Dovecot v18.104.22.168 released
ebroch at whitehorsetc.com
Tue Feb 5 17:36:18 EET 2019
What's the difference between 2.2.x and 2.3.x version of Dovecot? And
why do you maintain both?
I stopped building RPM's of the 2.2.x version and now only build 2.3.x.
Should I be maintaining both?
On 2/5/2019 6:01 AM, Aki Tuomi wrote:
> * CVE-2019-3814: If imap/pop3/managesieve/submission client has
> trusted certificate with missing username field
> (ssl_cert_username_field), under some configurations Dovecot
> mistakenly trusts the username provided via authentication instead
> of failing.
> * ssl_cert_username_field setting was ignored with external SMTP AUTH,
> because none of the MTAs (Postfix, Exim) currently send the
> cert_username field. This may have allowed users with trusted
> certificate to specify any username in the authentication. This bug
> didn't affect Dovecot's Submission service.
> - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
> - director: Kicking a user assert-crashes if login process is very slow
> - lda/lmtp: Fix assert-crash with some Sieve scripts when
> - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
> - Snippet generation crashed with invalid Content-Type:multipart
> Aki Tuomi
> Open-Xchange Oy
White Horse Technical Consulting (WHTC)
More information about the dovecot