#acl PaulHowarth:read,write,admin,revert,delete All:read
=== Sunday 16th August 2020 ===
==== Local Packages ====
 * Created repository for Fedora 33, branched from Rawhide
 * Updated `dovecot`:
  * Updated `dovecot` to 2.3.11.3:
   * [[CVE:2020-12100|CVE-2020-12100]]: Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory
   * [[CVE:2020-12673|CVE-2020-12673]]: Dovecot's NTLM implementation did not correctly check the message buffer size, which led to reading past the allocation, which could lead to a crash
   * [[CVE:2020-10967|CVE-2020-10967]]: lmtp/submission: Issuing the `RCPT` command with an address that has the empty quoted string as local-part caused the lmtp service to crash
   * [[CVE:2020-12674|CVE-2020-12674]]: Dovecot's RPA mechanism implementation accepted zero-length messages, which led to assert-crashes later on
   * Events: Fix inconsistency in events (see event documentation at https://doc.dovecot.org/)
    * `imap_command_finished` event's `cmd_name` field now contains "`unknown`" for unknown commands; a new "`cmd_input_name`" field contains the command name exactly as it was sent
   * `lib-index`: Renamed `mail_cache_compress_*` settings to `mail_cache_purge_*`; note that these settings are mainly intended for testing and usually shouldn't be changed
   * Events: Renamed "index" event category to "mail-index"
   * Events: `service:<name>` category now uses the name from the configuration file
   * dns-client: service `dns_client` was renamed to `dns-client`
   * log: Prefixes generally use the service name from the configuration file; for example, the `dict-async` service will now use the "`dict-async(pid): `" log prefix instead of "`dict(pid): `"
   * `*-login`: Changed logging done by proxying to use a consistent prefix containing the IP address and port
   * `*-login`: Changed disconnection log messages to be slightly clearer
   * dict: Add events for dictionaries
   * `lib-index`: Finish logging with events
   * `oauth2`: Support local validation of JWT tokens
   * stats: Add support for dynamic histograms and grouping (see https://doc.dovecot.org/configuration_manual/stats/)
   * imap: Implement RFC 8514: `IMAP SAVEDATE`
   * `lib-index`: If a long-running transaction (e.g. `SORT`/`FETCH` on a huge folder) adds a lot of data to the `dovecot.index.cache` file, commit those changes periodically to make them visible to other concurrent sessions as well
   * stats: Add !OpenMetrics exporter for statistics (see https://doc.dovecot.org/configuration_manual/stats/openmetrics/)
   * stats: Support disabling the `stats-writer` socket by setting `stats_writer_socket_path=""`
   * `auth-worker`: Process keeps slowly increasing its memory usage and eventually dies with "out of memory" due to reaching `vsz_limit`
   * auth: Prevent potential timing attacks in authentication secret comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, `crypt()` result
   * auth: Several auth mechanisms allowed input to be truncated by NUL, which can potentially lead to unintentional issues or even successful logins that should have failed
   * auth: When the auth policy returned a delay, the `auth_request_finished` event had a `policy_result=ok` field instead of `policy_result=delayed`
   * auth: auth process crash when `auth_policy_server_url` is set to an invalid URL
   * `dict-ldap`: Crash occurs if `var_expand` template expansion fails
   * dict: If a dict client disconnected while iteration was still running, the `dict` process could have started using 100% CPU, although it was still handling clients
   * `doveadm`: Running `doveadm` commands via proxying may hang, especially when `doveadm` is printing a lot of output
   * imap: "`MOVE * destfolder`" goes into a loop copying the last mail to the destination until the `imap` process dies due to running out of memory
   * imap: Running "`UID MOVE 1:* Trash`" on an empty folder goes into an infinite loop
   * imap: `SEARCH` doesn't support `$`
   * `lib-compress`: Buffer over-read in `zlib` stream read
   * `lib-dns`: If a DNS lookup times out, `lib-dns` can cause a crash in the calling process
   * `lib-index`: Fixed several bugs in `dovecot.index.cache` handling that could have caused cached data to be lost
   * `lib-index`: Writing to ≥1 GB `dovecot.index.cache` files may cause `assert`-crashes
   * `lib-ssl-iostream`: Fix buggy OpenSSL error handling without `assert`-crashing; if there is no error available, log it as an error instead of crashing
   * `lib-ssl-iostream`: `ssl_key_password` setting did not work
   * Submission: A segfault crash may occur when the client or server disconnects while a non-transaction command like `NOOP` or `VRFY` is still being processed
   * virtual: Copying/moving mails with IMAP into a virtual folder `assert`-crashes
   * auth: Lua `passdb`/`userdb` leaks stack elements per call, eventually causing the stack to become too deep and crashing the `auth` or `auth-worker` process
   * `lib-mail`: v2.3.11 regression: MIME parts not returned correctly by the Dovecot MIME parser
   * `pop3-login`: Login would fail with "`Input buffer full`" if the initial response for SASL was too long
   * `pop3-login`: Login didn't handle commands split across multiple IP packets properly; this mainly affected large `XCLIENT` commands or a large SASL initial response parameter in the `AUTH` command
   * `pop3`: `pop3_deleted_flag` setting was broken, causing an `assert`-crash
  * Updated `pigeonhole` to 0.5.11:
   * `managesieve`: `managesieve_max_line_length` setting is now a "size" type instead of just a number of bytes; this allows using e.g. "64k" as the value
   * `lib-sieve`: When folding white space is used in the `Message-ID` header, it is not stripped away correctly before the message ID value is used, causing e.g. garbled log lines at delivery
  * I added a patch to fix test failures on 32-bit systems ([[https://github.com/dovecot/core/pull/134|GH#134]])
----
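Two of the auth hardening items in the 2.3.11 changelog above, NUL-truncated mechanism input and timing-safe secret comparison, are easier to see in code than in a one-line summary. The following is an illustration added here by the editor; it is not Dovecot's code and does not reproduce any particular Dovecot mechanism. `check_secret_truncating` is the flawed pattern (client bytes copied into a C string and handed to `strcmp()`), and `check_secret_safe` is the length-explicit, constant-time alternative. The function names, the 64-byte buffer and the sample secrets are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not Dovecot code): `input`/`input_len` are the raw
 * bytes of a client's mechanism response; `expected` is the server-side secret. */

/* Flawed check: copies the wire bytes into a C string and uses strcmp(), so
 * everything after the first NUL byte in either buffer is ignored, and the
 * comparison returns at the first mismatching byte, so its running time
 * reveals how long the matching prefix was. */
int check_secret_truncating(const char *input, size_t input_len,
                            const char *expected)
{
    char buf[64];                      /* size chosen for the example */
    if (input_len >= sizeof buf)
        return 0;
    memcpy(buf, input, input_len);
    buf[input_len] = '\0';
    return strcmp(buf, expected) == 0; /* stops at the first NUL */
}

/* Hardened check: lengths are explicit, embedded NULs are ordinary bytes, and
 * every byte of the shorter buffer is examined regardless of where the first
 * difference is, so only the final result varies with the input.  The length
 * comparison itself is still observable, which is acceptable when the
 * expected value is a fixed-size digest or token. */
int check_secret_safe(const char *input, size_t input_len,
                      const char *expected, size_t expected_len)
{
    uint8_t diff = (uint8_t)(input_len != expected_len);
    size_t n = input_len < expected_len ? input_len : expected_len;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)input[i] ^ (uint8_t)expected[i];
    return diff == 0;
}

int main(void)
{
    /* Constructed secrets: a text password and a binary token containing a NUL. */
    static const char pw[]  = "hunter2";
    static const char tok[] = "ab\000cd";   /* 5 bytes, NUL in the middle */

    /* Client appends junk after a NUL: the truncating check never sees it. */
    printf("truncating, \"hunter2\\0extra\": %d\n",
           check_secret_truncating("hunter2\000extra", 13, pw));   /* 1 */
    printf("safe,       \"hunter2\\0extra\": %d\n",
           check_secret_safe("hunter2\000extra", 13, pw, 7));      /* 0 */

    /* Binary token: only the two bytes before the NUL are ever compared, so a
     * guess that gets those right is accepted although the rest is wrong. */
    printf("truncating, \"ab\\0xx\": %d\n",
           check_secret_truncating("ab\000xx", 5, tok));           /* 1 */
    printf("safe,       \"ab\\0xx\": %d\n",
           check_secret_safe("ab\000xx", 5, tok, 5));              /* 0 */
    printf("safe,       \"ab\\0cd\": %d\n",
           check_secret_safe("ab\000cd", 5, tok, 5));              /* 1 */
    return 0;
}
```

The binary-token case is the one that turns a parsing slip into an authentication bypass: once the comparison stops at the NUL, the entropy of every byte after it is simply discarded, so the attacker only has to guess the prefix. Keeping lengths explicit fixes that and, with the XOR-accumulate loop, also removes the prefix-length timing channel the changelog's other item refers to.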