v2.2.28 released

Aki Tuomi aki.tuomi at dovecot.fi
Fri Mar 10 09:03:55 UTC 2017



On 07.03.2017 11:08, Aki Tuomi wrote:
>
> On 07.03.2017 10:52, Nagy, Attila wrote:
>> On 03/06/2017 11:30 PM, Timo Sirainen wrote:
>>> On 6 Mar 2017, at 9.17, Tom Sommer <mail at tomsommer.dk> wrote:
>>>> On 2017-02-24 14:34, Timo Sirainen wrote:
>>>>> http://dovecot.org/releases/2.2/dovecot-2.2.28.tar.gz
>>>>> http://dovecot.org/releases/2.2/dovecot-2.2.28.tar.gz.sig
>>>> Are there any plans to do a bugfix-release, that includes the few
>>>> issues seen in the mailing-list, or do you consider 2.2.28 safe to
>>>> upgrade to?
>>> I don't see anything critical. A couple of bugs that might or might
>>> not affect you. We'll have 2.2.29 soon enough, so no plans for other
>>> releases before that.
>> Truncating passwords with dict protocol* seems quite critical to me. :-O
>> Or is it just me, who's affected by that?
>>
>> *: http://dovecot.org/list/dovecot/2017-February/107265.html
> Hi!
>
> The password is not actually truncated, it's actually subjected to
> var_expand, which is silly. We are working on a patch for this and let
> y'all know when it's ready. The only truncation happens with % as last
> character.
>
> Aki

Also, this only happens if you configure the lookup key to be password,
that is:
key passdb {
  key = %w
  format = json
}

So, passwords are not truncated in general, only in this particular use
case.

Aki
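
A simplified model of the bug class described above, added here as an illustration and not taken from Dovecot or from the patch mentioned in the thread. The `expand` function is a hypothetical stand-in for var_expand, and the second expansion pass is an assumption about the mechanism; the post itself says only that the password is subjected to var_expand.

```python
# Added example: a toy %-variable expander, NOT Dovecot's var_expand.
# It supports single-letter variables (%u, %w), "%%" for a literal "%",
# and drops a lone "%" at the end of the input.

def expand(template, variables):
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
        elif i + 1 == len(template):
            # Lone '%' as last character: nothing follows, so it is dropped.
            i += 1
        elif template[i + 1] == "%":
            out.append("%")
            i += 2
        else:
            # Unknown variables expand to the empty string in this model.
            out.append(variables.get(template[i + 1], ""))
            i += 2
    return "".join(out)


def build_key_buggy(key_template, variables):
    # Assumed mechanism: the already-expanded key, which now contains
    # user-supplied data, is run through the expander a second time.
    return expand(expand(key_template, variables), variables)


def build_key_fixed(key_template, variables):
    # Expand the configured template once; substituted values stay opaque.
    return expand(key_template, variables)


if __name__ == "__main__":
    # Constructed sample passwords, used with the "key = %w" setting above.
    for password in ["hunter2", "hunter2%", "p%uss", "100%%"]:
        variables = {"u": "alice", "w": password}
        print(repr(password),
              "fixed:", repr(build_key_fixed("%w", variables)),
              "buggy:", repr(build_key_buggy("%w", variables)))
```

Passwords without a `%` come out identical on both paths, which matches the point that only this particular configuration and input are affected.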



