Hi,

This is an "important fixes only" release in case you don't want to upgrade to v2.3.15. There is no matching Pigeonhole release - use the same v2.3.14 instead.

https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz.sig

Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot

* CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker-controlled keys to validate tokens, if the attacker has local access.
* CVE-2021-33515: On-path attacker could have injected plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client.
- lib-index: Corrupted mime.parts in dovecot.index.cache may have resulted in Panic: file imap-bodystructure.c: line 206 (part_write_body): assertion failed: (text == ((part->flags & MESSAGE_PART_FLAG_TEXT) != 0))
- imap: SETMETADATA could not be used to unset metadata values. Instead NIL was handled as a "NIL" string. v2.3.14 regression.
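An added illustration of the STARTTLS item above (this is not code from the announcement or from Dovecot): a toy tagged-command loop over one constructed plaintext socket read, run once the way the vulnerable pattern behaves and once with the standard fix, which is to discard any bytes already buffered when STARTTLS is processed and to log that it happened. The function name, the log message and the sample read are assumptions made for the example; the general rule (a server must not carry plaintext-received input across the TLS transition) is the same one the STARTTLS RFCs state.

```python
import logging

logger = logging.getLogger("starttls-boundary")


def process_read(read_chunk: bytes, discard_after_starttls: bool):
    """Run a minimal tagged-command loop over one plaintext socket read.

    Returns (executed, alerts):
      executed - list of (tag, command, inside_tls) in the order commands ran
      alerts   - log lines a hardened server would emit

    inside_tls is True when the server *believes* the command arrived under
    TLS. With discard_after_starttls=False, bytes that were already buffered
    in plaintext when STARTTLS ran are wrongly executed with inside_tls=True;
    that is the bug class described for CVE-2021-33515.
    """
    executed = []
    alerts = []
    tls_active = False
    buf = read_chunk

    while b"\r\n" in buf:
        line, buf = buf.split(b"\r\n", 1)
        tag, _, command = line.decode("ascii", "replace").partition(" ")

        if command.strip().upper() == "STARTTLS":
            executed.append((tag, "STARTTLS", tls_active))
            # Simulated TLS handshake: from here on the server treats input as
            # protected. Anything still in `buf` was received in plaintext and
            # must not survive the transition.
            tls_active = True
            if buf and discard_after_starttls:
                msg = (f"discarding {len(buf)} plaintext byte(s) received "
                       f"after STARTTLS: {buf!r}")
                logger.warning(msg)  # worth alerting on: it should never happen
                alerts.append(msg)
                buf = b""
            continue

        executed.append((tag, command, tls_active))

    return executed, alerts


# Constructed input (not captured traffic): one TCP read holding a STARTTLS
# command followed by a second command that was never sent under TLS.
CONSTRUCTED_READ = b"a001 STARTTLS\r\na002 NOOP\r\n"


if __name__ == "__main__":
    for hardened in (False, True):
        executed, alerts = process_read(CONSTRUCTED_READ, hardened)
        print(f"discard_after_starttls={hardened}: "
              f"executed={executed} alerts={alerts}")
```

In the unhardened run the second command is executed with inside_tls=True even though it arrived before the handshake; in the hardened run it is dropped and a warning is logged, which is also the event a detection rule would key on, since a well-behaved client never pipelines anything after STARTTLS.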
On Jun 21, 2021, at 7:21 AM, Timo Sirainen <timo at sirainen.com> wrote:
> This is an "important fixes only" release in case you don't want to upgrade to v2.3.15. There is no matching Pigeonhole release - use the same v2.3.14 instead.

Need this small patch to build on newer macOS:

--- src/lib/ioloop-notify-kqueue.c.orig 2021-06-14 07:56:46.000000000 -0400 +++ src/lib/ioloop-notify-kqueue.c 2021-06-21 12:10:16.000000000 -0400 @@ -11,6 +11,7 @@ #include "ioloop-private.h" #include "llist.h" +#include "time-util.h" #include <unistd.h> #include <fcntl.h> #include <sys/types.h>

or it will error with:

ioloop-notify-kqueue.c:70:2: error: implicit declaration of function 'i_gettimeofday' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
        i_gettimeofday(&ioloop_timeval);
        ^

-- 
Daniel J. Luke
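Review bot: the added `#include "time-util.h"` is the right fix for the implicit declaration of `i_gettimeofday` at line 70, but the failure is not specific to macOS: the error is produced by `-Werror` together with `-Wimplicit-function-declaration`, so any compiler invocation with those flags will reject the file, and the include belongs in the upstream source rather than in a platform-local patch. Placing it with the other project headers ("ioloop-private.h", "llist.h") ahead of the system includes matches the surrounding order in the hunk.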
On Mon, Jun 21, 2021 at 1:24 PM Timo Sirainen <timo at sirainen.com> wrote:
> Binary packages in https://repo.dovecot.org/

The repository https://repo.dovecot.org/ce-2.3.14 does not contain the latest binary package for version 2.3.14.1, as one would expect. The only way to get this package seems to be by changing to the more specific repository `ce-2.3.14.1`? `ce-2.3-latest` only provides 2.3.15, so using that repository with pinning also does not seem like an alternative.

Will 2.3.14.1 become available in https://repo.dovecot.org/ce-2.3.14, or is there another repository one should use if you want security updates whilst staying on a specific version?

- Eirik