dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has ??? ? trusted certificate with missing username field ??? ? (ssl_cert_username_field), under some configurations Dovecot ??? ? mistakenly trusts the username provided via authentication instead ??? ? of failing. ??? * ssl_cert_username_field setting was ignored with external SMTP AUTH, ??? ? because none of the MTAs (Postfix, Exim) currently send the ??? ? cert_username field. This may have allowed users with trusted ??? ? certificate to specify any username in the authentication. This bug ??? ? didn't affect Dovecot's Submission service. ??? - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT ??? - director: Kicking a user assert-crashes if login process is very slow ??? - lda/lmtp: Fix assert-crash with some Sieve scripts when ??? ? mail_attachment_detection_options=add-flags-on-save ??? - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file ??? - Snippet generation crashed with invalid Content-Type:multipart --- Aki Tuomi Open-Xchange Oy -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: <dovecot.org/pipermail/dovecot/attachments/20190205/50f399fe/attachment.sig>
Aki, What's the difference between 2.2.x and 2.3.x version of Dovecot? And why do you maintain both? I stopped building RPM's of the 2.2.x version and now only build 2.3.x. Should I be maintaining both? Eric On 2/5/2019 6:01 AM, Aki Tuomi wrote:> dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz > dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig > > ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has > ??? ? trusted certificate with missing username field > ??? ? (ssl_cert_username_field), under some configurations Dovecot > ??? ? mistakenly trusts the username provided via authentication instead > ??? ? of failing. > ??? * ssl_cert_username_field setting was ignored with external SMTP AUTH, > ??? ? because none of the MTAs (Postfix, Exim) currently send the > ??? ? cert_username field. This may have allowed users with trusted > ??? ? certificate to specify any username in the authentication. This bug > ??? ? didn't affect Dovecot's Submission service. > > ??? - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT > ??? - director: Kicking a user assert-crashes if login process is very slow > ??? - lda/lmtp: Fix assert-crash with some Sieve scripts when > ??? ? mail_attachment_detection_options=add-flags-on-save > ??? - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file > ??? - Snippet generation crashed with invalid Content-Type:multipart > > > --- > > Aki Tuomi > Open-Xchange Oy > >-- Eric Broch White Horse Technical Consulting (WHTC)
<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> Hi, </div> <div> <br> </div> <div> as per our EOL statement 2.2.36 receives security and critical updates. That said, we decided to flush few annoying bugs with .1 release. </div> <div> <br> </div> <div> You do not need to build releases for 2.2. </div> <div> <br> </div> <div> Aki </div> <blockquote type="cite"> <div> On 05 February 2019 at 17:36 Eric Broch < <a href="mailto:ebroch@whitehorsetc.com">ebroch@whitehorsetc.com</a>> wrote: </div> <div> <br> </div> <div> <br> </div> <div> Aki, </div> <div> <br> </div> <div> What's the difference between 2.2.x and 2.3.x version of Dovecot? And </div> <div> why do you maintain both? </div> <div> <br> </div> <div> I stopped building RPM's of the 2.2.x version and now only build 2.3.x. </div> <div> Should I be maintaining both? </div> <div> <br> </div> <div> Eric </div> <div> <br> </div> <div> On 2/5/2019 6:01 AM, Aki Tuomi wrote: </div> <blockquote type="cite"> <div> <a href="dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz" rel="noopener" target="_blank">dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz</a> </div> <div> <a href="dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig" rel="noopener" target="_blank">dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig</a> </div> </blockquote> <blockquote type="cite"> <div> * CVE-2019-3814: If imap/pop3/managesieve/submission client has </div> <div> trusted certificate with missing username field </div> <div> (ssl_cert_username_field), under