Dovecot v2.2.31 released

The following information has been provided by the Dovecot-news mailing list.

https://dovecot.org/releases/2.2/dovecot-2.2.31.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.31.tar.gz.sig

This should be a great and stable release for the summer 🙂 v2.2.32 is planned for the end of August. Hopefully soon afterwards we can get back to v2.3.

* LMTP: Removed “(Dovecot)” from added Received headers. Some
installations want to hide it, and there’s not really any good reason
for anyone to have it.

+ Add ssl_alt_cert and ssl_alt_key settings to add support for
having both RSA and ECDSA certificates.
+ dsync/imapc, pop3-migration plugin: Strip trailing whitespace from
headers when matching mails. This helps with migrations from Zimbra.
+ acl: Add acl_globals_only setting to disable looking up
per-mailbox dovecot-acl files.
+ Parse invalid message addresses better. This mainly affects the
generated IMAP ENVELOPE replies.
– v2.2.30 wasn’t fixing corrupted dovecot.index.cache files properly.
It could have deleted wrong mail’s cache or assert-crashed.
– v2.2.30 mail-crypt-acl plugin was assert-crashing
– v2.2.30 welcome plugin wasn’t working
– Various fixes to handling mailbox listing. Especially related to
handling nonexistent autocreated/autosubscribed mailboxes and ACLs.
– Global ACL file was parsed as if it was local ACL file. This caused
some of the ACL rule interactions to not work exactly as intended.
– auth: forward_* fields didn’t work properly: Only the first forward
field was working, and only if the first passdb lookup succeeded.
– Using mail_sort_max_read_count sometimes caused “Broken sort-*
indexes, resetting” errors.
– Using mail_sort_max_read_count may have caused very high CPU usage.
– Message address parsing could have crashed on invalid input.
– imapc_features=fetch-headers wasn’t always working correctly and
caused the full header to be fetched.
– imapc: Various bugfixes related to connection failure handling.
– quota=imapc sent unnecessary FETCH RFC822.SIZE to server when
expunging mails.
– quota=count: quota_warning = -storage=.. was never executed
– quota=count: Add support for “ns” parameter
– dsync: Fix incremental syncing for mails that don’t have Date or
Message-ID headers.
– imap: Fix hang when client sends pipelined SEARCH +
EXPUNGE/CLOSE/LOGOUT.
– oauth2: Token validation didn’t accept empty server responses.
– imap: NOTIFY command has been almost completely broken since the
beginning. I guess nobody has been trying to use it.

Released Pigeonhole v0.4.19 for Dovecot v2.2.31

The following information has been provided by the Dovecot-news mailing list.

Hello Dovecot users,

Here’s the definitive 0.4.19 release. There is one additional fix.

Changelog v0.4.19:

* This release adjusts Pigeonhole to several changes in the Dovecot API,
making it depend on Dovecot v2.2.31. Previous versions of Pigeonhole
will produce compile warnings with the recent Dovecot releases (but
still work ok).
– Fixed bug in handling of implicit keep in some cases. Implicit
side-effects, such as assigned flags, were not always applied
correctly. This is in essence a very old bug, but it was exposed by
recent changes.
– include extension: Fixed segfault that (sometimes) occurred when the
global script location was left unconfigured.

The release is available as follows:

https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.19.tar.gz
https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.19.tar.gz.sig

Refer to http://pigeonhole.dovecot.org and the Dovecot v2.x wiki for
more information. Have fun testing this release and don’t hesitate to
notify me when there are any problems.

Varnish Cache 4.1.7 released

The following information has been provided by the varnish-announce mailing list.

Dear Varnish community

We have now made available version 4.1.7, and it can be found here:

https://repo.varnish-cache.org/source/varnish-4.1.7.tar.gz

Packages will be made available in the official repositories today.

The long standing issue 1746 (see
https://github.com/varnishcache/varnish-cache/issues/1764) has been
fixed in the 4.1 branch, and this fix will change how Varnish behaves in
certain circumstances.

Before 4.1.7-beta1, the nuke_limit parameter was ignored, so a varnish
instance could nuke any number of objects to make room for a new big
object. From 4.1.7-beta1, only a limited number of objects will be
nuked before Varnish gives up and decides there is no room for the new
object.

The default nuke_limit is 10, and this number is high enough to not
affect most users. However, if you want to make sure that the
behavior is not changed when upgrading, you should set the value much
higher.

