similar to: CVE-2019-3814: Suitable client certificate can be used to login as other user

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has ??? ? trusted certificate with missing username field ??? ? (ssl_cert_username_field), under some configurations Dovecot ??? ? mistakenly trusts the username provided via authentication instead ??? ? of failing.

https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig> Binary packages in https://repo.dovecot.org/ ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has ??? ? trusted certificate with missing username field ??? ? (ssl_cert_username_field), under some

for some reason Aki's posts are not making it to my GMail account from this list. Any idea why? On Tue, Feb 5, 2019 at 10:04 AM Eric Broch <ebroch at whitehorsetc.com> wrote: > Thank you! > On 2/5/2019 8:43 AM, Aki Tuomi wrote: > > Hi, > > as per our EOL statement 2.2.36 receives security and critical updates. > That said, we decided to flush few annoying bugs

https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig> Binary packages in https://repo.dovecot.org/ ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has ??? ? trusted certificate with missing username field ??? ? (ssl_cert_username_field), under some

Thank you! On 2/5/2019 8:43 AM, Aki Tuomi wrote: > Hi, > > as per our EOL statement 2.2.36 receives security and critical > updates. That said, we decided to flush few annoying bugs with .1 > release. > > You do not need to build releases for 2.2. > > Aki >> On 05 February 2019 at 17:36 Eric Broch < ebroch at whitehorsetc.com >> <mailto:ebroch at

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has ??? ? trusted certificate with missing username field ??? ? (ssl_cert_username_field), under some configurations Dovecot ??? ? mistakenly trusts the username provided via authentication instead ??? ? of failing.

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has ??? ? trusted certificate with missing username field ??? ? (ssl_cert_username_field), under some configurations Dovecot ??? ? mistakenly trusts the username provided via authentication instead ??? ? of failing.

<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> Hi, </div> <div> <br> </div> <div> as per our EOL statement 2.2.36 receives security and critical updates. That said, we decided to flush few annoying bugs with .1 release. </div> <div> <br>

On Tue, 5 Feb 2019 at 20:32, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote: > Due to DMARC issues some people have failed to receive the latest security > information, so here it is repeated for both releases: > > 2.3.4.1 > > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig >

On Tue, 5 Feb 2019 at 20:32, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote: > Due to DMARC issues some people have failed to receive the latest security > information, so here it is repeated for both releases: > > 2.3.4.1 > > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig >

Hi, Here is the associated release for Pigeonhole: https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz.sig Binary packages included in https://repo.dovecot.org/ + imapsieve: Added imapsieve_expunge_discarded setting which causes discarded messages to be expunged

Aki, What's the difference between 2.2.x and 2.3.x version of Dovecot? And why do you maintain both? I stopped building RPM's of the 2.2.x version and now only build 2.3.x. Should I be maintaining both? Eric On 2/5/2019 6:01 AM, Aki Tuomi wrote: > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig > >

Hi, Here is the associated release for Pigeonhole: https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz.sig Binary packages included in https://repo.dovecot.org/ + imapsieve: Added imapsieve_expunge_discarded setting which causes discarded messages to be expunged

On 2019-02-05 13:07, Stephan Bosch via dovecot wrote: > Hi, > > Here is the associated release for Pigeonhole: > > https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz > https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz.sig > Binary packages included in https://repo.dovecot.org/ > > + imapsieve: Added

Oh, so manual compile should NOT work and it's okay or am I missing something? On Tue, 5 Feb 2019 at 23:26, The Doctor <doctor at doctor.nl2k.ab.ca> wrote: > On Tue, Feb 05, 2019 at 11:18:45PM +0300, Odhiambo Washington via dovecot > wrote: > > On Tue, 5 Feb 2019 at 20:32, Aki Tuomi via dovecot <dovecot at dovecot.org> > > wrote: > > > > > Due to

Oh, so manual compile should NOT work and it's okay or am I missing something? On Tue, 5 Feb 2019 at 23:26, The Doctor <doctor at doctor.nl2k.ab.ca> wrote: > On Tue, Feb 05, 2019 at 11:18:45PM +0300, Odhiambo Washington via dovecot > wrote: > > On Tue, 5 Feb 2019 at 20:32, Aki Tuomi via dovecot <dovecot at dovecot.org> > > wrote: > > > > > Due to

I have always been able to compile manually, even from RCs so I believe I should be able to compile from the tarball as well. Something is broken, On Tue, 5 Feb 2019 at 23:29, Larry Rosenman <larryrtx at gmail.com> wrote: > pull the patches from the port..... > > > On Tue, Feb 5, 2019 at 2:28 PM Odhiambo Washington via dovecot < > dovecot at dovecot.org> wrote: >

Noted. I will wait for dovecot-2.3.4.2 tarball then. In all the servers I listed (+2 more), I never use the mail/dovecot port. I rely on mail/dovecot port on my own prototype (FreeBSD 12) which I have built in preparation for the upgrade of all the servers I currently have (except the 11.2). So for now, they have to run with 2.3.4, because of that reason - I am not using the port. And yes, I

Bueno. I don't even remember well. Wasn't that issue about mysql-8.0.12 to 8.0.13?? On Tue, 5 Feb 2019 at 23:46, Larry Rosenman <larryrtx at gmail.com> wrote: > 2.3.4 had the same compile issues.... > > > On Tue, Feb 5, 2019 at 2:44 PM Odhiambo Washington <odhiambo at gmail.com> > wrote: > >> Noted. >> >> I will wait for dovecot-2.3.4.2

Due to DMARC issues some people have failed to receive the latest security information, so here it is repeated for both releases: 2.3.4.1 https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig> Binary packages in https://repo.dovecot.org/ * CVE-2019-3814: If