https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has
??? ? trusted certificate with missing username field
??? ? (ssl_cert_username_field), under some configurations Dovecot
??? ? mistakenly trusts the username provided via authentication instead
??? ? of failing.
??? * ssl_cert_username_field setting was ignored with external SMTP AUTH,
??? ? because none of the MTAs (Postfix, Exim) currently send the
??? ? cert_username field. This may have allowed users with trusted
??? ? certificate to specify any username in the authentication. This bug
??? ? didn't affect Dovecot's Submission service.
??? - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
??? - director: Kicking a user assert-crashes if login process is very slow
??? - lda/lmtp: Fix assert-crash with some Sieve scripts when
??? ? mail_attachment_detection_options=add-flags-on-save
??? - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
??? - Snippet generation crashed with invalid Content-Type:multipart
---
Aki Tuomi
Open-Xchange Oy
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot-news/attachments/20190205/b2a6af4f/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL:
<https://dovecot.org/pipermail/dovecot-news/attachments/20190205/b2a6af4f/attachment.sig>
