From aki.tuomi at open-xchange.com Tue Feb 5 15:08:15 2019
From: aki.tuomi at open-xchange.com (Aki Tuomi)
Date: Tue, 5 Feb 2019 15:08:15 +0200
Subject: [Dovecot-news] Dovecot v2.2.36.1 released
Message-ID:

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig

    * CVE-2019-3814: If imap/pop3/managesieve/submission client has
      trusted certificate with missing username field
      (ssl_cert_username_field), under some configurations Dovecot
      mistakenly trusts the username provided via authentication instead
      of failing.
    * ssl_cert_username_field setting was ignored with external SMTP AUTH,
      because none of the MTAs (Postfix, Exim) currently send the
      cert_username field. This may have allowed users with trusted
      certificate to specify any username in the authentication. This bug
      didn't affect Dovecot's Submission service.
    - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
    - director: Kicking a user assert-crashes if login process is very slow
    - lda/lmtp: Fix assert-crash with some Sieve scripts when
      mail_attachment_detection_options=add-flags-on-save
    - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
    - Snippet generation crashed with invalid Content-Type:multipart

---
Aki Tuomi
Open-Xchange Oy

From aki.tuomi at open-xchange.com Tue Feb 5 15:08:35 2019
From: aki.tuomi at open-xchange.com (Aki Tuomi)
Date: Tue, 5 Feb 2019 15:08:35 +0200
Subject: [Dovecot-news] Dovecot v2.3.4.1 released
Message-ID:

https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig
Binary packages in https://repo.dovecot.org/

    * CVE-2019-3814: If imap/pop3/managesieve/submission client has
      trusted certificate with missing username field
      (ssl_cert_username_field), under some configurations Dovecot
      mistakenly trusts the username provided via authentication instead
      of failing.
    * ssl_cert_username_field setting was ignored with external SMTP AUTH,
      because none of the MTAs (Postfix, Exim) currently send the
      cert_username field. This may have allowed users with trusted
      certificate to specify any username in the authentication. This bug
      didn't affect Dovecot's Submission service.

---
Aki Tuomi
Open-Xchange oy

From aki.tuomi at open-xchange.com Tue Feb 5 19:31:47 2019
From: aki.tuomi at open-xchange.com (Aki Tuomi)
Date: Tue, 5 Feb 2019 19:31:47 +0200 (EET)
Subject: [Dovecot-news] Release notify (2.2.36.1 and 2.3.4.1)
Message-ID: <979875061.1851.1549387908130@appsuite-dev-gw2.open-xchange.com>

Due to DMARC issues some people have failed to receive the latest
security information, so here it is repeated for both releases:

2.3.4.1

https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig
Binary packages in https://repo.dovecot.org/

* CVE-2019-3814: If imap/pop3/managesieve/submission client has
  trusted certificate with missing username field
  (ssl_cert_username_field), under some configurations Dovecot
  mistakenly trusts the username provided via authentication instead
  of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH,
  because none of the MTAs (Postfix, Exim) currently send the
  cert_username field. This may have allowed users with trusted
  certificate to specify any username in the authentication. This bug
  didn't affect Dovecot's Submission service.

2.2.36.1

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig

* CVE-2019-3814: If imap/pop3/managesieve/submission client has
  trusted certificate with missing username field
  (ssl_cert_username_field), under some configurations Dovecot
  mistakenly trusts the username provided via authentication instead
  of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH,
  because none of the MTAs (Postfix, Exim) currently send the
  cert_username field. This may have allowed users with trusted
  certificate to specify any username in the authentication. This bug
  didn't affect Dovecot's Submission service.
- pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
- director: Kicking a user assert-crashes if login process is very slow
- lda/lmtp: Fix assert-crash with some Sieve scripts when
  mail_attachment_detection_options=add-flags-on-save
- fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
- Snippet generation crashed with invalid Content-Type:multipart

From stephan at rename-it.nl Tue Feb 5 20:07:12 2019
From: stephan at rename-it.nl (Stephan Bosch)
Date: Tue, 5 Feb 2019 19:07:12 +0100
Subject: [Dovecot-news] Dovecot v2.2.36.1 released (Pigeonhole 0.4.24.1)
In-Reply-To: <7b5e3616-01f9-41d8-8ee5-5b4207fdb62e@open-xchange.com>
References: <7b5e3616-01f9-41d8-8ee5-5b4207fdb62e@open-xchange.com>
Message-ID:

Hi,

Here is the associated release for Pigeonhole:

https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz
https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz.sig
Binary packages included in https://repo.dovecot.org/

+ imapsieve: Added imapsieve_expunge_discarded setting which causes
  discarded messages to be expunged immediately.
- Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context that
  modify the message, store the message a second time, rather than
  replacing the originally stored unmodified message.
- imapsieve: Fix crash when COPYing mails from a virtual mailbox when
  the source messages originate from more than a single real mailbox
- imap_filter_sieve plugin: Implement the missing UID FILTER command.
- imap_filter_sieve plugin: Fix FILTER to work with pipelining

Regards,

Stephan.

On 5-2-2019 at 14:01, Aki Tuomi wrote:
> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
>
>     * CVE-2019-3814: If imap/pop3/managesieve/submission client has
>       trusted certificate with missing username field
>       (ssl_cert_username_field), under some configurations Dovecot
>       mistakenly trusts the username provided via authentication instead
>       of failing.
>     * ssl_cert_username_field setting was ignored with external SMTP AUTH,
>       because none of the MTAs (Postfix, Exim) currently send the
>       cert_username field. This may have allowed users with trusted
>       certificate to specify any username in the authentication. This bug
>       didn't affect Dovecot's Submission service.
>
>     - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
>     - director: Kicking a user assert-crashes if login process is very slow
>     - lda/lmtp: Fix assert-crash with some Sieve scripts when
>       mail_attachment_detection_options=add-flags-on-save
>     - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
>     - Snippet generation crashed with invalid Content-Type:multipart
>
>
> ---
>
> Aki Tuomi
> Open-Xchange Oy
>

From aki.tuomi at open-xchange.com Tue Feb 5 22:24:06 2019
From: aki.tuomi at open-xchange.com (Aki Tuomi)
Date: Tue, 5 Feb 2019 22:24:06 +0200 (EET)
Subject: [Dovecot-news] Release notify (2.2.36.1 and 2.3.4.1)
In-Reply-To:
References: <979875061.1851.1549387908130@appsuite-dev-gw2.open-xchange.com>
Message-ID: <477021197.1749.1549398247355@appsuite-dev-gw1.open-xchange.com>

An HTML attachment was scrubbed...

From aki.tuomi at open-xchange.com Tue Feb 5 22:30:18 2019
From: aki.tuomi at open-xchange.com (Aki Tuomi)
Date: Tue, 5 Feb 2019 22:30:18 +0200 (EET)
Subject: [Dovecot-news] Release notify (2.2.36.1 and 2.3.4.1)
In-Reply-To:
References: <979875061.1851.1549387908130@appsuite-dev-gw2.open-xchange.com> <20190205202618.GB76009@doctor.nl2k.ab.ca>
Message-ID: <21880649.1755.1549398618780@appsuite-dev-gw1.open-xchange.com>

An HTML attachment was scrubbed...
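
The following triage check for CVE-2019-3814 is an added example, not part of the archived messages and not Dovecot project code. It reads text shaped like `doveconf -n` output and compares the version against the fixed releases named above (2.2.36.1 and 2.3.4.1). Assumptions: the dump starts with a `# <version> (...)` header line, and `auth_ssl_username_from_cert = yes` is taken as the marker for setups that rely on the certificate username; the sample dumps are constructed.

```python
import re

# Fixed releases named in the announcements above, keyed by release branch.
FIXED = {(2, 2): (2, 2, 36, 1), (2, 3): (2, 3, 4, 1)}

def parse_doveconf(text):
    """Return (version, settings) from `doveconf -n` style text.

    Settings are read flat; the ones checked here are top-level settings.
    """
    version, settings = None, {}
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"#\s*(\d+(?:\.\d+)+)", line)
        if header and version is None:
            version = tuple(int(p) for p in header.group(1).split("."))
        elif not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return version, settings

def assess(text):
    """Return (status, username_field) for one configuration dump."""
    version, settings = parse_doveconf(text)
    field = settings.get("ssl_cert_username_field", "commonName")  # Dovecot default
    fixed = FIXED.get(version[:2]) if version else None
    if fixed is None:
        return "unknown", field      # branch not covered by the announcements
    if version >= fixed:
        return "patched", field
    # Assumption: auth_ssl_username_from_cert=yes marks the setups that rely on
    # the certificate username; the announcement only says "some configurations".
    if settings.get("auth_ssl_username_from_cert", "no") == "yes":
        return "affected", field
    return "unpatched", field

# Constructed samples, not output captured from a real server.
SAMPLE_OLD = """# 2.3.4 (abcdef123): /etc/dovecot/dovecot.conf
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
ssl_cert_username_field = emailAddress
ssl_verify_client_cert = yes
"""
SAMPLE_NEW = SAMPLE_OLD.replace("# 2.3.4 ", "# 2.3.4.1 ")

if __name__ == "__main__":
    for name, sample in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(name, assess(sample))
```

A result of `unpatched` still calls for the upgrade, since the second item in the announcement (external SMTP AUTH ignoring `ssl_cert_username_field`) is fixed in the same releases.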