https://dovecot.org/releases/2.2/dovecot-2.2.34.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.34.tar.gz.sig
- CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage, causing imap-login/pop3-login VSZ limit to be reached and the process restarted. This happens only if Dovecot config has local_name { } or local { } configuration blocks and attacker uses randomly generated SNI servernames.
- CVE-2017-14461: Parsing invalid email addresses may cause a crash or leak memory contents to attacker. For example, these memory contents might contain parts of an email from another user if the same imap process is reused for multiple users. First discovered by Aleksandar Nikolic of Cisco Talos. Independently also discovered by "flxflndy" via HackerOne.
- CVE-2017-15132: Aborted SASL authentication leaks memory in login process.
- Linux: Core dumping is no longer enabled by default via PR_SET_DUMPABLE, because this may allow attackers to bypass chroot/group restrictions. Found by cPanel Security Team. Nowadays core dumps can be safely enabled by using "sysctl -w fs.suid_dumpable=2". If the old behaviour is wanted, it can still be enabled by setting: import_environment=$import_environment PR_SET_DUMPABLE=1
- doveconf output now includes the hostname.
- mail_attachment_detection_options setting controls when $HasAttachment and $HasNoAttachment keywords are set for mails.
- imap: Support fetching body snippets using FETCH (SNIPPET) or (SNIPPET (LAZY=FUZZY))
- fs-compress: Automatically detect whether input is compressed or not. Prefix the compression algorithm with "maybe-" to enable the detection, for example: "compress:maybe-gz:6:..."
- Added settings to change dovecot.index* files' optimization behavior. See https://wiki2.dovecot.org/IndexFiles#Settings
- Auth cache can now utilize auth workers to do password hash verification by setting auth_cache_verify_password_with_worker=yes.
- Added charset_alias plugin. See https://wiki2.dovecot.org/Plugins/CharsetAlias
- imap_logout_format and pop3_logout_format settings now support all of the generic variables (e.g. %{rip}, %{session}, etc.)
- Added auth_policy_check_before_auth, auth_policy_check_after_auth and auth_policy_report_after_auth settings.
- v2.2.33: doveadm-server: Various fixes related to log handling.
- v2.2.33: doveadm failed when trying to access UNIX socket that didn't require authentication.
- v2.2.33: doveadm log reopen stopped working
- v2.2.30+: IMAP stopped advertising SPECIAL-USE capability
- v2.2.30+: IMAP stopped sending untagged OK/NO storage notifications
- replication: dsync sends unnecessary replication notification for changes it does internally. NOTE: Folder creates, renames, deletes and subscribes still trigger unnecessary replication notifications, but these should be rather rare.
- mail_always/never_cache_fields setting changes weren't applied for existing dovecot.index.cache files.
- Fix compiling and other problems with OpenSSL v1.1
- auth policy: With master user logins, lookup using login username.
- FTS reindexed all mails unnecessarily after loss of dovecot.index.cache file
- mdbox rebuild repeatedly fails with "missing map extension"
- SSL connections may have been hanging with imapc or doveadm client.
- cassandra: Using protocol v3 (Cassandra v2.1) caused memory leaks and also timestamps weren't set to queries.
- fs-crypt silently ignored public/private keys specified in configuration (mail_crypt_global_public/private_key) and just emitted plaintext output.
- lock_method=dotlock caused crashes
- imapc: Reconnection may cause crashes and other errors
On 02/28/2018 10:20 PM, Timo Sirainen wrote:
- mail_attachment_detection_options setting controls when $HasAttachment and $HasNoAttachment keywords are set for mails.
Is this a new feature? I can't find any documentation about these keywords and configuration.
-- Aleksander 'A.L.E.C' Machniak Kolab Groupware Developer [http://kolab.org] Roundcube Webmail Developer [http://roundcube.net]
PGP: 19359DC1 # Blog: https://kolabian.wordpress.com
Il 01/03/2018 07:11, A.L.E.C ha scritto:
On 02/28/2018 10:20 PM, Timo Sirainen wrote:
- mail_attachment_detection_options setting controls when $HasAttachment and $HasNoAttachment keywords are set for mails. Is this a new feature? I can't find any documentation about these keywords and configuration.
Hi,
from
https://software.open-xchange.com/products/dovecot/doc/Release_Notes_for_Dov...
NEW FEATURE DOV-1221: Attachment indicator Mark email attachment presence using $HasAttachment / $HasNoAttachment keywords
-- Alessio Cecchi Postmaster @ http://www.qboxmail.it https://www.linkedin.com/in/alessice
On 1 Mar 2018, at 11.17, Alessio Cecchi <alessio@skye.it> wrote:
Il 01/03/2018 07:11, A.L.E.C ha scritto:
On 02/28/2018 10:20 PM, Timo Sirainen wrote:
- mail_attachment_detection_options setting controls when $HasAttachment and $HasNoAttachment keywords are set for mails. Is this a new feature? I can't find any documentation about these keywords and configuration.
Hi,
from
https://software.open-xchange.com/products/dovecot/doc/Release_Notes_for_Dov...
NEW FEATURE DOV-1221: Attachment indicator Mark email attachment presence using $HasAttachment / $HasNoAttachment keywords
Also added https://wiki2.dovecot.org/AttachmentIndicator <https://wiki2.dovecot.org/AttachmentIndicator> - need to figure out where it should be linked from..
