forked from pool/dovecot23
Marcus Rueckert
36e64eaff2
OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=11
-------------------------------------------------------------------
Wed Mar 7 12:10:44 UTC 2018 - mrueckert@suse.de

- update license to SPDX-3

-------------------------------------------------------------------
Tue Mar 6 19:28:49 UTC 2018 - mrueckert@suse.de

- update pigeonhole to 0.5.0.1
  - imap4flags extension: Fix binary corruption occurring when
    setflag/addflag/removeflag flag-list is a variable.
  - sieve-extprograms plugin: Fix segfault occurring when used in
    IMAPSieve context.
- drop 321a39be974deb2e7eff7b2a509a3ee6ff2e5ae1.patch

-------------------------------------------------------------------
Tue Mar 6 17:54:58 UTC 2018 - mrueckert@suse.de

- pull backport patch dovecot-2.3.0.1-over-quota-lmtp-crash.patch

-------------------------------------------------------------------
Tue Mar 6 13:48:50 UTC 2018 - mrueckert@suse.de

- update to 2.3.0.1
  * CVE-2017-15130: TLS SNI config lookups may lead to excessive
    memory usage, causing imap-login/pop3-login VSZ limit to be
    reached and the process restarted. This happens only if Dovecot
    config has local_name { } or local { } configuration blocks and
    attacker uses randomly generated SNI servernames. (boo#1082828)
  * CVE-2017-14461: Parsing invalid email addresses may cause a
    crash or leak memory contents to attacker. For example, these
    memory contents might contain parts of an email from another
    user if the same imap process is reused for multiple users.
    First discovered by Aleksandar Nikolic of Cisco Talos.
    Independently also discovered by "flxflndy" via HackerOne.
    (boo#1082826)
  * CVE-2017-15132: Aborted SASL authentication leaks memory in
    login process. (boo#1075608)
  * Linux: Core dumping is no longer enabled by default via
    PR_SET_DUMPABLE, because this may allow attackers to bypass
    chroot/group restrictions. Found by cPanel Security Team.
    Nowadays core dumps can be safely enabled by using "sysctl -w
    fs.suid_dumpable=2". If the old behaviour is wanted, it can
    still be enabled by setting:
      import_environment=$import_environment PR_SET_DUMPABLE=1
  - imap-login with SSL/TLS connections may end up in infinite loop

-------------------------------------------------------------------
Mon Dec 25 22:39:53 UTC 2017 - jengelh@inai.de

- Replace %__-type macro indirections.
  Replace xargs rm by built in -delete of find(1).
- Run ldconfig directly via %post -p.
- Check for users in %pre before creating them, and do not suppress
  errors about it.

-------------------------------------------------------------------
Mon Dec 25 18:47:35 UTC 2017 - mrueckert@suse.de

- backport 321a39be974deb2e7eff7b2a509a3ee6ff2e5ae1.patch
  fixes crash with imap sieve

-------------------------------------------------------------------
Sun Dec 24 02:04:25 UTC 2017 - mrueckert@suse.de

- Move the example-config + mkcert.sh to /usr/share/dovecot
  This makes the files no longer documentation and they actually
  exist on e.g. our docker image, where rpms are installed without
  documentation. (boo#1070871)

-------------------------------------------------------------------
Wed Dec 20 10:32:23 UTC 2017 - mrueckert@suse.de

- starting 2.3 package based on the latest 2.2 branch

  There are several new and exciting features in v2.3.0. I'm
  especially happy about the new logging and statistics code, which
  will allow us to generate statistics for just about everything.
  We didn't have time to implement everything we wanted for them
  yet, and there especially aren't all that many logging events yet
  that can be used for statistics. We'll implement those to v2.3.1,
  which might also mean that some of the APIs might still change in
  v2.3.1 if that's required.

  We also have new lib-smtp server code, which was used to
  implement SMTP submission server and do a partial rewrite for
  LMTP server.

  Some of the larger changes:

  * Various setting changes, see

    https://wiki2.dovecot.org/Upgrading/2.3

    If you upgrade from 2.2: Config file changes:
    - Removed:
      /etc/dovecot/conf.d/11-object-storage.conf
    - Added:
      /etc/dovecot/conf.d/20-submission.conf

  * Logging rewrite started: Logging is now based on hierarchical
    events. This makes it possible to do various things, like: 1)
    giving consistent log prefixes, 2) enabling debug logging with
    finer granularity, 3) provide logs in more machine readable
    formats (e.g. json). Everything isn't finished yet, especially
    a lot of the old logging code still needs to be translated to
    the new way.
  * Statistics rewrite started: Stats are now based on (log)
    events. It's possible to gather statistics about any event
    that is logged. See http://wiki2.dovecot.org/Statistics for
    details
  * ssl_dh setting replaces the old generated ssl-parameters.dat
  * IMAP: When BINARY FETCH finds a broken mail, send [PARSE]
    error instead of [UNKNOWNCTE]
  * Linux: core dumping via PR_SET_DUMPABLE is no longer enabled
    by default due to potential security reasons (found by cPanel
    Security Team).

  + Added support for SMTP submission proxy server, which
    includes support for BURL and CHUNKING extension.
  + LMTP rewrite. Supports now CHUNKING extension and mixing of
    local/proxy recipients.
  + auth: Support libsodium to add support for ARGON2I and
    ARGON2ID password schemes.
  + auth: Support BLF-CRYPT password scheme in all platforms
  + auth: Added LUA scripting support for passdb/userdb.
    See https://wiki2.dovecot.org/AuthDatabase/Lua
  - Input streams are more reliable now when there are errors or
    when the maximum buffer size is reached. Previously in some
    situations this could have caused Dovecot to try to read
    already freed memory.
  - Output streams weren't previously handling failures when
    writing a trailer at the end of the stream. This mainly
    affected encrypt and zlib compress ostreams, which could have
    silently written truncated files if the last write happened to
    fail (which shouldn't normally have ever happened).
  - virtual plugin: Fixed panic when fetching mails from virtual
    mailboxes with IMAP BINARY extension.
  - doveadm-server: Fix potential hangs with SSL connections
  - doveadm proxy: Reading commands' output from v2.2.33+ servers
    could have caused the output to be corrupted or caused a
    crash.
  - Many other smaller fixes
- patches:
  - dovecot-2.3.0-better_ssl_defaults.patch
  - dovecot-2.3.0-dont_use_etc_ssl_certs.patch