[Dovecot] v1.0.10 released
http://dovecot.org/releases/1.0/dovecot-1.0.10.tar.gz
http://dovecot.org/releases/1.0/dovecot-1.0.10.tar.gz.sig
v1.0.8 and v1.0.9 were somewhat bad releases. Hopefully one day I'll have managed to write a proper test suite which can be run before doing any releases.
* Security hole with LDAP+auth cache: If base setting contained
%variables they weren't included in auth cache key, which broke
caching. This could have caused different users with same passwords
to log in as each other.
- LDAP: Fixed potential infinite looping when connection to LDAP
server was lost and there were queued requests.
- mbox: More changes to fix problems caused by v1.0.8 and v1.0.9.
- Maildir: Fixed a UIDLIST_IS_LOCKED() assert-crash in some conditions
(caused by changes in v1.0.9)
- If protocols=none, don't require imap executables to exist
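The LDAP+auth cache item above, as an added example (not Dovecot code, and not from the release): a simplified model of a passdb cache whose key is built from the %variables used by the lookup settings. The class, function names, settings values and directory contents are all constructed for illustration.

```python
import re

VAR = re.compile(r"%([und])")  # %u = user@domain, %n = local part, %d = domain

def expand(template, user):
    """Substitute %u/%n/%d in a setting string for one login name."""
    name, _, domain = user.partition("@")
    values = {"u": user, "n": name, "d": domain}
    return VAR.sub(lambda m: values[m.group(1)], template)

def key_template(settings, include_base):
    """Cache key = every %variable used by the settings that shape the lookup."""
    sources = [settings["pass_filter"]]
    if include_base:                      # the corrected behaviour
        sources.append(settings["base"])
    used = sorted({v for s in sources for v in VAR.findall(s)})
    return "\t".join("%" + v for v in used)

class CachedPassdb:
    """Toy model: a dict stands in for the LDAP server (assumption)."""
    def __init__(self, settings, directory, include_base):
        self.settings, self.directory = settings, directory
        self.template = key_template(settings, include_base)
        self.cache = {}

    def login(self, user, password):
        """Return the account the session is bound to, or None on failure."""
        key = expand(self.template, user)
        if key in self.cache and self.cache[key][0] == password:
            return self.cache[key][1]     # cache hit: no directory lookup
        entry = self.directory.get((expand(self.settings["base"], user),
                                    expand(self.settings["pass_filter"], user)))
        if entry is None or entry[0] != password:
            return None
        self.cache[key] = entry
        return entry[1]

# Constructed settings and directory: two domains, same local part, same password.
SETTINGS = {"base": "ou=%d,dc=example,dc=org", "pass_filter": "(uid=%n)"}
DIRECTORY = {
    ("ou=a.example,dc=example,dc=org", "(uid=alice)"): ("s3cret", "mailbox-of-alice@a.example"),
    ("ou=b.example,dc=example,dc=org", "(uid=alice)"): ("s3cret", "mailbox-of-alice@b.example"),
}

def second_login(include_base):
    """alice@a.example logs in first; return what alice@b.example is then bound to."""
    passdb = CachedPassdb(SETTINGS, DIRECTORY, include_base)
    passdb.login("alice@a.example", "s3cret")
    return passdb.login("alice@b.example", "s3cret")
```

With `include_base=False` the key collapses to the local part only, so the second user is served the first user's cached entry; including the base setting's variables keeps the two entries apart.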
On Dec 29, 2007, at 1:13 AM, Timo Sirainen wrote:
> http://dovecot.org/releases/1.0/dovecot-1.0.10.tar.gz
> http://dovecot.org/releases/1.0/dovecot-1.0.10.tar.gz.sig
Timo: is dovecot-sieve-1.0.2 still the latest and good-to-go with
v1.0.10?
Thank you very much.
B. Bodger
New York
On 29.12.2007, at 13.40, Bruce Bodger wrote:
> On Dec 29, 2007, at 1:13 AM, Timo Sirainen wrote:
>> http://dovecot.org/releases/1.0/dovecot-1.0.10.tar.gz
>> http://dovecot.org/releases/1.0/dovecot-1.0.10.tar.gz.sig
> Timo: is dovecot-sieve-1.0.2 still the latest and good-to-go with
> v1.0.10?
Yes.
Hello Timo!
What was exactly wrong in v1.0.8 and v1.0.9 with mbox handling?
Ciao, Gerhard
On Sat, 29 Dec 2007, Timo Sirainen wrote:
> http://dovecot.org/releases/1.0/dovecot-1.0.10.tar.gz
> http://dovecot.org/releases/1.0/dovecot-1.0.10.tar.gz.sig
> v1.0.8 and v1.0.9 were somewhat bad releases. Hopefully one day I'll have managed to write a proper test suite which can be run before doing any releases.
> - Security hole with LDAP+auth cache: If base setting contained %variables they weren't included in auth cache key, which broke caching. This could have caused different users with same passwords to log in as each other.
> - LDAP: Fixed potential infinite looping when connection to LDAP server was lost and there were queued requests.
> - mbox: More changes to fix problems caused by v1.0.8 and v1.0.9.
> - Maildir: Fixed a UIDLIST_IS_LOCKED() assert-crash in some conditions (caused by changes in v1.0.9)
> - If protocols=none, don't require imap executables to exist
On Sat, 2007-12-29 at 17:54 +0100, Gerhard Wiesinger wrote:
> Hello Timo!
> What was exactly wrong in v1.0.8 and v1.0.9 with mbox handling?
v1.0.8 added optimizations to get message's full size without reading through the entire message. This helped performance a lot with large messages, especially if they were being FETCHed in small blocks.
This optimization exposed bugs in mbox file reading, causing a FETCH to sometimes return the next message's contents and maybe disconnect with a "got too little data" error.
All of this is related to how input streams work internally. They layer on top of each other, so that when IMAP reads data it goes through multiple input streams:
- Header filter stream to drop some mbox headers
- Limit stream to make stream's virtual offset=0 point to beginning of the mbox message (and not to beginning of mbox file)
- mbox raw stream to return EOF when reaching the next "From " line
- File stream to actually read the data from mbox file
The problem was then that some data was first read by header filter stream, but in the middle of it mbox raw stream was accessed to get the message's size. Header filter stream didn't know about this and still returned data which pointed to raw stream's buffer, which at this point contained wrong data.
I fixed this with some kludges for v1.0. For v1.1 I did larger stream changes to make sure the streams know about changes in each other.
participants (3)
- Bruce Bodger
- Gerhard Wiesinger
- Timo Sirainen