Re: [Dovecot-news] Dovecot v2.2.36.1 released (Pigeonhole


Here is the associated release for Pigeonhole:
Binary packages included in

+ imapsieve: Added imapsieve_expunge_discarded setting which causes
discarded messages to be expunged immediately.
– Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context that
modify the message, store the message a second time, rather than
replacing the originally stored unmodified message.
– imapsieve: Fix crash when COPYing mails from a virtual mailbox when
the source messages originate from more than a single real mailbox
– imap_filter_sieve plugin: Implement the missing UID FILTER command.
– imap_filter_sieve plugin: Fix FILTER to work with pipelining



Op 5-2-2019 om 14:01 schreef Aki Tuomi:
>     * CVE-2019-3814: If imap/pop3/managesieve/submission client has
>       trusted certificate with missing username field
>       (ssl_cert_username_field), under some configurations Dovecot
>       mistakenly trusts the username provided via authentication instead
>       of failing.
>     * ssl_cert_username_field setting was ignored with external SMTP AUTH,
>       because none of the MTAs (Postfix, Exim) currently send the
>       cert_username field. This may have allowed users with trusted
>       certificate to specify any username in the authentication. This bug
>       didn’t affect Dovecot’s Submission service.
>     – pop3_no_flag_updates=no: Don’t expunge RETRed messages without QUIT
>     – director: Kicking a user assert-crashes if login process is very slow
>     – lda/lmtp: Fix assert-crash with some Sieve scripts when
>       mail_attachment_detection_options=add-flags-on-save
>     – fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
>     – Snippet generation crashed with invalid
> —
> Aki Tuomi
> Open-Xchange Oy

Dovecot-news mailing list