FortiTester 3.0.0

FortiTester 3.0.0 B0005 and release notes are available for download from the Support site: https://support.fortinet.com

This concerns the following models:

  • FTS_2000D_HWID_01, FTS_3000E_HWID_01, FTS_VM_HWID_01

Source: Fortinet Firmware

Apache HTTP Server 2.4.26 Released

The following information has been obtained from: http://www.apache.org/dist/httpd/Announcement2.4.html

June 19, 2017

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.26 of the Apache HTTP Server (“Apache”). This version of Apache is our latest GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is recommended over all previous releases. This release of Apache is a security, feature, and bug fix release.

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.4.26 is available for download from:

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.4 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.4.26 includes only those changes introduced since the prior 2.4 release. A summary of all of the security vulnerabilities addressed in this and earlier releases is available:

http://httpd.apache.org/security/vulnerabilities_24.html

This release requires the Apache Portable Runtime (APR), minimum version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may require the 1.6.x version of both APR and APR-Util. The APR libraries must be upgraded for all features of httpd to operate correctly.

Apache HTTP Server 2.4 provides a number of improvements and enhancements over the 2.2 version. A listing and description of these features is available via:

http://httpd.apache.org/docs/2.4/new_features_2_4.html

This release builds on and extends the Apache 2.2 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.4, and require minimal or no source code changes.

http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/VERSIONING

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.

Please note that Apache Web Server Project will only provide maintenance releases of the 2.2.x flavor through June of 2017, and will provide some security patches beyond this date through at least December of 2017. Minimal maintenance patches of 2.2.x are expected throughout this period, and users are strongly encouraged to promptly complete their transitions to the 2.4.x flavor of httpd to benefit from a much larger assortment of minor security and bug fixes as well as new features.

CVE-2017-0077

CVE: CVE-2017-0077
Published: 2017-05-12T14:29Z
Vendor: microsoft
Products:
  • windows_10 (versions: 1607, 1511, -, 1703)
  • windows_server_2012 (versions: r2, -)
  • windows_8.1 (versions: *)
  • windows_server_2008 (versions: r2, *)
  • windows_server_2016 (versions: -)
  • windows_rt_8.1 (versions: *)
  • windows_7 (versions: *)
Description Language: en
Description: The kernel-mode drivers in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow a local authenticated attacker to execute a specially crafted application to obtain information, or in Windows 7 and later, cause denial of service, aka “Win32k Information Disclosure Vulnerability.”
References:
http://www.securityfocus.com/bid/98114
http://www.securitytracker.com/id/1038454
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0077

CVE-2017-0064

CVE: CVE-2017-0064
Published: 2017-05-12T14:29Z
Vendor: microsoft
Products:
  • internet_explorer (versions: 9, 11, 10)
Description Language: en
Description: A security feature bypass vulnerability exists in Internet Explorer that allows for bypassing Mixed Content warnings, aka “Internet Explorer Security Feature Bypass Vulnerability.”
References:
http://www.securityfocus.com/bid/98121
http://www.securitytracker.com/id/1038447
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0064

CVE-2017-0058

CVE: CVE-2017-0058
Published: 2017-04-12T14:59Z
Vendor: microsoft
Products:
  • windows_server_2012 (versions: r2, *)
  • windows_10 (versions: 1607, *, 1703, 1511)
  • windows_8.1 (versions: *)
  • windows_server_2008 (versions: r2, *)
  • windows_server_2016 (versions: *)
  • windows_rt_8.1 (versions: *)
  • windows_vista (versions: *)
  • windows_7 (versions: *)
Description Language: en
Description: A Win32k information disclosure vulnerability exists in Microsoft Windows when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system, aka “Win32k Information Disclosure Vulnerability.”
References:
http://www.securityfocus.com/bid/97462
http://www.securitytracker.com/id/1038239
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0058
https://www.exploit-db.com/exploits/41879/

CVE-2017-0082

CVE: CVE-2017-0082
Published: 2017-03-17T00:59Z
Vendor: microsoft
Products:
  • windows_10 (versions: 1511, -)
Description Language: en
Description: The kernel-mode drivers in Microsoft Windows 10 Gold and 1511 allow local users to gain privileges via a crafted application, aka “Win32k Elevation of Privilege Vulnerability.” This vulnerability is different from those described in CVE-2017-0024, CVE-2017-0026, CVE-2017-0056, CVE-2017-0078, CVE-2017-0079, CVE-2017-0080, and CVE-2017-0081.
References:
http://www.securityfocus.com/bid/96635
http://www.securitytracker.com/id/1038017
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0082

