<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<div class="">Hi,</div>
<div class=""><br class=""></div>
<div class="">Pigeonhole release for Dovecot v2.3.15.</div>
<div class=""><br class=""></div>
<div class="">One thing we noticed a bit before release is that if you're using the imap_sieve_filter plugin, the IMAP FILTER command may trigger the new excessive resource usage check since it can be processing many messages rapidly. You may want to prevent this with protocol imap { plugin { sieve_max_cpu_time = 0 } }</div>
<div class=""><br class=""></div>
<a href="https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.15.tar.gz" class="">https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.15.tar.gz</a><br class="">
<a href="https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.15.tar.gz.sig" class="">https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.15.tar.gz.sig</a>
<div class=""><br class=""></div>
<div class="">Binary packages in <a href="https://repo.dovecot.org/" class="">https://repo.dovecot.org/</a></div>
<div class="">Docker images in <a href="https://hub.docker.com/r/dovecot/dovecot" class="">https://hub.docker.com/r/dovecot/dovecot</a><div class=""><br class=""></div></div>
<div class=""><div class=""> * CVE-2020-28200: Sieve interpreter is not protected against abusive</div>
<div class=""> scripts that claim excessive resource usage. Fixed by limiting the</div>
<div class=""> user CPU time per single script execution and cumulatively over</div>
<div class=""> several script runs within a configurable timeout period. Sufficiently</div>
<div class=""> large CPU time usage is summed in the Sieve script binary and execution</div>
<div class=""> is blocked when the sum exceeds the limit within that time. The block</div>
<div class=""> is lifted when the script is updated after the resource usage times out.</div>
<div class=""> * Disconnection log messages are now more standardized across services.</div>
<div class=""> They also now always start with the "Disconnected" prefix.</div>
<div class=""> - managesieve: Commands pipelined together with and just after the</div>
<div class=""> authenticate command cause these commands to be executed twice.</div></div>
<div class=""><br class=""></div>
</body></html>