Hi!

We are pleased to release Dovecot v2.3.6. Tarball is available at

https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz.sig

Binary packages are available at https://repo.dovecot.org/

Changes
-------

* CVE-2019-11494: Submission-login crashed with signal 11 due to null
  pointer access when authentication was aborted by disconnecting.
* CVE-2019-11499: Submission-login crashed when authentication was
  started over TLS secured channel and invalid authentication message
  was sent.
* auth: Support password grant with passdb oauth2.
+ Use system default CAs for outbound TLS connections.
+ Simplify array handling with new helper macros.
+ fts_solr: Enable configuring batch_size and soft_commit features.
- lmtp/submission: Fixed various bugs in XCLIENT handling, including a
  hang when XCLIENT commands were sent infinitely to the remote server.
- lmtp/submission: Forwarded multi-line replies were erroneously sent
  as two replies to the client.
- lib-smtp: client: Message was not guaranteed to contain CRLF
  consistently when CHUNKING was used.
- fts_solr: Plugin was no longer compatible with Solr 7.
- Make it possible to disable certificate checking without setting
  ssl_client_ca_* settings.
- pop3c: SSL support was broken.
- mysql: Closing connection twice led to crash on some systems.
- auth: Multiple oauth2 passdbs crashed auth process on deinit.
- HTTP client connection errors infrequently triggered a segmentation
  fault when the connection was idle and not used for a particular
  client instance.

---
Aki Tuomi
Open-Xchange oy
On 30/04/2019 14:21, Aki Tuomi via dovecot wrote:
> https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz

Trivial but...

"mail-index-transaction-update.c", line 198: void function cannot return value

Thanks.

-------------- next part --------------
--- ../original/src/lib-index/mail-index-transaction-update.c 2019-04-30 13:25:06.000000000 +0000 +++ src/lib-index/mail-index-transaction-update.c 2019-04-30 14:49:09.517684762 +0000 @@ -195,7 +195,8 @@ uint32_t first_uid, ARRAY_TYPE(seq_range) *uids_r) { - return mail_index_append_finish_uids_full(t, first_uid, first_uid, uids_r); + mail_index_append_finish_uids_full(t, first_uid, first_uid, uids_r); + return; } void mail_index_append_finish_uids_full(struct mail_index_transaction *t,
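Review bot: the added `+ return;` just before the closing brace is redundant, because control falls off the end of a void function anyway; the replacement can be the bare call `mail_index_append_finish_uids_full(t, first_uid, first_uid, uids_r);` on its own. The removed form, a `return` with an expression inside a function whose return type is void, is a constraint violation in ISO C even when the expression is itself a void call. Some compilers accept it as an extension, which is how it went unnoticed until a stricter compiler reported "void function cannot return value"; building with pedantic warnings enabled in CI would catch the same pattern elsewhere in the tree.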
> On 30 April 2019 17:20 James via dovecot <dovecot at dovecot.org> wrote:
>
> On 30/04/2019 14:21, Aki Tuomi via dovecot wrote:
>
> > https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz
>
> Trivial but...
>
> "mail-index-transaction-update.c", line 198: void function cannot return
> value
>
> Thanks.

Thanks!

Aki
On 30 Apr 2019, at 07:21, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:
> We are pleased to release Dovecot v2.3.6.

pkg audit shows the following, not mentioned in the changes:

dovecot-2.3.5.1 is vulnerable:
dovecot -- json encoder crash
CVE: CVE-2019-10691
WWW: https://vuxml.FreeBSD.org/freebsd/a64aa22f-61ec-11e9-85b9-a4badb296695.html

(just curious)

--
'Things either exist or they don't,' said Jeremy. 'I am very clear about
that. I have medicine.' --The Thief of Time
> On 30 April 2019 21:06 @lbutlr via dovecot <dovecot@dovecot.org> wrote:
>
> On 30 Apr 2019, at 07:21, Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
> > We are pleased to release Dovecot v2.3.6.
>
> pkg audit shows the following, not mentioned in the changes:
>
> dovecot-2.3.5.1 is vulnerable:
> dovecot -- json encoder crash
> CVE: CVE-2019-10691
> WWW: https://vuxml.FreeBSD.org/freebsd/a64aa22f-61ec-11e9-85b9-a4badb296695.html
>
> (just curious)
>
> --
> 'Things either exist or they don't,' said Jeremy. 'I am very clear about
> that. I have medicine.' --The Thief of Time

We don't usually mention fixes for previous releases again.

---
Aki Tuomi
> On April 30, 2019 at 12:06 PM "@lbutlr via dovecot" <dovecot at dovecot.org> wrote:
>
> pkg audit shows the following, not mentioned in the changes:
>
> dovecot-2.3.5.1 is vulnerable:
> dovecot -- json encoder crash
> CVE: CVE-2019-10691
> WWW: https://vuxml.FreeBSD.org/freebsd/a64aa22f-61ec-11e9-85b9-a4badb296695.html

https://dovecot.org/pipermail/dovecot-news/2019-April/000407.html

michael