    PaulHowarth/Blog/2020-08-16

Sunday 16th August 2020

Local Packages

  • Created repository for Fedora 33, branched from Rawhide
  • Updated dovecot:

    • Updated dovecot to 2.3.11.3:

      • CVE-2020-12100: Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory

      • CVE-2020-12673: Dovecot's NTLM implementation did not correctly check message buffer size, which led to reading past allocation, which could lead to a crash

      • CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part caused the lmtp service to crash

      • CVE-2020-12674: Dovecot's RPA mechanism implementation accepted zero-length messages, which led to assert-crashes later on

      • Events: Fix inconsistency in events (see event documentation at https://doc.dovecot.org/)

      • imap_command_finished event's cmd_name field now contains "unknown" for unknown commands; a new "cmd_input_name" field contains the command name exactly as it was sent

      • lib-index: Renamed mail_cache_compress_* settings to mail_cache_purge_*; note that these settings are mainly intended for testing and usually shouldn't be changed

      • Events: Renamed "index" event category to "mail-index"
      • Events: service:<name> category is now using the name from configuration file

      • dns-client: service dns_client was renamed to dns-client

      • log: Prefixes generally use the service name from configuration file; for example, dict-async service will now use "dict-async(pid): " log prefix instead of "dict(pid): "

      • *-login: Changed logging done by proxying to use a consistent prefix containing the IP address and port

      • *-login: Changed disconnection log messages to be slightly clearer

      • dict: Add events for dictionaries
      • lib-index: Finish logging with events

      • oauth2: Support local validation of JWT tokens

      • stats: Add support for dynamic histograms and grouping (see https://doc.dovecot.org/configuration_manual/stats/)

      • imap: Implement RFC 8514: IMAP SAVEDATE

      • lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge folder) adds a lot of data to dovecot.index.cache file, commit those changes periodically to make them visible to other concurrent sessions as well

      • stats: Add OpenMetrics exporter for statistics (see https://doc.dovecot.org/configuration_manual/stats/openmetrics/)

      • stats: Support disabling stats-writer socket by setting stats_writer_socket_path=""

      • auth-worker: Process keeps slowly increasing its memory usage and eventually dies with "out of memory" due to reaching vsz_limit

      • auth: Prevent potential timing attacks in authentication secret comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, crypt() result

      • auth: Several auth-mechanisms allowed input to be truncated by NUL, which can potentially lead to unintentional issues or even successful logins that should have failed
      • auth: When auth policy returned a delay, auth_request_finished event had policy_result=ok field instead of policy_result=delayed

      • auth: auth process crash when auth_policy_server_url is set to an invalid URL

      • dict-ldap: Crash occurs if var_expand template expansion fails

      • dict: If dict client disconnected while iteration was still running, dict process could have started using 100% CPU, although it was still handling clients

      • doveadm: Running doveadm commands via proxying may hang, especially when doveadm is printing a lot of output

      • imap: "MOVE * destfolder" goes into a loop copying the last mail to the destination until the imap process dies due to running out of memory

      • imap: Running "UID MOVE 1:* Trash" on an empty folder goes into an infinite loop

      • imap: SEARCH doesn't support $

      • lib-compress: Buffer over-read in zlib stream read

      • lib-dns: If DNS lookup times out, lib-dns can cause a crash in the calling process

      • lib-index: Fixed several bugs in dovecot.index.cache handling that could have caused cached data to be lost

      • lib-index: Writing to ≥1 GB dovecot.index.cache files may cause assert-crashes

      • lib-ssl-iostream: Fix buggy OpenSSL error handling without assert-crashing; if there is no error available, log it as an error instead of crashing

      • lib-ssl-iostream: ssl_key_password setting did not work

      • Submission: A segfault crash may occur when the client or server disconnects while a non-transaction command like NOOP or VRFY is still being processed

      • virtual: Copying/moving mails with IMAP into a virtual folder assert-crashes

      • auth: Lua passdb/userdb leaks stack elements per call, eventually causing the stack to become too deep and crashing the auth or auth-worker process

      • lib-mail: v2.3.11 regression: MIME parts not returned correctly by Dovecot MIME parser

      • pop3-login: Login would fail with "Input buffer full" if the initial response for SASL was too long

      • pop3-login: Login didn't handle commands in multiple IP packets properly; this mainly affected large XCLIENT commands or a large SASL initial response parameter in the AUTH command

      • pop3: pop3_deleted_flag setting was broken, causing assert-crash

    • Updated pigeonhole to 0.5.11:

      • managesieve: managesieve_max_line_length setting is now a "size" type instead of just number of bytes; this allows using e.g. "64k" as the value

      • lib-sieve: When folding white space is used in the Message-ID header, it is not stripped away correctly before the message ID value is used, causing e.g. garbled log lines at delivery

  • I added a patch to fix test failures on 32-bit systems (GH#134)

