<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>
</p>
<div class="moz-text-plain" wrap="true" style="font-family:
-moz-fixed; font-size: 12px;" lang="x-unicode">
<pre class="moz-quote-pre" wrap=""><a class="moz-txt-link-freetext" href="https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz">https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz</a>
<a class="moz-txt-link-freetext" href="https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig">https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig</a>
* CVE-2019-3814: If imap/pop3/managesieve/submission client has
trusted certificate with missing username field
(ssl_cert_username_field), under some configurations Dovecot
mistakenly trusts the username provided via authentication instead
of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH,
because none of the MTAs (Postfix, Exim) currently send the
cert_username field. This may have allowed users with trusted
certificate to specify any username in the authentication. This bug
didn't affect Dovecot's Submission service.
- pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
- director: Kicking a user assert-crashes if login process is very slow
- lda/lmtp: Fix assert-crash with some Sieve scripts when
mail_attachment_detection_options=add-flags-on-save
- fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
- Snippet generation crashed with invalid Content-Type:multipart
---
Aki Tuomi
Open-Xchange Oy
</pre>
</div>
</body>
</html>