From: Timo Sirainen Date: Mon, 4 Feb 2019 16:59:04 +0000 (-0800) Subject: Released v2.2.36.1. X-Git-Tag: 2.2.36.1^0 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5d621cf65a8ebdc30b8b329869d3682b1e1b635d;p=thirdparty%2Fdovecot%2Fcore.git Released v2.2.36.1. --- diff --git a/NEWS b/NEWS index b57d9d24f0..29d954edee 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,23 @@ +v2.2.36.1 2019-02-05 Timo Sirainen + + * CVE-2019-3814: If imap/pop3/managesieve/submission client has + trusted certificate with missing username field + (ssl_cert_username_field), under some configurations Dovecot + mistakenly trusts the username provided via authentication instead + of failing. + * ssl_cert_username_field setting was ignored with external SMTP AUTH, + because none of the MTAs (Postfix, Exim) currently send the + cert_username field. This may have allowed users with trusted + certificate to specify any username in the authentication. This bug + didn't affect Dovecot's Submission service. + + - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT + - director: Kicking a user assert-crashes if login process is very slow + - lda/lmtp: Fix assert-crash with some Sieve scripts when + mail_attachment_detection_options=add-flags-on-save + - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file + - Snippet generation crashed with invalid Content-Type:multipart + v2.2.36 2018-05-23 Timo Sirainen * login-proxy: If ssl_require_crl=no, allow revoked certificates. diff --git a/configure.ac b/configure.ac index f2a7748c36..dc8807fcb1 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2,7 +2,7 @@ AC_PREREQ([2.59]) # Be sure to update ABI version also if anything changes that might require # recompiling plugins. Most importantly that means if any structs are changed. -AC_INIT([Dovecot],[2.2.36],[dovecot@dovecot.org]) +AC_INIT([Dovecot],[2.2.36.1],[dovecot@dovecot.org]) AC_DEFINE_UNQUOTED([DOVECOT_ABI_VERSION], "2.2.ABIv36($PACKAGE_VERSION)", [Dovecot ABI version]) AC_CONFIG_AUX_DIR([.]) AC_CONFIG_SRCDIR([src])
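Review bot: In the NEWS hunk, the CVE-2019-3814 entry says "under some configurations" without naming the settings that make an installation affected, so an operator reading it cannot tell whether they are exposed. Please name the settings involved alongside ssl_cert_username_field. The second entry has a related gap: it describes the external SMTP AUTH problem ("none of the MTAs (Postfix, Exim) currently send the cert_username field") but not the behaviour after the fix. State whether such authentications now fail when ssl_cert_username_field is set, and whether this item is covered by the same CVE or is tracked separately, since Postfix and Exim deployments that rely on client certificates need to know what changes on upgrade.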
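Review bot: In the configure.ac hunk, DOVECOT_ABI_VERSION is defined as "2.2.ABIv36($PACKAGE_VERSION)", so bumping AC_INIT to 2.2.36.1 changes the ABI string even though ABIv36 itself is untouched. If plugin loading compares that full string, plugins built against 2.2.36 will need a rebuild for this security release, which deserves a line in NEWS so packagers are not surprised. Separately, the comment above AC_INIT asks for an ABI bump when any structs change. This commit shows only the NEWS and version changes, so please confirm that none of the fixes included in this release touched a struct visible to plugins.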