Category: Uncategorized

https://dovecot.org/releases/2.2/dovecot-2.2.33.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.33.tar.gz.sig

We’re getting close to the last v2.2.x releases. Hopefully we’ll have the first v2.3 beta releases out soon.

* doveadm director commands wait for the changes to be visible in the
whole ring before they return. This is especially useful in testing.
* Environments listed in import_environment setting are now set or
preserved when executing standalone commands (e.g. doveadm)

+ doveadm proxy: Support proxying logs. Previously the logs were
visible only in the backend’s logs.
+ Added %{if}, see https://wiki2.dovecot.org/Variables#Conditionals
+ Added a new notify_status plugin, which can be used to update dict
with current status of a mailbox when it changes. See
https://wiki2.dovecot.org/Plugins/NotifyStatus
+ Mailbox list index can be disabled for a namespace by appending
“:LISTINDEX=” to location setting.
+ dsync/imapc: Added dsync_hashed_headers setting to specify which
headers are used to match emails.
+ pop3-migration: Add pop3_migration_ignore_extra_uidls=yes to ignore
mails that are visible in POP3 but not IMAP. This could happen if
new mails were delivered during the migration run.
+ pop3-migration: Further improvements to help with Zimbra
+ pop3-migration: Cache POP3 UIDLs in imapc’s dovecot.index.cache
if indexes are enabled. These are used to optimize incremental syncs.
+ cassandra, dict-sql: Use prepared statements if protocol version>3.
+ auth: Added %{ldap_dn} variable for passdb/userdb ldap
– acl: The “create” (k) permission in global acl-file was sometimes
ignored, allowing users to create mailboxes when they shouldn’t have.
– sdbox: Mails were always opened when expunging, unless
mail_attachment_fs was explicitly set to empty.
– lmtp/doveadm proxy: hostip passdb field was ignored, which caused
unnecessary DNS lookups if host field wasn’t an IP
– lmtp proxy: Fix crash when receiving unexpected reply in RCPT TO
– quota_clone: Update also when quota is unlimited (broken in v2.2.31)
– mbox, zlib: Fix assert-crash when accessing compressed mbox
– doveadm director kick -f parameter didn’t work
– doveadm director flush resulted flushing all hosts, if
wasn’t an IP address.
– director: Various fixes to handling backend/director changes at
abnormal times, especially while ring was unsynced. These could have
resulted in crashes, non-optimal behavior or ignoring some of the
changes.
– director: Use less CPU in imap-login processes when moving/kicking
many users.
– lmtp: Session IDs were duplicated/confusing with multiple RCPT TOs
when lmtp_rcpt_check_quota=yes
– doveadm sync -1 fails when local mailboxes exist that do not exist
remotely. This commonly happened when lazy_expunge mailbox was
autocreated when incremental sync expunged mails.
– pop3: rawlog_dir setting didn’t work

_______________________________________________
Dovecot-news mailing list
Dovecot-news@dovecot.org
https://dovecot.org/mailman/listinfo/dovecot-news

Hello Dovecot users,

Here is the Pigeonhole hole release candidate that goes with the Dovecot
release candidate. Nothing really special going on, just a few changes
and fixes that accumulated over the last few months.

Changelog v0.4.21:

* redirect action: Always set the X-Sieve-Redirected-From header to
sieve_user_email if configured. Before, it would use the envelope
recipient instead if available, which makes no sense if the primary
e-mail address is available.
+ vacation extension: Allow ignoring the envelope sender while composing
the “To:” header for the reply. Normally, the “To:” header is composed
from the address found in the “Sender”, “Resent-From” or “From”
headers that is equal to the envelope sender. If none is then found,
the bare envelope sender is used. This change adds a new setting
“sieve_vacation_to_header_ignore_envelope”. With this setting enabled,
the “To:” header is always composed from those headers in the source
message. The new setting thus allows ignoring the envelope, which is
useful e.g. when SRS is used.
+ vacation extension: Compose the “To:” header from the full sender
address found in the first “Sender:”, “From:” or “Resent-From:”
header. Before, it would create a “To:” header without a phrase part.
The new behavior is nicer, since the reply will be addressed to the
sender by name if possible.
– LDA Sieve plugin: Fixed sequential execution of LDAP-based scripts. A
missing LDAP-based script could cause the script sequence to exit
earlier.
– sieve-filter: Removed the (now) duplicate utf8 to mutf7 mailbox name
conversion. This caused problems with mailbox names containing UTF-8
characters. The Dovecot API was changed years ago, but apparently
sieve-filter was never updated.

The release is available as follows:

http://pigeonhole.dovecot.org/releases/2.2/rc/dovecot-2.2-pigeonhole-0.4.21.rc1.tar.gz
http://pigeonhole.dovecot.org/releases/2.2/rc/dovecot-2.2-pigeonhole-0.4.21.rc1.tar.gz.sig

Refer to http://pigeonhole.dovecot.org and the Dovecot v2.x wiki for
more information. Have fun testing this release candidate and don’t
hesitate to notify me when there are any problems.

