#acl PaulHowarth:read,write,admin,revert,delete All:read
=== Wednesday 1st May 2019 ===
==== Local Packages ====
 * Updated `dovecot` (2.3):
  * Updated `dovecot` to 2.3.6:
   * [[CVE:2019-11494|CVE-2019-11494]]: Submission-login crashed with signal 11 due to null pointer access when authentication was aborted by disconnecting
   * [[CVE:2019-11499|CVE-2019-11499]]: Submission-login crashed when authentication was started over TLS secured channel and invalid authentication message was sent
   * auth: Support password grant with `passdb oauth2`
   * Use system default CAs for outbound TLS connections
   * Simplify array handling with new helper macros
   * `fts_solr`: Enable configuring `batch_size` and `soft_commit` features
   * lmtp/submission: Fixed various bugs in `XCLIENT` handling, including a hang when `XCLIENT` commands were sent infinitely to the remote server
   * lmtp/submission: Forwarded multi-line replies were erroneously sent as two replies to the client
   * lib-smtp: client: Message was not guaranteed to contain CRLF consistently when `CHUNKING` was used
   * `fts_solr`: Plugin was no longer compatible with Solr 7
   * Make it possible to disable certificate checking without setting `ssl_client_ca_*` settings
   * `pop3c`: SSL support was broken
   * mysql: Closing connection twice led to crash on some systems
   * auth: Multiple oauth2 passdbs crashed auth process on deinit
   * HTTP client connection errors infrequently triggered a segmentation fault when the connection was idle and not used for a particular client instance
  * Updated `pigeonhole` to 0.5.6:
   * sieve: Redirect loop prevention is sometimes ineffective; improve existing loop detection by also recognizing the `X-Sieve-Redirected-From` header in incoming messages and dropping redirect actions when it points to the sending account (this header is already added by the `redirect` action, so this improvement only adds an additional use of this header)
   * sieve: Prevent execution of implicit keep upon temporary failure occurring at runtime
----