PaulHowarth/Blog/2020-08-16

Sunday 16th August 2020

Local Packages

  • Created repository for Fedora 33, branched from Rawhide
  • Updated dovecot:

    • Updated dovecot to 2.3.11.3:

      • CVE-2020-12100: Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory

      • CVE-2020-12673: Dovecot's NTLM implementation did not correctly check the message buffer size, which led to reading past the allocation and could cause a crash

      • CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part caused the lmtp service to crash

      • CVE-2020-12674: Dovecot's RPA mechanism implementation accepted zero-length messages, which led to assert-crashes later on

      • Events: Fix inconsistency in events (see event documentation at https://doc.dovecot.org/)

      • imap_command_finished event's cmd_name field now contains "unknown" for unknown commands; a new "cmd_input_name" field contains the command name exactly as it was sent

      • lib-index: Renamed mail_cache_compress_* settings to mail_cache_purge_*; note that these settings are mainly intended for testing and usually shouldn't be changed

      • Events: Renamed "index" event category to "mail-index"

      • Events: service:<name> category is now using the name from configuration file

      • dns-client: service dns_client was renamed to dns-client

      • log: Prefixes generally use the service name from configuration file; for example, dict-async service will now use "dict-async(pid): " log prefix instead of "dict(pid): "

      • *-login: Changed logging done by proxying to use a consistent prefix containing the IP address and port

      • *-login: Changed disconnection log messages to be slightly clearer

      • dict: Add events for dictionaries

      • lib-index: Finish logging with events

      • oauth2: Support local validation of JWT tokens

      • stats: Add support for dynamic histograms and grouping (see https://doc.dovecot.org/configuration_manual/stats/)

      • imap: Implement RFC 8514: IMAP SAVEDATE

      • lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge folder) adds a lot of data to dovecot.index.cache file, commit those changes periodically to make them visible to other concurrent sessions as well

      • stats: Add OpenMetrics exporter for statistics (see https://doc.dovecot.org/configuration_manual/stats/openmetrics/)

      • stats: Support disabling stats-writer socket by setting stats_writer_socket_path=""

      • auth-worker: Process keeps slowly increasing its memory usage and eventually dies with "out of memory" due to reaching vsz_limit

      • auth: Prevent potential timing attacks in authentication secret comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, crypt() result

      • auth: Several auth mechanisms allowed input to be truncated at a NUL byte, which could potentially lead to unintended behaviour or even successful logins that should have failed

      • auth: When auth policy returned a delay, auth_request_finished event had policy_result=ok field instead of policy_result=delayed

      • auth: auth process crash when auth_policy_server_url is set to an invalid URL

      • dict-ldap: Crash occurs if var_expand template expansion fails

      • dict: If dict client disconnected while iteration was still running, dict process could have started using 100% CPU, although it was still handling clients

      • doveadm: Running doveadm commands via proxying may hang, especially when doveadm is printing a lot of output

      • imap: "MOVE * destfolder" goes to a loop copying the last mail to the destination until the imap process dies due to running out of memory

      • imap: Running "UID MOVE 1:* Trash" on an empty folder goes to infinite loop

      • imap: SEARCH doesn't support $

      • lib-compress: Buffer over-read in zlib stream read

      • lib-dns: If DNS lookup times out, lib-dns can cause crash in calling process

      • lib-index: Fixed several bugs in dovecot.index.cache handling that could have caused cached data to be lost

      • lib-index: Writing to ≥1 GB dovecot.index.cache files may cause assert-crashes

      • lib-ssl-iostream: Fix buggy OpenSSL error handling without assert-crashing; if there is no error available, log it as an error instead of crashing

      • lib-ssl-iostream: ssl_key_password setting did not work

      • Submission: A segfault crash may occur when the client or server disconnects while a non-transaction command like NOOP or VRFY is still being processed

      • virtual: Copying/moving mails with IMAP into a virtual folder assert-crashes

      • auth: Lua passdb/userdb leaks stack elements per call, eventually causing the stack to become too deep and crashing the auth or auth-worker process

      • lib-mail: v2.3.11 regression: MIME parts not returned correctly by Dovecot MIME parser

      • pop3-login: Login would fail with "Input buffer full" if the initial response for SASL was too long

      • pop3-login: Login didn't handle commands in multiple IP packets properly; this mainly affected large XCLIENT commands or a large SASL initial response parameter in the AUTH command

      • pop3: pop3_deleted_flag setting was broken, causing assert-crash

    • Updated pigeonhole to 0.5.11:

      • managesieve: managesieve_max_line_length setting is now a "size" type instead of just number of bytes; this allows using e.g. "64k" as the value

      • lib-sieve: When folding white space is used in the Message-ID header, it is not stripped away correctly before the message ID value is used, causing e.g. garbled log lines at delivery

  • I added a patch to fix test failures on 32-bit systems (GH#134)
