Thank you!
On 2/5/2019 8:43 AM, Aki Tuomi wrote:
Hi,
as per our EOL statement 2.2.36 receives security and critical
updates. That said, we decided to flush few annoying bugs with .1
release.
You do not need to build releases for 2.2.
Aki
On 05 February 2019 at 17:36 Eric Broch < ebr...@whitehorsetc.com
<mailto:ebr...@whitehorsetc.com>> wrote:
Aki,
What's the difference between 2.2.x and 2.3.x version of Dovecot? And
why do you maintain both?
I stopped building RPM's of the 2.2.x version and now only build 2.3.x.
Should I be maintaining both?
Eric
On 2/5/2019 6:01 AM, Aki Tuomi wrote:
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
* CVE-2019-3814: If imap/pop3/managesieve/submission client has
trusted certificate with missing username field
(ssl_cert_username_field), under some configurations Dovecot
mistakenly trusts the username provided via authentication
instead
of failing.
* ssl_cert_username_field setting was ignored with external SMTP
AUTH,
because none of the MTAs (Postfix, Exim) currently send the
cert_username field. This may have allowed users with trusted
certificate to specify any username in the authentication.
This bug
didn't affect Dovecot's Submission service.
- pop3_no_flag_updates=no: Don't expunge RETRed messages without
QUIT
- director: Kicking a user assert-crashes if login process is
very slow
- lda/lmtp: Fix assert-crash with some Sieve scripts when
mail_attachment_detection_options=add-flags-on-save
- fs-compress: Using maybe-gz assert-crashed when reading 0
sized file
- Snippet generation crashed with invalid Content-Type:multipart
>
---
Aki Tuomi
Open-Xchange Oy
>
--
Eric Broch
White Horse Technical Consulting (WHTC)
---
Aki Tuomi
--
Eric Broch
White Horse Technical Consulting (WHTC)
