The check whether a block of memory is tainted erroneously returns true
if the block in question starts the very next byte after a block in the
tainted pool. Depending on the memory allocator, this can cause problems.
For example, on NetBSD/amd64 9.0, this seems to allocate the first tainted
block immediately before log_buffer. This leads to a recursive error in
log_write the first time anything is written to the log, leading to a
segmentation fault when the stack fills up.
3.2.5
Added
IMAP Daemon: added switch to control the diffential state reload
(mailbox_update_strategy=2), more information in dbmail.conf,
mailbox_update_strategy_2_max_iterations [#81]
IMAP Daemon: added switch to control UNSEEN first message in SELECT commands
Changed
IMAP Daemon: allow reporting UID COPY success in case of various failures
(except quota), reporting issues are sent to error log as warnings [#87]
Optimizations
optimizing differential state [#81]
optimizing fetch message headers [#85]
Issues
fixing issue related to copy message in regard to RFC 3501, section 6.4.8
fixing issues related group_concat for PostgreSql [#75], [#78]
fixing issue related to lastRowId [#71]
fixing issues related with differential update [#70], [#73]
fixing proc not being used in BSD systems [#74]
IMAP Daemon: segmentation fault [#68]
3.2.4
Added
IMAP Daemon: mailbox-update-strategy switch (see dbmail.conf), experimental
support for application_name in database connection uri
IMAP Daemon: mailbox_search_strategy switch (see dbmail.conf)
Changed
systemd unit changed to type notify
mailbox state is build using only valid messages [#39]
Optimizations
IMAP Daemon: optimization of sql queries in relation to message headers
libevent increased priority on accepting new connections
libevent optimization on reading and writing to sockets
simplify libzdb configuration (AC_CHECK_HEADERS)
Issues
fix segmentation fault in imap_append_hash_as_string [#12]
dbmail-users: sql issue on deleting alias user [#18]
IMAP Daemon: generation of invalid BODYSTRUCTURE in Content-Type field [#23]
fix support for jemalloc latest version [#35]
IMAP Deamon: BYE Command now offers optional message even on normal operations
IMAP Deamon: idle message now offers optional message (* OK Still Here)
IMAP Daemon: random hangs when single user is connected [#37]
fix fd leaks
IMAP Daemon: fix MODIFIED keyword, too many '[' and ']'
fix segmentation fault in find_end_of_header
fix gcc 10 compilation issue, duplicated definition
2020-08-14 Richard Russon <rich@flatcap.org>
* Security
- Add mitigation against DoS from thousands of parts
* Features
- Allow index-style searching in postpone menu
- Open NeoMutt using a mailbox name
- Add `cd` command to change the current working directory
- Add tab-completion menu for patterns
- Allow renaming existing mailboxes
- Check for missing attachments in alternative parts
- Add one-liner docs to config items
* Bug Fixes
- Fix logic in checking an empty From address
- Fix Imap crash in `cmd_parse_expunge()`
- Fix setting attributes with S-Lang
- Fix: redrawing of `$pager_index_lines`
- Fix progress percentage for syncing large mboxes
- Fix sidebar drawing in presence of indentation + named mailboxes
- Fix retrieval of drafts when "postponed" is not in the mailboxes list
- Do not add comments to address group terminators
- Fix alias sorting for degenerate addresses
- Fix attaching emails
- Create directories for nonexistent file hcache case
- Avoid creating mailboxes for failed subscribes
- Fix crash if rejecting cert
* Changed Config
- Add `$copy_decode_weed`, `$pipe_decode_weed`, `$print_decode_weed`
- Change default of `$crypt_protected_headers_subject` to "..."
- Add default keybindings to history-up/down
* Translations
- 100% Czech
- 100% Spanish
* Build
- Allow building against Lua 5.4
- Fix when sqlite3.h is missing
* Docs
- Add a brief section on stty to the manual
- Update section "Terminal Keybindings" in the manual
- Clarify PGP Pseudo-header `S<id>` duration
* Code
- Clean up String API
- Make the Sidebar more independent
- De-centralise the Config Variables
- Refactor dialogs
- Refactor: Help Bar generation
- Make more APIs Context-free
- Adjust the edata use in Maildir and Notmuch
- Window refactoring
- Convert libsend to use Config functions
- Refactor notifications to reduce noise
- Convert Keymaps to use STAILQ
- Track currently selected email by msgid
- Config: no backing global variable
- Add events for key binding
* Upstream
- Fix imap postponed mailbox use-after-free error
- Speed up thread sort when many long threads exist
- Fix ~v tagging when switching to non-threaded sorting
- Add message/global to the list of known "message" types
- Print progress meter when copying/saving tagged messages
- Remove ansi formatting from autoview generated quoted replies
- Change postpone mode to write Date header too
- Unstuff `format=flowed`
Distfile changes.
