Dovecot v2.3.15 released

[Laura Steynes]

I know I'm blonde so might be silly question, but this libsystemd
dependency,  does this mean dovecot need it mandatory even if we do not use
a systemd infected OS ? Or is it only needed if we use one of those systemd
infected OS's?

My question is because our linux does not use systemd
Thanks

On Mon, Jun 21, 2021 at 9:19 PM Timo Sirainen <timo at sirainen.com> wrote:

> Hi,
>
> Here's a new release with some security fixes and quite a lot of other
> changes as well.
>
> https://dovecot.org/releases/2.3/dovecot-2.3.15.tar.gz
> https://dovecot.org/releases/2.3/dovecot-2.3.15.tar.gz.sig
>
> Binary packages in https://repo.dovecot.org/
> Docker images in https://hub.docker.com/r/dovecot/dovecot
>
>  * CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
>    JWT tokens. This may be used to supply attacker controlled keys to
>    validate tokens, if attacker has local access.
>  * CVE-2021-33515: On-path attacker could have injected plaintext commands
>    before STARTTLS negotiation that would be executed after STARTTLS
>    finished with the client.
>  * Disconnection log messages are now more standardized across services.
>    They also always now start with "Disconnected" prefix.
>  * Dovecot now depends on libsystemd for systemd integration.
>  * Removed support for Lua 5.2. Use version 5.1 or 5.3 instead.
>  * config: Some settings are now marked as "hidden". It's discouraged to
>    change these settings. They will no longer be visible in doveconf
>    output, except if they have been changed or if doveconf -s parameter
>    is used. See https://doc.dovecot.org/settings/advanced/ for details.
>  * imap-compress: Compression level is now algorithm specific.
>    See https://doc.dovecot.org/settings/plugin/compress-plugin/
>  * indexer-worker: Convert "Indexed" info logs to an event named
>    "indexer_worker_indexing_finished". See
>
> https://doc.dovecot.org/admin_manual/list_of_events/#indexer-worker-indexing-finished
>  + Add TSLv1.3 support to min_protocols.
>  + Allow configuring ssl_cipher_suites. (for TLSv1.3+)
>  + acl: Add acl_ignore_namespace setting which allows to entirely ignore
>    ACLs for the listed namespaces.
>  + imap: Support official RFC8970 preview/snippet syntax. Old methods of
>    retrieving preview information via IMAP commands ("SNIPPET and PREVIEW
>    with explicit algorithm selection") have been deprecated.
>  + imapc: Support INDEXPVT for imapc storage to enable private
>    message flags for cluster wide shared mailboxes.
>  + lib-storage: Add new events: mail_opened, mail_expunge_requested,
>    mail_expunged, mail_cache_lookup_finished. See
>    https://doc.dovecot.org/admin_manual/list_of_events/#mail
>  + zlib, imap-compression, fs-compress: Support compression levels that
>    the algorithm supports. Before, we would allow hardcoded value between
>    1 to 9 and would default to 6. Now we allow using per-algorithm value
>    range and default to whatever default the algorithm specifies.
>  - *-login: Commands pipelined together with and just after the
> authenticate
>    command cause these commands to be executed twice. This applies to all
>    protocols that involve user login, which currently comprises of imap,
>    pop3, submisision and managesieve.
>  - *-login: Processes are supposed to disconnect the oldest non-logged in
>    connection when process_limit was reached. This didn't actually happen
>    with the default "high-security mode" (with service_count=1) where each
>    connection is handled by a separate process.
>  - *-login: When login process reaches client/process limits, oldest
>    client connections are disconnected. If one of these was still doing
>    anvil lookup, this caused a crash. This could happen only if the login
>    process limits were very low or if the server was overloaded.
>  - Fixed building with link time optimizations (-flto).
>  - auth: Userdb iteration with passwd driver does not always return all
>    users with some nss drivers.
>  - dsync: Shared INBOX not synced when "mail_shared_explicit_inbox" was
>    disabled. If a user has a shared mailbox which is another user's INBOX,
>    dsync didn't include the mailbox in syncing unless explicit naming is
>    enabled with "mail_shared_explicit_inbox" set to "yes".
>  - dsync: Shared namespaces were not synced with "-n" flag.