Regards,

—
Stephan Bosch
stephan@rename-it.nl

_______________________________________________
Dovecot-news mailing list
Dovecot-news@dovecot.org
https://dovecot.org/mailman/listinfo/dovecot-news

https://dovecot.org/releases/2.2/rc/dovecot-2.2.33.rc1.tar.gz
https://dovecot.org/releases/2.2/rc/dovecot-2.2.33.rc1.tar.gz.sig

There are a couple more small changes still coming, but this should be very close to the final release. I’m especially interested in hearing if there are any problems with doveadm log proxying or with director. We’ve improved our automated director tests quite a lot now, and fixed some rarely occurring bugs.

* doveadm director commands wait for the changes to be visible in the
whole ring before they return. This is especially useful in testing.
* Environments listed in import_environment setting are now set or
preserved when executing standalone commands (e.g. doveadm)

+ doveadm proxy: Support proxying logs. Previously the logs were
visible only in the backend’s logs.
+ Added %{if}, see https://wiki2.dovecot.org/Variables#Conditionals
+ Added a new notify_status plugin, which can be used to update dict
with current status of a mailbox when it changes. See
https://wiki2.dovecot.org/Plugins/NotifyStatus
+ Mailbox list index can be disabled for a namespace by appending
“:LISTINDEX=” to location setting.
+ dsync/imapc: Added dsync_hashed_headers setting to specify which
headers are used to match emails.
+ pop3-migration: Add pop3_migration_ignore_extra_uidls=yes to ignore
mails that are visible in POP3 but not IMAP. This could happen if
new mails were delivered during the migration run.
+ pop3-migration: Further improvements to help with Zimbra
+ pop3-migration: Cache POP3 UIDLs in imapc’s dovecot.index.cache
if indexes are enabled. These are used to optimize incremental syncs.
+ cassandra, dict-sql: Use prepared statements if protocol version>3.
– sdbox: Mails were always opened when expunging, unless
mail_attachment_fs was explicitly set to empty.
– lmtp/doveadm proxy: hostip passdb field was ignored, which caused
unnecessary DNS lookups if host field wasn’t an IP
– lmtp proxy: Fix crash when receiving unexpected reply in RCPT TO
– quota_clone: Update also when quota is unlimited (broken in v2.2.31)
– mbox, zlib: Fix assert-crash when accessing compressed mbox
– doveadm director kick -f parameter didn’t work
– doveadm director flush resulted flushing all hosts, if
wasn’t an IP address.
– director: Various fixes to handling backend/director changes at
abnormal times, especially while ring was unsynced. These could have
resulted in crashes, non-optimal behavior or ignoring some of the
changes.
– director: Use less CPU in imap-login processes when moving/kicking
many users.
– lmtp: Session IDs were duplicated/confusing with multiple RCPT TOs
when lmtp_rcpt_check_quota=yes
– doveadm sync -1 fails when local mailboxes exist that do not exist
remotely. This commonly happened when lazy_expunge mailbox was
autocreated when incremental sync expunged mails.

_______________________________________________
Dovecot-news mailing list
Dovecot-news@dovecot.org
https://dovecot.org/mailman/listinfo/dovecot-news