some configurations Dovecot </div> <div> mistakenly trusts the username provided via authentication instead </div> <div> of failing. </div> <div> * ssl_cert_username_field setting was ignored with external SMTP AUTH, </div> <div> because none of the MTAs (Postfix, Exim) currently send the </div> <div> cert_username field. This may have allowed users with trusted </div> <div> certificate to specify any username in the authentication. This bug </div> <div> didn't affect Dovecot's Submission service. </div> </blockquote> <blockquote type="cite"> <div> - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT </div> <div> - director: Kicking a user assert-crashes if login process is very slow </div> <div> - lda/lmtp: Fix assert-crash with some Sieve scripts when </div> <div> mail_attachment_detection_options=add-flags-on-save </div> <div> - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file </div> <div> - Snippet generation crashed with invalid Content-Type:multipart </div> </blockquote> <div> > </div> <blockquote type="cite"> <div> --- </div> </blockquote> <blockquote type="cite"> <div> Aki Tuomi </div> <div> Open-Xchange Oy </div> </blockquote> <div> > </div> <div> -- </div> <div> Eric Broch </div> <div> White Horse Technical Consulting (WHTC) </div> </blockquote> <div> <br> </div> <div class="io-ox-signature"> --- <br>Aki Tuomi </div> </body> </html>
> On February 5, 2019 at 8:36 AM Eric Broch <ebroch at whitehorsetc.com> wrote: > > What's the difference between 2.2.x and 2.3.x version of Dovecot? And > why do you maintain both?dovecot.org/pipermail/dovecot-news/2018-August/000386.html michael
Hello Aki,> dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz > dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig > > - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUITis this in any way related to the problem that has first been reported in march last year: "Duplicate mails on pop3 expunge with dsync replication on 2.2.35 (2.2.33.2 works)" Thanks Gerald
On 5 Feb 2019, at 7.48, Gerald Galster <list+dovecot at gcore.biz> wrote:> > Hello Aki, > >> dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz >> dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig >> >> - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT > > is this in any way related to the problem that has first been reported in march last year: > > "Duplicate mails on pop3 expunge with dsync replication on 2.2.35 (2.2.33.2 works)"Unlikely.
Stephan Bosch
2019-Feb-05 18:07 UTC
[Dovecot-news] Dovecot v2.2.36.1 released (Pigeonhole 0.4.24.1)
Hi, Here is the associated release for Pigeonhole: pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz.sig Binary packages included in repo.dovecot.org + imapsieve: Added imapsieve_expunge_discarded setting which causes discarded messages to be expunged immediately. - Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context that modify the message, store the message a second time, rather than replacing the originally stored unmodified message. - imapsieve: Fix crash when COPYing mails from a virtual mailbox when the source messages originate from more than a single real mailbox - imap_filter_sieve plugin: Implement the missing UID FILTER command. - imap_filter_sieve plugin: Fix FILTER to work with pipelining Regards, Stephan. Op 5-2-2019 om 14:01 schreef Aki Tuomi:> dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz > dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig > > ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has > ??? ? trusted certificate with missing username field > ??? ? (ssl_cert_username_field), under some configurations Dovecot > ??? ? mistakenly trusts the username provided via authentication instead > ??? ? of failing. > ??? * ssl_cert_username_field setting was ignored with external SMTP AUTH, > ??? ? because none of the MTAs (Postfix, Exim) currently send the > ??? ? cert_username field. This may have allowed users with trusted > ??? ? certificate to specify any username in the authentication. This bug > ??? ? didn't affect Dovecot's Submission service. > > ??? - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT > ??? - director: Kicking a user assert-crashes if login process is very slow > ??? - lda/lmtp: Fix assert-crash with some Sieve scripts when > ??? ? mail_attachment_detection_options=add-flags-on-save > ??? - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file > ??? - Snippet generation crashed with invalid Content-Type:multipart > > > --- > > Aki Tuomi > Open-Xchange Oy > >