On 03/01/2018 10:56 AM, Timo Sirainen wrote:
NEW FEATURE DOV-1221: Attachment indicator Mark email attachment presence using $HasAttachment / $HasNoAttachment keywords
Also added https://wiki2.dovecot.org/AttachmentIndicator - need to figure out where it should be linked from..
Thanks, the feature sounds useful. I created a feature request for Roundcube https://github.com/roundcube/roundcubemail/issues/6201
-- Aleksander 'A.L.E.C' Machniak Kolab Groupware Developer [http://kolab.org] Roundcube Webmail Developer [http://roundcube.net]
PGP: 19359DC1 # Blog: https://kolabian.wordpress.com
Citát "A.L.E.C" <alec@alec.pl>:
On 03/01/2018 10:56 AM, Timo Sirainen wrote:
NEW FEATURE DOV-1221: Attachment indicator Mark email attachment presence using $HasAttachment /
$HasNoAttachment keywordsAlso added https://wiki2.dovecot.org/AttachmentIndicator - need to
figure out where it should be linked from..Thanks, the feature sounds useful. I created a feature request for Roundcube https://github.com/roundcube/roundcubemail/issues/6201
-- Aleksander 'A.L.E.C' Machniak Kolab Groupware Developer [http://kolab.org] Roundcube Webmail Developer [http://roundcube.net]
PGP: 19359DC1 # Blog: https://kolabian.wordpress.com
I created a feature request for Horde/IMP: https://bugs.horde.org/ticket/14788
- Timo Sirainen <tss@iki.fi>:
https://dovecot.org/releases/2.2/dovecot-2.2.34.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.34.tar.gz.sig
Currently, I'm not getting any updates for prebuilt packages (I'm on Ubuntu Xenial 16.04.4) - I'm stuck on 2.2.22:
ii dovecot-core 1:2.2.22-1ubuntu2.6 amd64 secure POP3/IMAP server - core files ii dovecot-imapd 1:2.2.22-1ubuntu2.6 amd64 secure POP3/IMAP server - IMAP daemon ii dovecot-lmtpd 1:2.2.22-1ubuntu2.6 amd64 secure POP3/IMAP server - LMTP server using these /etc/apt/sources.list entry:
# Dovecot 2.2 deb http://xi.dovecot.fi/debian/ stable-auto/dovecot-2.2 main
What is the current apt repository I could use?
-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt@charite.de | https://www.charite.de
On 01.03.2018 12:43, Ralf Hildebrandt wrote:
- Timo Sirainen <tss@iki.fi>:
https://dovecot.org/releases/2.2/dovecot-2.2.34.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.34.tar.gz.sig Currently, I'm not getting any updates for prebuilt packages (I'm on Ubuntu Xenial 16.04.4) - I'm stuck on 2.2.22:
ii dovecot-core 1:2.2.22-1ubuntu2.6 amd64 secure POP3/IMAP server - core files ii dovecot-imapd 1:2.2.22-1ubuntu2.6 amd64 secure POP3/IMAP server - IMAP daemon ii dovecot-lmtpd 1:2.2.22-1ubuntu2.6 amd64 secure POP3/IMAP server - LMTP server
using these /etc/apt/sources.list entry:
# Dovecot 2.2 deb http://xi.dovecot.fi/debian/ stable-auto/dovecot-2.2 main
What is the current apt repository I could use?
We do not provide official packages for 2.2.x versions, only 2.3 and later. XI is not intended for production usage. For ubuntu you can try opening a backport ticket?
Aki
Aki
- Aki Tuomi <aki.tuomi@dovecot.fi>:
What is the current apt repository I could use?
We do not provide official packages for 2.2.x versions, only 2.3 and later.
I switched to 2.3 now.
XI is not intended for production usage.
Most of the time it works ok (it's only for backup purposes)
-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt@charite.de | https://www.charite.de
Op 1-3-2018 om 11:43 schreef Ralf Hildebrandt:
- Timo Sirainen <tss@iki.fi>:
https://dovecot.org/releases/2.2/dovecot-2.2.34.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.34.tar.gz.sig Currently, I'm not getting any updates for prebuilt packages (I'm on Ubuntu Xenial 16.04.4) - I'm stuck on 2.2.22:
ii dovecot-core 1:2.2.22-1ubuntu2.6 amd64 secure POP3/IMAP server - core files ii dovecot-imapd 1:2.2.22-1ubuntu2.6 amd64 secure POP3/IMAP server - IMAP daemon ii dovecot-lmtpd 1:2.2.22-1ubuntu2.6 amd64 secure POP3/IMAP server - LMTP server
using these /etc/apt/sources.list entry:
# Dovecot 2.2 deb http://xi.dovecot.fi/debian/ stable-auto/dovecot-2.2 main
What is the current apt repository I could use?
http://xi.dovecot.fi/debian/dists/stable-auto/dovecot-2.2/main/binary-amd64/... contains 2:2.2.35~alpha0-1~auto+0.
Before that, the last update was about a week ago. That is due to the fact that github isn't updated regularly at the moment.
Regards,
Stephan
participants (7)
-
A.L.E.C
-
Aki Tuomi
-
Alessio Cecchi
-
azurit@pobox.sk
-
Ralf Hildebrandt
-
Stephan Bosch
-
Timo Sirainen