VGhlIFVidW50dSB0ZWFtIGlzIHBsZWFzZWQgdG8gYW5ub3VuY2UgdGhlIGZpbmFsIGJldGEgcmVs
ZWFzZSBvZiB0aGUKVWJ1bnR1IDE3LjEwIERlc2t0b3AsIFNlcnZlciwgYW5kIENsb3VkIHByb2R1
Y3RzLgoKQ29kZW5hbWVkICJBcnRmdWwgQWFyZHZhcmsiLCAxNy4xMCBjb250aW51ZXMgVWJ1bnR1
J3MgcHJvdWQgdHJhZGl0aW9uCm9mIGludGVncmF0aW5nIHRoZSBsYXRlc3QgYW5kIGdyZWF0ZXN0
IG9wZW4gc291cmNlIHRlY2hub2xvZ2llcyBpbnRvIGEKaGlnaC1xdWFsaXR5LCBlYXN5LXRvLXVz
ZSBMaW51eCBkaXN0cmlidXRpb24uICBUaGUgdGVhbSBoYXMgYmVlbiBoYXJkCmF0IHdvcmsgdGhy
b3VnaCB0aGlzIGN5Y2xlLCBpbnRyb2R1Y2luZyBuZXcgZmVhdHVyZXMgYW5kIGZpeGluZyBidWdz
LgoKVGhpcyBiZXRhIHJlbGVhc2UgaW5jbHVkZXMgaW1hZ2VzIGZyb20gbm90IG9ubHkgdGhlIFVi
dW50dSBEZXNrdG9wLApTZXJ2ZXIsIGFuZCBDbG91ZCBwcm9kdWN0cywgYnV0IGFsc28gdGhlIEt1
YnVudHUsIEx1YnVudHUsIFVidW50dQpCdWRnaWUsIFVidW50dUt5bGluLCBVYnVudHUgTUFURSwg
VWJ1bnR1IFN0dWRpbywgYW5kIFh1YnVudHUgZmxhdm91cnMuCgpUaGUgYmV0YSBpbWFnZXMgYXJl
IGtub3duIHRvIGJlIHJlYXNvbmFibHkgZnJlZSBvZiBzaG93c3RvcHBlciBDRApidWlsZCBvciBp
bnN0YWxsZXIgYnVncywgd2hpbGUgcmVwcmVzZW50aW5nIGEgdmVyeSByZWNlbnQgc25hcHNob3Qg
b2YKMTcuMTAgdGhhdCBzaG91bGQgYmUgcmVwcmVzZW50YXRpdmUgb2YgdGhlIGZlYXR1cmVzIGlu
dGVuZGVkIHRvIHNoaXAKd2l0aCB0aGUgZmluYWwgcmVsZWFzZSBleHBlY3RlZCBvbiBPY3RvYmVy
IDE5dGgsIDIwMTcuICBXaXRoIHRoYXQKYmVpbmcgc2FpZCwgcmVtZW1iZXIgd2UgYXJlIHN0aWxs
IGluIGFjdGl2ZSBkZXZlbG9wbWVudCBzbyBiZSBzdXJlIHRvCmZhbWlsaWFyaXplIHdpdGggdGhl
IGN1cnJlbnRseSBrbm93biBpc3N1ZXMgYXMgbGlzdGVkIG9uIHRoZSBvZmZpY2lhbApyZWxlYXNl
IG5vdGVzIHBhZ2UuCgpVYnVudHUsIFVidW50dSBTZXJ2ZXIsIENsb3VkIEltYWdlczoKICBBcnRm
dWwgRmluYWwgQmV0YSBpbmNsdWRlcyB1cGRhdGVkIHZlcnNpb25zIG9mIG1vc3Qgb2Ygb3VyIGNv
cmUgc2V0CiAgb2YgcGFja2FnZXMsIGluY2x1ZGluZyBhIGN1cnJlbnQgNC4xMyBrZXJuZWwsIGFu
ZCBtdWNoIG1vcmUuCgogIFRvIHVwZ3JhZGUgdG8gVWJ1bnR1IDE3LjEwIEZpbmFsIEJldGEgZnJv
bSBVYnVudHUgMTcuMDQsIGZvbGxvdyB0aGVzZQogIGluc3RydWN0aW9uczoKCiAgaHR0cHM6Ly9o
ZWxwLnVidW50dS5jb20vY29tbXVuaXR5L0FydGZ1bFVwZ3JhZGVzCgogIFRoZSBVYnVudHUgMTcu
MTAgRmluYWwgQmV0YSBpbWFnZXMgY2FuIGJlIGRvd25sb2FkZWQgYXQ6CgogIGh0dHA6Ly9yZWxl
YXNlcy51YnVudHUuY29tLzE3LjEwLyAoVWJ1bnR1IGFuZCBVYnVudHUgU2VydmVyIG9uIHg4NikK
CiAgQWRkaXRpb25hbCBpbWFnZXMgY2FuIGJlIGZvdW5kIGF0IHRoZSBmb2xsb3dpbmcgbGlua3M6
CgogIGh0dHA6Ly9jbG91ZC1pbWFnZXMudWJ1bnR1LmNvbS9kYWlseS9zZXJ2ZXIvYXJ0ZnVsL2N1
cnJlbnQvIChDbG91ZCBJbWFnZXMpCiAgaHR0cDovL2NkaW1hZ2UudWJ1bnR1LmNvbS9yZWxlYXNl