1. Official annoucne says "The only change here is that the configure.ac
file has correctly formatted version number."
2. Name of distfile is changed to match previous file naming scheme.
Old distfile is still available.
3. automake 1.15.1 is used instead of previous 1.15. So, generated files
by it are changed.
4. Other files are not changed, so there is no functional change.
Bump PKGREVISION.
correct install_name_tool -id on macOS, where this fixes CHECK_SHLIBS
(and probably runtime behavior too). While here, the patch to link with
-lrt on NetBSD has been upstreamed; remove. Bump PKGREVISION.
Update dovecot2-pigeonhole to 0.5.11.
v0.5.11 2020-08-12 Aki Tuomi <aki.tuomi@open-xchange.com>
* managesieve: managesieve_max_line_length setting is now a "size" type
instead of just number of bytes. This allows using e.g. "64k" as the
value.
- lib-sieve: When folding white space is used in the Message-ID header,
it is not stripped away correctly before the message ID value is used,
causing e.g. garbled log lines at delivery.
Update roundcube to 1.4.8, security release.
RELEASE 1.4.8
-------------
- Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507)
- Managesieve: Fix too-small input field in Elastic when using custom headers (#7498)
- Fix support for an error as a string in message_before_send hook (#7475)
- Elastic: Fix redundant scrollbar in plain text editor on mail reply (#7500)
- Elastic: Fix deleted and replied+forwarded icons on messages list (#7503)
- Managesieve: Allow angle brackets in out-of-office message body (#7518)
- Fix bug in conversion of email addresses to mailto links in plain text messages (#7526)
- Fix format=flowed formatting on plain text part derived from the HTML content (#7504)
- Fix incorrect rewriting of internal links in HTML content (#7512)
- Fix handling links without defined protocol (#7454)
- Fix paging of search results on IMAP servers with no SORT capability (#7462)
- Fix detecting special folders on servers with both SPECIAL-USE and LIST-STATUS (#7525)
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious math content
* Drop support for EOL Python 3.4, add support for Python 3.8
* Add List_ID and List_Post headers to the generated emails
* Add a new `reply-changes` setting
* Improve configurability of text wrapping for the emails
* Use `platform.node()` instead of "dev.null.invalid" in
"Message-ID" header
* Improve locking support for when multiple rss2email instances are run
in parallel
* Fix handling of __VERSION__ and __URL__ in user-agent strings
* Fix opmlexport
Use res_ndestroy() instead of res_nclose() to properly cleanup resources
on NetBSD (and others that use __res_ndestroy() or res_ndestroy() instead
of res_nclose()). Original patch by Roy Marples.
Upstream changes:
version 3.005: Wed 22 Jul 10:40:05 CEST 2020
Improvements:
- warn to use ::SMTP, not ::SendMail on bulk messages.
- much lower elapse time on ::SMTP (local?) delivery.
version 3.004: Fri 3 May 09:29:07 CEST 2019
Improvements:
- add imap/imap4
Enigmail 2.1.7
Released 2020-06-27, works with Thunderbird 68 and Postbox 7.
Notable Changes
This release displays information about the upcoming release of Thunderbird 78.
This is a bug-fix release fixing a problem resetting access times that snuck
in starting with 1.11.0. This only affected relative-path mailboxes, but
caused Mutt to "forget" new mail in mbox files.
Changelog:
Notmuch 0.30 (2020-07-10)
=========================
S/MIME
------
Handle S/MIME (PKCS#7) messages -- one-part signed messages, encrypted
messages, and multilayer messages. Treat them symmetrically to
OpenPGP messages. This includes handling protected headers
gracefully.
If you're using Notmuch with S/MIME, you currently need to configure
gpgsm appropriately.
Mixed-up MIME Repair
--------------------
Detect and automatically repair a common form of message mangling
created by Microsoft Exchange (see index.repaired=mixedup in
notmuch-properties(7)).
Protected Headers
-----------------
Avoid indexing the legacy-display part of an encrypted message that
has protected headers (see
index.repaired=skip-protected-headers-legacy-display in
notmuch-properties(7)).
Python
------
Drop support for python2, focus on python3.
Introduce new CFFI-based python bindings in the python module named
"notmuch2". Officially deprecate (but still support) the older
"notmuch" module.
Dependencies
------------
Support for Xapian 1.2 is removed. The minimum supported version of
Xapian is now 1.4.0.
Notmuch 0.29.3 (2019-11-27)
===========================
General
-------
Fix for use-after-free in notmuch_config_list_{key,val}.
Fix for double close of file in notmuch-dump.
Debian
------
Drop python2 support from shipped debian packaging.
Notmuch 0.29.2 (2019-10-19)
===========================
General
-------
Fix for file descriptor leak when opening gzipped mail files. Thanks
to James Troup for the bug report and the fix.
