From: Aki Tuomi Date: Tue, 5 Feb 2019 07:18:41 +0000 (+0200) Subject: Released v2.3.4.1 X-Git-Tag: 2.3.4.1^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Frelease-2.3.4;p=thirdparty%2Fdovecot%2Fcore.git Released v2.3.4.1 --- diff --git a/NEWS b/NEWS index f33af3476d..8129537920 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,16 @@ +v2.3.4.1 2019-02-05 Aki Tuomi + + * CVE-2019-3814: If imap/pop3/managesieve/submission client has + trusted certificate with missing username field + (ssl_cert_username_field), under some configurations Dovecot + mistakenly trusts the username provided via authentication instead + of failing. + * ssl_cert_username_field setting was ignored with external SMTP AUTH, + because none of the MTAs (Postfix, Exim) currently send the + cert_username field. This may have allowed users with trusted + certificate to specify any username in the authentication. This bug + didn't affect Dovecot's Submission service. + v2.3.4 2018-11-23 Timo Sirainen * The default postmaster_address is now "postmaster@
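Review bot: The second NEWS entry (ssl_cert_username_field ignored with external SMTP AUTH) describes the old behaviour but never states what this release does instead. Because the entry itself says Postfix and Exim do not currently send the cert_username field, it should say how such authentications are handled after the upgrade, so operators with an external MTA in front of Dovecot auth can tell whether existing logins are affected. The CVE-2019-3814 entry has a similar gap: "under some configurations" does not name the settings involved. Naming them, or pointing to the advisory, would let an admin judge exposure from NEWS alone. It would also help to mark the second entry as security-relevant, since "may have allowed users with trusted certificate to specify any username" reads as an authentication bypass but is listed without a CVE or advisory reference.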