cy8xNy4xMC9iZXRhLTIvIChOb24teDg2IFNlcnZlcikKICBodHRwOi8vY2RpbWFnZS51YnVudHUu
Y29tL25ldGJvb3QvMTcuMTAvIChOZXRib290KQoKICBBcyBmaXhlcyB3aWxsIGJlIGluY2x1ZGVk
IGluIG5ldyBpbWFnZXMgYmV0d2VlbiBub3cgYW5kIHJlbGVhc2UsIGFueQogIGRhaWx5IGNsb3Vk
IGltYWdlIGZyb20gdG9kYXkgb3IgbGF0ZXIgKGkuZS4gYSBzZXJpYWwgb2YgMjAxNzA5MjYgb3IK
ICBoaWdoZXIpIHNob3VsZCBiZSBjb25zaWRlcmVkIGEgYmV0YSBpbWFnZS4gIEJ1Z3MgZm91bmQg
c2hvdWxkIGJlIGZpbGVkCiAgYWdhaW5zdCB0aGUgYXBwcm9wcmlhdGUgcGFja2FnZXMgb3IsIGZh
aWxpbmcgdGhhdCwgdGhlIGNsb3VkLWltYWdlcwogIHByb2plY3QgaW4gTGF1bmNocGFkLgoKICBU
aGUgZnVsbCByZWxlYXNlIG5vdGVzIGZvciBVYnVudHUgMTcuMTAgRmluYWwgQmV0YSBjYW4gYmUg
Zm91bmQgYXQ6CgogIGh0dHBzOi8vd2lraS51YnVudHUuY29tL0FydGZ1bEFhcmR2YXJrL1JlbGVh
c2VOb3RlcwoKS3VidW50dToKICBLdWJ1bnR1IGlzIHRoZSBLREUgYmFzZWQgZmxhdm91ciBvZiBV
YnVudHUuIEl0IHVzZXMgdGhlIFBsYXNtYSBkZXNrdG9wCiAgYW5kIGluY2x1ZGVzIGEgd2lkZSBz
ZWxlY3Rpb24gb2YgdG9vbHMgZnJvbSB0aGUgS0RFIHByb2plY3QuCgogIFRoZSBGaW5hbCBCZXRh
IGltYWdlcyBjYW4gYmUgZG93bmxvYWRlZCBhdDoKICBodHRwOi8vY2RpbWFnZS51YnVudHUuY29t
L2t1YnVudHUvcmVsZWFzZXMvMTcuMTAvYmV0YS0yLwoKICBNb3JlIGluZm9ybWF0aW9uIG9uIEt1
YnVudHUgRmluYWwgQmV0YSBjYW4gYmUgZm91bmQgaGVyZToKICBodHRwczovL3dpa2kudWJ1bnR1
LmNvbS9BcnRmdWxBYXJkdmFyay9CZXRhMi9LdWJ1bnR1CgpMdWJ1bnR1OgogIEx1YnVudHUgaXMg
YSBmbGF2b3Igb2YgVWJ1bnR1IHRoYXQgdGFyZ2V0cyB0byBiZSBsaWdodGVyLCBsZXNzCiAgcmVz
b3VyY2UgaHVuZ3J5IGFuZCBtb3JlIGVuZXJneS1lZmZpY2llbnQgYnkgdXNpbmcgbGlnaHR3ZWln
aHQKICBhcHBsaWNhdGlvbnMgYW5kIExYREUsIFRoZSBMaWdodHdlaWdodCBYMTEgRGVza3RvcCBF
bnZpcm9ubWVudCwKICBhcyBpdHMgZGVmYXVsdCBHVUkuCgogIFRoZSBGaW5hbCBCZXRhIGltYWdl
cyBjYW4gYmUgZG93bmxvYWRlZCBhdDoKICBodHRwOi8vY2RpbWFnZS51YnVudHUuY29tL2x1YnVu
dHUvcmVsZWFzZXMvMTcuMTAvYmV0YS0yLwoKICBNb3JlIGluZm9ybWF0aW9uIG9uIEx1YnVudHUg
RmluYWwgQmV0YSBjYW4gYmUgZm91bmQgaGVyZToKICBodHRwczovL3dpa2kudWJ1bnR1LmNvbS9B
cnRmdWxBYXJkdmFyay9CZXRhMi9MdWJ1bnR1CgogIEFsc28gaW4gdGhpcyBtaWxlc3RvbmUgaXMg
THVidW50dSBOZXh0LCBhbiBleHBlcmltZW50YWwgZmxhdm9yIG9mCiAgVWJ1bnR1IGJhc2VkIG9u
IExYUXQgYW5kIGZvY3VzZWQgb24gcHJvdmlkaW5nIGEgbW9kZXJuLCBsaWdodHdlaWdodCwKICBR
dC1iYXNlZCBkaXN0cmlidXRpb24uCgogIFRoZSBMdWJ1bnR1IE5leHQgMTcuMTAgRmluYWwgQmV0
YSBpbWFnZXMgY2FuIGJlIGRvd25sb2FkZWQgZnJvbToKICBodHRwOi8vY2RpbWFnZS51YnVudHUu
Y29tL2x1YnVudHUtbmV4dC9yZWxlYXNlcy8xNy4xMC9iZXRhLTIvCgogIE1vcmUgaW5mb3JtYXRp
b24gYWJvdXQgTHVidW50dSBOZXh0IDE3LjEwIEFscGhhIDEgY2FuIGJlIGZvdW5kIGhlcmU6CiAg