Notmuch 0.29.1 (2019-06-11)
===========================
Build
-----
Fix for installation failure with `configure --without-emacs`.
Update roundcube to 1.4.7.
RELEASE 1.4.7
-------------
- Fix bug where subfolders of special folders could have been duplicated on folder list
- Increase maximum size of contact jobtitle and department fields to 128 characters
- Fix missing newline after the logged line when writing to stdout (#7418)
- Elastic: Fix context menu (paste) on the recipient input (#7431)
- Fix problem with forwarding inline images attached to messages with no HTML part (#7414)
- Fix problem with handling attached images with same name when using database_attachments/redundant_attachments (#7455)
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
Changelog:
Fixes
fixed Chat: Topics displayed some characters improperly
fixed Calendar: Filtering tasks did not work when "Incomplete Tasks" was selected
Security fixes:
CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64
#CVE-2020-12418: Information disclosure due to manipulated URL object
#CVE-2020-12419: Use-after-free in nsGlobalWindowInner
#CVE-2020-12420: Use-After-Free when trying to connect to a STUN server
#MFSA-2020-0001: Automatic account setup leaks Microsoft Exchange login credentials
#CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates
Update postfix to 3.5.4.
Fixed in Postfix 3.5.4, 3.4.14:
* The connection_reuse attribute in smtp_tls_policy_maps always
resulted in an "invalid attribute name" error. Fix by Thorsten
Habich.
* SMTP over TLS connection reuse always failed for Postfix SMTP
client configurations that specify explicit trust anchors (remote
SMTP server certificates or public keys). Reported by Thorsten
Habich.
Fixed in Postfix versions 3.5.4, 3.4.14, 3.3.12, 3.2.17:
* The Postfix SMTP client's DANE implementation would always send
an SNI option with the name in a destination's MX record, even
if the MX record pointed to a CNAME record. MX records that
point to CNAME records are not conformant with RFC5321, and so
are rare.
Based on the DANE survey of ~2 million hosts it was found that
with the corrected SMTP client behavior, sending SNI with the
CNAME-expanded name, the SMTP server would not send a different
certificate. This fix should therefore be safe.
Instead:
1. Package makefiles including their own options.mk
2. Packages say "SUBST_CLASSES+=djberrno" to get the hack, if needed
3. Packages adjust SUBST_FILES.djberrno, if needed
Should fix bulk build failures due to multiple inclusions of options.mk
and/or incorrect definitions of DJB_ERRNO_HACK.
Approved during the freeze by wiz@.
This release fixes a regression from the 1.14.3 release. Encryption settings
are no longer checked when using $tunnel to connect to a preauthenticated IMAP
server.
Remove some patches that would get voting rights soon.
Remove support for NetBSD 1.5.
pkglint cleanup.
XXX: someone should send the remaining patches upstream.
Mutt 1.14.4 was released on June 18, 2020. This is an important
bug-fix release. It fixes a possible machine-in-the-middle response
injection attack when using STARTTLS with IMAP, POP3, and SMTP
(CVE-2020-14954).
Mutt 1.14.3 was released on June 14, 2020. This is an important
bug-fix release. It fixes a possible IMAP fcc/postpone
machine-in-the-middle attack (CVE-2020-14093). It also fixes some
GnuTLS certificate prompt issues.
Mutt 1.14.2 was released on May 25, 2020. This is a bug-fix release,
fixing a few prompt buffer-size issues and adding a potential DoS
mitigation.
Mutt 1.14.1 was released on May 16, 2020. This is a bug-fix release,
fixing a documentation build issue and a few other small bugs.
Mutt 1.14.0 was released on May 2, 2020. This release has new
features and bug fixes. See the UPDATING file, or for more details
see the release notes page.
