./mail/dovecot2, Secure IMAP and POP3 server

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 2.3.9.3, Package name: dovecot-2.3.9.3, Maintainer: adam

Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems,
written with security primarily in mind. Dovecot is an excellent choice for both
small and large installations. It's fast, simple to set up, requires no special
administration and it uses very little memory.


Required to run:
[shells/bash] [security/openssl] [archivers/lz4]

Required to build:
[pkgtools/cwrappers]

Package options: kqueue, pam, ssl, tcpwrappers

Master sites:

SHA1: b1ab4fc2dcb6f4854b6f0cab535e35ac0bb977f5
RMD160: 970d17c225e1cd480b9cf7ab0420cd12f44852a5
Filesize: 7013.361 KB

Version history: (Expand)


CVS history: (Expand)


   2020-02-12 15:01:59 by Takahiro Kambe | Files touched by this commit (4) | Package updated
Log message:
mail/dovecot2: update to 2.3.9.3

Update dovecot2 to 2.3.9.3, security release.

v2.3.9.3 2019-02-12  Aki Tuomi <aki.tuomi@open-xchange.com>

	* CVE-2020-7046: Truncated UTF-8 can be used to DoS
	  submission-login and lmtp processes.
	* CVE-2020-7957: Specially crafted mail can crash snippet generation.
   2020-01-25 11:45:12 by Jonathan Perkin | Files touched by this commit (24)
Log message:
*: Remove obsolete BUILDLINK_API_DEPENDS.openssl.
   2020-01-18 22:51:16 by Jonathan Perkin | Files touched by this commit (1836)
Log message:
*: Recursive revision bump for openssl 1.1.1.
   2019-12-13 16:32:15 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
mail/dovecot2: update to 2.3.9.2

Update doveot2 to 2.3.9.2, previous fix for CVE-2019-19722 was partial fix.

v2.3.9.2 2019-12-13  Aki Tuomi <aki.tuomi@open-xchange.com>

	- Mails with empty From/To headers can also cause crash
	  in push notification drivers.
   2019-12-13 14:06:11 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
dovecot2: updated to 2.3.9.1

2.3.9.1:
* CVE-2019-19722: Mails with group addresses in From or To fields caused
  crash in push notification drivers.
   2019-12-05 10:34:06 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
dovecot2: updated to 2.3.9

v2.3.9:
* Changed several event field names for consistency and to avoid
  conflicts in parent-child event relationships:
   * SMTP server command events: Renamed "name" to "cmd_name"
   * Events inheriting from a mailbox: Renamed "name" to \ 
"mailbox"
   * Server connection events have only "remote_ip", \ 
"remote_port",
     "local_ip" and "local_port".
   * Removed duplicate "client_ip", "ip" and "port".
   * Mail storage events: Removed "service" field.
     Use "service:<name>" category instead.
   * HTTP client connection events: Renamed "host" to \ 
"dest_host" and
     "port" to "dest_port"
* auth: Drop Postfix socketmap support. It hasn't been working
  with recent Postfix versions for a while now.
* push-notification-lua: The "subject" field is now decoded to UTF8
  instead of kept as MIME-encoded.
+ push-notification-lua: Added new "from_address", \ 
"from_display_name",
  "to_address" and "to_display_name" fields. The display \ 
names are
  decoded to UTF8.
+ Added various new fields to existing events.
  See http://doc.dovecot.net/admin_manual/list_of_events.html
+ Add lmtp_add_received_header setting. It can be used to prevent LMTP
  from adding "Received:" headers.
+ doveadm: Support SSL/STARTTLS for proxied doveadm connections based on
  doveadm_ssl setting and proxy ssl/tls settings.
+ Log filters support now "service:<name>", which matches all \ 
events for
  the given service. It can also be used as a category.
+ lib: Use libunwind to get abort backtraces with function names
  where available.
+ lmtp: When the LMTP proxy changes the username (from passdb lookup)
  add an appropriate ORCPT parameter.
- lmtp: Add lmtp_client_workarounds setting to implement workarounds for
  clients that send MAIL and RCPT commands with additional spaces before
  the path and for clients that omit <> brackets around the path.
  See example-config/conf.d/20-lmtp.conf.
- lda/lmtp: Invalid MAIL FROM addresses were rejcted too aggressively.
  Now mails from addresses with unicode characters are delivered, but
  their Return-Path header will be <> instead of the given MAIL FROM
  address.
- lmtp: The lmtp_hdr_delivery_address setting is ignored.
- imap: imap_command_finished event's "args" and \ 
"human_args" parameters
  were always empty.
- mbox: Seeking in zlib and bzip2 compressed input streams didn't work
  correctly.
- imap-hibernate: Process crashed when client got destroyed while it was
  attempted to be unhibernated, and the unhibernation fails.
- *-login: Proxying may have crashed if SSL handshake to the backend
  failed immediately. This was unlikely to happen in normal operation.
- *-login: If TLS handshake to upstream server failed during proxying,
  login process could crash due to invalid memory access.
- *-login: v2.3 regression: Using SASL authentication without initial
  response may have caused SSL connections to hang. This happened often
  at least with PHP's IMAP library.
- *-login: When login processes are flooded with authentication attempts
  it starts logging errors about "Authentication server sent unknown id".
  This is still expected. However, it also caused the login process to
  disconnect from auth server and potentially log some user's password
  in the error message.
- dict-sql: SQL prepared statements were not shared between sessions.
  This resulted in creating a lot of prepared statements, which was
  especially inefficient when using Cassandra backend with a lot of
  Cassandra nodes.
- auth: auth_request_finished event didn't have success=yes parameter
  set for successful authentications.
- auth: userdb dict - Trying to list users crashed.
- submission: Service could be configured to allow anonymous
  authentication mechanism and anonymous user access.
- LAYOUT=index: Corrupted dovecot.list.index caused folder creation to
  panic.
- doveadm: HTTP server crashes if request target starts with double "/".
- dsync: Remote dsync started hanging if the initial doveadm
  "dsync-server" command was sent in the same TCP packet as the
  following dsync handshake. v2.3.8 regression.
- lib: Several "input streams" had a bug that in some rare situations
  might cause it to access freed memory. This could lead to crashes or
  corruption.
  The only currently known effect of this is that using zlib plugin with
  external mail attachments (mail_attachment_dir) could cause fetching
  the mail to return a few bytes of garbage data at the beginning of the
  header. Note that the mail wasn't saved corrupted, but fetching it
  caused corrupted mail to be sent to the client.
- lib-storage: If a mail only has quoted content, use the quoted text
  for generating message snippet (IMAP PREVIEW) instead of returning
  empty snippet.
- lib-storage: When vsize header was rebuilt, newly calculated message
  sizes were added to dovecot.index.cache instead of being directly
  saved into vsize records in dovecot.index.
- lib: JSON generator was escaping UTF-8 characters unnecessarily.
   2019-10-22 15:23:33 by Takahiro Kambe | Files touched by this commit (4) | Package updated
Log message:
mail/dovecot2: update to 2.3.8