aHR0cHM6Ly93aWtpLnVidW50dS5jb20vQXJ0ZnVsQWFyZHZhcmsvQmV0YTIvTHVidW50dU5leHQK
ClVidW50dSBCdWRnaWU6CiAgVWJ1bnR1IEJ1ZGdpZSBpcyBjb21tdW5pdHkgZGV2ZWxvcGVkIGRl
c2t0b3AsIGludGVncmF0aW5nIEJ1ZGdpZQogIERlc2t0b3AgRW52aXJvbm1lbnQgd2l0aCBVYnVu
dHUgYXQgaXRzIGNvcmUuCgogIFRoZSBGaW5hbCBCZXRhIGltYWdlcyBjYW4gYmUgZG93bmxvYWRl
ZCBhdDoKICBodHRwOi8vY2RpbWFnZS51YnVudHUuY29tL3VidW50dS1idWRnaWUvcmVsZWFzZXMv
MTcuMTAvYmV0YS0yLwoKICBNb3JlIGluZm9ybWF0aW9uIG9uIFVidW50dSBCdWRnaWUgRmluYWwg
QmV0YSBjYW4gYmUgZm91bmQgaGVyZToKICBodHRwczovL3VidW50dWJ1ZGdpZS5vcmcvYmxvZy8y
MDE3LzA5LzI1LzE3LTEwLXJlbGVhc2Utbm90ZXMKClVidW50dUt5bGluOgogIFVidW50dUt5bGlu
IGlzIGEgZmxhdm9yIG9mIFVidW50dSB0aGF0IGlzIG1vcmUgc3VpdGFibGUgZm9yIENoaW5lc2UK
ICB1c2Vycy4KCiAgVGhlIEZpbmFsIEJldGEgaW1hZ2VzIGNhbiBiZSBkb3dubG9hZGVkIGF0Ogog
IGh0dHA6Ly9jZGltYWdlLnVidW50dS5jb20vdWJ1bnR1a3lsaW4vcmVsZWFzZXMvMTcuMTAvYmV0
YS0yLwoKICBNb3JlIGluZm9ybWF0aW9uIG9uIFVidW50dUt5bGluIEZpbmFsIEJldGEgY2FuIGJl
IGZvdW5kIGhlcmU6CiAgaHR0cHM6Ly93aWtpLnVidW50dS5jb20vQXJ0ZnVsQWFyZHZhcmsvUmVs
ZWFzZU5vdGVzL1VidW50dUt5bGluCgpVYnVudHUgTUFURToKICBVYnVudHUgTUFURSBpcyBhIGZs
YXZvciBvZiBVYnVudHUgZmVhdHVyaW5nIHRoZSBNQVRFIGRlc2t0b3AKICBlbnZpcm9ubWVudC4K
CiAgVGhlIEZpbmFsIEJldGEgaW1hZ2VzIGNhbiBiZSBkb3dubG9hZGVkIGF0OgogIGh0dHA6Ly9j
ZGltYWdlLnVidW50dS5jb20vdWJ1bnR1LW1hdGUvcmVsZWFzZXMvMTcuMTAvYmV0YS0yLwoKICBN
b3JlIGluZm9ybWF0aW9uIG9uIFVidW50dU1BVEUgRmluYWwgQmV0YSBjYW4gYmUgZm91bmQgaGVy
ZToKICBodHRwczovL3VidW50dS1tYXRlLm9yZy9ibG9nL3VidW50dS1tYXRlLWFydGZ1bC1iZXRh
Mi8KClVidW50dSBTdHVkaW86CiAgVWJ1bnR1IFN0dWRpbyBpcyBhIGZsYXZvciBvZiBVYnVudHUg
dGhhdCBwcm92aWRlcyBhIGZ1bGwgcmFuZ2Ugb2YKICBtdWx0aW1lZGlhIGNvbnRlbnQgY3JlYXRp
b24gYXBwbGljYXRpb25zIGZvciBlYWNoIGtleSB3b3JrZmxvd3M6CiAgYXVkaW8sIGdyYXBoaWNz
LCB2aWRlbywgcGhvdG9ncmFwaHkgYW5kIHB1Ymxpc2hpbmcuCgogIFRoZSBGaW5hbCBCZXRhIGlt
YWdlcyBjYW4gYmUgZG93bmxvYWRlZCBhdDoKICBodHRwOi8vY2RpbWFnZS51YnVudHUuY29tL3Vi
dW50dXN0dWRpby9yZWxlYXNlcy8xNy4xMC9iZXRhLTIvCgogIE1vcmUgaW5mb3JtYXRpb24gYWJv
dXQgVWJ1bnR1IFN0dWRpbyBGaW5hbCBCZXRhIGNhbiBiZSBmb3VuZCBoZXJlOgogIGh0dHBzOi8v
d2lraS51YnVudHUuY29tL0FydGZ1bEFhcmR2YXJrL0JldGEyL1VidW50dVN0dWRpbwoKWHVidW50
dToKICBYdWJ1bnR1IGlzIGEgZmxhdm9yIG9mIFVidW50dSB0aGF0IGNvbWVzIHdpdGggWGZjZSwg
d2hpY2ggaXMgYSBzdGFibGUsCiAgbGlnaHQgYW5kIGNvbmZpZ3VyYWJsZSBkZXNrdG9wIGVudmly
