https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig

* CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This bug didn't affect Dovecot's Submission service.

- pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
- director: Kicking a user assert-crashes if login process is very slow
- lda/lmtp: Fix assert-crash with some Sieve scripts when mail_attachment_detection_options=add-flags-on-save
- fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
- Snippet generation crashed with invalid Content-Type:multipart
Aki Tuomi Open-Xchange Oy
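The fail-open versus fail-closed handling that the CVE-2019-3814 item above describes, as an added example that is not part of the original message and is not Dovecot's code. It is a simplified model: the struct, field and function names are hypothetical, and it assumes a policy where the login name must come from the client certificate.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified login request (not Dovecot's own structures).
 * Assumption: policy says the login name must come from the certificate. */
struct login_request {
    bool cert_trusted;         /* certificate chains to a trusted CA */
    const char *cert_username; /* configured cert field; NULL or "" if missing */
    const char *auth_username; /* name the client supplied during authentication */
};

static bool is_missing(const char *s) { return s == NULL || s[0] == '\0'; }

/* Fail-open: models the behaviour the advisory describes.
 * Returns the accepted user, or NULL when the login is rejected. */
static const char *select_user_fail_open(const struct login_request *r)
{
    if (!r->cert_trusted)
        return NULL;
    if (is_missing(r->cert_username))
        return r->auth_username; /* falls back to the client-supplied name */
    return r->cert_username;
}

/* Fail-closed: a missing certificate username is a hard failure. */
static const char *select_user_fail_closed(const struct login_request *r)
{
    if (!r->cert_trusted || is_missing(r->cert_username))
        return NULL;
    return r->cert_username;
}

int main(void)
{
    /* Constructed sample requests; none come from the original thread. */
    const struct login_request reqs[] = {
        { true,  "alice", "alice" }, /* names agree */
        { true,  "alice", "bob"   }, /* certificate name wins */
        { true,  NULL,    "bob"   }, /* field absent from certificate */
        { true,  "",      "bob"   }, /* field present but empty */
        { false, "alice", "alice" }, /* untrusted certificate */
    };
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        const char *o = select_user_fail_open(&reqs[i]);
        const char *c = select_user_fail_closed(&reqs[i]);
        printf("case %zu: fail-open=%s fail-closed=%s\n", i,
               o ? o : "(rejected)", c ? c : "(rejected)");
    }
    return 0;
}
```

The same model covers the second item: when the MTA does not forward the cert_username field, the authenticating side sees it as missing.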
Aki,
What's the difference between the 2.2.x and 2.3.x versions of Dovecot? And why do you maintain both?
I stopped building RPMs of the 2.2.x version and now only build 2.3.x. Should I be maintaining both?
Eric
-- Eric Broch White Horse Technical Consulting (WHTC)
Thank you!
On 2/5/2019 8:43 AM, Aki Tuomi wrote:
Hi,
As per our EOL statement, 2.2.36 receives security and critical updates. That said, we decided to flush a few annoying bugs with the .1 release.
You do not need to build releases for 2.2.
Aki
-- Eric Broch White Horse Technical Consulting (WHTC)
For some reason Aki's posts are not making it to my GMail account from this list.
Any idea why?
-- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 214-642-9640 (c) E-Mail: larryrtx@gmail.com US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106
Hi,
It's probably because gmail. They refuse emails for random reasons occasionally.
Sami
On February 5, 2019 at 8:36 AM Eric Broch <ebroch@whitehorsetc.com> wrote:
What's the difference between 2.2.x and 2.3.x version of Dovecot? And why do you maintain both?
https://dovecot.org/pipermail/dovecot-news/2018-August/000386.html
michael
Hello Aki,
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
- pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
Is this in any way related to the problem that was first reported in March last year:
"Duplicate mails on pop3 expunge with dsync replication on 2.2.35 (2.2.33.2 works)"
Thanks Gerald
On 5 Feb 2019, at 7.48, Gerald Galster <list+dovecot@gcore.biz> wrote:
Is this in any way related to the problem that was first reported in March last year:
"Duplicate mails on pop3 expunge with dsync replication on 2.2.35 (2.2.33.2 works)"
Unlikely.
Hi,
Here is the associated release for Pigeonhole:
https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1....
https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1....
Binary packages included in https://repo.dovecot.org/
+ imapsieve: Added imapsieve_expunge_discarded setting which causes
discarded messages to be expunged immediately.
- Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context that
modify the message, store the message a second time, rather than
replacing the originally stored unmodified message.
- imapsieve: Fix crash when COPYing mails from a virtual mailbox when
the source messages originate from more than a single real mailbox
- imap_filter_sieve plugin: Implement the missing UID FILTER command.
- imap_filter_sieve plugin: Fix FILTER to work with pipelining
Regards,
Stephan.
Is there going to be an equivalent 0.5.4.1 release with the same functionality but for Dovecot 2.3.x?
Michael
Op 05/02/2019 om 20:27 schreef Michael Marley via dovecot:
Is there going to be an equivalent 0.5.4.1 release with the same functionality but for Dovecot 2.3.x?
No. The current plan is to release a 2.3.5/0.5.5 later this month.
Regards,
Stephan.
Hi,
Stephan Bosch via dovecot, 05.02.19:
Here is the associated release for Pigeonhole:
With the line
deb http://xi.dovecot.fi/debian/ stable-auto/dovecot-2.2 main
in my /etc/apt/sources.list, apt update fails with a Hash sum mismatch:

Err:14 http://xi.dovecot.fi/debian stable-auto/dovecot-2.2/main amd64 Packages
  Hash Sum mismatch
  Hashes of expected file:
   - Filesize:20770 [weak]
   - SHA512:e2272b4dc431f5fae85f96f80170f20e5e2e955bc288b1ac28d447ad06eaf9336bf5131ea9cdf178e36fc46e5986b5baff4eabdd562c665b97e762c4f44c0b06
   - SHA256:936acd204d9b147225f763fb136e3a673d9003960a2104319b414a6602bb28a5
   - SHA1:363e915b19b242b4011c01e6d2dc177e06414733 [weak]
   - MD5Sum:0f56fd080c93b5257e39e979335e5582 [weak]
  Hashes of received file:
   - SHA512:76306aaddd2f48a526a9a3b8cb8c4cf1b3b10f3f13cdd8fcf50d1969f95e0c0a6e44df94fc0f36b7efcf8ad1718f4dd78b6db97d962a192a72f700e99e7647a8
   - SHA256:5b31992a7ed1a356c666dacf08d3e45fe5de527d177ecfb4c0079fc238d6d3f3
   - SHA1:9dfb0af157863b2d916eedb8faf16739151698c1 [weak]
   - MD5Sum:4f047a8fc01ba5b7645ef63244972068 [weak]
   - Filesize:17109 [weak]
  Last modification reported: Tue, 05 Feb 2019 14:48:20 +0000
  Release file created at: Tue, 05 Feb 2019 14:35:10 +0000
Could you please check this?
TIA & Regards, Christian
-- No signature available.