Revisions of dovecot23
Dominique Leuenberger (dimstar_suse)
accepted
request 834633
from
Marcus Rueckert (darix)
(revision 33)
- add dovecot-2.3.11.3-gssapi-nul.patch: Fix for bug introduced in v2.3.11.3. It appears GSSAPI can contain NUL. https://github.com/dovecot/core/pull/133
Dominique Leuenberger (dimstar_suse)
accepted
request 832820
from
Factory Maintainer (factory-maintainer)
(revision 32)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 826276
from
Marcus Rueckert (darix)
(revision 31)
- update to 2.3.11.3 and pigeonhole to 0.5.11 (boo#1174920 boo#1174922 boo#1174923)
Yuchen Lin (maxlin_factory)
accepted
request 809014
from
Factory Maintainer (factory-maintainer)
(revision 30)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 807017
from
Marcus Rueckert (darix)
(revision 29)
- update to 2.3.10.1 with security fixes for
  * CVE-2020-10957: lmtp/submission: A client can crash the server by sending a NOOP command with an invalid string parameter. (boo#1171457)
  * CVE-2020-10958: lmtp/submission: Sending many invalid or unknown commands can cause the server to access freed memory, which can lead to a server crash. (boo#1171458)
  * CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash. (boo#1171456)
Dominique Leuenberger (dimstar_suse)
accepted
request 800837
from
Factory Maintainer (factory-maintainer)
(revision 28)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 785090
from
Dirk Mueller (dirkmueller)
(revision 27)
Dominique Leuenberger (dimstar_suse)
accepted
request 779422
from
Marcus Rueckert (darix)
(revision 26)
- Update dovecot-2.3.0-dont_use_etc_ssl_certs.patch: since we change CERTDIR to /etc/ssl/private, it is rather evil to then err out claiming /etc/ssl/certs would not exist. The error message should mention the directory it tested for. (forwarded request 779407 from dimstar)
Dominique Leuenberger (dimstar_suse)
accepted
request 774042
from
Marcus Rueckert (darix)
(revision 25)
- update to 2.3.9.3
  * CVE-2020-7046: Truncated UTF-8 can be used to DoS submission-login and lmtp processes.
  * CVE-2020-7957: Specially crafted mail can crash snippet generation.
  (forwarded request 773697 from adkorte)
Dominique Leuenberger (dimstar_suse)
accepted
request 763048
from
Wolfgang Rosenauer (wrosenauer)
(revision 24)
Dominique Leuenberger (dimstar_suse)
accepted
request 748910
from
Factory Maintainer (factory-maintainer)
(revision 22)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 738214
from
Илья Индиго (13ilya)
(revision 21)
- update to 2.3.8 and pigeonhole to 0.5.8
  Dovecot 2.3.8
  + Added mail_delivery_started and mail_delivery_finished events, see https://doc.dovecot.org/admin_manual/list_of_events/ for details.
  + dsync-replication: Don't replicate users who have "noreplicate" extra field in userdb.
  + doveadm service status: Show total number of processes created.
  + When logging to syslog, use instance_name setting's value for the ident. This commonly is added as a log prefix.
  + Base64 encoding/decoding code was rewritten with additional features. It shouldn't cause any user visible changes.
  - v2.3.7 regression: If a folder only receives new mails without any other mail access, dovecot.index.log keeps growing forever and dovecot.index keeps being rewritten for every mail delivery.
  - dsync-replication may lose keywords after syncing mails restored from another replica. This only happened if the mail only had keywords and no system flags.
  - event filters: Non-textual event fields could not be filtered using wildcards.
  - auth: Scope parameter was missing from OAuth password grant request.
  - doveadm client-server communication may hang in some situations. It is also using unnecessarily small TCP/IP packet sizes.
  - doveadm who and kick did not flush protocol output correctly.
  - imap: SETMETADATA with literal value would delete the metadata value instead of updating it.
  - imap: When client issues FETCH PREVIEW (LAZY=FUZZY) command, the caching decisions should be updated so that newly saved mails will have the preview cached.
