.6(+0x232ca) [0x7f5b1b5322ca] -> /lib64/libc.so.6(__libc_start_main+0x85) [0x7f5b1b532385] -> ./test-crypto(_start+0x21) [0x560ff71d0451]
make[3]: *** [Makefile:1137: check-local] Error 1
[...]
$ openssl version
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
Thank you
Eray
OpenSSL 3.0 support is also planned for 2.4.
Aki
On 24/12/22 01:25, Aki Tuomi wrote:
Can you confirm that CVE-2022-30550 is patched in dovecot-2.3.20? Thank you.
We've decided to fix it for 2.4 release only, so it's not fixed in 2.3.20.
That is a surprising decision.
The bug does not, in fact, affect that many setups, and we do not consider it to be practically that severe bug.
OpenSSL 3.0 support is also planned for 2.4.
If you're running RHEL or one of the clones then the Ghettoforge builds have both the CVE-2022-30550 and OpenSSL 3.0 support patched in. The packages are dovecot23 in the gf-plus repository and are available for EL7, 8 and 9.
If you're running a different distribution then you can still get the patches by unpacking the src.rpm file (or you can dig them up from the dovecot github) and adding them to your own build:
http://mirror.ghettoforge.org/distributions/gf/el/9/plus/SRPMS/dovecot23-2.3...
Peter