+v2.2.36.1 2019-02-05 Timo Sirainen <tss@iki.fi>
+
+ * CVE-2019-3814: If imap/pop3/managesieve/submission client has
+ trusted certificate with missing username field
+ (ssl_cert_username_field), under some configurations Dovecot
+ mistakenly trusts the username provided via authentication instead
+ of failing.
+ * ssl_cert_username_field setting was ignored with external SMTP AUTH,
+ because none of the MTAs (Postfix, Exim) currently send the
+ cert_username field. This may have allowed users with trusted
+ certificate to specify any username in the authentication. This bug
+ didn't affect Dovecot's Submission service.
+
+ - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
+ - director: Kicking a user assert-crashes if login process is very slow
+ - lda/lmtp: Fix assert-crash with some Sieve scripts when
+ mail_attachment_detection_options=add-flags-on-save
+ - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
+ - Snippet generation crashed with invalid Content-Type:multipart
+
v2.2.36 2018-05-23 Timo Sirainen <tss@iki.fi>
* login-proxy: If ssl_require_crl=no, allow revoked certificates.
# Be sure to update ABI version also if anything changes that might require
# recompiling plugins. Most importantly that means if any structs are changed.
-AC_INIT([Dovecot],[2.2.36],[dovecot@dovecot.org])
+AC_INIT([Dovecot],[2.2.36.1],[dovecot@dovecot.org])
AC_DEFINE_UNQUOTED([DOVECOT_ABI_VERSION], "2.2.ABIv36($PACKAGE_VERSION)", [Dovecot ABI version])
AC_CONFIG_AUX_DIR([.])
AC_CONFIG_SRCDIR([src])
projects / thirdparty / dovecot / core.git / commitdiff