b25tZW50LgoKICBUaGUgRmluYWwgQmV0YSBpbWFnZXMgY2FuIGJlIGRvd25sb2FkZWQgYXQ6CiAg
aHR0cDovL2NkaW1hZ2UudWJ1bnR1LmNvbS94dWJ1bnR1L3JlbGVhc2VzLzE3LjEwL2JldGEtMi8K
CiAgTW9yZSBpbm9ybWF0aW9uIGFib3V0IFh1YnVudHUgRmluYWwgQmV0YSBjYW4gYmUgZm91bmQg
aGVyZToKICBodHRwOi8vd2lraS54dWJ1bnR1Lm9yZy9yZWxlYXNlcy8xNy4xMC9yZWxlYXNlLW5v
dGVzCgpSZWd1bGFyIGRhaWx5IGltYWdlcyBmb3IgVWJ1bnR1LCBhbmQgYWxsIGZsYXZvdXJzLCBj
YW4gYmUgZm91bmQgYXQ6CiAgaHR0cDovL2NkaW1hZ2UudWJ1bnR1LmNvbQoKVWJ1bnR1IGlzIGEg
ZnVsbC1mZWF0dXJlZCBMaW51eCBkaXN0cmlidXRpb24gZm9yIGNsaWVudHMsIHNlcnZlcnMgYW5k
CmNsb3Vkcywgd2l0aCBhIGZhc3QgYW5kIGVhc3kgaW5zdGFsbGF0aW9uIGFuZCByZWd1bGFyIHJl
bGVhc2VzLiAgQQp0aWdodGx5LWludGVncmF0ZWQgc2VsZWN0aW9uIG9mIGV4Y2VsbGVudCBhcHBs
aWNhdGlvbnMgaXMgaW5jbHVkZWQsCmFuZCBhbiBpbmNyZWRpYmxlIHZhcmlldHkgb2YgYWRkLW9u
IHNvZnR3YXJlIGlzIGp1c3QgYSBmZXcgY2xpY2tzCmF3YXkuCgpQcm9mZXNzaW9uYWwgdGVjaG5p
Y2FsIHN1cHBvcnQgaXMgYXZhaWxhYmxlIGZyb20gQ2Fub25pY2FsIExpbWl0ZWQgYW5kCmh1bmRy
ZWRzIG9mIG90aGVyIGNvbXBhbmllcyBhcm91bmQgdGhlIHdvcmxkLiAgRm9yIG1vcmUgaW5mb3Jt
YXRpb24KYWJvdXQgc3VwcG9ydCwgdmlzaXQgaHR0cDovL3d3dy51YnVudHUuY29tL3N1cHBvcnQK
CklmIHlvdSB3b3VsZCBsaWtlIHRvIGhlbHAgc2hhcGUgVWJ1bnR1LCB0YWtlIGEgbG9vayBhdCB0
aGUgbGlzdCBvZgp3YXlzIHlvdSBjYW4gcGFydGljaXBhdGUgYXQ6Cmh0dHA6Ly93d3cudWJ1bnR1
LmNvbS9jb21tdW5pdHkvcGFydGljaXBhdGUKCllvdXIgY29tbWVudHMsIGJ1ZyByZXBvcnRzLCBw
YXRjaGVzIGFuZCBzdWdnZXN0aW9ucyByZWFsbHkgaGVscCB1cyB0bwppbXByb3ZlIHRoaXMgYW5k
IGZ1dHVyZSByZWxlYXNlcyBvZiBVYnVudHUuICAgSW5zdHJ1Y3Rpb25zIGNhbiBiZQpmb3VuZCBh
dDogaHR0cHM6Ly9oZWxwLnVidW50dS5jb20vY29tbXVuaXR5L1JlcG9ydGluZ0J1Z3MKCllvdSBj
YW4gZmluZCBvdXQgbW9yZSBhYm91dCBVYnVudHUgYW5kIGFib3V0IHRoaXMgYmV0YSByZWxlYXNl
IG9uIG91cgp3ZWJzaXRlLCBJUkMgY2hhbm5lbCBhbmQgd2lraS4KClRvIHNpZ24gdXAgZm9yIGZ1
dHVyZSBVYnVudHUgYW5ub3VuY2VtZW50cywgcGxlYXNlIHN1YnNjcmliZSB0bwpVYnVudHUncyB2
ZXJ5IGxvdyB2b2x1bWUgYW5ub3VuY2VtZW50IGxpc3QgYXQ6CgogIGh0dHA6Ly9saXN0cy51YnVu
dHUuY29tL21haWxtYW4vbGlzdGluZm8vdWJ1bnR1LWFubm91bmNlCgpPbiBiZWhhbGYgb2YgdGhl
IFVidW50dSBSZWxlYXNlIFRlYW0sCgotLSAKxYF1a2FzeiAnc2lsMjEwMCcgWmVtY3phawogRm91
bmRhdGlvbnMgVGVhbQogbHVrYXN6LnplbWN6YWtAY2Fub25pY2FsLmNvbQogd3d3LmNhbm9uaWNh
bC5jb20KCi0tIAp1YnVudHUtYW5ub3VuY2UgbWFpbGluZyBsaXN0CnVidW50dS1hbm5vdW5jZUBs
aXN0cy51YnVudHUuY29tCk1vZGlmeSBzZXR0aW5ncyBvciB1bnN1YnNjcmliZSBhdDogaHR0cHM6
Ly9saXN0cy51YnVudHUuY29tL21haWxtYW4vbGlzdGluZm8vdWJ1bnR1LWFubm91bmNlCg==