CVE-2017-0081

CVE: CVE-2017-0081
Published: 2017-03-17T00:59Z
Vendor: microsoft
Products:
  • windows_10 (versions: 1607, 1511, -)
  • windows_server_2012 (versions: r2, -)
  • windows_8.1 (versions: *)
  • windows_server_2016 (versions: *)
  • windows_rt_8.1 (versions: *)
Description Language: en
Description: The kernel-mode drivers in Microsoft Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allow local users to gain privileges via a crafted application, aka “Win32k Elevation of Privilege Vulnerability.” This vulnerability is different from those described in CVE-2017-0024, CVE-2017-0026, CVE-2017-0056, CVE-2017-0078, CVE-2017-0079, CVE-2017-0080, CVE-2017-0082.
References:
http://www.securityfocus.com/bid/96634
http://www.securitytracker.com/id/1038017
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0081

CVE-2017-0080

CVE: CVE-2017-0080
Published: 2017-03-17T00:59Z
Vendor: microsoft
Products:
  • windows_10 (versions: 1607, 1511, -)
  • windows_server_2016 (versions: *)
Description Language: en
Description: The kernel-mode drivers in Microsoft Windows 10 Gold, 1511, and 1607 and Windows Server 2016 allow local users to gain privileges via a crafted application, aka “Win32k Elevation of Privilege Vulnerability.” This vulnerability is different from those described in CVE-2017-0024, CVE-2017-0026, CVE-2017-0056, CVE-2017-0078, CVE-2017-0079, CVE-2017-0081, and CVE-2017-0082.
References:
http://www.securityfocus.com/bid/96633
http://www.securitytracker.com/id/1038017
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0080

CVE-2017-0079

CVE: CVE-2017-0079
Published: 2017-03-17T00:59Z
Vendor: microsoft
Products:
  • windows_10 (versions: 1607, 1511, -)
  • windows_server_2012 (versions: r2)
  • windows_8.1 (versions: *)
  • windows_rt_8.1 (versions: *)
Description Language: en
Description: The kernel-mode drivers in Windows 8.1; Windows Server 2012 R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka “Win32k Elevation of Privilege Vulnerability.” This vulnerability is different from those described in CVE-2017-0024, CVE-2017-0026, CVE-2017-0056, CVE-2017-0078, CVE-2017-0080, CVE-2017-0081, and CVE-2017-0082.
References:
http://www.securityfocus.com/bid/96632
http://www.securitytracker.com/id/1038017
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0079

CVE-2017-0078

CVE: CVE-2017-0078
Published: 2017-03-17T00:59Z
Vendor: microsoft
Products:
  • windows_10 (versions: 1607, 1511, -)
  • windows_server_2012 (versions: r2, -)
  • windows_8.1 (versions: *)
  • windows_server_2016 (versions: *)
  • windows_rt_8.1 (versions: *)
Description Language: en
Description: The kernel-mode drivers in Microsoft Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allow local users to gain privileges via a crafted application, aka “Win32k Elevation of Privilege Vulnerability.” This vulnerability is different from those described in CVE-2017-0024, CVE-2017-0026, CVE-2017-0056, CVE-2017-0079, CVE-2017-0080, CVE-2017-0081, CVE-2017-0082.
References:
http://www.securityfocus.com/bid/96631
http://www.securitytracker.com/id/1038017
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0078

CVE-2017-0076

CVE: CVE-2017-0076
Published: 2017-03-17T00:59Z
Vendor: microsoft
Products:
  • windows_10 (versions: 1607, *, 1511)
  • windows_server_2012 (versions: r2, *)
  • windows_vista (versions: *)
  • windows_8.1 (versions: *)
  • windows_server_2008 (versions: *, r2)
  • windows_server_2016 (versions: *)
  • windows_7 (versions: *)
Description Language: en
Description: Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and 2008 R2; Windows 7 SP1; Windows 8.1; Windows Server 2012 and R2; Windows 10, 1511, and 1607; and Windows Server 2016 allows guest OS users, running as virtual machines, to cause a denial of service via a crafted application, aka “Hyper-V Denial of Service Vulnerability.” This vulnerability is different from those described in CVE-2017-0098, CVE-2017-0074, CVE-2017-0097, and CVE-2017-0099.
References:
http://www.securityfocus.com/bid/96636
http://www.securitytracker.com/id/1037999
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0076

