[Dovecot-news] v1.0.13 and v1.1.rc3 released

Timo Sirainen tss at iki.fi
Sun Mar 9 13:17:14 EET 2008


http://dovecot.org/releases/1.0/dovecot-1.0.13.tar.gz
http://dovecot.org/releases/1.0/dovecot-1.0.13.tar.gz.sig

http://dovecot.org/releases/1.1/rc/dovecot-1.1.rc3.tar.gz
http://dovecot.org/releases/1.1/rc/dovecot-1.1.rc3.tar.gz.sig

Note that the changes for the security hole fix were quite large. I
tested with several auth configurations myself and they seemed to work,
but it's possible I left a bug somewhere in there breaking someone's
configuration. So make sure to test that it works after upgrading.

Of course it would be really nice if Dovecot had a proper test suite
where testing all configurations could be automated and run before each
release. I've already started this with my imaptest tool
(http://imapwiki.org/ImapTest), but it only does IMAP tests and a lot of
things are still missing. Some help would be nice here.

	* Fixed a security hole in blocking passdbs (MySQL always. PAM, passwd
	  and shadow if blocking=yes) where user could specify extra fields
	  in the password. The main problem here is when specifying
	  "skip_password_check" introduced in v1.0.11 for fixing master user
	  logins, allowing the user to log in as anyone without a valid
	  password.

	- mail_privileged_group was broken in some systems (OS X, Solaris?)
	- IMAP THREAD: Fixed some correctness problems

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot-news/attachments/20080309/e09c2b65/attachment.bin 


More information about the Dovecot-news mailing list