https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig

    * CVE-2019-3814: If imap/pop3/managesieve/submission client has
      trusted certificate with missing username field
      (ssl_cert_username_field), under some configurations Dovecot
      mistakenly trusts the username provided via authentication instead
      of failing.
    * ssl_cert_username_field setting was ignored with external SMTP AUTH,
      because none of the MTAs (Postfix, Exim) currently send the
      cert_username field. This may have allowed users with trusted
      certificate to specify any username in the authentication. This bug
      didn't affect Dovecot's Submission service.

    - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
    - director: Kicking a user assert-crashes if login process is very slow
    - lda/lmtp: Fix assert-crash with some Sieve scripts when
      mail_attachment_detection_options=add-flags-on-save
    - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
    - Snippet generation crashed with invalid Content-Type:multipart

---
Aki Tuomi
Open-Xchange Oy
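Added example, not part of the original announcement and not Dovecot's code: a simplified C model of the failure mode in the two security entries above, showing a login decision that falls back to the client-supplied username beside one that fails closed. The struct, the function names, the username_from_cert flag and the sample requests are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a login decision; all names here are hypothetical. */
struct login_request {
    int cert_trusted;          /* client certificate verified against a trusted CA */
    const char *cert_username; /* value of the configured certificate field; NULL if the
                                  certificate lacks it or an external MTA never sent it */
    const char *auth_username; /* username the client supplied during authentication */
};

/* Constructed sample inputs. */
const struct login_request NO_FIELD   = {1, NULL,    "admin"};
const struct login_request WITH_FIELD = {1, "alice", "admin"};
const struct login_request UNTRUSTED  = {0, "alice", "alice"};

/* Flawed: a missing certificate username silently falls back to the
 * client-supplied name. Returns the login name, or NULL to reject. */
const char *login_name_flawed(int username_from_cert, const struct login_request *r)
{
    if (username_from_cert && !r->cert_trusted)
        return NULL;
    if (username_from_cert && r->cert_username != NULL)
        return r->cert_username;
    return r->auth_username; /* the fallback is the defect */
}

/* Fail closed: when the name must come from the certificate, an absent or
 * empty field is a login failure, never a fallback. */
const char *login_name_strict(int username_from_cert, const struct login_request *r)
{
    if (!username_from_cert)
        return r->auth_username;
    if (!r->cert_trusted || r->cert_username == NULL || r->cert_username[0] == '\0')
        return NULL;
    return r->cert_username;
}

int main(void)
{
    const struct login_request *samples[] = {&NO_FIELD, &WITH_FIELD, &UNTRUSTED};
    for (size_t i = 0; i < 3; i++) {
        const char *a = login_name_flawed(1, samples[i]);
        const char *b = login_name_strict(1, samples[i]);
        printf("flawed: %-10s strict: %s\n", a ? a : "(rejected)", b ? b : "(rejected)");
    }
    return 0;
}
```

The NO_FIELD request is the case both entries describe: the certificate is trusted but carries no username, so the only safe outcome is a rejected login.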
Aki,

What's the difference between 2.2.x and 2.3.x version of Dovecot? And why do you maintain both?

I stopped building RPM's of the 2.2.x version and now only build 2.3.x. Should I be maintaining both?

Eric

On 2/5/2019 6:01 AM, Aki Tuomi wrote:
> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
>
>     * CVE-2019-3814: If imap/pop3/managesieve/submission client has
>       trusted certificate with missing username field
>       (ssl_cert_username_field), under some configurations Dovecot
>       mistakenly trusts the username provided via authentication instead
>       of failing.
>     * ssl_cert_username_field setting was ignored with external SMTP AUTH,
>       because none of the MTAs (Postfix, Exim) currently send the
>       cert_username field. This may have allowed users with trusted
>       certificate to specify any username in the authentication. This bug
>       didn't affect Dovecot's Submission service.
>
>     - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
>     - director: Kicking a user assert-crashes if login process is very slow
>     - lda/lmtp: Fix assert-crash with some Sieve scripts when
>       mail_attachment_detection_options=add-flags-on-save
>     - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
>     - Snippet generation crashed with invalid Content-Type:multipart
>
> ---
> Aki Tuomi
> Open-Xchange Oy

--
Eric Broch
White Horse Technical Consulting (WHTC)
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
Hi,
</div>
<div>
<br>
</div>
<div>
as per our EOL statement 2.2.36 receives security and critical updates. That
said, we decided to flush a few annoying bugs with the .1 release.
</div>
<div>
<br>
</div>
<div>
You do not need to build releases for 2.2.
</div>
<div>
<br>
</div>
<div>
Aki
</div>
<blockquote type="cite">
<div>
On 05 February 2019 at 17:36 Eric Broch &lt;<a
href="mailto:ebroch@whitehorsetc.com">ebroch@whitehorsetc.com</a>&gt;
wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
Aki,
</div>
<div>
<br>
</div>
<div>
What's the difference between 2.2.x and 2.3.x version of Dovecot? And
</div>
<div>
why do you maintain both?
</div>
<div>
<br>
</div>
<div>
I stopped building RPM's of the 2.2.x version and now only build 2.3.x.
</div>
<div>
Should I be maintaining both?
</div>
<div>
<br>
</div>
<div>
Eric
</div>
<div>
<br>
</div>
<div>
On 2/5/2019 6:01 AM, Aki Tuomi wrote:
</div>
<blockquote type="cite">
<div>
<a
href="https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz"
rel="noopener"
target="_blank">https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz</a>
</div>
<div>
<a
href="https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig"
rel="noopener"
target="_blank">https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig</a>
</div>
</blockquote>
<blockquote type="cite">
<div>
* CVE-2019-3814: If imap/pop3/managesieve/submission client has
</div>
<div>
trusted certificate with missing username field
</div>
<div>
(ssl_cert_username_field), under some configurations Dovecot
</div>
<div>
mistakenly trusts the username provided via authentication instead
</div>
<div>
of failing.
</div>
<div>
* ssl_cert_username_field setting was ignored with external SMTP AUTH,
</div>
<div>
because none of the MTAs (Postfix, Exim) currently send the
</div>
<div>
cert_username field. This may have allowed users with trusted
</div>
<div>
certificate to specify any username in the authentication. This bug
</div>
<div>
didn't affect Dovecot's Submission service.
</div>
</blockquote>
<blockquote type="cite">
<div>
- pop3_no_flag_updates=no: Don't expunge RETRed messages without
QUIT
</div>
<div>
- director: Kicking a user assert-crashes if login process is very slow
</div>
<div>
- lda/lmtp: Fix assert-crash with some Sieve scripts when
</div>
<div>
mail_attachment_detection_options=add-flags-on-save
</div>
<div>
- fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
</div>
<div>
- Snippet generation crashed with invalid Content-Type:multipart
</div>
</blockquote>
<blockquote type="cite">
<div>
---
</div>
</blockquote>
<blockquote type="cite">
<div>
Aki Tuomi
</div>
<div>
Open-Xchange Oy
</div>
</blockquote>
<div>
--
</div>
<div>
Eric Broch
</div>
<div>
White Horse Technical Consulting (WHTC)
</div>
</blockquote>
<div>
<br>
</div>
<div class="io-ox-signature">
---
<br>Aki Tuomi
</div>
</body>
</html>
> On February 5, 2019 at 8:36 AM Eric Broch <ebroch at whitehorsetc.com> wrote:
>
> What's the difference between 2.2.x and 2.3.x version of Dovecot? And
> why do you maintain both?

https://dovecot.org/pipermail/dovecot-news/2018-August/000386.html

michael
Hello Aki,

> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
>
> - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT

is this in any way related to the problem that has first been reported in March last year:

"Duplicate mails on pop3 expunge with dsync replication on 2.2.35 (2.2.33.2 works)"

Thanks
Gerald
On 5 Feb 2019, at 7.48, Gerald Galster <list+dovecot at gcore.biz> wrote:
>
> Hello Aki,
>
>> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
>> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
>>
>> - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
>
> is this in any way related to the problem that has first been reported in March last year:
>
> "Duplicate mails on pop3 expunge with dsync replication on 2.2.35 (2.2.33.2 works)"

Unlikely.
Stephan Bosch
2019-Feb-05 18:07 UTC
[Dovecot-news] Dovecot v2.2.36.1 released (Pigeonhole 0.4.24.1)
Hi,
Here is the associated release for Pigeonhole:
https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz
https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz.sig
Binary packages included in https://repo.dovecot.org/
+ imapsieve: Added imapsieve_expunge_discarded setting which causes
  discarded messages to be expunged immediately.
- Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context that
  modify the message, store the message a second time, rather than
  replacing the originally stored unmodified message.
- imapsieve: Fix crash when COPYing mails from a virtual mailbox when
  the source messages originate from more than a single real mailbox
- imap_filter_sieve plugin: Implement the missing UID FILTER command.
- imap_filter_sieve plugin: Fix FILTER to work with pipelining
Regards,
Stephan.
On 5-2-2019 at 14:01, Aki Tuomi wrote:
> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
>
>     * CVE-2019-3814: If imap/pop3/managesieve/submission client has
>       trusted certificate with missing username field
>       (ssl_cert_username_field), under some configurations Dovecot
>       mistakenly trusts the username provided via authentication instead
>       of failing.
>     * ssl_cert_username_field setting was ignored with external SMTP AUTH,
>       because none of the MTAs (Postfix, Exim) currently send the
>       cert_username field. This may have allowed users with trusted
>       certificate to specify any username in the authentication. This bug
>       didn't affect Dovecot's Submission service.
>
>     - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
>     - director: Kicking a user assert-crashes if login process is very slow
>     - lda/lmtp: Fix assert-crash with some Sieve scripts when
>       mail_attachment_detection_options=add-flags-on-save
>     - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
>     - Snippet generation crashed with invalid Content-Type:multipart
>
> ---
> Aki Tuomi
> Open-Xchange Oy
On 2019-02-05 13:07, Stephan Bosch via dovecot wrote:
> Hi,
>
> Here is the associated release for Pigeonhole:
>
> https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz
> https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz.sig
> Binary packages included in https://repo.dovecot.org/
>
> + imapsieve: Added imapsieve_expunge_discarded setting which causes
>   discarded messages to be expunged immediately.
> - Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context that
>   modify the message, store the message a second time, rather than
>   replacing the originally stored unmodified message.
> - imapsieve: Fix crash when COPYing mails from a virtual mailbox when
>   the source messages originate from more than a single real mailbox
> - imap_filter_sieve plugin: Implement the missing UID FILTER command.
> - imap_filter_sieve plugin: Fix FILTER to work with pipelining
>
> Regards,
>
> Stephan.
>
> On 5-2-2019 at 14:01, Aki Tuomi wrote:
>> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
>> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
>>
>>     * CVE-2019-3814: If imap/pop3/managesieve/submission client has
>>       trusted certificate with missing username field
>>       (ssl_cert_username_field), under some configurations Dovecot
>>       mistakenly trusts the username provided via authentication instead
>>       of failing.
>>     * ssl_cert_username_field setting was ignored with external SMTP AUTH,
>>       because none of the MTAs (Postfix, Exim) currently send the
>>       cert_username field. This may have allowed users with trusted
>>       certificate to specify any username in the authentication. This bug
>>       didn't affect Dovecot's Submission service.
>>
>>     - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
>>     - director: Kicking a user assert-crashes if login process is very slow
>>     - lda/lmtp: Fix assert-crash with some Sieve scripts when
>>       mail_attachment_detection_options=add-flags-on-save
>>     - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
>>     - Snippet generation crashed with invalid Content-Type:multipart
>>
>> ---
>> Aki Tuomi
>> Open-Xchange Oy

Is there going to be an equivalent 0.5.4.1 release with the same functionality but for Dovecot 2.3.x?

Michael
Hi,

Stephan Bosch via dovecot, 05.02.19:
> Here is the associated release for Pigeonhole:

With the line

    deb http://xi.dovecot.fi/debian/ stable-auto/dovecot-2.2 main

in my /etc/apt/sources.list, apt update fails with a Hash sum mismatch:

    Err:14 http://xi.dovecot.fi/debian stable-auto/dovecot-2.2/main amd64 Packages
      Hash Sum mismatch
      Hashes of expected file:
       - Filesize:20770 [weak]
       - SHA512:e2272b4dc431f5fae85f96f80170f20e5e2e955bc288b1ac28d447ad06eaf9336bf5131ea9cdf178e36fc46e5986b5baff4eabdd562c665b97e762c4f44c0b06
       - SHA256:936acd204d9b147225f763fb136e3a673d9003960a2104319b414a6602bb28a5
       - SHA1:363e915b19b242b4011c01e6d2dc177e06414733 [weak]
       - MD5Sum:0f56fd080c93b5257e39e979335e5582 [weak]
      Hashes of received file:
       - SHA512:76306aaddd2f48a526a9a3b8cb8c4cf1b3b10f3f13cdd8fcf50d1969f95e0c0a6e44df94fc0f36b7efcf8ad1718f4dd78b6db97d962a192a72f700e99e7647a8
       - SHA256:5b31992a7ed1a356c666dacf08d3e45fe5de527d177ecfb4c0079fc238d6d3f3
       - SHA1:9dfb0af157863b2d916eedb8faf16739151698c1 [weak]
       - MD5Sum:4f047a8fc01ba5b7645ef63244972068 [weak]
       - Filesize:17109 [weak]
      Last modification reported: Tue, 05 Feb 2019 14:48:20 +0000
      Release file created at: Tue, 05 Feb 2019 14:35:10 +0000

Could you please check this?

TIA & Regards,
Christian

--
No signature available.