Update dovecot2 and friends to 2.3.8.

2.3.8 2019-10-08

Changes

+ Added mail_delivery_started and mail_delivery_finished events, see
  https://doc.dovecot.org/admin_manual/list_of_events/ for details.
+ dsync-replication: Don't replicate users who have "noreplicate" extra
  field in userdb.
+ doveadm service status: Show total number of processes created.
+ When logging to syslog, use instance_name setting's value for the
  ident. This commonly is added as a log prefix.
+ Base64 encoding/decoding code was rewritten with additional features.
  It shouldn't cause any user visible changes.
- v2.3.7 regression: If a folder only receives new mails without any
  other mail access, dovecot.index.log keeps growing forever and
  dovecot.index keeps being rewritten for every mail delivery.
- dsync-replication may lose keywords after syncing mails restored from
  another replica. This only happened if the mail only had keywords and no
  system flags.
- event filters: Non-textual event fields could not be filtered using
  wildcards.
- auth: Scope parameter was missing from OAuth password grant request.
- doveadm client-server communication may hang in some situations. It is
  also using unnecessarily small TCP/IP packet sizes.
- doveadm who and kick did not flush protocol output correctly.
- imap: SETMETADATA with literal value would delete the metadata value
  instead of updating it.
- imap: When client issues FETCH PREVIEW (LAZY=FUZZY) command, the
  caching decisions should be updated so that newly saved mails will have
  the preview cached.
- With mail_nfs_index=yes and/or mail_nfs_storage=yes setuid/setgid
  permission bits in some files may have become dropped with some NFS
  servers. Changed NFS flushing to now use chmod() instead of chown().
- quota: warnings did not work if quota root was noenforcing
- acl: Global ACL file ignored the last line if it didn't end with LF.
- doveadm stats dump: With JSON formatter output numbers using the
  number type instead of as strings
- lmtp_proxy: Ensure that real_* variables are correctly set when using
  lmtp_proxy.
- event exporter: http-post driver had hardcoded timeout and did not
  support DNS lookups or TLS connections.
- auth: Fix user iteration to work with userdb passwd with glibc v2.28.
- auth: auth service can crash if auth-policy JSON response is invalid
  or returned too fast.
- In some rare situations "ps" output could have shown a lot of \ 
"?"
  characters after Dovecot process titles.
- When dovecot.index.pvt is empty, an unnecessary error is logged:
  Error: .../dovecot.index.pvt reset, view is now inconsistent
- SMTP address encoder duplicated initial double quote character when
  the localpart of an address ended in '..'. For example
  "user+..@example.com" became ""user+.."@example.com in a
  sieve redirect.
   2019-08-29 03:05:20 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
mail/dovecot2: update to 2.3.7.2

Update dovecot2 and related packages to 2.3.7.2.

Changes
-------
* CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
  when scanning data in quoted strings, leading to out of bounds heap
  memory writes. Found by Nick Roessler and Rafi Rubin.