On 2019-02-05 13:07, Stephan Bosch via dovecot wrote:> Hi, > > Here is the associated release for Pigeonhole: > > pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz > pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz.sig > Binary packages included in repo.dovecot.org > > + imapsieve: Added imapsieve_expunge_discarded setting which causes > discarded messages to be expunged immediately. > - Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context > that > modify the message, store the message a second time, rather than > replacing the originally stored unmodified message. > - imapsieve: Fix crash when COPYing mails from a virtual mailbox > when > the source messages originate from more than a single real > mailbox > - imap_filter_sieve plugin: Implement the missing UID FILTER > command. > - imap_filter_sieve plugin: Fix FILTER to work with pipelining > > > Regards, > > Stephan. > > Op 5-2-2019 om 14:01 schreef Aki Tuomi: >> dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz >> dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig >> >> ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has >> ??? ? trusted certificate with missing username field >> ??? ? (ssl_cert_username_field), under some configurations Dovecot >> ??? ? mistakenly trusts the username provided via authentication >> instead >> ??? ? of failing. >> ??? * ssl_cert_username_field setting was ignored with external SMTP >> AUTH, >> ??? ? because none of the MTAs (Postfix, Exim) currently send the >> ??? ? cert_username field. This may have allowed users with trusted >> ??? ? certificate to specify any username in the authentication. This >> bug >> ??? ? didn't affect Dovecot's Submission service. >> >> ??? - pop3_no_flag_updates=no: Don't expunge RETRed messages without >> QUIT >> ??? - director: Kicking a user assert-crashes if login process is >> very slow >> ??? - lda/lmtp: Fix assert-crash with some Sieve scripts when >> ??? ? mail_attachment_detection_options=add-flags-on-save >> ??? - fs-compress: Using maybe-gz assert-crashed when reading 0 sized >> file >> ??? - Snippet generation crashed with invalid Content-Type:multipart >> >> >> --- >> >> Aki Tuomi >> Open-Xchange Oy >> >>Is there going to be an equivalent 0.5.4.1 release with the same functionality but for Dovecot 2.3.x? Michael
Hi, Stephan Bosch via dovecot, 05.02.19:> Here is the associated release for Pigeonhole:With the line deb xi.dovecot.fi/debian stable-auto/dovecot-2.2 main in my /etc/apt/sources.list, apt update fails with a Hash sum mismatch: Err:14 xi.dovecot.fi/debian stable-auto/dovecot-2.2/main amd64 Packages Hash Sum mismatch Hashes of expected file: - Filesize:20770 [weak] - SHA512:e2272b4dc431f5fae85f96f80170f20e5e2e955bc288b1ac28d447ad06eaf9336bf5131ea9cdf178e36fc46e5986b5baff4eabdd562c665b97e762c4f44c0b06 - SHA256:936acd204d9b147225f763fb136e3a673d9003960a2104319b414a6602bb28a5 - SHA1:363e915b19b242b4011c01e6d2dc177e06414733 [weak] - MD5Sum:0f56fd080c93b5257e39e979335e5582 [weak] Hashes of received file: - SHA512:76306aaddd2f48a526a9a3b8cb8c4cf1b3b10f3f13cdd8fcf50d1969f95e0c0a6e44df94fc0f36b7efcf8ad1718f4dd78b6db97d962a192a72f700e99e7647a8 - SHA256:5b31992a7ed1a356c666dacf08d3e45fe5de527d177ecfb4c0079fc238d6d3f3 - SHA1:9dfb0af157863b2d916eedb8faf16739151698c1 [weak] - MD5Sum:4f047a8fc01ba5b7645ef63244972068 [weak] - Filesize:17109 [weak] Last modification reported: Tue, 05 Feb 2019 14:48:20 +0000 Release file created at: Tue, 05 Feb 2019 14:35:10 +0000 Could you please check this? TIA & Regards, Christian -- No signature available. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5419 bytes Desc: S/MIME Cryptographic Signature URL: <dovecot.org/pipermail/dovecot/attachments/20190207/08e6e969/attachment.p7s>