Hi!
We are pleased to release Dovecot v2.3.6.
Tarball is available at
https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz.sig
Binary packages are available at https://repo.dovecot.org/
Changes
- CVE-2019-11494: Submission-login crashed with signal 11 due to null pointer access when authentication was aborted by disconnecting.
- CVE-2019-11499: Submission-login crashed when authentication was started over TLS secured channel and invalid authentication message was sent.
- auth: Support password grant with passdb oauth2.
- Use system default CAs for outbound TLS connections.
- Simplify array handling with new helper macros.
- fts_solr: Enable configuring batch_size and soft_commit features.
- lmtp/submission: Fixed various bugs in XCLIENT handling, including a hang when XCLIENT commands were sent infinitely to the remote server.
- lmtp/submission: Forwarded multi-line replies were erroneously sent as two replies to the client.
- lib-smtp: client: Message was not guaranteed to contain CRLF consistently when CHUNKING was used.
- fts_solr: Plugin was no longer compatible with Solr 7.
- Make it possible to disable certificate checking without setting ssl_client_ca_* settings.
- pop3c: SSL support was broken.
- mysql: Closing connection twice lead to crash on some systems.
- auth: Multiple oauth2 passdbs crashed auth process on deinit.
- HTTP client connection errors infrequently triggered a segmentation fault when the connection was idle and not used for a particular client instance.
Aki Tuomi Open-Xchange oy
On 30/04/2019 14:21, Aki Tuomi via dovecot wrote:
Trivial but...
"mail-index-transaction-update.c", line 198: void function cannot return value
Thanks.
On 30 April 2019 17:20 James via dovecot <dovecot@dovecot.org> wrote:
On 30/04/2019 14:21, Aki Tuomi via dovecot wrote:
Trivial but...
"mail-index-transaction-update.c", line 198: void function cannot return value
Thanks.
Thanks!
Aki
On 30 Apr 2019, at 07:21, Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
We are pleased to release Dovecot v2.3.6.
pkg adult shows the following, not mentioned in the changes:
dovecot-2.3.5.1 is vulnerable: dovecot -- json encoder crash CVE: CVE-2019-10691 WWW: https://vuxml.FreeBSD.org/freebsd/a64aa22f-61ec-11e9-85b9-a4badb296695.html
(just curious)
-- 'Things either exist or they don't,' said Jeremy. 'I am very clear about that. I have medicine.' --The Thief of Time
On 30 Apr 2019, at 12:11, Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
On 30 April 2019 21:06 @lbutlr via dovecot < dovecot@dovecot.org> wrote:
dovecot-2.3.5.1 is vulnerable: dovecot -- json encoder crash CVE: CVE-2019-10691
We don't usually mention fixes for previous releases again.
Ah, I missed that note then.
-- Age is only important if you're cheese.
On April 30, 2019 at 12:06 PM "@lbutlr via dovecot" <dovecot@dovecot.org> wrote:
pkg adult shows the following, not mentioned in the changes:
dovecot-2.3.5.1 is vulnerable: dovecot -- json encoder crash CVE: CVE-2019-10691 WWW: https://vuxml.FreeBSD.org/freebsd/a64aa22f-61ec-11e9-85b9-a4badb296695.html
https://dovecot.org/pipermail/dovecot-news/2019-April/000407.html
michael
participants (4)
-
@lbutlr
-
Aki Tuomi
-
James
-
Michael Slusarz