  - With mail_nfs_index=yes and/or mail_nfs_storage=yes setuid/setgid permission bits in some files may have become dropped with some NFS servers. Changed NFS flushing to now use chmod() instead of chown().
  - quota: warnings did not work if quota root was noenforcing
  - acl: Global ACL file ignored the last line if it didn't end with LF.
  - doveadm stats dump: With JSON formatter output numbers using the number type instead of as strings
  - lmtp_proxy: Ensure that real_* variables are correctly set when using lmtp_proxy.
  - event exporter: http-post driver had hardcoded timeout and did not support DNS lookups or TLS connections.
  - auth: Fix user iteration to work with userdb passwd with glibc v2.28.
  - auth: auth service can crash if auth-policy JSON response is invalid or returned too fast.
  - In some rare situations "ps" output could have shown a lot of "?" characters after Dovecot process titles.
  - When dovecot.index.pvt is empty, an unnecessary error is logged: Error: .../dovecot.index.pvt reset, view is now inconsistent
  - SMTP address encoder duplicated initial double quote character when the localpart of an address ended in '..'. For example "user+..@example.com" became ""user+.."@example.com in a sieve redirect.
  Pigeonhole 0.5.8
  - Sieve may leak resources in rare cases when a redirect, vacation or report action fails to send the message. This mainly applies when Sieve is executed in IMAP context; i.e., for the IMAPSIEVE or FILTER=SIEVE capabilities.
Dominique Leuenberger (dimstar_suse)
accepted
request 726988
from
Marcus Rueckert (darix)
(revision 20)
- update to 2.3.7.2
  * CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes. Found by Nick Roessler and Rafi Rubin. (boo#1145559)
- update pigeonhole to 0.5.7.2
  * CVE-2019-11500: ManageSieve protocol parser does not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes. Found by Nick Roessler and Rafi Rubin. (boo#1145559)
- refreshed patches to apply cleanly again:
  dovecot-2.3.0-better_ssl_defaults.patch
  dovecot-2.3.0-dont_use_etc_ssl_certs.patch
Dominique Leuenberger (dimstar_suse)
accepted
request 718437
from
Илья Индиго (13ilya)
(revision 19)
- update to 2.3.7.1 and pigeonhole to 0.5.7.1
  Dovecot 2.3.7.1
  - Fix TCP_NODELAY errors being logged on non-Linux OSes
  - lmtp proxy: Fix assert-crash when client uses BODY=8BITMIME
  - Remove wrongly added checks in namespace prefix checking
  Pigeonhole 0.5.7.1
  - dsync: Sieve script syncing failed if mailbox attributes weren't enabled.
  Dovecot 2.3.7
  * fts-solr: Removed break-imap-search parameter
  + Added more events for the new statistics, see https://doc.dovecot.org/admin_manual/list_of_events/
  + mail-lua: Add IMAP metadata accessors, see https://doc.dovecot.org/admin_manual/lua/
  + Add event exporters that allow exporting raw events to log files and external systems, see https://doc.dovecot.org/configuration_manual/event_export/
  + SNIPPET is now PREVIEW and size has been increased to 200 characters.
  + Add body option to fts_enforced. This triggers building FTS index only on body search, and an error using FTS index fails the search rather than reads through all the mails.
  - Submission/LMTP: Fixed crash when domain argument is invalid in a second EHLO/LHLO command.
  - Copying/moving mails using Maildir format loses IMAP keywords in the destination if the mail also has no system flags.
  - mail_attachment_detection_options=add-flags-on-save caused email body to be unnecessarily opened when FETCHing mail headers that were already cached.
  - mail attachment detection keywords not saved with maildir.
  - dovecot.index.cache may have grown excessively large in some situations. This happened especially when using autoexpunging with lazy_expunge folders. Also with mdbox format in general the cache file wasn't recreated as often as it should have.
  - Autoexpunged mails weren't immediately deleted from the disk. Instead, the deletion from disk happened the next time the folder was opened. This could have caused unnecessary delays if the opening was done by an interactive IMAP session.