>  - dsync: Syncing shared INBOX failed if mail_attribute_dict was not set.
>    If a user has a shared mailbox that is another user's INBOX, dsync
>    failed to export the mailbox if mail attributes are disabled.
>  - fts-solr, fts-tika: Using both Solr FTS and Tika may have caused HTTP
>    requests to assert-crash: Panic: file http-client-request.c: line 1232
>    (http_client_request_send_more): assertion failed: (req->payload_input
> != NULL)
>  - fts-tika: 5xx errors returned by Tika server as indexing failures.
>    However, Tika can return 5xx for some attachments every time.
>    So the 5xx error should be retried once, but treated as success if it
>    happens on the retry as well. v2.3 regression.
>  - fts-tika: v2.3.11 regression: Indexing messages with fts-tika may have
>    resulted in Panic: file message-parser.c: line 802
> (message_parser_deinit_from_parts):
>    assertion failed: (ctx->nested_parts_count == 0 ||
> i_stream_have_bytes_left(ctx->input))
>  - imap: SETMETADATA could not be used to unset metadata values.
>    Instead NIL was handled as a "NIL" string. v2.3.14 regression.
>  - imap: IMAP BINARY FETCH crashes at least on empty base64 body:
>    Panic: file index-mail-binary.c: line 358 (blocks_count_lines):
>    assertion failed: (block_count == 0 || block_idx+1 == block_count)
>  - imap: If IMAP client using the NOTIFY command was disconnected while
>    sending FETCH notifications to the client, imap could crash with
>    Panic: Trying to close mailbox INBOX with open transactions.
>  - imap: Using IMAP COMPRESS extension can cause IMAP connection to hang
>    when IMAP commands are >8 kB long.
>  - imapc: If remote server sent BYE but didn't immediately disconnect, it
>    could cause infinite busy-loop.
>  - lib-index: Corrupted cache record size in dovecot.index.cache file
>    could have caused a crash (segfault) when accessing it.
>  - lib-oauth2: JWT token time validation now works correctly with
>    32-bit systems.
>  - lib-ssl-iostream: Checking hostnames against an SSL certificate was
>    case-sensitive.
>  - lib-storage: Corrupted mime.parts in dovecot.index.cache may have
>    resulted in Panic: file imap-bodystructure.c: line 206
> (part_write_body):
>    assertion failed: (text == ((part->flags & MESSAGE_PART_FLAG_TEXT) !=
> 0))
>  - lib-storage: Index rebuilding (e.g. via doveadm force-resync) didn't
>    preserve the "hdr-pop3-uidl" header. Because of this, the next pop3
>    session could have accessed all of the emails' metadata to read their
>    POP3 UIDL (opening dbox files).
>  - listescape: When using the listescape plugin and a shared namespace
>    the plugin didn't work properly anymore resulting in errors like:
>    "Invalid mailbox name: Name must not have '/' character."
>  - lmtp: Connection crashes if connection gets disconnected due to
>    multiple bad commands and the last bad command is BDAT.
>  - lmtp: The Dovecot-specific LMTP parameter XRCPTFORWARD was blindly
>    forwarded by LMTP proxy without checking that the backend has support.
>    This caused a command parameter error from the backend if it was
>    running an older Dovecot release. This could only occur in more complex
>    setups where the message was proxied twice; when the proxy generated
>    the XRCPTFORWARD parameter itself the problem did not occur, so this
>    only happened when it was forwarded.
>  - lmtp: The LMTP proxy crashes with a panic when the remote server
>    replies with an error while the mail is still being forwarded through
>    a DATA/BDAT command.
>  - lmtp: Username may have been missing from lmtp log line prefixes when
>    it was performing autoexpunging.
>  - master: Dovecot would incorrectly fail with haproxy 2.0.14 service
>    checks.
>  - master: Systemd service: Dovecot announces readiness for accepting
>    connections earlier than it should. The following environment variables
>    are now imported automatically and can be omitted from
>    import_environment setting: NOTIFY_SOCKET LISTEN_FDS LISTEN_PID.
>  - master: service { process_min_avail } was launching processes too
>    slowly when master was forking a lot of processes.
>  - util: Make the health-check.sh example script POSIX shell compatible.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20210621/93b4edd0/attachment-0001.html>