2020-06-19 Richard Russon <rich@flatcap.org>
* Security
- Abort GnuTLS certificate check if a cert in the chain is rejected
- TLS: clear data after a starttls acknowledgement
- Prevent possible IMAP MITM via PREAUTH response
* Features
- add config operations +=/-= for number,long
- Address book has a comment field
- Query menu has a comment field
* Contrib
- sample.neomuttrc-starter: Do not echo promted password
* Bug Fixes
- make "news://" and "nntp://" schemes interchangeable
- Fix CRLF to LF conversion in base64 decoding
- Double comma in query
- compose: fix redraw after history
- Crash inside empty query menu
- mmdf: fix creating new mailbox
- mh: fix creating new mailbox
- mbox: error out when an mbox/mmdf is a pipe
- Fix list-reply by correct parsing of List-Post headers
- Decode references according to RFC2047
- fix tagged message count
- hcache: fix keylen not being considered when building the full key
- sidebar: fix path comparison
- Don't mess with the original pattern when running IMAP searches
- Handle IMAP "NO" resps by issuing a msg instead of failing badly
- imap: use the connection delimiter if provided
- Memory leaks
* Changed Config
- `$alias_format` default changed to include `%c` comment
- `$query_format` default changed to include `%e` extra info
* Translations
- 100% Lithuanian
- 84% French
- Log the translation in use
* Docs
- Add missing commands unbind, unmacro to man pages
* Build
- Check size of long using `LONG_MAX` instead of `__WORDSIZE`
- Allow ./configure to not record cflags
- fix out-of-tree build
- Avoid locating gdbm symbols in qdbm library
* Code
- Refactor unsafe TAILQ returns
- add window notifications
- flip negative ifs
- Update to latest acutest.h
- test: add store tests
- test: add compression tests
- graphviz: email
- make more opcode info available
- refactor: `main_change_folder()`
- refactor: `mutt_mailbox_next()`
- refactor: `generate_body()`
- compress: add `{min,max}_level` to ComprOps
- emphasise empty loops: "// do nothing"
- prex: convert `is_from()` to use regex
- Refactor IMAP's search routines
2020-05-01 Richard Russon <rich@flatcap.org>
* Bug Fixes
- Make sure buffers are initialized on error
- fix(sidebar): use abbreviated path if possible
* Translations
- 100% Lithuanian
* Docs
- make header cache config more explicit
pkgsrc changes:
- Update MASTER_SITES and HOMEPAGE to current ones
Changes:
Version 1.4.10:
- Improved handling of temporary files on Windows systems.
- Re-enabled support for systems lacking vasprintf(), such as IBM i PASE.
Version 1.4.9:
- No significant changes.
Version 1.4.8:
- Added a new socket command and --socket option to connect via local sockets.
- Added a new tls_host_override command and --tls-host-override option to
override the host name used for TLS verification.
- Fixed the source_ip command for proxies.
Version 1.4.7:
- Minor bug fixes.
Version 1.4.6:
- Minor bug fixes.
Version 1.4.5:
- Fixed OAUTHBEARER.
- Support for TLS client certificates via PKCS11 devices, e.g. smart cards.
- Various small bug fixes and improvements.
Version 1.4.4:
- Added support for the OAUTHBEARER authentication method.
- Several minor bug fixes.
Version 1.4.3:
- This version fixes a security problem that affects version 1.4.2 (older
versions are not affected): when the new default value system for
tls_trust_file is used, the result of certificate verification was not
properly checked.
Version 1.4.2:
- To simplify TLS setup, the tls_trust_file command has a new default value
'system' that selects the system default trust. Now you just need tls=on to
use TLS; the other TLS options are only required in special cases.
To make this work without breaking compatibility with older mpop versions,
tls_fingerprint now overrides tls_trust_file, and tls_certcheck=off overrides
both (previously, you could not specify contradicting options).
- To simplify setup, a new option '--configure <mailaddress>' was added that
automatically generates a configuration file for a given mail address.
However, this only works if the mail domain publishes appropriate SRV records.
Version 1.4.1:
- Fixed our TLS code to support TLS 1.3 with GnuTLS.
Version 1.4.0:
- Using OpenSSL is discouraged and may not be supported in the future. Please
use GnuTLS instead. The reasons are explained here:
https://marlam.de/mpop/news/openssl-discouraged/
- As using GNU SASL is most likely unnecessary, it is disabled by default now.
Since everything uses TLS nowadays and thus can use PLAIN authentication, you
really only need it for GSSAPI.
- If your system requires a library for IDN support, libidn2 is now used instead
of the older libidn.
- The APOP and CRAM-MD5 authentication method are marked as obsolete / insecure
and will not be chosen automatically anymore.
- The passwordeval command does not require the password to be terminated by a
new line character anymore.
- Builtin default port numbers are now used instead of consulting /etc/services.
- Support for DJGPP and for systems lacking vasprintf(), mkstemp(), or tmpfile()
is removed.
Version 1.2.8:
- Fix support for ~/.config/mpop/config as configuration file
- Add --source-ip option and source_ip command to bind the outgoing connection
to a specific source IP address.
- Enable SNI for TLS
Version 1.2.7:
- Add support for ~/.config/mpop/config as configuration file
- Add network timeout handling on Windows
- Fix command line handling of SHA256 TLS fingerprints
- Update german translation
Discussed and ok with <reed>, thanks!
Update Ruby on Rails to 6.0.3.2.
www/ruby-actionpack60 is the really updated package and other packages
have no change except version.
CHANGELOG of www/ruby-actionpack60 is here:
## Rails 6.0.3.2 (June 17, 2020) ##
* [CVE-2020-8185] Only allow ActionableErrors if
show_detailed_exceptions is enabled
