Re: [Dovecot-news] Dovecot v2.3.15 released

2021-06-21 Thread James
On 21/06/2021 17:39, Daniel J. Luke wrote:
> On Jun 21, 2021, at 7:20 AM, Timo Sirainen wrote:
>> Here's a new release with some security fixes and quite a lot of other changes as well.
>> * Removed support for Lua 5.2. Use version 5.1 or 5.3 instead.
> Looks like it doesn't want to build w/o lua now

Re: [Dovecot-news] Dovecot v2.3.15 released

2021-06-21 Thread Daniel J. Luke
On Jun 21, 2021, at 7:20 AM, Timo Sirainen wrote:
> Here's a new release with some security fixes and quite a lot of other
> changes as well.
>
> * Removed support for Lua 5.2. Use version 5.1 or 5.3 instead.
Looks like it doesn't want to build w/o lua now. On my MacOS system configure says:

Re: [Dovecot-news] Dovecot v2.3.14.1 released

2021-06-21 Thread Daniel J. Luke
On Jun 21, 2021, at 7:21 AM, Timo Sirainen wrote:
> This is an "important fixes only" release in case you don't want to upgrade
> to v2.3.15. There is no matching Pigeonhole release - use the same v2.3.14
> instead.
Need this small patch to build on newer MacOS:
--- src/lib/ioloop-notify-kqueu

Re: Dovecot v2.3.15 released

2021-06-21 Thread Timo Sirainen
Hi,
> On 21. Jun 2021, at 15.19, Laura Steynes wrote:
>
> I know I'm blonde so might be silly question, but this libsystemd dependency,
> does this mean dovecot need it mandatory even if we do not use a systemd
> infected OS ? Or is it only needed if we use one of those systemd infected
> OS

Re: Dovecot v2.3.15 released

2021-06-21 Thread Laura Steynes
I know I'm blonde so might be silly question, but this libsystemd dependency, does this mean dovecot need it mandatory even if we do not use a systemd infected OS ? Or is it only needed if we use one of those systemd infected OS's? My question is because our linux does not use systemd Thanks On

CVE-2021-33515: SMTP Submission service STARTTLS injection

2021-06-21 Thread Timo Sirainen
Open-Xchange Security Advisory 2021-06-21
Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-4583 (Bug ID)
Vulnerability type: CWE-74: Failure to Sanitize Data into a Different Plane ('Injection')
Vulnerable version: 2.3.0-2.3.14
Vulnerable component: submission
Report confidence:

CVE-2021-29157: oauth2 JWT local validation path traversal

2021-06-21 Thread Timo Sirainen
Open-Xchange Security Advisory 2021-06-21
Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-4476 (Bug ID)
Vulnerability type: CWE-24: Path Traversal: '../filedir'
Vulnerable version: 2.3.11-2.3.14
Vulnerable component: imap, pop3, submission, managesieve
Report confidence: Confirme

CVE-2020-28200: Sieve excessive resource usage

2021-06-21 Thread Timo Sirainen
Open-Xchange Security Advisory 2021-06-21
Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-4159 (Bug ID)
Vulnerability type: CWE-400
Vulnerable version: 1.2.0-2.3.14
Vulnerable component: lmtp, lda
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.15

Dovecot v2.3.14.1 released

2021-06-21 Thread Timo Sirainen
Hi, This is an "important fixes only" release in case you don't want to upgrade to v2.3.15. There is no matching Pigeonhole release - use the same v2.3.14 instead.
https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz
https://dovecot

Pigeonhole v0.5.15 released

2021-06-21 Thread Timo Sirainen
Hi, Pigeonhole release for Dovecot v2.3.15. One thing we noticed a bit before release is that if you're using imap_sieve_filter plugin, the IMAP FILTER command may trigger the new excessive resource usage check since it can be processing many messages rapidly. You may want to prevent this with

Dovecot v2.3.15 released

2021-06-21 Thread Timo Sirainen
Hi, Here's a new release with some security fixes and quite a lot of other changes as well.
https://dovecot.org/releases/2.3/dovecot-2.3.15.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.15.tar.gz.sig