[Dovecot-news] Pigeonhole v0.5.21 released

2023-09-15 Thread Aki Tuomi via Dovecot-news
Hi all!

We are pleased to release v0.5.21 of Pigeonhole.

https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.21.tar.gz
https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.21.tar.gz.sig
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot

Regards,
Aki Tuomi
Open-Xchange oy
---

- sieve: Using the deleteheader action on a message with a broken/invalid
  header can cause the Sieve interpreter to crash with an assert panic.
  This can happen e.g. when the message is missing the empty EOH line
  between the headers and the body of the message. Fixes:
  Panic: file edit-mail.c: line 820 (edit_mail_headers_parse):
  assertion failed: (body_offset > 0).
- sieve: Pigeonhole added an extra Message-ID header during mail
  forwarding when the existing one was invalid. Now it adds the
  Message-ID only if it is entirely missing. Existing Message-ID(s) are
  left unchanged.


signature.asc
Description: PGP signature
___
Dovecot-news mailing list -- dovecot-news@dovecot.org
To unsubscribe send an email to dovecot-news-le...@dovecot.org


[Dovecot-news] Dovecot v2.3.21 released

2023-09-15 Thread Aki Tuomi via Dovecot-news
Hi all!

We are pleased to release v2.3.21 of Dovecot.

https://dovecot.org/releases/2.3/dovecot-2.3.21.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.21.tar.gz.sig
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot

Regards,
Aki Tuomi
Open-Xchange oy
---

* lib-oauth2: Allow JWT tokens to be validated with missing typ field.
  The typ field is left out by some key issuers to conserve space,
  notably kubernetes. Now missing typ is tolerated, but if present, it
  still must be "jwt".
+ auth: Auth passdb and userdb reply can contain "event_=value"
  which will be added to login event and mail user event respectively.
+ lib-master: Set process title during various initialization stages to
  clearly describe what the process is waiting on.
+ lib-storage: The mail_temp_scan_interval is now fuzzed incrementing it
  by 0..30% based on username's hash to reduce the chance of load spikes.
+ lib-storage: The temp file scan has been moved from the open of the
  mailbox to the close, to reduce the latency perceived by users.
+ stats: If metric has fields specified, all these fields are
  exported as counters to prometheus exposition.
  See https://doc.dovecot.org/configuration_manual/stats/openmetrics/.
- *-login: Processes might have crashed when a SSL connection disconnects
  uncleanly.
- acl: When plugin was loaded \HasChildren and \HasNoChildren flags
  were calculated incorrectly for mailboxes containing '*' and '%'
  in their names.
- auth: Crash occurred if a connection to PostgreSQL database server
  failed during startup.
- auth: Logins with invalid passwords (e.g. unknown scheme) in passdb
  were failing with "password mismatch" instead of "internal error".
- auth: XOAUTH2 and OAUTHBEARER mechanisms were not giving out protocol
  specific error message on all errors. This especially broke OIDC
  discovery.
- dbox: When last_temp_file_scan header wasn't set (especially after
  dsync migration), the next mailbox open always triggers the temp file
  scan. This could have caused a load spike after migrations. Fixed by
  using the mailbox directory's atime when the header isn't set, which
  usually moves the scan time into the future.
- dict-redis: A crash would occur on transaction rollback.
- dsync: Infinite loop causing out of memory would occur when handling
  mailbox deletion from remote end and hierarchy separators would differ.
- dsync: Incremental dsync failed for folder names ending with '%',
  unless BROKENCHAR was set. Also folder names with '%' elsewhere in
  them caused each incremental dsync to unnecessarily rename the folder
  to a temporary name and back. v2.3.19 regression.
- imap-hibernate: If an IMAP client unhibernation timed out with
  "(version received)", the unhibernation could still have successfully
  finished later on and continued working normally. This was rather
  confusing, because imap-hibernate already logged that the client got
  disconnected. Avoid this by forcing the connection to shutdown on
  unhibernation timeout.
- imapc: Crashed when a folder mapped through the virtual plugin
  disappears from the storage.
- imapc: EXPUNGE, EXISTS or FETCH replies from a server for a previously
  selected mailbox could have been processed as if they belonged to the
  new mailbox currently being selected. This could have caused warnings.
- lib-http: Dovecot HTTP server (doveadm, stats/openmetrics) may have
  disconnected HTTP clients before the response is fully sent. This
  happened only on busy servers where kernel's socket buffers were
  rather full.
- lib-http: Fixed a potential crash on http-server if a client
  disconnected early. v2.3.18 regression.
- lib-index: Index file corruption could have caused a crash. Fixes:
  Panic: file mail-transaction-log-view.c: line 165 (mail_transaction_log_view_set):
  assertion failed: (min_file_seq <= max_file_seq).
- lib-index: Purging an existing >1GB cache file can crash. Now cache
  files still above 1GB after purging are removed. Fixes:
  Panic: file mail-index-util.c: line 10 (mail_index_uint32_to_offset):
  assertion failed: (offset < 0x4000)
- lib-lua: A HTTP client could not resolve DNS names in mail processes,
  because it expected "the dns-client" socket to exist in the current
  directory.
- lib-oauth2: Dovecot would send client_id and client_secret as POST
  parameters to the introspection server. These need to be optionally in
  Basic auth instead.
- lib-oauth2: JWT aud validation was not performed if aud was missing
  from a token, but was configured on Dovecot.
- lib-oauth2: JWT key type check was too strict.
- lib-oauth2: JWT token audience was not validated against client_id as
  required by the specification.
- lib-ssl-iostream: Using the ssl_require_crl=yes setting may have caused
  CRL check failures for outgoing SSL/TLS connections, although it was
  supposed to affect checking CRLs only for client-side SSL
  certificates. v2.3.17 regression.
- lib-sql: MySQL 
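
The lib-oauth2 items in this release describe three acceptance rules for JWT bearer tokens: a missing "typ" header is tolerated but a present one must be "jwt", a configured audience is mandatory (a token with no "aud" claim must not skip the check), and the audience is matched against the client_id. The following is an added example in plain Python, not Dovecot's lib-oauth2 code, that applies those rules to constructed HS256 tokens; the shared key, the claims and the "dovecot" audience are assumptions made for the demo.

```python
"""Added illustration of the JWT acceptance rules from the v2.3.21 notes.

Not Dovecot code: a minimal HS256 validator that tolerates a missing
"typ" header but rejects a wrong one, and treats a configured audience
as mandatory so a token without "aud" is rejected, not waved through.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-key"  # assumed shared HMAC key, demo only


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, header_extra: Optional[dict] = None,
               key: bytes = SECRET) -> str:
    """Mint an HS256 token; header_extra lets the demo add or omit 'typ'."""
    header = {"alg": "HS256", **(header_extra or {})}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." +
                     _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate(token: str, expected_aud: Optional[str], key: bytes = SECRET,
             now: Optional[int] = None) -> str:
    """Return "ok" or a short rejection reason, checking in a fixed order."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
    except ValueError:  # covers base64 and JSON decode errors
        return "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "malformed"
    if header.get("alg") != "HS256":
        return "bad alg"
    # typ is optional (some issuers omit it); if present it must be JWT.
    typ = header.get("typ")
    if typ is not None and (not isinstance(typ, str) or typ.lower() != "jwt"):
        return "bad typ"
    expected_sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        return "bad signature"
    now = int(time.time()) if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return "expired"
    # A configured audience is mandatory: a missing aud must fail, not pass.
    if expected_aud is not None:
        aud = claims.get("aud")
        auds = [aud] if isinstance(aud, str) else (aud or [])
        if expected_aud not in auds:
            return "bad aud"
    return "ok"


if __name__ == "__main__":
    exp = int(time.time()) + 300
    good = {"sub": "alice", "aud": "dovecot", "exp": exp}
    print(validate(make_token(good), "dovecot"))                   # no typ: tolerated
    print(validate(make_token(good, {"typ": "JWT"}), "dovecot"))   # typ present and valid
    print(validate(make_token(good, {"typ": "at+jwt"}), "dovecot"))  # typ present but not jwt
    print(validate(make_token({"sub": "alice", "exp": exp}), "dovecot"))  # aud missing
```

Note the third case: a token whose issuer sets typ to something other than "jwt" is rejected under the rule as the release note states it, so an issuer emitting a different typ needs to be checked against that behaviour rather than assumed to work.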

[Dovecot-news] Pigeonhole v0.5.20 released

2022-12-22 Thread Aki Tuomi via Dovecot-news
We are pleased to release v0.5.20 of Pigeonhole.

https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.20.tar.gz
https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.20.tar.gz.sig
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot

Regards,
Aki Tuomi
Open-Xchange oy

--

* No changes - release done to keep version numbers synced.




[Dovecot-news] Dovecot v2.3.20 released

2022-12-22 Thread Aki Tuomi via Dovecot-news
We are pleased to release v2.3.20 of Dovecot.

https://dovecot.org/releases/2.3/dovecot-2.3.20.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.20.tar.gz.sig
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot

Regards,
Aki Tuomi
Open-Xchange oy

--

+ Add dsync_features=no-header-hashes. When this setting is enabled and
  one dsync side doesn't support mail GUIDs (i.e. imapc), there is no
  fallback to using header hashes. Instead, dsync assumes that all mails
  with identical IMAP UIDs contains the same mail contents. This can
  significantly improve dsync performance with some IMAP servers that
  don't support caching Date/Message-ID headers.
+ lua: HTTP client has more settings now, see
  https://doc.dovecot.org/admin_manual/lua/#dovecot.http.client
+ replicator: "doveadm replicator status" command now outputs when the
  next sync is expected for the user.
- LAYOUT=index: duplicate GUIDs were not cleaned out. Also the list
  recovery was not optimal.
- auth: Assert crash would occur when iterating multiple userdb
  backends.
- director: Logging into director using master user with
  auth_master_user_separator character redirected user to a wrong
  backend, unless master_user_separator setting was also set to the same
  value. Merged these into auth_master_user_separator.
- dsync: Couldn't always fix folder GUID conflicts automatically with
  Maildir format. This resulted in replication repeatedly failing
  with "Remote lost mailbox GUID".
- dsync: Failed to migrate INBOX when using namespace prefix=INBOX/,
  resulting in "Remote lost mailbox GUID" errors.
- dsync: INBOX was created too early with namespace prefix=INBOX/,
  resulting a GUID conflict. This may have been resolved automatically,
  but not always.
- dsync: v2.3.18 regression: Wrong imapc password with dsync caused
  Panic: file lib-event.c: line 506 (event_pop_global):
  assertion failed: (event == current_global_event)
- imapc: Requesting STATUS for a mailbox with imapc and INDEXPVT
  configured did not return correct (private) unseen counts.
- lib-dict: Process would crash when committing data to redis without
  dict proxy.
- lib-mail: Corrupted cached BODYSTRUCTURE caused panic during FETCH.
  Fixes: Panic: file message-part-data.c: line 579 (message_part_is_attachment):
  assertion failed: (data != NULL). v2.3.13 regression.
- lib-storage: mail_attribute_dict with dict-sql failed when it tried to
  lookup empty dict keys.
- lib: ioloop-kqueue was missing include breaking some BSD builds.
- lua-http: Dovecot Lua HTTP client could not resolve DNS names in mail
  processes, because it expected "dns-client" socket to exist in the
  current directory.
- oauth2: Using %{oauth2:name} variables could cause useless
  introspections.
- pop3: Sending POP3 command with ':' character caused an assert-crash.
  v2.3.18 regression.
- replicator: Replication queue had various issues, potentially causing
  replication requests to become stuck.
- stats: Invalid Prometheus label names were created with specific




Re: [Dovecot-news] CVE-2022-30550: Privilege escalation possible in dovecot when similar master and non-master passdbs are used

2022-07-06 Thread Aki Tuomi via Dovecot-news


> On 06/07/2022 16:54 EEST Aki Tuomi via Dovecot-news wrote:
> 
>  
> Affected product: Dovecot IMAP Server 
> Internal reference: DOV-5320
> Vulnerability type: Improper Access Control (CWE-284) 
> Vulnerable version: 2.2
> Vulnerable component: submission 
> Report confidence: Confirmed 
> Solution status: Fixed in main
> Researcher credits: Julian Brook (julezman)
> Vendor notification: 2022-05-06 
> CVE reference: CVE-2022-30550
> CVSS: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N) 
> 
> Vulnerability Details: 
> When two passdb configuration entries exist in Dovecot configuration, which 
> have the same driver and args settings, the incorrect username_filter and 
> mechanism settings can be applied to passdb definitions. These incorrectly 
> applied settings can lead to an unintended security configuration and can 
> permit privilege escalation with certain configurations involving master user 
> authentication.
> 
> Dovecot documentation does not advise against the use of passdb definitions 
> which have the same driver and args settings. One such configuration would be 
> where an administrator wishes to use the same pam configuration or passwd 
> file for both normal and master users but use the username_filter setting to 
> restrict which of the users is able to be a master user.
> 
> Risk: 
> If same passwd file or PAM is used for both normal and master users, it is 
> possible for attacker to become master user.
> 
> Workaround:
> Always authenticate master users from different source than regular users, 
> e.g. using a separate passwd file. Alternatively, you can use global ACLs to 
> ensure that only legitimate master users have privileged access.
> 
> Fix:
> This has been fixed in main branch. See 
> https://github.com/dovecot/core/compare/7bad6a24%5E..a1022072.patch

Two small corrections to this CVE notice... The service impacted is of course 
'auth' not 'submission', and the version impacted is from 2.2 to 2.3.19.1. 

Aki


[Dovecot-news] CVE-2022-30550: Privilege escalation possible in dovecot when similar master and non-master passdbs are used

2022-07-06 Thread Aki Tuomi via Dovecot-news
Affected product: Dovecot IMAP Server 
Internal reference: DOV-5320
Vulnerability type: Improper Access Control (CWE-284) 
Vulnerable version: 2.2
Vulnerable component: submission 
Report confidence: Confirmed 
Solution status: Fixed in main
Researcher credits: Julian Brook (julezman)
Vendor notification: 2022-05-06 
CVE reference: CVE-2022-30550
CVSS: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N) 

Vulnerability Details: 
When two passdb configuration entries exist in Dovecot configuration, which 
have the same driver and args settings, the incorrect username_filter and 
mechanism settings can be applied to passdb definitions. These incorrectly 
applied settings can lead to an unintended security configuration and can 
permit privilege escalation with certain configurations involving master user 
authentication.

Dovecot documentation does not advise against the use of passdb definitions 
which have the same driver and args settings. One such configuration would be 
where an administrator wishes to use the same pam configuration or passwd file 
for both normal and master users but use the username_filter setting to 
restrict which of the users is able to be a master user.

Risk: 
If same passwd file or PAM is used for both normal and master users, it is 
possible for attacker to become master user.

Workaround:
Always authenticate master users from different source than regular users, e.g. 
using a separate passwd file. Alternatively, you can use global ACLs to ensure 
that only legitimate master users have privileged access.

Fix:
This has been fixed in main branch. See 
https://github.com/dovecot/core/compare/7bad6a24%5E..a1022072.patch
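
The advisory above (and the follow-up correcting the component to auth and the affected range to 2.2 through 2.3.19.1) describes a configuration shape rather than a single bad setting: two passdb sections with identical driver and args, where username_filter or mechanisms is what keeps ordinary users out of the master passdb. As an added check that is not part of the advisory or of Dovecot, the script below parses `doveconf -n` style output and reports passdb groups that match that shape. The embedded sample is constructed; the path /etc/dovecot/users and the username_filter pattern are assumptions.

```python
"""Added check for the CVE-2022-30550 configuration shape. Not Dovecot code.

Reads `doveconf -n` style text (from stdin when piped, otherwise the
constructed sample below) and reports passdb sections that share the same
driver and args while relying on username_filter or mechanisms to tell
master users apart from regular users.
"""
import sys
from typing import Dict, List, Tuple

# Constructed sample resembling `doveconf -n`: one passwd-file serves both
# regular logins and, behind a username filter, master-user logins.
SAMPLE_CONFIG = """\
auth_master_user_separator = *
passdb {
  args = /etc/dovecot/users
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/users
  driver = passwd-file
  master = yes
  result_success = continue
  username_filter = admin-*
}
userdb {
  args = /etc/dovecot/users
  driver = passwd-file
}
"""

# Settings the advisory names as the ones that can be mis-applied.
DIFFERENTIATORS = ("username_filter", "mechanisms")


def parse_passdbs(text: str) -> List[Dict[str, str]]:
    """Collect top-level `passdb { key = value ... }` sections (flat parse)."""
    passdbs: List[Dict[str, str]] = []
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            if depth == 0 and line[:-1].strip() == "passdb":
                current = {}
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0 and current is not None:
                passdbs.append(current)
                current = None
            continue
        if current is not None and depth == 1 and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return passdbs


def find_shared_sources(passdbs) -> Dict[Tuple[str, str], List[Dict[str, str]]]:
    """Group passdbs by (driver, args); keep only groups with more than one entry."""
    groups: Dict[Tuple[str, str], List[Dict[str, str]]] = {}
    for db in passdbs:
        groups.setdefault((db.get("driver", ""), db.get("args", "")), []).append(db)
    return {k: v for k, v in groups.items() if len(v) > 1}


def report(text: str) -> List[str]:
    """One finding per shared (driver, args) group that leans on a differentiator."""
    findings = []
    for (driver, args), dbs in find_shared_sources(parse_passdbs(text)).items():
        relies = [k for k in DIFFERENTIATORS if any(k in db for db in dbs)]
        if relies:
            findings.append(f"{len(dbs)} passdbs share driver={driver} args={args}; "
                            f"separation relies on: {', '.join(relies)}")
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    hits = report(text)
    for hit in hits:
        print("WARNING:", hit)
    if not hits:
        print("no passdb pairs share driver+args with a username_filter/mechanisms split")
```

Pipe a live configuration through it with `doveconf -n | python3 check_passdb.py`. A hit does not prove exploitability, but it is exactly the shape the advisory says to avoid; the workaround it gives, a separate source (for example a separate passwd file) for master users, makes the groups disjoint and the warning disappears.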


[Dovecot-news] v2.3.19.1 released

2022-06-14 Thread Aki Tuomi via Dovecot-news
Hi everyone!

Due to a severe bug in doveadm deduplicate, we are releasing patch release 
2.3.19.1. Please find it at locations below:

https://dovecot.org/releases/2.3/dovecot-2.3.19.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.19.1.tar.gz.sig
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot

Aki Tuomi
Open-Xchange oy

---

- doveadm deduplicate: Non-duplicate mails were deleted. v2.3.19 regression.
- auth: Crash would occur when iterating multiple backends.
  Fixes: Panic: file userdb-blocking.c: line 125 (userdb_blocking_iter_next):
  assertion failed: (ctx->conn != NULL)




Re: [Dovecot-news] Pigeonhole v0.5.19 released

2022-05-10 Thread Aki Tuomi via Dovecot-news

> On 10/05/2022 09:33 Aki Tuomi wrote:
>
>
> Hi all!
>
> We are pleased to release v0.5.19 of Pigeonhole.
>
> This release is done to maintain parity with dovecot 2.3.19 release, so it 
> does not contain any news-worthy changes.
>
> https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.18.tar.gz
> https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.18.tar.gz
> Binary packages in https://repo.dovecot.org/
> Docker images in https://hub.docker.com/r/dovecot/dovecot
>


And of course a small typo was left there. The links are

https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.19.tar.gz
https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.19.tar.gz

Regards,
Aki Tuomi
Open-Xchange oy




[Dovecot-news] Pigeonhole v0.5.19 released

2022-05-10 Thread Aki Tuomi via Dovecot-news
Hi all!

We are pleased to release v0.5.19 of Pigeonhole.

This release is done to maintain parity with dovecot 2.3.19 release, so it does 
not contain any news-worthy changes.

https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.18.tar.gz
https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.18.tar.gz
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot

Regards,
Aki Tuomi
Open-Xchange oy




[Dovecot-news] Dovecot v2.3.19 released

2022-05-10 Thread Aki Tuomi via Dovecot-news
Hi all!

We are pleased to release v2.3.19 of Dovecot.

The docker images have been upgraded to use bullseye as base image.

https://dovecot.org/releases/2.3/dovecot-2.3.19.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.19.tar.gz.sig
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot

Regards,
Aki Tuomi
Open-Xchange oy

--

+ Added mail_user_session_finished event, which is emitted when the mail
  user session is finished (e.g. imap, pop3, lmtp). It also includes
  fields with some process statistics information.
  See https://doc.dovecot.org/admin_manual/list_of_events/ for more
  information.
+ Added process_shutdown_filter setting. When an event matches the filter,
  the process will be shutdown after the current connection(s) have
  finished. This is intended to reduce memory usage of long-running imap
  processes that keep a lot of memory allocated instead of freeing it to
  the OS.
+ auth: Add cache hit indicator to auth passdb/userdb finished events.
  See https://doc.dovecot.org/admin_manual/list_of_events/ for more
  information.
+ doveadm deduplicate: Performance is improved significantly.
+ imapc: COPY commands were sent one mail at a time to the remote IMAP
  server. Now the copying is buffered, so multiple mails can be copied
  with a single COPY command.
+ lib-lua: Add a Lua interface to Dovecot's HTTP client library. See
  https://doc.dovecot.org/admin_manual/lua/ for more information.
- auth: Cache lookup would use incorrect cache key after username change.
- auth: Improve handling unexpected LDAP connection errors/hangs.
  Try to fix up these cases by reconnecting to the LDAP server and
  aborting LDAP requests earlier.
- auth: Process crashed if userdb iteration was attempted while auth-workers
  were already full handling auth requests.
- auth: db-oauth2: Using %{oauth2:name} variables caused unnecessary
  introspection requests.
- dict: Timeouts may have been leaked at deinit.
- director: Ring may have become unstable if a backend's tag was changed.
  It could also have caused director process to crash.
- doveadm kick: Numeric parameter was treated as IP address.
- doveadm: Proxying can panic when flushing print output. Fixes
  Panic: file ioloop.c: line 865 (io_loop_destroy): assertion failed:
  (ioloop == current_ioloop).
- doveadm sync: BROKENCHAR was wrongly changed to '_' character when
  migrating mailboxes. This was set by default to %, so any mailbox
  names containing % characters were modified to "_25".
- imapc: Copying or moving mails with doveadm to an imapc mailbox could
  have produced "Error: Syncing mailbox '[...]' failed" Errors. The
  operation itself succeeded but attempting to sync the destination
  mailbox failed.
- imapc: Prevent index log synchronization errors when two or more imapc
  sessions are adding messages to the same mailbox index files, i.e.
  INDEX=MEMORY is not used.
- indexer: Process was slowly leaking memory for each indexing request.
- lib-fts: fts header filters caused binary content to be sent to the
  indexer with non-default configuration.
- doveadm-server: Process could hang in some situations when printing
  output to TCP client, e.g. when printing doveadm sync state.
- lib-index: dovecot.index.log files were often read and parsed entirely,
  rather than only the parts that were actually necessary. This mainly
  increased CPU usage.
- lmtp-proxy: Session ID forwarding would cause same session IDs being
  used when delivering same mail to multiple backends.
- log: Log prefix update may have been lost if log process was busy.
  This could have caused log prefixes to be empty or in some cases
  reused between sessions, i.e. log lines could have been logged for the
  wrong user/session.
- mail_crypt: Plugin crashes if it's loaded only for some users. Fixes
  Panic: Module context mail_crypt_user_module missing.
- mail_crypt: When LMTP was delivering mails to both recipients with mail
  encryption enabled and not enabled, the non-encrypted recipients may
  have gotten mails encrypted anyway. This happened when the first
  recipient was encrypted (mail_crypt_save_version=2) and the 2nd
  recipient was not encrypted (mail_crypt_save_version=0).
- pop3: Session would crash if empty line was sent.
- stats: HTTP server leaked memory.
- submission-login: Long credentials, such as OAUTH2 tokens, were refused
  during SASL interactive due to submission server applying line length
  limits.
- submission-login: When proxying to remote host, authentication was not
  using interactive SASL when logging in using long credentials such as
  OAUTH2 tokens. This caused authentication to fail due to line length
  constraints in SMTP protocol.
- submission: Terminating the client connection with QUIT command after
  mail transaction is started with MAIL command and before it is
  finished with DATA/BDAT can cause a segfault crash.
- virtual: doveadm search queries with mailbox-guid as the only parameter
  

[Dovecot-news] Notification about branch and versioning changes

2022-02-03 Thread Aki Tuomi via Dovecot-news
Dear subscribers,

This year we will be releasing a new Dovecot major release. In preparations for 
this, we are doing some repository changes,
which will affect you if you are using our git repositories. These changes will 
become effective after 14th of February.

Following branch name changes are going to be implemented:
  - main  => this is going to be the main branch in future
  - master => release-2.3

Note that Dovecot version number on main branch is going to change. The next 
major CE release will be 2.4.x.

The change to a main branch and its version numbering also apply to Pigeonhole. 
We will also align Pigeonhole release version to match Dovecot, ie. the next 
major is 2.4.x and not 0.6.

We will send more information about the upcoming major release as it progresses.

Regards,
Aki Tuomi
Open-Xchange oy




[Dovecot-news] Pigeonhole v0.5.18 released

2022-02-03 Thread Aki Tuomi via Dovecot-news
Hi all!

We are pleased to release v0.5.18 of Pigeonhole.

Debian/Stretch support has now been dropped.

CentOS 8 packages have been replaced with RedHat Enterprise Linux 8 packages. 
These should be compatible with all the various variants.

https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.18.tar.gz
https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.18.tar.gz
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot

Regards,
Aki Tuomi
Open-Xchange oy

--

- duplicate: Users without a home directory can crash with Sieve when
  using duplicate database. v2.3.17 regression.
- imapsieve: When mail was expunged when processing imapsieve events, a
  crash could occur. Fixes Panic: file mail-index-map.c:
  line 558 (mail_index_map_lookup_seq_range): assertion failed: (first_uid > 0)
- managesieve-login: Proxy didn't support forwarding the forward_* passdb
  fields.
- redirect: Sieve would crash if redirect after keep-equivalent action failed.
- sieve: Interpreter crashes when the Sieve index extension is used with
  index zero.
- vnd.dovecot.filter: Envelope sender string may become corrupted when
  Sieve scripts are using vnd.dovecot.filter. This could end up
  corrupting mbox's From line and return wrong envelope sender string in




[Dovecot-news] Dovecot v2.3.18 released

2022-02-03 Thread Aki Tuomi via Dovecot-news
Hi all!

We are pleased to release v2.3.18 of Dovecot.

Debian/Stretch support has now been dropped.

CentOS 8 packages have been replaced with RedHat Enterprise Linux 8 packages. 
These should be compatible with all the various variants.

https://dovecot.org/releases/2.3/dovecot-2.3.18.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.18.tar.gz.sig
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot

Regards,
Aki Tuomi
Open-Xchange oy

--

* Removed mail_cache_lookup_finished event. This event wasn't especially
  useful, but it increased CPU usage significantly.
* fts: Don't index inline base64 encoded content in FTS indexes using
  the generic tokenizer. This reduces the FTS index sizes by removing
  input that is very unlikely to be searched for. See
  https://doc.dovecot.org/configuration_manual/fts/tokenization for
  details on how base64 is detected. Only applies when using libfts.
* lmtp: Session IDs are now preserved through proxied connections, so
  LMTP sessions can be tracked. This slightly changes the LMTP session
  ID format by appending ":Tn" (transaction), ":Pn" (proxy connection)
  and ":Rn" (recipient) counters after the session ID prefix.
+ Events now have "reason_code" field, which can provide a list of
  reasons why the event is happening. See
  https://doc.dovecot.org/admin_manual/event_reasons/
+ New events are added. See https://doc.dovecot.org/admin_manual/list_of_events/
+ fts: Added fts_header_excludes and fts_header_includes settings to
  specify which headers to index. See
  https://doc.dovecot.org/settings/plugin/fts-plugin#plugin-fts-setting-fts-header-excludes
  for configuration details.
+ fts: Initialize the textcat language detection library only once per
  process. This can reduce CPU usage if fts_languages setting has multiple
  languages listed and service indexer-worker { service_count } isn't 1.
  Only applies when using libfts.
+ lib-storage: Reduced CPU usage significantly for some operations that
  accessed lots of emails (e.g. fetching all flags in a folder, SORT, ...)
+ lib: DOVECOT_PREREQ() - Add micro version which enables compiling
  external plugins against different versions of Dovecot.
+ lmtp: Added new lmtp_verbose_replies setting that makes errors sent to
  the LMTP client much more verbose with details about why exactly
  backend proxy connections or commands are failing.
+ submission: Support implicit SASL EXTERNAL with
  submission_client_workarounds=implicit-auth-external. This allows
  automatically logging in when SSL client certificate is present.
- *-login: Statistics were disabled if stats process connection was lost.
- auth: Authentication master user login fails with SCRAM-* SASL mechanisms.
- auth: With auth_cache_verify_password_with_worker=yes, passdb extra
  fields in the auth cache got lost.
- doveadm: Fixed crash if zlib_save_level setting was specified,
  but zlib_save was unset. v2.3.15 regression.
- doveadm: Proxying can panic when flushing print output. v2.3.17
  regression. Fixes:
  Panic: file ioloop.c: line 865 (io_loop_destroy): assertion failed:
  (ioloop == current_ioloop)
- doveadm: stats add --group-by parameter didn't work.
- fts: Using email-address fts tokenizer could result in excessive memory
  usage with garbage email input. This could cause the indexer-worker
  processes to fail due to reaching the VSZ memory size limit.
  Only applies when using libfts.
- imap: A SEARCH command timing out while fts returns indexes may timeout
  returning "NO [SERVERBUG]", while it should return "NO [INUSE]" instead.
- imap: LIST-EXTENDED doesn't return STATUS for all folders. Sending
  LIST .. RETURN (SUBSCRIBED STATUS (...)) did not return STATUS for
  folders that are not subscribed when they have a child folder that is
  subscribed as mandated by IMAP RFCs.
- imapc: Mailbox vsize calculation crashed with
  Panic: file index-mailbox-size.c: line 344 (index_mailbox_vsize_hdr_add_missing):
  assertion failed: (mails_left > 0)
- indexer: If indexer-worker crashes, the request it was processing gets
  stuck in the indexer process. This stops indexing for the folder until
  indexer process is restarted. v2.3.14 regression.
- indexer: Process was slowly leaking memory for each indexing request.
- lib-event: Unnamed events were wrongly filtered out for event/metric
  filters like "event=abc OR something_independent_of_event_name".
- lib-index: 64-bit big endian CPUs handle last_used field in
  dovecot.index.cache wrong.
- lib-ssl-iostream: Fix buggy OpenSSL error handling without assert-crashing.
  If there is no error available, log it as an error instead of crashing.
  The previous fix for this in v2.3.11 was incomplete. Fixes
  Panic: file istream-openssl.c: line 51 (i_stream_ssl_read_real):
  assertion failed: (errno != 0)
- lmtp: Out-of-memory issues can happen when proxying large messages to
  LMTP backend servers that accept the message data too slow.
- master: HAProxy header 

[Dovecot-news] CVE-2019-19722: Critical vulnerability in Dovecot

2019-12-13 Thread Aki Tuomi via Dovecot-news
Open-Xchange Security Advisory 2019-12-13
 
Product: Dovecot IMAP/POP3 Server
Vendor: OX Software GmbH
 
Internal reference: DOV-3719
Vulnerability type: NULL Pointer Dereference (CWE-476)
Vulnerable version: 2.3.9
Vulnerable component: push notification driver
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.9.1
Researcher credits: Frederik Schwan, Michael Stilkerich
Vendor notification: 2019-12-10
Solution date: 2019-12-12
Public disclosure: 2019-12-13
CVE reference: CVE-2019-19722
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C)
 
Vulnerability Details:
Mail with group address as sender will cause a signal 11 crash in push
notification drivers. Group address as recipient can cause crash in some
drivers.
 
Risk:
Repeated delivery attempts are made for the problematic mail, causing
queueing in MTA.
 
Steps to reproduce:
1. Configure dovecot with push notifications enabled, such as OX push
notification driver. This can also be observed with 3rd party plugin XAPS.
2. Send mail with a group address as sender
 
Solution:
Operators should update to the latest Patch Release.






[Dovecot-news] Dovecot v2.3.9.1 released

2019-12-13 Thread Aki Tuomi via Dovecot-news
Hi all!

We are pleased to release v2.3.9.1 of Dovecot. Please find it from
locations below

https://dovecot.org/releases/2.3/dovecot-2.3.9.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.9.1.tar.gz.sig
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot

---

* CVE-2019-19722: Mails with group addresses in From or To fields caused
crash in push notification drivers.

---

Aki Tuomi
Open-Xchange oy





[Dovecot-news] Pigeonhole v0.5.9 released

2019-12-04 Thread Aki Tuomi via Dovecot-news
Hi all!

We are pleased to release v0.5.9 of Pigeonhole. Please find it at the
locations below

---

Aki Tuomi
Open-Xchange oy

https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.9.tar.gz
https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.9.tar.gz.sig
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot

---

+ Added events for Sieve and ManageSieve, see
  https://doc.dovecot.org/admin_manual/list_of_events/#pigeonhole
+ Pigeonhole: Implement the Sieve "special-use" extension described in
  RFC 8579.
- duplicate: Test only compared the handles which would cause
  different values to be cached as the same duplicate test. Fix to also
  compare the actual hashes.
- imap_sieve_filter: IMAP FILTER Command had various bugs in error
  handling. Errors may have been duplicated for each email, errors
  may have been missing entirely, command tag and ERRORS/WARNINGS
  parameters were swapped.






[Dovecot-news] v2.3.9 released

2019-12-04 Thread Aki Tuomi via Dovecot-news
Hi all!

We are pleased to release v2.3.9 of Dovecot. Please find it at the
locations below

---

Aki Tuomi
Open-Xchange oy

https://dovecot.org/releases/2.3/dovecot-2.3.9.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.9.tar.gz.sig
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot

---

* Changed several event field names for consistency and to avoid
  conflicts in parent-child event relationships:
   * SMTP server command events: Renamed "name" to "cmd_name"
   * Events inheriting from a mailbox: Renamed "name" to "mailbox"
   * Server connection events have only "remote_ip", "remote_port",
     "local_ip" and "local_port".
   * Removed duplicate "client_ip", "ip" and "port".
   * Mail storage events: Removed "service" field.
     Use "service:" category instead.
   * HTTP client connection events: Renamed "host" to "dest_host" and
     "port" to "dest_port"
* auth: Drop Postfix socketmap support. It hasn't been working
  with recent Postfix versions for a while now.
* push-notification-lua: The "subject" field is now decoded to UTF8
  instead of kept as MIME-encoded.
+ push-notification-lua: Added new "from_address", "from_display_name",
  "to_address" and "to_display_name" fields. The display names are
  decoded to UTF8.
+ Added various new fields to existing events.
  See http://doc.dovecot.net/admin_manual/list_of_events.html
+ Add lmtp_add_received_header setting. It can be used to prevent LMTP
  from adding "Received:" headers.
+ doveadm: Support SSL/STARTTLS for proxied doveadm connections based on
  doveadm_ssl setting and proxy ssl/tls settings.
+ Log filters support now "service:", which matches all events for
  the given service. It can also be used as a category.
+ lib: Use libunwind to get abort backtraces with function names
  where available.
+ lmtp: When the LMTP proxy changes the username (from passdb lookup)
  add an appropriate ORCPT parameter.
- lmtp: Add lmtp_client_workarounds setting to implement workarounds for
  clients that send MAIL and RCPT commands with additional spaces before
  the path and for clients that omit <> brackets around the path.
  See example-config/conf.d/20-lmtp.conf.
- lda/lmtp: Invalid MAIL FROM addresses were rejected too aggressively.
  Now mails from addresses with unicode characters are delivered, but
  their Return-Path header will be <> instead of the given MAIL FROM
  address.
- lmtp: The lmtp_hdr_delivery_address setting is ignored.
- imap: imap_command_finished event's "args" and "human_args" parameters
  were always empty.
- mbox: Seeking in zlib and bzip2 compressed input streams didn't work
  correctly.
- imap-hibernate: Process crashed when client got destroyed while it was
  attempted to be unhibernated, and the unhibernation fails.
- *-login: Proxying may have crashed if SSL handshake to the backend
  failed immediately. This was unlikely to happen in normal operation.
- *-login: If TLS handshake to upstream server failed during proxying,
  login process could crash due to invalid memory access.
- *-login: v2.3 regression: Using SASL authentication without initial
  response may have caused SSL connections to hang. This happened often
  at least with PHP's IMAP library.
- *-login: When login processes are flooded with authentication attempts
  it starts logging errors about "Authentication server sent unknown id".
  This is still expected. However, it also caused the login process to
  disconnect from auth server and potentially log some user's password
  in the error message.
- dict-sql: SQL prepared statements were not shared between sessions.
  This resulted in creating a lot of prepared statements, which was
  especially inefficient when using Cassandra backend with a lot of
  Cassandra nodes.
- auth: auth_request_finished event didn't have success=yes parameter
  set for successful authentications.
- auth: userdb dict - Trying to list users crashed.
- submission: Service could be configured to allow anonymous
  authentication mechanism and anonymous user access.
- LAYOUT=index: Corrupted dovecot.list.index caused folder creation to
  panic.
- doveadm: HTTP server crashes if request target starts with double "/".
- dsync: Remote dsync started hanging if the initial doveadm
  "dsync-server" command was sent in the same TCP packet as the
  following dsync handshake. v2.3.8 regression.
- lib: Several "input streams" had a bug that in some rare situations
  might cause it to access freed memory. This could lead to crashes or
  corruption.
  The only currently known effect of this is that using zlib plugin with
  external mail attachments (mail_attachment_dir) could cause fetching
  the mail to return a few bytes of garbage data at the beginning of the
  header. Note that the mail wasn't saved corrupted, but fetching it
  caused corrupted mail to be sent to the client.
- lib-storage: If a mail only has quoted content, use the quoted text
  for generating message snippet (IMAP PREVIEW) 

Re: [Dovecot-news] Buster packages available

2019-10-09 Thread Aki Tuomi via Dovecot-news

On 9.10.2019 9.01, Aki Tuomi via Dovecot-news wrote:
> Hi!
>
> We have now buster packages available starting from 2.3.8. You can find
> them from https://repo.dovecot.org/
>
> In related news, we are planning on dropping packages for Debian Jessie,
> Ubuntu 18 and CentOS6 starting from 2.3.9.
>
> ---
> Aki Tuomi
> Open-Xchange oy

And of course we are talking about Ubuntu 14.04, and not Ubuntu 18.

Aki






[Dovecot-news] Buster packages available

2019-10-09 Thread Aki Tuomi via Dovecot-news
Hi!

We have now buster packages available starting from 2.3.8. You can find
them from https://repo.dovecot.org/

In related news, we are planning on dropping packages for Debian Jessie,
Ubuntu 18 and CentOS6 starting from 2.3.9.

---
Aki Tuomi
Open-Xchange oy





[Dovecot-news] Dovecot v2.3.8 released

2019-10-08 Thread Aki Tuomi via Dovecot-news
https://dovecot.org/releases/2.3/dovecot-2.3.8.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.8.tar.gz.sig
Binary packages in https://repo.dovecot.org/

Changes

+ Added mail_delivery_started and mail_delivery_finished events, see
  https://doc.dovecot.org/admin_manual/list_of_events/ for details.
+ dsync-replication: Don't replicate users who have "noreplicate" extra
  field in userdb.
+ doveadm service status: Show total number of processes created.
+ When logging to syslog, use instance_name setting's value for the
  ident. This commonly is added as a log prefix.
+ Base64 encoding/decoding code was rewritten with additional features.
  It shouldn't cause any user visible changes.
- v2.3.7 regression: If a folder only receives new mails without any
  other mail access, dovecot.index.log keeps growing forever and
  dovecot.index keeps being rewritten for every mail delivery.
- dsync-replication may lose keywords after syncing mails restored from
  another replica. This only happened if the mail only had keywords and no
  system flags.
- event filters: Non-textual event fields could not be filtered using
  wildcards.
- auth: Scope parameter was missing from OAuth password grant request.
- doveadm client-server communication may hang in some situations. It is
  also using unnecessarily small TCP/IP packet sizes.
- doveadm who and kick did not flush protocol output correctly.
- imap: SETMETADATA with literal value would delete the metadata value
  instead of updating it.
- imap: When client issues FETCH PREVIEW (LAZY=FUZZY) command, the
  caching decisions should be updated so that newly saved mails will have
  the preview cached.
- With mail_nfs_index=yes and/or mail_nfs_storage=yes setuid/setgid
  permission bits in some files may have become dropped with some NFS
  servers. Changed NFS flushing to now use chmod() instead of chown().
- quota: warnings did not work if quota root was noenforcing
- acl: Global ACL file ignored the last line if it didn't end with LF.
- doveadm stats dump: With JSON formatter output numbers using the
  number type instead of as strings
- lmtp_proxy: Ensure that real_* variables are correctly set when using
  lmtp_proxy.
- event exporter: http-post driver had hardcoded timeout and did not
  support DNS lookups or TLS connections.
- auth: Fix user iteration to work with userdb passwd with glibc v2.28.
- auth: auth service can crash if auth-policy JSON response is invalid
  or returned too fast.
- In some rare situations "ps" output could have shown a lot of "?"
  characters after Dovecot process titles.
- When dovecot.index.pvt is empty, an unnecessary error is logged:
  Error: .../dovecot.index.pvt reset, view is now inconsistent
- SMTP address encoder duplicated initial double quote character when
  the localpart of an address ended in '..'. For example
  "user...@example.com" became ""user+.."@example.com in a
  sieve redirect.

---
Aki Tuomi
Open-Xchange Oy





[Dovecot-news] CVE-2019-11500:

2019-08-28 Thread Aki Tuomi via Dovecot-news
Dear subscribers, we have been made aware of a critical vulnerability in
Dovecot and Pigeonhole.

---

Open-Xchange Security Advisory 2019-08-14
 
Product: Dovecot
Vendor: OX Software GmbH
 
Internal reference: DOV-3278
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: All versions prior to 2.3.7.2 and 2.2.36.4
Vulnerable component: IMAP and ManageSieve protocol parsers (before and
after login)
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.7.2, 2.2.36.4
Researcher credits: Nick Roessler and Rafi Rubin, University of Pennsylvania
Vendor notification: 2019-04-13
Solution date: 2019-06-05
Public disclosure: 2019-08-28
CVE reference: CVE-2019-11500
CVSS: 8.1 (CVSS3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
 
Vulnerability Details:

IMAP and ManageSieve protocol parsers do not properly handle NUL byte
when scanning data in quoted strings, leading to out of bounds heap
memory writes.

Risk:

This vulnerability allows for out-of-bounds writes to objects stored on
the heap up to 8096 bytes in the pre-login phase, and 65536 bytes in the
post-login phase, allowing a sufficiently skilled attacker to perform
complicated attacks that can lead to leaking private information or remote
code execution. Abuse of this bug is very difficult to observe, as it does
not necessarily cause a crash. Attempts to abuse this bug are not
directly evident from logs.

Steps to reproduce:

This bug is best observed using valgrind to see the out of bounds read
with the following snippet:

perl -e 'print "a id (\"foo\" \"".("x"x1021)."\\A\" \"bar\"
\"\000".("x"x1020)."\\A\")\n"' | nc localhost 143


Solution:

Operators should update to the latest Patch Release. There is no
workaround for the issue.

---

Aki Tuomi

Open-Xchange oy
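The defect in this advisory is a bounds problem in a quoted-string scanner. As an added example, not Dovecot's code, here is a bounded RFC 3501 quoted-string decoder written from the defender's side: it is driven by an explicit input length, so an embedded NUL is rejected as invalid data rather than mistaken for a terminator, and it never writes past the caller's buffer. The function and helper names are assumptions and the sample in main() is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes returned by scan_quoted() (names are this example's own). */
enum quoted_result {
    QUOTED_OK = 0,     /* a complete quoted string was decoded */
    QUOTED_INCOMPLETE, /* closing DQUOTE not seen yet: wait for more input */
    QUOTED_INVALID,    /* NUL, CR, LF or an invalid escape inside the string */
    QUOTED_TOO_LONG    /* decoded value does not fit in the output buffer */
};

/*
 * Decode one IMAP/ManageSieve quoted string (RFC 3501 "quoted") that starts
 * at input[0], which must be the opening DQUOTE.  The decoded value is
 * written to out as a NUL-terminated string and never exceeds out_size
 * bytes.  On QUOTED_OK, *consumed is the number of input bytes used,
 * including both DQUOTEs.
 *
 * The input is bounded by an explicit length instead of strlen(): a NUL byte
 * sent by the client is then seen as data and rejected, rather than being
 * mistaken for the end of the buffer.
 */
enum quoted_result scan_quoted(const unsigned char *input, size_t input_len,
                               char *out, size_t out_size, size_t *consumed)
{
    size_t i, o = 0;

    if (out_size == 0 || input_len == 0 || input[0] != '"')
        return QUOTED_INVALID;

    for (i = 1; i < input_len; i++) {
        unsigned char c = input[i];

        if (c == '"') {
            out[o] = '\0';
            *consumed = i + 1;
            return QUOTED_OK;
        }
        if (c == '\\') {
            /* Strictly per RFC 3501 only \" and \\ are valid escapes
             * (quoted-specials); lenient servers accept more. */
            if (i + 1 >= input_len)
                return QUOTED_INCOMPLETE;
            c = input[++i];
            if (c != '"' && c != '\\')
                return QUOTED_INVALID;
        } else if (c == '\0' || c == '\r' || c == '\n') {
            /* TEXT-CHAR excludes NUL, CR and LF: reject, never skip. */
            return QUOTED_INVALID;
        }
        /* Keep one byte free for the terminating NUL. */
        if (o + 1 >= out_size)
            return QUOTED_TOO_LONG;
        out[o++] = (char)c;
    }
    return QUOTED_INCOMPLETE;
}

/* Helpers with a fixed 16-byte output buffer, used by main() and tests. */
int scan_result(const char *input, size_t input_len)
{
    char buf[16];
    size_t used;
    return (int)scan_quoted((const unsigned char *)input, input_len,
                            buf, sizeof buf, &used);
}

size_t scan_consumed(const char *input, size_t input_len)
{
    char buf[16];
    size_t used = 0;
    if (scan_quoted((const unsigned char *)input, input_len,
                    buf, sizeof buf, &used) != QUOTED_OK)
        return 0;
    return used;
}

int scan_decodes_to(const char *input, size_t input_len, const char *expected)
{
    char buf[16];
    size_t used;
    if (scan_quoted((const unsigned char *)input, input_len,
                    buf, sizeof buf, &used) != QUOTED_OK)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample in the shape the advisory describes: a quoted
     * string whose data begins with a NUL byte.  sizeof - 1 keeps the NUL. */
    static const char sample[] = "\"\000xxxx\\\\\"";
    size_t len = sizeof sample - 1;

    printf("strlen() would see %zu byte(s), the framing gives %zu\n",
           strlen(sample), len);
    printf("scan result: %d (2 = QUOTED_INVALID)\n", scan_result(sample, len));
    return 0;
}
```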








[Dovecot-news] Pigeonhole release v0.5.7.2

2019-08-28 Thread Aki Tuomi via Dovecot-news
Hi!

We are pleased to release Pigeonhole release v0.5.7.2

Tarball is available at

https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.7.2.tar.gz
https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.7.2.tar.gz.sig

Binary packages are available at https://repo.dovecot.org/

Changes
---
* CVE-2019-11500: ManageSieve protocol parser does not properly handle
  NUL byte when scanning data in quoted strings, leading to out of bounds
  heap memory writes. Found by Nick Roessler and Rafi Rubin.

---
Aki Tuomi
Open-Xchange oy






[Dovecot-news] Dovecot release v2.2.36.4

2019-08-28 Thread Aki Tuomi via Dovecot-news
Hi!

We are pleased to release Dovecot release v2.2.36.4

Tarball is available at

https://dovecot.org/releases/2.2/dovecot-2.2.36.4.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.3.36.4.tar.gz.sig

Binary packages are available at https://repo.dovecot.org/

Changes
---
* CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
  when scanning data in quoted strings, leading to out of bounds heap
  memory writes. Found by Nick Roessler and Rafi Rubin.

---
Aki Tuomi
Open-Xchange oy






[Dovecot-news] Dovecot release v2.3.7.2

2019-08-28 Thread Aki Tuomi via Dovecot-news
Hi!

We are pleased to release Dovecot release v2.3.7.2

Tarball is available at

https://dovecot.org/releases/2.3/dovecot-2.3.7.2.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.7.2.tar.gz.sig

Binary packages are available at https://repo.dovecot.org/

Changes
---
* CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
  when scanning data in quoted strings, leading to out of bounds heap
  memory writes. Found by Nick Roessler and Rafi Rubin.

---
Aki Tuomi
Open-Xchange oy







[Dovecot-news] Dovecot release v2.3.7

2019-07-12 Thread Aki Tuomi via Dovecot-news
Hi!

We are pleased to release Dovecot release v2.3.7.

Tarball is available at

https://dovecot.org/releases/2.3/dovecot-2.3.7.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.7.tar.gz.sig

Binary packages are available at https://repo.dovecot.org/

Changes
---

* fts-solr: Removed break-imap-search parameter
+ Added more events for the new statistics, see
  https://doc.dovecot.org/admin_manual/list_of_events/
+ mail-lua: Add IMAP metadata accessors, see
  https://doc.dovecot.org/admin_manual/lua/
+ Add event exporters that allow exporting raw events to log files and
  external systems, see
  https://doc.dovecot.org/configuration_manual/event_export/
+ SNIPPET is now PREVIEW and size has been increased to 200 characters.
+ Add body option to fts_enforced. This triggers building FTS index only
  on body search, and an error using FTS index fails the search rather
  than reads through all the mails.
- Submission/LMTP: Fixed crash when domain argument is invalid in a
  second EHLO/LHLO command.
- Copying/moving mails using Maildir format loses IMAP keywords in the
  destination if the mail also has no system flags.
- mail_attachment_detection_options=add-flags-on-save caused email body
  to be unnecessarily opened when FETCHing mail headers that were
  already cached.
- mail attachment detection keywords not saved with maildir.
- dovecot.index.cache may have grown excessively large in some
  situations. This happened especially when using autoexpunging with
  lazy_expunge folders. Also with mdbox format in general the cache file
  wasn't recreated as often as it should have.
- Autoexpunged mails weren't immediately deleted from the disk. Instead,
  the deletion from disk happened the next time the folder was opened.
  This could have caused unnecessary delays if the opening was done by
  an interactive IMAP session.
- Dovecot's TCP connections sometimes add extra 40ms latency due to not
  enabling TCP_NODELAY. HTTP and SMTP/LMTP connections weren't
  affected, but everything else was. This delay wasn't always visible -
  only in some situations with some message/packet sizes.
- imapc: Fix various crash conditions
- Dovecot builds were not always reproducible.
- login-proxy: With shutdown_clients=no after config reload the
  existing connections could no longer be listed or kicked with doveadm.
- "doveadm proxy kick" with -f parameter caused a crash in some
  situations.
- Auth policy can cause segmentation fault crash during auth process
  shutdown if all auth requests have not been finished.
- Fix various minor bugs leading into incorrect behaviour in mailbox
  list index handling. These rarely caused noticeable problems.
- LDAP auth: Iteration accesses freed memory, possibly crashing
  auth-worker
- local_name { .. } filter in dovecot.conf does not correctly support
  multiple names and wildcards were matched incorrectly.
- replicator: dsync assert-crashes if it can't connect to remote TCP
  server.
- config: Memory leak in config process when ssl_dh setting wasn't
  set and there was no ssl-parameters.dat file.
  This caused config process to die once in a while
  with "out of memory".

---
Aki Tuomi
Open-Xchange oy





[Dovecot-news] Pigeonhole release 0.5.6

2019-04-30 Thread Aki Tuomi via Dovecot-news
Hi!

We are pleased to release Pigeonhole 0.5.6 for Dovecot 2.3.6.

Tarball
https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.6.tar.gz
https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.6.tar.gz.sig

Binary packages can be found from https://repo.dovecot.org/

Changes
+ sieve: Redirect loop prevention is sometimes ineffective. Improve existing
  loop detection by also recognizing the X-Sieve-Redirected-From header in
  incoming messages and dropping redirect actions when it points to the
  sending account. This header is already added by the redirect action, so
  this improvement only adds an additional use of this header.
- sieve: Prevent execution of implicit keep upon temporary failure occurring
  at runtime.

---
Aki Tuomi
Open-Xchange oy




[Dovecot-news] CVE-2019-11499: Submission-login crashes when authentication is started over TLS secured channel and invalid authentication message is sent

2019-04-30 Thread Aki Tuomi via Dovecot-news
Open-Xchange Security Advisory 2019-04-30
Product: Dovecot
Vendor: OX Software GmbH

Internal reference: DOV-3223 (Bug ID)
Vulnerability type: CWE-617
Vulnerable version: 2.3.0 - 2.3.5.2
Vulnerable component: submission-login
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.6
Vendor notification: 2019-03-11
Solution date: 2019-04-23
Public disclosure: 2019-04-30
CVE reference: CVE-2019-11499
CVSS: 7.5 (CVSS3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Submission-login crashes when authentication is started over a TLS secured
channel and an invalid authentication message is sent. This can lead to a
denial-of-service attack by persistent attacker(s).

Workaround:
The authentication crash can be avoided if authentication is done without TLS.

Solution:
Operators should upgrade to a fixed version.




[Dovecot-news] CVE-2019-11494: Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting.

2019-04-30 Thread Aki Tuomi via Dovecot-news
Open-Xchange Security Advisory 2019-04-30
Product: Dovecot
Vendor: OX Software GmbH

Internal reference: DOV-3212 (Bug ID)
Vulnerability type: CWE-476
Vulnerable version: 2.3.0 - 2.3.5.2
Vulnerable component: submission-login
Report confidence: Confirmed
Researcher credits: Marcelo Coelho
Solution status: Fixed by Vendor
Fixed version: 2.3.6
Vendor notification: 2019-03-11
Solution date: 2019-04-23
Public disclosure: 2019-04-30
CVE reference: CVE-2019-11494
CVSS: 7.5 (CVSS3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Submission-login crashes with signal 11 due to a null pointer access when
authentication is aborted by disconnecting. This can lead to a
denial-of-service attack by persistent attacker(s).

Workaround:
There is no available workaround for this issue.

Solution:
Operators should upgrade to a fixed version.




[Dovecot-news] Dovecot release v2.3.6

2019-04-30 Thread Aki Tuomi via Dovecot-news
Hi!

We are pleased to release Dovecot v2.3.6.

Tarball is available at

https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz.sig

Binary packages are available at https://repo.dovecot.org/

Changes
---

* CVE-2019-11494: Submission-login crashed with signal 11 due to null pointer
  access when authentication was aborted by disconnecting.
* CVE-2019-11499: Submission-login crashed when authentication was started over
  TLS secured channel and invalid authentication message was sent.
* auth: Support password grant with passdb oauth2.
+ Use system default CAs for outbound TLS connections.
+ Simplify array handling with new helper macros.
+ fts_solr: Enable configuring batch_size and soft_commit features.
- lmtp/submission: Fixed various bugs in XCLIENT handling, including a hang
  when XCLIENT commands were sent infinitely to the remote server.
- lmtp/submission: Forwarded multi-line replies were erroneously sent as two
  replies to the client.
- lib-smtp: client: Message was not guaranteed to contain CRLF consistently
  when CHUNKING was used.
- fts_solr: Plugin was no longer compatible with Solr 7.
- Make it possible to disable certificate checking without setting
  ssl_client_ca_* settings.
- pop3c: SSL support was broken.
- mysql: Closing connection twice led to a crash on some systems.
- auth: Multiple oauth2 passdbs crashed auth process on deinit.
- HTTP client connection errors infrequently triggered a segmentation fault
  when the connection was idle and not used for a particular client instance.

---
Aki Tuomi
Open-Xchange oy




[Dovecot-news] v2.3.5.2 released

2019-04-18 Thread Aki Tuomi via Dovecot-news
Let's try again, I put the wrong changelog in the mail. Sorry about this.

https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz.sig
Binary packages in https://repo.dovecot.org/

    * CVE-2019-10691: Trying to login with 8bit username containing
      invalid UTF8 input causes auth process to crash if auth policy is
      enabled. This could be used rather easily to cause a DoS. Similar
      crash also happens during mail delivery when using invalid UTF8 in
      From or Subject header when OX push notification driver is used.

---
Aki Tuomi
Open-Xchange oy





Re: [Dovecot-news] v2.2.36.3 released

2019-03-28 Thread Aki Tuomi via Dovecot-news
On 28.3.2019 13.41, Aki Tuomi via dovecot wrote:
> https://dovecot.org/releases/2.3/dovecot-2.2.36.3.tar.gz
> https://dovecot.org/releases/2.3/dovecot-2.2.36.3.tar.gz.sig
>
>     * CVE-2019-7524: Missing input buffer size validation leads into
>       arbitrary buffer overflow when reading fts or pop3 uidl header
>       from Dovecot index. Exploiting this requires direct write access to
>       the index files.
>
> ---
> Aki Tuomi
> Open-Xchange oy
>
Small mistake in the URLs, please use these.

https://dovecot.org/releases/2.2/dovecot-2.2.36.3.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.3.tar.gz.sig

Aki







[Dovecot-news] v2.3.5.1 released

2019-03-28 Thread Aki Tuomi via Dovecot-news
https://dovecot.org/releases/2.3/dovecot-2.3.5.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.5.1.tar.gz.sig
Binary packages in https://repo.dovecot.org/

    * CVE-2019-7524: Missing input buffer size validation leads into
      arbitrary buffer overflow when reading fts or pop3 uidl header
      from Dovecot index. Exploiting this requires direct write access to
      the index files.

---
Aki Tuomi
Open-Xchange oy





[Dovecot-news] CVE-2019-7524: Buffer overflow when reading extension header from dovecot index files

2019-03-28 Thread Aki Tuomi via Dovecot-news
Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-2964 (Bug ID)
Vulnerability type: CWE-120
Vulnerable version: 2.0.14 - 2.3.5
Vulnerable component: fts, pop3-uidl-plugin
Report confidence: Confirmed
Researcher credits: Found in internal testing
Solution status: Fixed by Vendor
Fixed version: 2.3.5.1, 2.2.36.3
Vendor notification: 2019-02-05
Solution date: 2019-03-21
Public disclosure: 2019-03-28
CVE reference: CVE-2019-7524
CVSS: 3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C (8.8)
 
Vulnerability Details:
When reading the FTS or POP3-UIDL header from a dovecot index, the input
buffer size is not bounded, and data is copied to the target structure,
causing a stack overflow.

Risk:
This can be used for local root privilege escalation or executing
arbitrary code in the dovecot process context. This requires the ability
to directly modify dovecot indexes.

Steps to reproduce:
Produce a dovecot.index.log entry that creates an FTS header which has
more than 12 bytes of data.
Trigger the dovecot indexer-worker or run doveadm index.
Dovecot will crash.

Mitigations:
Since 2.3.0 dovecot has been compiled with stack smash protection, ASLR,
read-only GOT tables and other techniques that make exploiting this bug
much harder.

Solution:
Operators should update to the latest Patch Release. The only workaround
is to disable FTS and pop3-uidl plugin.

--
Aki Tuomi
Open-Xchange Oy





[Dovecot-news] v2.2.36.3 released

2019-03-28 Thread Aki Tuomi via Dovecot-news
https://dovecot.org/releases/2.3/dovecot-2.2.36.3.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.2.36.3.tar.gz.sig

    * CVE-2019-7524: Missing input buffer size validation leads into
      arbitrary buffer overflow when reading fts or pop3 uidl header
      from Dovecot index. Exploiting this requires direct write access to
      the index files.

---
Aki Tuomi
Open-Xchange oy



[Dovecot-news] Pigeonhole v0.5.5 released

2019-03-05 Thread Aki Tuomi via Dovecot-news
Hi!

We are happy to release pigeonhole v0.5.5 for dovecot v2.3.5.

Please find sources at

https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.5.tar.gz
https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.5.tar.gz.sig

(Please note that the signing key has been changed for 0.5.5, see 
https://pigeonhole.dovecot.org/download.html for details.)

You can find precompiled binaries at

https://repo.dovecot.org/

NEWS:

+ IMAPSieve: Add new plugin/imapsieve_expunge_discarded setting which causes
  messages discarded by an IMAPSieve script to be expunged immediately, rather
  than only being marked as "\Deleted" (which is still the default behavior).
- IMAPSieve: Fix panic crash occurring when a COPY command copies
  messages from a virtual mailbox where the source messages originate from
  more than a single real mailbox.
- imap4flags extension: Fix deleting all keywords. When the action
  resulted in all keywords being removed, no changes were actually
  applied.
- variables extension: Fix truncation of UTF-8 variable content. The maximum
  size of Sieve variables was enforced by truncating the variable string
  content bluntly at the limit, but this does not consider UTF-8 code point
  boundaries. This resulted in broken UTF-8 strings. This problem also
  surfaced for variable modifiers, such as the ":encodeurl" modifier provided
  by the Sieve "enotify" extension. In that case, the resulting URI escaping
  could also be truncated inappropriately.
- IMAPSieve, IMAP FILTER=SIEVE: Fix replacing a modified message. Sieve scripts
  running in IMAPSIEVE or IMAP FILTER=SIEVE context that modify the message
  stored the message a second time, rather than replacing the originally
  stored unmodified message.
- Fix segmentation fault occurring when both the sieve_extprograms
  plugin (for the Sieve interpreter) and the imap_filter_sieve plugin (for
  IMAP) are loaded at the same time. A symbol was defined by both plugins,
  causing a clash when both were loaded.

---
Aki Tuomi
Open-Xchange Oy




[Dovecot-news] Dovecot v2.3.5 released

2019-03-05 Thread Aki Tuomi via Dovecot-news
Hi!

We are happy to release dovecot v2.3.5.

Please find sources at

https://dovecot.org/releases/2.3/dovecot-2.3.5.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.5.tar.gz.sig

You can find precompiled binaries at

https://repo.dovecot.org/

NEWS:

+ Lua push notification driver: mail keywords and flags are provided in
  MessageNew and MessageAppend events.
+ submission: Implement support for plugins.
+ auth: When auth_policy_log_only=yes, only log what the policy server
  response would do without actually doing it.
+ auth: Always log policy server decisions with auth_verbose=yes
- v2.3.[34]: doveadm log errors: Output was missing user/session
- lda: Debug log lines could have shown slightly corrupted
- login proxy: Login processes may have crashed in various ways when
  login_proxy_max_disconnect_delay was set.
- imap: Fix crash with Maildir+zlib if client disconnects during APPEND
- lmtp proxy: Fix potential assert-crash
- lmtp/submission: Fix crash when SMTP client transaction times out
- submission: Split large XCLIENT commands to 512 bytes per command, so
  Postfix accepts them.
- submission: Fix crash when client sends invalid BURL command
- submission: relay backend: VRFY command: Avoid forwarding 500 and 502
  replies back to client.
- lib-http: Fix potential assert-crash when DNS lookup fails
- lib-fts: Fix search query generation when one language ignores a token
  (e.g. via stopwords).

---
Aki Tuomi
Open-Xchange Oy




Re: [Dovecot-news] Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Aki Tuomi via Dovecot-news
Did I say so? It's known issue and will be fixed in future release.

Aki

> On 05 February 2019 at 22:27 Odhiambo Washington via dovecot <dove...@dovecot.org> wrote:
>
> Oh, so manual compile should NOT work and it's okay or am I missing something?
>
> On Tue, 5 Feb 2019 at 23:26, The Doctor <doc...@doctor.nl2k.ab.ca> wrote:
>
>> On Tue, Feb 05, 2019 at 11:18:45PM +0300, Odhiambo Washington via dovecot wrote:
>>> On Tue, 5 Feb 2019 at 20:32, Aki Tuomi via dovecot <dove...@dovecot.org> wrote:
>>>
>>>> Due to DMARC issues some people have failed to receive the latest security
>>>> information, so here it is repeated for both releases:
>>>>
>>>> 2.3.4.1
>>>>
>>>> https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
>>>> https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig
>>>> Binary packages in https://repo.dovecot.org/
>>>>
>>>> * CVE-2019-3814: If imap/pop3/managesieve/submission client has
>>>>   trusted certificate with missing username field
>>>>   (ssl_cert_username_field), under some configurations Dovecot
>>>>   mistakenly trusts the username provided via authentication instead
>>>>   of failing.
>>>> * ssl_cert_username_field setting was ignored with external SMTP AUTH,
>>>>   because none of the MTAs (Postfix, Exim) currently send the
>>>>   cert_username field. This may have allowed users with trusted
>>>>   certificate to specify any username in the authentication. This bug
>>>>   didn't affect Dovecot's Submission service.
>>>
>>> FreeBSD-11.2 (amd64):
>>>
>>> gmake[2]: Entering directory '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
>>> gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/lib -I../../src/lib-dns
>>> -I../../src/lib-test -I../../src/lib-settings -I../../src/lib-ssl-iostream
>>> -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
>>> -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
>>> -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
>>> -DBINDIR=\""/opt/dovecot2.3/bin"\" -std=gnu99 -g -O2
>>> -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W
>>> -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith
>>> -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime
>>> -Wstrict-aliasing=2 -I/usr/local/include -MT test-event-stats.o -MD -MP
>>> -MF .deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
>>> test-event-stats.c: In function 'kill_stats_child':
>>> test-event-stats.c:101:2: warning: implicit declaration of function 'kill'
>>> [-Wimplicit-function-declaration]
>>> (void)kill(stats_pid, SIGKILL);
>>> ^
>>> test-event-stats.c:101:24: error: 'SIGKILL' undeclared (first use in this
>>> function)
>>> (void)kill(stats_pid, SIGKILL);
>>> ^
>>> test-event-stats.c:101:24: note: each undeclared identifier is reported
>>> only once for each function it appears in
>>> gmake[2]: *** [Makefile:638: test-event-stats.o] Error 1
>>> gmake[2]: Leaving directory '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
>>> gmake[1]: *** [Makefile:565: install-recursive] Error 1
>>> gmake[1]: Leaving directory '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src'
>>> gmake: *** [Makefile:683: install-recursive] Error 1
>>
>> Ports worked for me.
>>
>>> FreeBSD-9.3:
>>>
>>> gmake[3]: Entering directory '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
>>> gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/lib -I../../src/lib-dns
>>> -I../../src/lib-test -I../../src/lib-settings -I../../src/lib-ssl-iostream

Re: [Dovecot-news] Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Aki Tuomi via Dovecot-news
> On 05 February 2019 at 22:18 Odhiambo Washington via dovecot <dove...@dovecot.org> wrote:
>
> On Tue, 5 Feb 2019 at 20:32, Aki Tuomi via dovecot <dove...@dovecot.org> wrote:
>
>> Due to DMARC issues some people have failed to receive the latest security
>> information, so here it is repeated for both releases:
>>
>> 2.3.4.1
>>
>> https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
>> https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig
>> Binary packages in https://repo.dovecot.org/
>>
>> * CVE-2019-3814: If imap/pop3/managesieve/submission client has
>>   trusted certificate with missing username field
>>   (ssl_cert_username_field), under some configurations Dovecot
>>   mistakenly trusts the username provided via authentication instead
>>   of failing.
>> * ssl_cert_username_field setting was ignored with external SMTP AUTH,
>>   because none of the MTAs (Postfix, Exim) currently send the
>>   cert_username field. This may have allowed users with trusted
>>   certificate to specify any username in the authentication. This bug
>>   didn't affect Dovecot's Submission service.
>
> FreeBSD-11.2 (amd64):
>
> gmake[2]: Entering directory '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/lib -I../../src/lib-dns
> -I../../src/lib-test -I../../src/lib-settings -I../../src/lib-ssl-iostream
> -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
> -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
> -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
> -DBINDIR=\""/opt/dovecot2.3/bin"\" -std=gnu99 -g -O2
> -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W
> -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith
> -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime
> -Wstrict-aliasing=2 -I/usr/local/include -MT test-event-stats.o -MD -MP
> -MF .deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
> test-event-stats.c: In function 'kill_stats_child':
> test-event-stats.c:101:2: warning: implicit declaration of function 'kill'
> [-Wimplicit-function-declaration]
> (void)kill(stats_pid, SIGKILL);
> ^
> test-event-stats.c:101:24: error: 'SIGKILL' undeclared (first use in this
> function)
> (void)kill(stats_pid, SIGKILL);
> ^
> test-event-stats.c:101:24: note: each undeclared identifier is reported
> only once for each function it appears in
> gmake[2]: *** [Makefile:638: test-event-stats.o] Error 1
> gmake[2]: Leaving directory '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> gmake[1]: *** [Makefile:565: install-recursive] Error 1
> gmake[1]: Leaving directory '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src'
> gmake: *** [Makefile:683: install-recursive] Error 1

Yes. 2.3.4.1 has only single fix.

Aki

> FreeBSD-9.3:
>
> gmake[3]: Entering directory '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/lib -I../../src/lib-dns
> -I../../src/lib-test -I../../src/lib-settings -I../../src/lib-ssl-iostream
> -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
> -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
> -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
> -DBINDIR=\""/opt/dovecot2.3/bin"\" -std=gnu99 -g -O2 -fstack-protector
> -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes
> -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2
> -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2
> -I/usr/local/include -MT test-event-stats.o -MD -MP -MF
> .deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
> test-event-stats.c: In function 'kill_stats_child':
> test-event-stats.c:101: warning: implicit declaration of function 'kill'
> test-event-stats.c:101: error: 'SIGKILL' undeclared (first use in this
> function)
> test-event-stats.c:101: error: (Each undeclared identifier is reported only
> once
> test-event-stats.c:101: error: for each function it appears in.)

[Dovecot-news] Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Aki Tuomi via Dovecot-news
Due to DMARC issues some people have failed to receive the latest security 
information, so here it is repeated for both releases:

2.3.4.1

https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig

Binary packages in https://repo.dovecot.org/

* CVE-2019-3814: If imap/pop3/managesieve/submission client has
  trusted certificate with missing username field
  (ssl_cert_username_field), under some configurations Dovecot
  mistakenly trusts the username provided via authentication instead
  of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH,
  because none of the MTAs (Postfix, Exim) currently send the
  cert_username field. This may have allowed users with trusted
  certificate to specify any username in the authentication. This bug
  didn't affect Dovecot's Submission service.




2.2.36.1

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig

* CVE-2019-3814: If imap/pop3/managesieve/submission client has
  trusted certificate with missing username field
  (ssl_cert_username_field), under some configurations Dovecot
  mistakenly trusts the username provided via authentication instead
  of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH,
  because none of the MTAs (Postfix, Exim) currently send the
  cert_username field. This may have allowed users with trusted
  certificate to specify any username in the authentication. This bug
  didn't affect Dovecot's Submission service.

- pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
- director: Kicking a user assert-crashes if login process is very slow
- lda/lmtp: Fix assert-crash with some Sieve scripts when
  mail_attachment_detection_options=add-flags-on-save
- fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
- Snippet generation crashed with invalid Content-Type:multipart
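Both CVE-2019-3814 items above come down to one failure mode: a certificate that lacks the configured username field turns into trust in whatever username the client supplied. The following is an added example, not Dovecot's own code, modelling that decision in a constructed form so the fail-closed rule is visible; `ClientCert`, `username_vulnerable`, `username_fixed` and `compare_scenarios` are assumed names for illustration, and `commonName` is used because it is Dovecot's default value for ssl_cert_username_field.

```python
# Constructed model of the CVE-2019-3814 decision; not Dovecot's own code.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ClientCert:
    """Stand-in for a client certificate that passed chain validation."""
    trusted: bool                                 # verified against the CA
    subject: dict = field(default_factory=dict)   # e.g. {"commonName": "alice"}


def username_vulnerable(cert: Optional[ClientCert], username_field: str,
                        sasl_username: str) -> Optional[str]:
    """Behaviour the advisory describes: when the configured certificate
    field is missing, the username the client supplied is trusted instead."""
    if cert is None or not cert.trusted:
        return None
    # BUG: `or` silently falls back to the client-chosen username.
    return cert.subject.get(username_field) or sasl_username


def username_fixed(cert: Optional[ClientCert], username_field: str,
                   sasl_username: str) -> Optional[str]:
    """Fail closed: a trusted certificate without the username field proves
    nothing about identity, so the login fails; a supplied username that
    differs from the certificate's is rejected rather than accepted."""
    if cert is None or not cert.trusted:
        return None
    cert_user = cert.subject.get(username_field)
    if cert_user is None:
        return None                     # missing field: fail, do not fall back
    if sasl_username and sasl_username != cert_user:
        return None                     # mismatch: fail
    return cert_user


def compare_scenarios() -> list:
    """Run both policies over constructed login attempts and return
    (label, vulnerable_result, fixed_result) triples."""
    good = ClientCert(True, {"commonName": "alice"})
    no_field = ClientCert(True, {"organizationName": "Example Mail"})
    cases = [
        ("field present, names agree", good, "alice"),
        ("field present, client claims bob", good, "bob"),
        ("field missing, client claims admin", no_field, "admin"),
    ]
    return [(label, username_vulnerable(c, "commonName", u),
             username_fixed(c, "commonName", u)) for label, c, u in cases]
```

The third scenario is the advisory's case: the vulnerable policy logs in "admin" on the strength of a certificate that never named anyone, while the fixed policy refuses.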