<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> Hi, </div> <div> <br> </div> <div> as per our EOL statement 2.2.36 receives security and critical updates. That said, we decided to flush few annoying bugs with .1 release. </div> <div> <br> </div> <div> You do not need to build releases for 2.2. </div> <div> <br> </div> <div> Aki </div> <blockquote type="cite"> <div> On 05 February 2019 at 17:36 Eric Broch < <a href="mailto:ebroch@whitehorsetc.com">ebroch@whitehorsetc.com</a>> wrote: </div> <div> <br> </div> <div> <br> </div> <div> Aki, </div> <div> <br> </div> <div> What's the difference between 2.2.x and 2.3.x version of Dovecot? And </div> <div> why do you maintain both? </div> <div> <br> </div> <div> I stopped building RPM's of the 2.2.x version and now only build 2.3.x. </div> <div> Should I be maintaining both? </div> <div> <br> </div> <div> Eric </div> <div> <br> </div> <div> On 2/5/2019 6:01 AM, Aki Tuomi wrote: </div> <blockquote type="cite"> <div> <a href="https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz" rel="noopener" target="_blank">https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz</a> </div> <div> <a href="https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig" rel="noopener" target="_blank">https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig</a> </div> </blockquote> <blockquote type="cite"> <div> * CVE-2019-3814: If imap/pop3/managesieve/submission client has </div> <div> trusted certificate with missing username field </div> <div> (ssl_cert_username_field), under some configurations Dovecot </div> <div> mistakenly trusts the username provided via authentication instead </div> <div> of failing. </div> <div> * ssl_cert_username_field setting was ignored with external SMTP AUTH, </div> <div> because none of the MTAs (Postfix, Exim) currently send the </div> <div> cert_username field. This may have allowed users with trusted </div> <div> certificate to specify any username in the authentication. 
This bug </div> <div> didn't affect Dovecot's Submission service. </div> </blockquote> <blockquote type="cite"> <div> - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT </div> <div> - director: Kicking a user assert-crashes if login process is very slow </div> <div> - lda/lmtp: Fix assert-crash with some Sieve scripts when </div> <div> mail_attachment_detection_options=add-flags-on-save </div> <div> - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file </div> <div> - Snippet generation crashed with invalid Content-Type:multipart </div> </blockquote> <div> > </div> <blockquote type="cite"> <div> --- </div> </blockquote> <blockquote type="cite"> <div> Aki Tuomi </div> <div> Open-Xchange Oy </div> </blockquote> <div> > </div> <div> -- </div> <div> Eric Broch </div> <div> White Horse Technical Consulting (WHTC) </div> </blockquote> <div> <br> </div> <div class="io-ox-signature"> --- <br>Aki Tuomi </div> </body> </html>
Thank you!

On 2/5/2019 8:43 AM, Aki Tuomi wrote:
> Hi,
>
> as per our EOL statement 2.2.36 receives security and critical
> updates. That said, we decided to flush few annoying bugs with .1
> release.
>
> You do not need to build releases for 2.2.
>
> Aki
>> On 05 February 2019 at 17:36 Eric Broch <ebroch at whitehorsetc.com> wrote:
>>
>>
>> Aki,
>>
>> What's the difference between 2.2.x and 2.3.x version of Dovecot? And
>> why do you maintain both?
>>
>> I stopped building RPM's of the 2.2.x version and now only build 2.3.x.
>> Should I be maintaining both?
>>
>> Eric
>>
>> On 2/5/2019 6:01 AM, Aki Tuomi wrote:
>>> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
>>> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
>>>
>>>  * CVE-2019-3814: If imap/pop3/managesieve/submission client has
>>>    trusted certificate with missing username field
>>>    (ssl_cert_username_field), under some configurations Dovecot
>>>    mistakenly trusts the username provided via authentication instead
>>>    of failing.
>>>  * ssl_cert_username_field setting was ignored with external SMTP AUTH,
>>>    because none of the MTAs (Postfix, Exim) currently send the
>>>    cert_username field. This may have allowed users with trusted
>>>    certificate to specify any username in the authentication. This bug
>>>    didn't affect Dovecot's Submission service.
>>>
>>>  - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
>>>  - director: Kicking a user assert-crashes if login process is very slow
>>>  - lda/lmtp: Fix assert-crash with some Sieve scripts when
>>>    mail_attachment_detection_options=add-flags-on-save
>>>  - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
>>>  - Snippet generation crashed with invalid Content-Type:multipart
>>>
>>> ---
>>> Aki Tuomi
>>> Open-Xchange Oy
>>
>> --
>> Eric Broch
>> White Horse Technical Consulting (WHTC)
>
> ---
> Aki Tuomi

--
Eric Broch
White Horse Technical Consulting (WHTC)
For some reason Aki's posts are not making it to my GMail account from this list. Any idea why?

On Tue, Feb 5, 2019 at 10:04 AM Eric Broch <ebroch at whitehorsetc.com> wrote:
> Thank you!
> On 2/5/2019 8:43 AM, Aki Tuomi wrote:
>
> Hi,
>
> as per our EOL statement 2.2.36 receives security and critical updates.
> That said, we decided to flush few annoying bugs with .1 release.
>
> You do not need to build releases for 2.2.
>
> Aki
>
> On 05 February 2019 at 17:36 Eric Broch <ebroch at whitehorsetc.com> wrote:
>
>
> Aki,
>
> What's the difference between 2.2.x and 2.3.x version of Dovecot? And
> why do you maintain both?
>
> I stopped building RPM's of the 2.2.x version and now only build 2.3.x.
> Should I be maintaining both?
>
> Eric
>
> On 2/5/2019 6:01 AM, Aki Tuomi wrote:
>
> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
>
>  * CVE-2019-3814: If imap/pop3/managesieve/submission client has
>    trusted certificate with missing username field
>    (ssl_cert_username_field), under some configurations Dovecot
>    mistakenly trusts the username provided via authentication instead
>    of failing.
>  * ssl_cert_username_field setting was ignored with external SMTP AUTH,
>    because none of the MTAs (Postfix, Exim) currently send the
>    cert_username field. This may have allowed users with trusted
>    certificate to specify any username in the authentication. This bug
>    didn't affect Dovecot's Submission service.
>
>  - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
>  - director: Kicking a user assert-crashes if login process is very slow
>  - lda/lmtp: Fix assert-crash with some Sieve scripts when
>    mail_attachment_detection_options=add-flags-on-save
>  - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
>  - Snippet generation crashed with invalid Content-Type:multipart
>
> ---
> Aki Tuomi
> Open-Xchange Oy
>
> --
> Eric Broch
> White Horse Technical Consulting (WHTC)
>
> ---
> Aki Tuomi
>
> --
> Eric Broch
> White Horse Technical Consulting (WHTC)

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 (c)
E-Mail: larryrtx at gmail.com
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106
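
The CVE-2019-3814 entry in the quoted announcement describes a fail-open identity decision: a trusted client certificate lacks the username field, and the name given in authentication is accepted instead of the login failing. The following C model is an added example, not Dovecot source and not part of the thread; `struct login_ctx`, its fields and both functions are hypothetical names, and the `username_from_cert` flag stands in for the "some configurations" the announcement mentions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the decision, with hypothetical names (not Dovecot code). */
struct login_ctx {
    bool username_from_cert;   /* assumed setup: login name must come from the cert */
    const char *cert_username; /* value of ssl_cert_username_field, NULL if absent */
    const char *auth_username; /* name the client supplied during authentication */
};

static bool has_value(const char *s)
{
    return s != NULL && s[0] != '\0';
}

/* Fail-open: a missing certificate field silently falls back to the
 * client-supplied name, which is the behaviour the announcement describes. */
static const char *resolve_user_fail_open(const struct login_ctx *c)
{
    if (c->username_from_cert && has_value(c->cert_username))
        return c->cert_username;
    return c->auth_username;
}

/* Fail-closed: when the name must come from the certificate, a missing or
 * empty field is an authentication failure (NULL), never a fallback. */
static const char *resolve_user_fail_closed(const struct login_ctx *c)
{
    if (!c->username_from_cert)
        return c->auth_username;
    return has_value(c->cert_username) ? c->cert_username : NULL;
}

int main(void)
{
    /* Constructed case: trusted certificate without the username field. */
    struct login_ctx missing = { true, NULL, "admin" };
    const char *open_user = resolve_user_fail_open(&missing);
    const char *closed_user = resolve_user_fail_closed(&missing);

    printf("fail-open:   %s\n", open_user ? open_user : "(login rejected)");
    printf("fail-closed: %s\n", closed_user ? closed_user : "(login rejected)");
    return 0;
}
```
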