Dovecot v2.2.36.1 released (Pigeonhole 0.4.24.1)

Michael Marley michael at michaelmarley.com
Tue Feb 5 21:27:37 EET 2019 

On 2019-02-05 13:07, Stephan Bosch via dovecot wrote:
> Hi,
> 
> Here is the associated release for Pigeonhole:
> 
> https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz
> https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz.sig
> Binary packages included in https://repo.dovecot.org/
> 
>     + imapsieve: Added imapsieve_expunge_discarded setting which causes
>       discarded messages to be expunged immediately.
>     - Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context 
> that
>       modify the message, store the message a second time, rather than
>       replacing the originally stored unmodified message.
>     - imapsieve: Fix crash when COPYing mails from a virtual mailbox 
> when
>       the source messages originate from more than a single real 
> mailbox
>     - imap_filter_sieve plugin: Implement the missing UID FILTER 
> command.
>     - imap_filter_sieve plugin: Fix FILTER to work with pipelining
> 
> 
> Regards,
> 
> Stephan.
> 
> Op 5-2-2019 om 14:01 schreef Aki Tuomi:
>> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
>> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
>> 
>>      * CVE-2019-3814: If imap/pop3/managesieve/submission client has
>>        trusted certificate with missing username field
>>        (ssl_cert_username_field), under some configurations Dovecot
>>        mistakenly trusts the username provided via authentication 
>> instead
>>        of failing.
>>      * ssl_cert_username_field setting was ignored with external SMTP 
>> AUTH,
>>        because none of the MTAs (Postfix, Exim) currently send the
>>        cert_username field. This may have allowed users with trusted
>>        certificate to specify any username in the authentication. This 
>> bug
>>        didn't affect Dovecot's Submission service.
>> 
>>      - pop3_no_flag_updates=no: Don't expunge RETRed messages without 
>> QUIT
>>      - director: Kicking a user assert-crashes if login process is 
>> very slow
>>      - lda/lmtp: Fix assert-crash with some Sieve scripts when
>>        mail_attachment_detection_options=add-flags-on-save
>>      - fs-compress: Using maybe-gz assert-crashed when reading 0 sized 
>> file
>>      - Snippet generation crashed with invalid Content-Type:multipart
>> 
>> 
>> ---
>> 
>> Aki Tuomi
>> Open-Xchange Oy
>> 
>> 
Is there going to be an equivalent 0.5.4.1 release with the same 
functionality but for Dovecot 2.3.x?

Michael

More information about the dovecot mailing list