dovecot - Apr 2019 - Dovecot release v2.3.6

Hi!

We are pleased to release Dovecot v2.3.6.

Tarball is available at

https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz.sig

Binary packages are available at https://repo.dovecot.org/

Changes
-------

* CVE-2019-11494: Submission-login crashed with signal 11 due to null pointer
access when authentication was aborted by disconnecting.
* CVE-2019-11499: Submission-login crashed when authentication was started over
TLS secured channel and invalid authentication message was sent.
* auth: Support password grant with passdb oauth2.
+ Use system default CAs for outbound TLS connections.
+ Simplify array handling with new helper macros.
+ fts_solr: Enable configuring batch_size and soft_commit features.
- lmtp/submission: Fixed various bugs in XCLIENT handling, including a hang when
XCLIENT commands were sent infinitely to the remote server.
- lmtp/submission: Forwarded multi-line replies were erroneously sent as two
replies to the client.
- lib-smtp: client: Message was not guaranteed to contain CRLF consistently when
CHUNKING was used.
- fts_solr: Plugin was no longer compatible with Solr 7.
- Make it possible to disable certificate checking without setting
ssl_client_ca_* settings.
- pop3c: SSL support was broken.
- mysql: Closing connection twice lead to crash on some systems.
- auth: Multiple oauth2 passdbs crashed auth process on deinit.
- HTTP client connection errors infrequently triggered a segmentation fault when
the connection was idle and not used for a particular client instance.

---
Aki Tuomi
Open-Xchange oy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: not available
URL:
<https://dovecot.org/pipermail/dovecot-news/attachments/20190430/e2a5c58f/attachment.sig>

On 30/04/2019 14:21, Aki Tuomi via dovecot wrote:
> https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz
Trivial but...

"mail-index-transaction-update.c", line 198: void function cannot
return
value


Thanks.
-------------- next part --------------
--- ../original/src/lib-index/mail-index-transaction-update.c	2019-04-30
13:25:06.000000000 +0000
+++ src/lib-index/mail-index-transaction-update.c	2019-04-30 14:49:09.517684762
+0000
@@ -195,7 +195,8 @@
 				   uint32_t first_uid,
 				   ARRAY_TYPE(seq_range) *uids_r)
 {
-	return mail_index_append_finish_uids_full(t, first_uid, first_uid, uids_r);
+	mail_index_append_finish_uids_full(t, first_uid, first_uid, uids_r);
+	return;
 }
 
 void mail_index_append_finish_uids_full(struct mail_index_transaction *t,

> On 30 April 2019 17:20 James via dovecot <dovecot at dovecot.org>
wrote:
> 
>  
> On 30/04/2019 14:21, Aki Tuomi via dovecot wrote:
> 
> > https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz
> 
> Trivial but...
> 
> "mail-index-transaction-update.c", line 198: void function cannot
return
> value
> 
> 
> Thanks.
Thanks!

Aki

On 30 Apr 2019, at 07:21, Aki Tuomi via dovecot <dovecot at dovecot.org>
wrote:
> We are pleased to release Dovecot v2.3.6.
pkg adult shows the following, not mentioned in the changes:

dovecot-2.3.5.1 is vulnerable:
dovecot -- json encoder crash
CVE: CVE-2019-10691
WWW: https://vuxml.FreeBSD.org/freebsd/a64aa22f-61ec-11e9-85b9-a4badb296695.html


(just curious)


-- 
'Things either exist or they don't,' said Jeremy. 'I am very
clear about
that. I have medicine.' --The Thief of Time

<!doctype html>
<html>
 <head> 
  <meta charset="UTF-8"> 
 </head>
 <body>
  <div>
   <br>
  </div>
  <blockquote type="cite">
   <div>
    On 30 April 2019 21:06 @lbutlr via dovecot <
    <a
href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>>
wrote:
   </div>
   <div>
    <br>
   </div>
   <div>
    <br>
   </div>
   <div>
    On 30 Apr 2019, at 07:21, Aki Tuomi via dovecot <
    <a
href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>>
wrote:
   </div>
   <blockquote type="cite">
    <div>
     We are pleased to release Dovecot v2.3.6.
    </div>
   </blockquote>
   <div>
    pkg adult shows the following, not mentioned in the changes:
   </div>
   <div>
    <br>
   </div>
   <div>
    dovecot-2.3.5.1 is vulnerable:
   </div>
   <div>
    dovecot -- json encoder crash
   </div>
   <div>
    CVE: CVE-2019-10691
   </div>
   <div>
    WWW: 
    <a
href="https://vuxml.FreeBSD.org/freebsd/a64aa22f-61ec-11e9-85b9-a4badb296695.html"
rel="noopener"
target="_blank">https://vuxml.FreeBSD.org/freebsd/a64aa22f-61ec-11e9-85b9-a4badb296695.html</a>
   </div>
   <div>
    <br>
   </div>
   <div>
    <br>
   </div>
   <div>
    (just curious)
   </div>
   <div>
    <br>
   </div>
   <div>
    <br>
   </div>
   <div>
    --
   </div>
   <div>
    'Things either exist or they don't,' said Jeremy. 'I am very
clear about
   </div>
   <div>
    that. I have medicine.' --The Thief of Time
   </div>
  </blockquote>
  <div>
   <br>
  </div>
  <div>
   We don't usually mention fixes for previous releases again.
  </div>
  <div class="io-ox-signature">
   <pre>---
Aki Tuomi</pre>
  </div> 
 </body>
</html>

> On April 30, 2019 at 12:06 PM "@lbutlr via dovecot" <dovecot
at dovecot.org> wrote:
> 
> pkg adult shows the following, not mentioned in the changes:
> 
> dovecot-2.3.5.1 is vulnerable:
> dovecot -- json encoder crash
> CVE: CVE-2019-10691
> WWW:
https://vuxml.FreeBSD.org/freebsd/a64aa22f-61ec-11e9-85b9-a4badb296695.html
https://dovecot.org/pipermail/dovecot-news/2019-April/000407.html

michael