PaulHowarth/Blog/2026-04-10

Friday 10th April 2026

Fedora Project

  • Updated perl-Apache-Session-Browseable (1.3.18) in Rawhide to BR: perl(DBD::Cassandra) to improve test coverage (PR#3)

  • Updated perl-Business-ISBN-Data to 20260410.001 in Rawhide:

    • Data update for 2026-04-10
  • Updated perl-Mail-Message to 4.05 in Rawhide:

    • Fixes:
      • Parse X-MLServer
      • $msg->string must end with a newline
      • Fold fields with newline
    • Improvements:
      • Mail::Message->new(message_id) replacing messageId: parameters should not use camel-casing; old attribute now deprecated
      • Mail::Message add clean attributes for fieldType, headType, bodyType, and isTrusted
      • Remove version of introduction indicators '[3*]', because version 4 is not backwards compatible anyway

Local Packages

  • Updated dovecot (2.4) to 2.4.3:

    • CVE-2025-59028: Invalid base64 authentication could cause DoS for other logins
    • CVE-2025-59031: decode2text.sh OOXML extraction may follow symlinks and read unintended files during indexing (fixed by dropping the script)
    • CVE-2026-24031: SQL injection possible if auth_username_chars is configured empty (fixed escaping to always happen; v2.4 regression)
    • CVE-2026-27859: Excessive RFC 2231 MIME parameters in email would cause excessive CPU usage (fixed by limiting number of parameters to process)
    • CVE-2026-27860: LDAP query injection possible if auth_username_chars is configured empty (fixed escaping to always happen; v2.4 regression)
    • CVE-2026-27857: Sending excessive parenthesis causes imap-login to use excessive memory
    • CVE-2026-27856: doveadm credentials were not checked using timing-safe checking function
    • CVE-2026-27855: OTP driver vulnerable to replay attack
    • Remove default service/*/service_extra_groups=$SET:default_internal_group; they are now replaced by default mail_access_groups=$SET:default_internal_group
    • The version file has been renamed as version.txt to avoid clash with C++ headers
    • auth: oauth2 - Do not export token automatically, must be exported using fields
    • config: Don't accept 0 as meaning unlimited any more for last_valid_uid, last_valid_gid, mail_cache_max_headers_count, mail_cache_max_header_name_length, mail_vsize_bg_after_count, mail_sort_max_read_count, message_max_size, submission_max_recipients and quota_mail_size
    • imap, pop3: Don't autoexpunge if Dovecot is shutting down or process is killed
    • imap: LIST - Handle invalid mUTF-7 mailbox names as never matching anything
    • lazy-expunge: Change lazy_expunge_only_last_instance default to yes
    • lda: Use EX_TEMPFAIL (75) if configuration is invalid instead of 89; v2.4 regression
    • lib-master: Increase ANVIL_DEFAULT_LOOKUP_TIMEOUT_MSECS from 5s to 30s
    • lib: crc32 - Use zlib's built-in CRC32 function
    • Improve UTF-8 support for mail storage
    • auth: Add default auth-token UNIX socket for token-based authentication
    • doc: solr-config-9.xml - Make it compatible with Solr 9.8.0
    • doveadm: dsync - Search mails when exporting to reduce number of mails exported by dsync-server
    • dovecot-sysreport: Add -D|--destdir support
    • imap, imap-hibernate: Use DOVECOT-TOKEN authentication for unhibernation; default imap-master socket permissions have been changed due to this
    • imap: Add APPENDLIMIT capability when configured with quota_mail_size
    • imap: Support STATUS (DELETED) for IMAP4rev2
    • imapc: Add support for SEARCH MIMEPART
    • imapc: Improve error forwarding
    • imapc: Support SORT and ESORT extensions
    • imapc: Support STATUS (DELETED) for IMAP4rev2
    • lib-sql: Support parameterized queries
    • lib-test: Add new test-dir API for better temporary test directory handling
    • lmtp: Advertise SIZE capability when configured with quota_mail_size
    • lmtp: Support XCLIENT DESTADDR and DESTPORT
    • pop3-login: proxy - Add support for XCLIENT DESTIP and DESTPORT
    • submission-login: proxy - Add support for XCLIENT DESTIP and DESTPORT
    • Various optimizations have been made to the code
    • Fix building dovecot with BSD, Solaris and macOS
    • auth: Crash would occur if users were iterated but userdb_ldap_iterate_fields was not set
    • auth: Fix request leak when client authenticates with unsupported mechanism
    • auth: Some passdbs would default to PLAIN instead of CRYPT scheme
    • config: Section and setting names could have been intermixed, resulting in the setting being silently ignored
    • configure: Fix checking if BUILD_IMAP_HIBERNATE is set
    • doveadm: dsync - -e parameter was handled wrong with dsync-server
    • fts-flatcurve: Mailbox leak would occur if mailbox failed to open
    • imap: Fix potential issues with unhibernation and process state handling
    • imapc: SEARCH failure handling was done wrong
    • imapc: UID STORE commands included extra comma in uidset
    • lib-auth-client: auth-master - Fix panic when reconnecting after handshake timeout
    • lib-compression: Lz4 algorithm would assert-crash with malicious data
    • lib-dcrypt: Fix digest algorithm handling
    • lib-dict: Escape username paths to prevent traversal issues with dict-fs
    • lib-http: Fix HTTP parsing edge cases and state handling
    • lib-iostream: Disallow empty ssl_min_protocol
    • lib-json: Fix incorrect character handling logic
    • lib-ldap: Fix various TLS-related bugs
    • lib-mail: Fix charset translation and MIME parsing edge cases
    • lib-mail: Fix multiple bounds checks and parsing issues in message handling
    • lib-var-expand: Multiple fixes and improvements for expansion handling
    • lib: Fix punycode decoding out-of-bounds reads
    • lib: Fix unicode normalization edge cases causing crashes
    • lib-http: Chunked transfer trailer size was not limited
    • login-common: Improve logging and internal error handling
    • login-common: login_log_format_elements was split by spaces naively, which could break variable expansion; use template-aware splitting now
    • master: Dovecot would fail to start if listen directive was used and dovenull or dovecot user was missing
    • pop3c: Connection might've hung with SSL
    • util: Fix handling of environment variables containing control characters
    • Many other bugs have been fixed
  • Updated pigeonhole to 2.4.3:

    • CVE-2026-27858: managesieve-login can allocate large amount of memory during authentication
    • CVE-2025-59032: ManageSieve panic occurs with sieve-connect as a client
    • lib-sieve: Don't accept 0 as meaning unlimited any more for sieve_quota_script_count and sieve_quota_storage_size
    • managesieve-login: If mail_max_userip_connections is reached, return LIMIT/CONNECTIONS resp-code
    • managesieve-login: proxy - Return unexpected backend failures as TRYLATER/NORETRY resp-code
    • managesieve: Remove default service_extra_groups=$SET:default_internal_group
    • managesieve-login: proxy - Add support for XCLIENT DESTIP and DESTPORT
    • imapsieve: Fix panic occurring upon implicit flag changes
    • lib-sieve: include-extension - Fix crash occurring when previous global command has no arguments
    • lib-sieve: Fix erroneous attempt to read active script for non-personal storage
    • lib-sieve: ldap: Fix linking non-shared LIBDOVECOT

  • I had to hack the configure script to specify a custom TEST_DIR value because the path name of the default TEST_DIR in the build system is too long to be able to use a Unix-domain socket in it, and as a result test-imap-client-hibernate would fail