CVE-2017-0075

CVE: CVE-2017-0075
Published: 2017-03-17T00:59Z
Vendor: microsoft
Products:
  • windows_10 (versions: 1607, 1511, -)
  • windows_server_2012 (versions: r2, -)
  • windows_vista (versions: *)
  • windows_8.1 (versions: *)
  • windows_server_2008 (versions: r2, *)
  • windows_server_2016 (versions: *)
  • windows_7 (versions: *)
Description Language: en
Description: Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows guest OS users to execute arbitrary code on the host OS via a crafted application, aka “Hyper-V Remote Code Execution Vulnerability.” This vulnerability is different from that described in CVE-2017-0109.
References:
http://www.securityfocus.com/bid/96698
http://www.securitytracker.com/id/1037999
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0075

CVE-2017-0074

CVE: CVE-2017-0074
Published: 2017-03-17T00:59Z
Vendor: microsoft
Products:
  • windows_10 (versions: 1607, *, 1511)
  • windows_server_2012 (versions: r2, *)
  • windows_vista (versions: *)
  • windows_8.1 (versions: *)
  • windows_server_2008 (versions: *, r2)
  • windows_server_2016 (versions: *)
  • windows_7 (versions: *)
Description Language: en
Description: Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and 2008 R2; Windows 7 SP1; Windows 8.1; Windows Server 2012 and R2; Windows 10, 1511, and 1607; and Windows Server 2016 allows guest OS users, running as virtual machines, to cause a denial of service via a crafted application, aka “Hyper-V Denial of Service Vulnerability.” This vulnerability is different from those described in CVE-2017-0098, CVE-2017-0076, CVE-2017-0097, and CVE-2017-0099.
References:
http://www.securityfocus.com/bid/96641
http://www.securitytracker.com/id/1037999
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0074

CVE-2017-0073

CVE: CVE-2017-0073
Published: 2017-03-17T00:59Z
Vendor: microsoft
Products:
  • windows_10 (versions: 1607, 1511, -)
  • windows_server_2012 (versions: r2, -)
  • windows_vista (versions: *)
  • windows_8.1 (versions: *)
  • windows_server_2008 (versions: r2, *)
  • windows_rt_8.1 (versions: *)
  • windows_7 (versions: *)
Description Language: en
Description: The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka “Windows GDI+ Information Disclosure Vulnerability.” This vulnerability is different from those described in CVE-2017-0060 and CVE-2017-0062.
References:
http://www.securityfocus.com/bid/96637
http://www.securitytracker.com/id/1038002
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0073

CVE-2017-0072

CVE: CVE-2017-0072
Published: 2017-03-17T00:59Z
Vendor: microsoft
Products:
  • windows_vista (versions: *)
  • windows_server_2008 (versions: r2, *)
  • windows_7 (versions: *)
Description Language: en
Description: Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka “Uniscribe Remote Code Execution Vulnerability.” This vulnerability is different from those described in CVE-2017-0083, CVE-2017-0084, CVE-2017-0086, CVE-2017-0087, CVE-2017-0088, CVE-2017-0089, and CVE-2017-0090.
References:
http://www.securityfocus.com/bid/96599
http://www.securitytracker.com/id/1037992
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0072
https://www.exploit-db.com/exploits/41654/

CVE-2017-0071

CVE: CVE-2017-0071
Published: 2017-03-17T00:59Z
Vendor: microsoft
Products:
  • edge (versions: -)
Description Language: en
Description: A remote code execution vulnerability exists in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft browsers. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability is different from those described in CVE-2017-0010, CVE-2017-0015, CVE-2017-0032, CVE-2017-0035, CVE-2017-0067, CVE-2017-0070, CVE-2017-0094, CVE-2017-0131, CVE-2017-0132, CVE-2017-0133, CVE-2017-0134, CVE-2017-0136, CVE-2017-0137, CVE-2017-0138, CVE-2017-0141, CVE-2017-0150, and CVE-2017-0151.
References:
http://www.securityfocus.com/bid/96681
http://www.securitytracker.com/id/1038006
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0071

CVE-2017-0070

CVE: CVE-2017-0070
Published: 2017-03-17T00:59Z
Vendor: microsoft
Products:
  • edge (versions: -)
Description Language: en
Description: A remote code execution vulnerability exists in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft browsers. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability is different from those described in CVE-2017-0010, CVE-2017-0015, CVE-2017-0032, CVE-2017-0035, CVE-2017-0067, CVE-2017-0071, CVE-2017-0094, CVE-2017-0131, CVE-2017-0132, CVE-2017-0133, CVE-2017-0134, CVE-2017-0136, CVE-2017-0137, CVE-2017-0138, CVE-2017-0141, CVE-2017-0150, and CVE-2017-0151.
References:
http://www.securityfocus.com/bid/96690
http://www.securitytracker.com/id/1038006
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0070
https://www.exploit-db.com/exploits/41623/