  - Dovecot's TCP connections sometimes add extra 40ms latency due to not enabling TCP_NODELAY. HTTP and SMTP/LMTP connections weren't affected, but everything else was. This delay wasn't always visible - only in some situations with some message/packet sizes.
  - imapc: Fix various crash conditions
  - Dovecot builds were not always reproducible.
  - login-proxy: With shutdown_clients=no after config reload the existing connections could no longer be listed or kicked with doveadm.
  - "doveadm proxy kick" with -f parameter caused a crash in some situations.
  - Auth policy can cause segmentation fault crash during auth process shutdown if all auth requests have not been finished.
  - Fix various minor bugs leading into incorrect behaviour in mailbox list index handling. These rarely caused noticeable problems.
  - LDAP auth: Iteration accesses freed memory, possibly crashing auth-worker
  - local_name { .. } filter in dovecot.conf does not correctly support multiple names and wildcards were matched incorrectly.
  - replicator: dsync assert-crashes if it can't connect to remote TCP server.
  - config: Memory leak in config process when ssl_dh setting wasn't set and there was no ssl-parameters.dat file. This caused config process to die once in a while with "out of memory".
- bsc#1134242 - upgrade from 42.3 to 15.1: dovecot shows Unknown protocol 'SSLv2'
  * remove !SSLv2 from existing ssl_protocols configuration during upgrade
Dominique Leuenberger (dimstar_suse)
accepted
request 699690
from
Marcus Rueckert (darix)
(revision 18)
- update pigeonhole to 0.5.6
  + sieve: Redirect loop prevention is sometimes ineffective. Improve existing loop detection by also recognizing the X-Sieve-Redirected-From header in incoming messages and dropping redirect actions when it points to the sending account. This header is already added by the redirect action, so this improvement only adds an additional use of this header.
  - sieve: Prevent execution of implicit keep upon temporary failure occurring at runtime.
- update to 2.3.6: (boo#1133624 boo#1133625)
  * CVE-2019-11494: Submission-login crashed with signal 11 due to null pointer access when authentication was aborted by disconnecting.
  * CVE-2019-11499: Submission-login crashed when authentication was started over TLS secured channel and invalid authentication message was sent.
  * auth: Support password grant with passdb oauth2.
  + Use system default CAs for outbound TLS connections.
  + Simplify array handling with new helper macros.
  + fts_solr: Enable configuring batch_size and soft_commit features.
  - lmtp/submission: Fixed various bugs in XCLIENT handling, including a hang when XCLIENT commands were sent infinitely to the remote server.
  - lmtp/submission: Forwarded multi-line replies were erroneously sent as two replies to the client.
  - lib-smtp: client: Message was not guaranteed to contain CRLF consistently when CHUNKING was used.
  - fts_solr: Plugin was no longer compatible with Solr 7.
  - Make it possible to disable certificate checking without setting ssl_client_ca_* settings.
  - pop3c: SSL support was broken.
  - mysql: Closing connection twice lead to crash on some systems.
  - auth: Multiple oauth2 passdbs crashed auth process on deinit.
  - HTTP client connection errors infrequently triggered a segmentation fault when the connection was idle and not used for a particular client instance.
Dominique Leuenberger (dimstar_suse)
accepted
request 695556
from
Marcus Rueckert (darix)
(revision 17)
- update to 2.3.5.2 (boo#1132501)
  * CVE-2019-10691: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled. This could be used rather easily to cause a DoS. Similar crash also happens during mail delivery when using invalid UTF8 in From or Subject header when OX push notification driver is used.
- update to 2.3.5.1 (boo#1130116)
Dominique Leuenberger (dimstar_suse)
accepted
request 689340
from
Marcus Rueckert (darix)
(revision 16)
- update to 2.3.5.1
Stephan Kulow (coolo)
accepted
request 671912
from
Marcus Rueckert (darix)
(revision 15)
- update to 2.3.4.1 (boo#1123022)
  * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing.
  * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This bug didn't affect Dovecot's Submission service.
Dominique Leuenberger (dimstar_suse)
accepted
request 667410
from
Jan Engelhardt (jengelh)
(revision 14)
Displaying revisions 21 - 40 of 53