The CentOS Atomic SIG has released an updated version
(https://wiki.centos.org/SpecialInterestGroup/Atomic/Download) of
CentOS Atomic Host (7.1708), a lean operating system designed to run
Docker containers, built from standard CentOS 7 RPMs, and tracking the
component versions included in Red Hat Enterprise Linux Atomic Host.

This release, which is based on the RHEL 7.4 source code
(https://seven.centos.org/2017/08/centos-linux-7-1708-based-on-rhel-7-4-source-code/),
includes an updated kernel that supports overlayfs container storage,
among other enhancements.

CentOS Atomic Host includes these core component versions:

* atomic-1.18.1-3.1.git0705b1b.el7.x86_64
* cloud-init-0.7.9-9.el7.centos.2.x86_64
* docker-1.12.6-48.git0fdc778.el7.centos.x86_64
* etcd-3.1.9-2.el7.x86_64
* flannel-0.7.1-2.el7.x86_64
* kernel-3.10.0-693.2.2.el7.x86_64
* kubernetes-node-1.5.2-0.7.git269f928.el7.x86_64
* ostree-2017.7-1.el7.x86_64
* rpm-ostree-client-2017.6-6.atomic.el7.x86_64

## OverlayFS Storage

In previous releases of CentOS Atomic Host, SELinux had to be in
permissive or disabled mode for OverlayFS storage to work. Now you can
run the OverlayFS file system with SELinux in enforcing mode. CentOS
Atomic Host still defaults to devicemapper storage, but you can switch
to OverlayFS using the following commands:

$ systemctl stop docker
$ atomic storage reset
# Reallocate space to the root VG – tweak how much to your liking
$ lvm lvextend -r -l +50%FREE atomicos/root
$ atomic storage modify –driver overlay2
$ systemctl start docker

For more information on storage management options, see the upstream
RHEL documentation
(https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html-single/managing_containers/#overlay_graph_driver).

## Containerized Master

CentOS Atomic Host ships without the kubernetes-master package built
into the image. For information on how to run these kubernetes
components as system containers, consult the CentOS wiki
(https://wiki.centos.org/SpecialInterestGroup/Atomic/Download).

If you prefer to run Kubernetes from installed rpms, you can layer the
master components onto your Atomic Host image using rpm-ostree package
layering with the command: atomic host install kubernetes-master -r.

## Download CentOS Atomic Host

CentOS Atomic Host is available as a VirtualBox or libvirt-formatted
Vagrant box, or as an installable ISO, qcow2 or Amazon Machine image.
For links to media, see the CentOS wiki
(https://wiki.centos.org/SpecialInterestGroup/Atomic/Download).

## Upgrading

If you’re running a previous version of CentOS Atomic Host, you can
upgrade to the current image by running the following command:

$ sudo atomic host upgrade

## Release Cycle

The CentOS Atomic Host image follows the upstream Red Hat Enterprise
Linux Atomic Host cadence. After sources are released, they’re rebuilt
and included in new images. After the images are tested by the SIG and
deemed ready, we announce them.

## Getting Involved

CentOS Atomic Host is produced by the CentOS Atomic SIG
(http://wiki.centos.org/SpecialInterestGroup/Atomic), based on
upstream work from Project Atomic (http://www.projectatomic.io/). If
you’d like to work on testing images, help with packaging,
documentation — join us!

The SIG meets every two weeks on Tuesday at 04:00 UTC in
#centos-devel, and on the alternating weeks, meets as part of the
Project Atomic community meeting at 16:00 UTC on Monday in the #atomic
channel. You’ll often find us in #atomic and/or #centos-devel if you
have questions. You can also join the atomic-devel
(https://lists.projectatomic.io/mailman/listinfo/atomic-devel) mailing
list if you’d like to discuss the direction of Project Atomic, its
components, or have other questions.

## Getting Help

If you run into any problems with the images or components, feel free
to ask on the centos-devel
(http://lists.centos.org/mailman/listinfo/centos-devel) mailing list.

Have questions about using Atomic? See the atomic
(https://lists.projectatomic.io/mailman/listinfo/atomic) mailing list
or find us in the #atomic channel on Freenode.
_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

–===============1845581788974842030==
Content-Language: en-US
Content-Type: multipart/alternative;
boundary=”_000_DM2PR0501MB100219690EEC4C905368F849B9600DM2PR0501MB1002_”

–_000_DM2PR0501MB100219690EEC4C905368F849B9600DM2PR0501MB1002_
Content-Type: text/plain; charset=”iso-8859-1″
Content-Transfer-Encoding: quoted-printable

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

– ———————————————————————–

VMware Security Advisory

Advisory ID: VMSA-2017-0015.2
Severity: Critical
Synopsis: VMware ESXi, vCenter Server, Fusion & Workstation updates
resolve multiple security vulnerabilities
Issue date: 2017-09-14
Updated on: 2017-09-18
CVE number: CVE-2017-4924, CVE-2017-4925, CVE-2017-4926

1. Summary

VMware ESXi, vCenter Server, Fusion and Workstation updates resolve
multiple security vulnerabilities.

