similar to: v2.2.36.3 released

https://dovecot.org/releases/2.3/dovecot-2.3.5.1.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.5.1.tar.gz.sig Binary packages in https://repo.dovecot.org/ ??? * CVE-2019-7524: Missing input buffer size validation leads into ????? arbitrary buffer overflow when reading fts or pop3 uidl header ????? from Dovecot index. Exploiting this requires direct write access to ????? the index files.

https://dovecot.org/releases/2.3/dovecot-2.3.5.1.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.5.1.tar.gz.sig Binary packages in https://repo.dovecot.org/ ??? * CVE-2019-7524: Missing input buffer size validation leads into ????? arbitrary buffer overflow when reading fts or pop3 uidl header ????? from Dovecot index. Exploiting this requires direct write access to ????? the index files.

Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-2964 (Bug ID) Vulnerability type: CWE-120 Vulnerable version: 2.0.14 - 2.3.5 Vulnerable component: fts, pop3-uidl-plugin Report confidence: Confirmed Researcher credits: Found in internal testing Solution status: Fixed by Vendor Fixed version: 2.3.5.1, 2.2.36.3 Vendor notification: 2019-02-05 Solution date: 2019-03-21 Public

Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-2964 (Bug ID) Vulnerability type: CWE-120 Vulnerable version: 2.0.14 - 2.3.5 Vulnerable component: fts, pop3-uidl-plugin Report confidence: Confirmed Researcher credits: Found in internal testing Solution status: Fixed by Vendor Fixed version: 2.3.5.1, 2.2.36.3 Vendor notification: 2019-02-05 Solution date: 2019-03-21 Public

Hello Aki, I'm currently stuck with 2.2.33.2 as 2.2.36 still duplicates mails after pop3 deletion on a two node dsync cluster. Therefore I've created a small patch and it seems only these two files are affected: dovecot-2.2.36.3/src/lib-storage/index/index-pop3-uidl.c dovecot-2.2.36.3/src/plugins/fts/fts-api.c Please correct me if I have missed something. Best regards Gerald

https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz.sig Binary packages in https://repo.dovecot.org/ * CVE-2019-7524: Missing input buffer size validation leads into arbitrary buffer overflow when reading fts or pop3 uidl header from Dovecot index. Exploiting this requires direct write access to the index files. --- Aki

Hi, Why didn?t you apply this patch to v2.3.5.1? commit df8addd41d87e61113de22a21a0e61506a8d74c2 Author: Stephan Bosch <stephan.bosch at dovecot.fi> Date: Tue Mar 12 03:18:33 2019 +0100 submission-login: client-authenticate - Fix crash occurring when client disconnects during authentication. diff --git a/src/submission-login/client-authenticate.c

https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz.sig Binary packages in https://repo.dovecot.org/ * CVE-2019-7524: Missing input buffer size validation leads into arbitrary buffer overflow when reading fts or pop3 uidl header from Dovecot index. Exploiting this requires direct write access to the index files. --- Aki

> On 12. May 2020, at 19.18, Benny Pedersen <me at junc.eu> wrote: > > On 2020-05-12 17:54, Robert Schetterer wrote: > >> At the end the subject question makes no sense... > > lets play football then :) > > i just wish that dovecot could be next generation exchange server, no kidding Our parent company Open-Xchange offers one. It's called App Suite.

Hi all, Today I can finally announce that Dovecot Oy company has merged with Open-Xchange AG. This helps us to get more Dovecot developers, support people and so on. Most importantly, eventually it should allow me to get back to doing what I like the most: Designing new and interesting stuff for Dovecot and perfecting the old stuff :) OX is a great match to Dovecot going forward. They also really

Hi all, Today I can finally announce that Dovecot Oy company has merged with Open-Xchange AG. This helps us to get more Dovecot developers, support people and so on. Most importantly, eventually it should allow me to get back to doing what I like the most: Designing new and interesting stuff for Dovecot and perfecting the old stuff :) OX is a great match to Dovecot going forward. They also really

Hi! We are excited to announce that we are now providing packages for Ubuntu 18.04 (Bionic). Please find instructions on how to use them at https://repo.dovecot.org/ Aki Tuomi Open-Xchange Oy

Don't need to block anyone like in the "Re: Dovecot Oy merger with Open-Xchange AG" thread, but when I have my vacation recipie active, I'd like it to NOT reply to certain addresses. I tried the following, you can see the section with if header :contains "addressIdontwant at repliedtoo.tld" is commented out, once I'd added that section, no Vacation messages

Hi I am new to the mailing List, and was hoping to get some assistance migrating from an Old Cucipop + Sendmail server (running on a old Redhat v 7) to a new Dovecot setup. My new installation is Dovecot + Postfix. All is setup and working, however I want to trasnsfer the contents of the mailboxes from my old server to this new Dovecot setup. Please let me know what information will be required

Hi! We have now buster packages available starting from 2.3.8. You can find them from https://repo.dovecot.org/ In related news, we are planning on dropping packages for Debian Jessie, Ubuntu 18 and CentOS6 starting from 2.3.9. --- Aki Tuomi Open-Xchange oy -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size:

We are pleased to release v2.3.9.2 of Dovecot. Please find it from locations below https://dovecot.org/releases/2.3/dovecot-2.3.9.2.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.9.2.tar.gz.sig Binary packages in https://repo.dovecot.org/ Docker images in https://hub.docker.com/r/dovecot/dovecot --- - Mails with empty From/To headers can also cause crash in push notification drivers. ---

We are happy to announce that we have CentOS 8 packages available starting from v2.3.11.3. You can find these packages at https://repo.dovecot.org/ Regards, Aki Tuomi Open-Xchange oy -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL:

Hi! We have pushed new versions for these packages that now support tcpwrappers. They were inadvertendly left out from last time, but now they have been restored. Sorry for the inconvenience. Regards, Aki Tuomi Open-Xchange oy

Hi! We have now buster packages available starting from 2.3.8. You can find them from https://repo.dovecot.org/ In related news, we are planning on dropping packages for Debian Jessie, Ubuntu 18 and CentOS6 starting from 2.3.9. --- Aki Tuomi Open-Xchange oy -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size:

We are pleased to release v2.3.9.2 of Dovecot. Please find it from locations below https://dovecot.org/releases/2.3/dovecot-2.3.9.2.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.9.2.tar.gz.sig Binary packages in https://repo.dovecot.org/ Docker images in https://hub.docker.com/r/dovecot/dovecot --- - Mails with empty From/To headers can also cause crash in push notification drivers. ---