2. Relevant Products

VMware ESXi (ESXi)
VMware vCenter Server
VMware Fusion Pro / Fusion (Fusion)
VMware Workstation Pro / Player (Workstation)

3. Problem Description

a. Out-of-bounds write vulnerability in SVGA

VMware ESXi, Workstation & Fusion contain an out-of-bounds write
vulnerability in SVGA device. This issue may allow a guest to
execute code on the host.

VMware would like to thank Nico Golde and Ralf-Philipp Weinmann of
Comsecuris UG (haftungsbeschraenkt) working with ZDI for reporting
this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2017-4924 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/ Mitigation
Product Version on Severity Apply patch Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=
=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
ESXi 6.5 ESXi Critical ESXi650-201707101-SG None
ESXi 6.0 ESXi N/A Not affected N/A
ESXi 5.5 ESXi N/A Not affected N/A
Workstation 12.x Any Critical 12.5.7 None
Fusion 8.x OS X Critical 8.5.8 None

b. Guest RPC NULL pointer dereference vulnerability

VMware ESXi, Workstation & Fusion contain a NULL pointer dereference
vulnerability. This issue occurs when handling guest RPC requests.
Successful exploitation of this issue may allow attackers with
normal user privileges to crash their VMs.

VMware would like to thank Zhang Haitao for reporting this issue
to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2017-4925 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/ Mitigation
Product Version on Severity Apply patch Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=
=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
ESXi 6.5 ESXi Moderate ESXi650-201707101-SG None
ESXi 6.0 ESXi Moderate ESXi600-201706101-SG None
ESXi 5.5 ESXi Moderate ESXi550-201709101-SG None
Workstation 12.x Any Moderate 12.5.3 None
Fusion 8.x OS X Moderate 8.5.4 None

c. Stored XSS in H5 Client

vCenter Server H5 Client contains a vulnerability that may allow for
stored cross-site scripting (XSS). An attacker with VC user
privileges can inject malicious java-scripts which will get executed
when other VC users access the page.

VMware would like to thank Thomas Ornetzeder for reporting this
issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2017-4926 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/ Mitigation
Product Version on Severity Apply patch Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D =3D=3D=
=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
vCenter Server 6.5 Any Moderate 6.5 U1 None
vCenter Server 6.0 Any N/A Not affected N/A
vCenter Server 5.5 Any N/A Not affected N/A

4. Solution

Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.

ESXi 6.5
————-
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2149933

ESXi 6.0
————-
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2149960

ESXi 5.5
————
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2150876

VMware vCenter Server 6.5 U1
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=3DVC65U1
&productId=3D614&rPId=3D17343
Documentation:
https://docs.vmware.com/en/VMware-vSphere/index.html

VMware Workstation Pro 12.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://www.vmware.com/support/pubs/ws_pubs.html

VMware Workstation Player 12.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://www.vmware.com/support/pubs/player_pubs.html

VMware Workstation Pro 12.5.3
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://www.vmware.com/support/pubs/ws_pubs.html

VMware Workstation Player 12.5.3
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://www.vmware.com/support/pubs/player_pubs.html

VMware Fusion Pro / Fusion 8.5.8
Downloads and Documentation
https://www.vmware.com/go/downloadfusion
https://www.vmware.com/support/pubs/fusion_pubs.html

VMware Fusion Pro / Fusion 8.5.4
Downloads and Documentation
https://www.vmware.com/go/downloadfusion
https://www.vmware.com/support/pubs/fusion_pubs.html

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-4924
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-4925
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-4926

– ————————————————————————

6. Change log

2017-09-14 VMSA-2017-0015
Initial security advisory in conjunction with the release of VMware
ESXi 5.5 patches on 2017-09-14

2017-09-15 VMSA-2017-0015.1 Corrected the underlying component
affected from SVGA driver to device.

2017-09-18 VMSA-2017-0015.2 Updated the security advisory to reflect
the correct platform for the XSS issue 3(c).

– ————————————————————————
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
Tweets by VMwareSRC

Copyright 2017 VMware Inc. All rights reserved.

—–BEGIN PGP SIGNATURE—–
Version: Encryption Desktop 10.4.1 (Build 490)
Charset: utf-8

wj8DBQFZwKbaDEcm8Vbi9kMRArZ4AJ4x3UZXWhnMjiM6bWm3+AbVOWL1/gCeME1g
Zm6b0n/dE8r06O+chFE3E9k=3D
=3DNJvM
—–END PGP SIGNATURE—–

–_000_DM2PR0501MB100219690EEC4C905368F849B9600DM2PR0501MB1002_
Content-Type: text/html; charset=”iso-8859-1″
Content-Transfer-Encoding: quoted-printable

–_000_DM2PR0501MB100219690EEC4C905368F849B9600DM2PR0501MB1002_–

–===============1845581788974842030==
Content-Type: text/plain; charset=”us-ascii”
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
https://lists.vmware.com/mailman/listinfo/security-announce

–===============1845581788974842030==–