Exim version 4.90.1
JH/03 Fix pgsql lookup for multiple result-tuples with a single column.
Previously only the last row was returned.
JH/04 Bug 2217: Tighten up the parsing of DKIM signature headers. Previously
we assumed that tags in the header were well-formed, and parsed the
element content after inspecting only the first char of the tag.
Assumptions at that stage could crash the receive process on malformed
input.
JH/05 Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.
While running the DKIM ACL we operate on the Permanent memory pool so that
variables created with "set" persist to the DATA ACL. Also (at any time)
DNS lookups that fail create cache records using the Permanent pool. But
expansions release any allocations made on the current pool - so a dnsdb
lookup expansion done in the DKIM ACL releases the memory used for the
DNS negative-cache, and bad things result. Solution is to switch to the
Main pool for expansions.
While we're in that code, add checks on the DNS cache during store_reset,
active in the testsuite.
Problem spotted, and debugging aided, by Wolfgang Breyha.
JH/06 Fix issue with continued-connections when the DNS shifts unreliably.
When none of the hosts presented to a transport match an already-open
connection, close it and proceed with the list. Previously we would
queue the message. Spotted by Lena with Yahoo, probably involving
round-robin DNS.
JH/07 Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.
Previously a spurious "250 OK id=" response was appended to the proper
failure response.
JH/10 Bug 2223: Fix mysql lookup returns for the no-data case (when the number of
rows affected is given instead).
JH/12 Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating
SMTP connection. Previously, when one had more recipients than the
first, an abortive onward connection was made. Move to full support for
multiple onward connections in sequence, handling cutthrough connection
for all multi-message initiating connections.
JH/13 Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by
routers. Previously, a multi-recipient message would fail to match the
onward-connection opened for the first recipient, and cause its closure.
JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as
a timeout on read on a GnuTLS initiating connection, resulting in the
initiating connection being dropped. This mattered most when the callout
was marked defer_ok. Fix to keep the two timeout-detection methods
separate.
HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789)
JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
metadata, resulting in a crash in free().
PP/01 Fix broken Heimdal GSSAPI authenticator integration.
Broken in f2ed27cf5, missing an equals sign for specified-initialisers.
Broken also in d185889f4, with init system revamp.
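The pool interaction described in JH/05 above, as an added example that is not Exim's code: a simplified two-pool bump allocator showing how releasing the current pool after an expansion discards a negative-cache record, and how switching to the Main pool for the expansion avoids it. All names, sizes and the single-record cache are assumptions, loosely modelled on the Main/Permanent pools the entry names.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model (assumption, not Exim source): two bump-allocated pools
   and a "current pool" selector. */
enum { POOL_MAIN, POOL_PERM, POOL_COUNT };

static char   pool_mem[POOL_COUNT][256];
static size_t pool_top[POOL_COUNT];
static int    store_pool = POOL_MAIN;

static void *store_get(size_t n) {
    if (pool_top[store_pool] + n > sizeof pool_mem[0]) return NULL;
    void *p = &pool_mem[store_pool][pool_top[store_pool]];
    pool_top[store_pool] += n;
    return p;
}

/* Mark/reset always act on whichever pool is current. */
static size_t store_mark(void)         { return pool_top[store_pool]; }
static void   store_reset(size_t mark) { pool_top[store_pool] = mark; }

/* DNS negative cache: one record, always placed on the Permanent pool. */
static const char *neg_cache;

static void dns_lookup_fails(const char *name) {
    int saved = store_pool;
    store_pool = POOL_PERM;
    char *rec = store_get(64);
    if (rec) { snprintf(rec, 64, "%s", name); neg_cache = rec; }
    store_pool = saved;
}

/* The kind of consistency check JH/05 mentions adding around store_reset:
   a cache record is live only while it lies below its pool's top. */
static int neg_cache_is_live(void) {
    if (!neg_cache) return 0;
    size_t off = (size_t)(neg_cache - pool_mem[POOL_PERM]);
    return off < pool_top[POOL_PERM];
}

/* An expansion containing a failing dnsdb lookup. It releases its scratch
   allocations on the current pool when it finishes. */
static void expand_with_dnsdb(const char *name, int use_main_pool) {
    int saved = store_pool;
    if (use_main_pool) store_pool = POOL_MAIN;  /* the fix: expand on Main */
    size_t mark = store_mark();
    (void)store_get(32);                        /* expansion scratch space */
    dns_lookup_fails(name);                     /* caches on Permanent */
    store_reset(mark);                          /* releases current pool */
    store_pool = saved;
}

/* Model of the DKIM ACL step, which runs with the Permanent pool current.
   Returns 1 if the negative-cache record survives the expansion. */
int dkim_acl_cache_survives(int use_main_pool) {
    pool_top[POOL_MAIN] = pool_top[POOL_PERM] = 0;
    neg_cache = NULL;
    store_pool = POOL_PERM;
    (void)store_get(16);        /* an ACL "set" variable that must persist */
    expand_with_dnsdb("nonexistent.example", use_main_pool);
    int live = neg_cache_is_live();
    store_pool = POOL_MAIN;
    return live;
}

int main(void) {
    printf("expansion on Permanent pool: cache live = %d\n",
           dkim_acl_cache_survives(0));
    printf("expansion on Main pool:      cache live = %d\n",
           dkim_acl_cache_survives(1));
    return 0;
}
```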
Changelog:
Fixed Searching message bodies of messages in local folders, including
filter and quick filter operations, not working reliably:
Content not found in base64-encoded message parts, non-ASCII text
not found and false positives found.
Fixed Defective messages (without at least one expected header) not shown
in IMAP folders but shown on mobile devices
Fixed Calendar: Unintended task deletion if numlock is enabled
Fixed Various security fixes
Security fixes:
#CVE-2018-5095: Integer overflow in Skia library during edge builder allocation
#CVE-2018-5096: Use-after-free while editing form elements
#CVE-2018-5097: Use-after-free when source document is manipulated during XSLT
#CVE-2018-5098: Use-after-free while manipulating form input elements
#CVE-2018-5099: Use-after-free with widget listener
#CVE-2018-5102: Use-after-free in HTML media elements
#CVE-2018-5103: Use-after-free during mouse event handling
#CVE-2018-5104: Use-after-free during font face manipulation
#CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
#CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6,
and Thunderbird 52.6
Small patch release to fix the worst bugs in v2.3.0. v2.3.1 is coming in about a month with a lot more changes.
* CVE-2017-15130: TLS SNI config lookups may lead to excessive
memory usage, causing imap-login/pop3-login VSZ limit to be reached
and the process restarted. This happens only if Dovecot config has
local_name { } or local { } configuration blocks and attacker uses
randomly generated SNI servernames.
* CVE-2017-14461: Parsing invalid email addresses may cause a crash or
leak memory contents to attacker. For example, these memory contents
might contain parts of an email from another user if the same imap
process is reused for multiple users. First discovered by Aleksandar
Nikolic of Cisco Talos. Independently also discovered by "flxflndy"
via HackerOne.
* CVE-2017-15132: Aborted SASL authentication leaks memory in login
process.
* Linux: Core dumping is no longer enabled by default via
PR_SET_DUMPABLE, because this may allow attackers to bypass
chroot/group restrictions. Found by cPanel Security Team. Nowadays
core dumps can be safely enabled by using "sysctl -w
fs.suid_dumpable=2". If the old behaviour is wanted, it can still be
enabled by setting:
import_environment=$import_environment PR_SET_DUMPABLE=1
- imap-login with SSL/TLS connections may end up in infinite loop
1.02 Sat Feb 03 13:41:38 2018
- add support for parsing and generating addresses with nul character
- fix function compose_address when both user and host contain non-ASCII 8bit characters
- fix possible memory leak in dovecot parser
Update mail/postfix to 3.2.5.
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.2.4.html]
This announcement concerns fixes for problems that were introduced
with Postfix 3.0 and later. Older supported releases are unaffected.
Fixed in Postfix 3.1 and later:
* DANE interoperability. Postfix builds with OpenSSL 1.0.0 or
1.0.1 failed to send email to some sites with "TLSA 2 X X" DNS
records associated with an intermediate CA certificate. Problem
report and initial fix by Erwan Legrand.
Fixed in Postfix 3.0 and later:
* Missing dynamicmaps support in the Postfix sendmail command.
This broke authorized_submit_users settings that use a
dynamically-loaded map type. Problem reported by Ulrich Zehl.
2018-02-23 Richard Russon <rich@flatcap.org>
* Features
- browser: `<goto-parent>` function bound to "p"
- editor: `<history-search>` function bound to "Ctrl-r"
- Cygwin support: https://www.neomutt.org/distro/cygwin
- OpenSUSE support: https://www.neomutt.org/distro/suse
- Upstream Homebrew support: Very soon - https://www.neomutt.org/distro/homebrew
* Bug Fixes
- gmail server-side search
- nested-if: correctly handle "<" and ">" with %?
- display of special chars
- lua: enable myvars
- for pgpewrap in default gpg.rc
- reply_regexp which wasn't formatted correctly.
- parsing of urls containing '?'
- out-of-bounds read in mutt_str_lws_len
* Translations
- Review fuzzy lt translations
- Updated French translation
* Website
- Installation guide for Cygwin
- Installation guide for OpenSUSE
- Installation guide for CRUX
* Build
- check that DTDs are installed
- autosetup improvements
- option for which version of bdb to use
- drop test for resizeterm -- it's always present
* Code
- split if's containing assignments
- doxygen: add/improve comments
- rename functions / parameters for consistency
- add missing {}s for clarity
- move functions to library
- reduce scope of variables
- boolify more variables
- iwyu: remove unnecessary headers
- name unicode chars
- tailq: migrate parameter api
- md5: refactor and tidy
- rfc2047: refactor and tidy
- buffer: improvements
- create unit test framework
- fix several coverity defects
* Upstream
- Fix s/mime certificate deletion bug
- Disable message security if the backend is not available
- Fix improper signed int conversion of IMAP uid and msn values
- Change imap literal counts to parse and store unsigned ints
- Fix imap status count range check
- cmd_handle_fatal: make error message a bit more descriptive
- Create pgp and s/mime default and sign_as key vars
- Add missing setup calls when resuming encrypted drafts
- mutt_pretty_size: show real number for small files
- examine_directory: set directory/symlink size to zero
- Add history-search function, bound to ctrl-r
- Avoid a potential integer overflow if a Content-Length value is huge
- Fix build issue with redefining the "accept" function.
- Added support for whitelists in the rbl plugin.
- Added option to skip the Received header for authenticated connections.
2.0.2 (2017-12-14)
* Fix treatment of No_Mail configuration parameter so that specifying
No_Mail = False (the default) does not cause incorrect results
* Conditionally import authres if Header_Type is AR and raise an error if it
is missing (sorry pep-8) to avoid cases where users change the config
and suddenly it doesn't work; for an example, see:
https://bugzilla.redhat.com/show_bug.cgi?id=1208876
* Update and correct Mail_From_pass_restriction description in
policyd-spf.conf(5)
* Update HELO checking default option in policyd-spf.conf(5)
* Note that SPF_Not_Pass is not consistent with RFC 7208 in the HELO
checking section of policyd-spf.conf(5) - already documented for Mail From
1.0.2:
+ Added DKIM 'a' property so signature algorithm can be reported as proposed
for inclusion in draft-ietf-dmarc-rfc7601bis (experimental)
+ Added match_signature_algorithm to the DKIMAuthenticationResult class to
make it easier to find the correct DKIM result based on both domain and
algorithm
+ Added DKIM 's' property so signature algorithm can be reported as proposed
for inclusion in draft-ietf-dmarc-rfc7601bis (experimental)
- [CritFix] Add sanity guards for badly broken HTML
- [CritFix] Another errors path handling fix
- [CritFix] Fix ARC chain verification
- [CritFix] Fix crash in milter errors handler
- [Feature] Allow to insert headers into specific position
- [Feature] Allow to receive signing keys from mempool vars
- [Feature] Authentication-Results: support hiding usernames
- [Fix] Another try to deal with #1998
- [Fix] Another try to fix #1998
- [Fix] Better handling of the legacy protocol
- [Fix] Check decoded headers sanity (e.g. by excluding \0)
- [Fix] Deal with nan and inf encoding in json/ucl
- [Fix] Deal with URLs wrapped in [] in text parts
- [Fix] DKIM signing: allow for auth_only to be false
- [Fix] Do not crash on empty subtype
- [Fix] Do not fail rbl plugin when there are no received or emails
- [Fix] Do not skip the last character
- [Fix] Do not try to dereference last character
- [Fix] Do not try to sign unknown domains
- [Fix] Exim Received header protocol parsing
- [Fix] First load selector_map and path_map. And only return false
when domain not found if try_fallback is false
- [Fix] Fix bad archive characters stripping
- [Fix] Fix comparison
- [Fix] Fix connecting to a unix socket in rspamadm statconvert
- [Fix] Fix empty headers simple canonicalization
- [Fix] Fix extra hits in PCRE mode for regular expressions
- [Fix] Fix parsing of the per-user script
- [Fix] Fix processing of skip-hashes in fuzzy storage
- [Fix] Fix Redis timeout setup
- [Fix] Fix sanity checks on macro value
- [Fix] Fix text splitting: stack overflow (too many captures)
- [Fix] Fix urls/emails distinguishing found in queries
- [Fix] F-PROT Antivirus: only check return code to determine
infection
- [Fix] Metadata exporter: check IP sanity
- [Fix] Multimap: received: filtering of artificial header
- [Fix] Plan new event on HTTP errors
- [Fix] Plug another possible memory leak
- [Fix] Remove hop-by-hop headers in proxy
- [Fix] Sanitize IP in history redis
- [Fix] Setting check_local / check_authed in plugins (#1954)
- [Fix] Settings: avoid checking invalid IP (#1981)
- [Fix] Try harder in passing IPv6 addresses
- [Fix] WebUI: use relative path for savemap (#1943)
- [WebUI] Fix message count in throughput summary (#1724)
- [WebUI] Fix NaNs display on Throughput graph
- [WebUI] Restore passwordless login support (#2003)
use same PKG_OPTIONS_VAR as imap-uw to determine whether the build
needs to include kerberos support; this makes this extension actually
build against such imap-uw
bump PKGREVISION
when EXTRAAUTHENTICATORS is passed as MAKE_FLAGS, it ends up being
doubled, mkauths then generates auths.c with doubled auth_gss.c and
auth_mit.c twice, triggering duplicate definition errors with clang
9.0.0; pass via MAKE_ENV instead
bump PKGREVISION
Upstream changes:
version 2.20: Mon 22 Jan 18:14:44 CET 2018
Improvements:
- rewrite doc syntax to my current standard style.
- text corrections rt.cpan.org#123823 [Ville Skyttä]
- text corrections rt.cpan.org#123824 [Ville Skyttä]
- convert to GIT
- move to GitHUB
1.6.5: 22 Oct 2017
- [CritFix] Another portion of tokenization fixes
- [CritFix] Fix memory leak in spf caching logic
- [CritFix] Fix milter commands pipelining
- [CritFix] Fix newlines detection
- [Feature] Filter nan and inf when adding scores
- [Feature] Implement headers flags in mime parser
- [Feature] Support Expires header when using HTTP maps
- [Fix] Actively load skip hashes map in fuzzy storage
- [Fix] Add workaround for IPv6 in sendmail
- [Fix] Authentication Results: Fix SPF smtp.mail_from
- [Fix] Check for magic when checking for an archive
- [Fix] Deal with another case when processing exceptions
- [Fix] Deal with URLs with no slashes after protocol
- [Fix] Do not allow garbage when checking url domain
- [Fix] Do not ignore short words
- [Fix] Do not strip last character in the last word
- [Fix] Do not treat script content as text
- [Fix] Erase unknown HTML entities
- [Fix] Fix another tokenization issue
- [Fix] Fix DKIM forgeries via multiple headers
- [Fix] Fix emails detection
- [Fix] Fix empty threshold check in greylisting module
- [Fix] Fix enormous scores for R_WHITE_ON_WHITE
- [Fix] Fix loading of per-user redis backend for statistics
- [Fix] Fix multiple headers in DKIM headers list
- [Fix] Fix obscured url in format user@@example.com
- [Fix] Further tokenization fixes
- [Fix] Load skip map from all processes as shared cache is
unavailable
- [Fix] Lowercase words
- [Fix] Milter headers: skip_local / skip_authenticated settings
- [Fix] Milter headers: X-Spamd-Result header if X-Virus ran first
- [Fix] Ratelimit: fix whitelisted_rcpts matching
- [Fix] Some more fixes towards emails detection
- [Fix] SpamAssassin: Fail check_freemail_header if regexp didn't
match
- [Fix] Use greylisting threshold in greylisting module
1.6.4: 10 Sep 2017
- [Feature] Add method to get all content-type attributes in Lua
- [Feature] Add some sanity checks for actions and controller
- [Feature] Allow randomly select User-Agent from a list
- [Feature] Deal with obscured URLs with @ symbols
- [Feature] Milter headers: support adding/removing arbitrary headers
from config
- [Fix] Add another workaround to display history properly
- [Fix] Add missing rspamadm control options to help
- [Fix] Auth-Results: Multiple DKIM signatures
- [Fix] Crash in URL processing
- [Fix] Default monitoring domain for surbl plugin
- [Fix] Detection of maillist optimized and fixed
- [Fix] Do not cache SPF records with PTR elements
- [Fix] Fix blacklists and DMARC in whitelist
- [Fix] Fix exceptions list in surbl
- [Fix] Fix processing of closed tags
- [Fix] Fix PTR processing in SPF
- [Fix] Lowercase HTTP headers to make them searchable from Lua
- [Fix] options.local_networks setting
- [Fix] Ratelimit: lowercase email addresses
- [Fix] Rebalance and slightly rework MX check plugin
- [Fix] Redis script loading in DMARC; URL tags; URL reputation
- [Fix] Reject invalid bh for DKIM signatures earlier
- [Fix] Remove incorrect method `task:set_metric_subject`
- [Fix] Rewriting subjects via force actions module
- [Fix] RPM postinstall
- [Fix] Treat 'rewrite subject' as spam action
- [Fix] Try harder to find urls
- [Fix] Use full URL when making an HTTP request
- [Fix] Use raw urls when sending requests to redirector
- [Fix] Use weight from map for fuzzy scoring
- [Rules] Penalise R_BAD_CTE_7BIT for utf8 messages
1.6.3: 26 Jul 2017
- [CritFix] Fix semicolons parsing in the content type
- [Feature] Add EBL to the default config
- [Feature] Allow to configure monitored
- [Feature] Allow to skip specific hashes in fuzzy storage
- [Feature] Multimap: checking of symbol options
- [Feature] Redis settings: support checking multiple keys
- [Fix] ARC: Fix Lua 5.3 compatibility; timestamp should be integer
- [Fix] Avoid changing content-transfer-encoding header's value
- [Fix] Don't use whitelist/greylist maps as regexp, but as map
- [Fix] Fix get_content method
- [Fix] Header checks: Fix get_raw_header method
- [Fix] Header checks: REPLYTO_UNPARSEABLE rule
- [Fix] Lua_http: freeing
- [Fix] Milter headers: custom headers: removing headers
- [Fix] Parse HREF urls without explicit prefix
- [Fix] WHITE_ON_WHITE: Ensure score is matched to part that fired the
rule
- [WebUI] Escape strings inside HTML in history
1.6.2: 08 Jul 2017
- [Conf] Remove Rambler email bl for now
- [Conf] Switch RAMBLER_URIBL to a locally managed source
- [CritFix] Switch from ragel to C for Content-Type parsing
- [Feature] Add `-e` option for lua_repl
- [Feature] Add per-domain emails normalisation rules
- [Feature] Add sessions cache to debug dangling sessions
- [Feature] Add short_text_direct_hash for fuzzy check module
- [Feature] Add text_part:get_stats function
- [Feature] Allow to add custom processing script for surbl
- [Feature] Allow to check reply-to email
- [Feature] Allow to customize spam header, remove existing spam
headers
- [Feature] Allow to disable specific workers in the config
- [Feature] Allow to discard messages instead of rejection
- [Feature] Allow to specify custom delimiter in emails plugin
- [Feature] Allow to specify custom User-Agent for rspamc
- [Feature] Allow to store symbols data in Clickhouse
- [Feature] Allow to use HTTPS when connecting to Clickhouse
- [Feature] Enable sessions cache tracking for milter connections
- [Feature] Implement per-line mode in lua_repl (like `perl -p`)
- [Feature] Implement rdns-curve plugin based on rspamd cryptobox
- [Feature] Improve maps cached data lifetime
- [Feature] Improve maps checking frequency
- [Feature] Improve monitored timeouts logic
- [Feature] milter_headers: add `extended_headers_rcpt` option
- [Feature] Milter headers: Add X-Spam-Flag to rmilter-compatibility
headers
- [Feature] Milter headers: remove-header routine
- [Feature] Multimap: received filters for extracting TLDs from
hostnames
- [Feature] Normalize email aliases in emails module
- [Feature] Re-add rambler email bl (as hashed list)
- [Feature] Reload file maps more frequently
- [Feature] Rework newlines strip parser one more time
- [Feature] Skip updates for messages scanned via controller
- [Feature] Split long DKIM public keys
- [Feature] Store more data when stripping newlines
- [Feature] Support SPF macros transformations
- [Feature] Support suppressing DMARC reports for some domains
- [Fix] Add missing `break` statement
- [Fix] Allow modifiers in SPF macros
- [Fix] DKIM sign tools: edge-cases around use_esld
- [Fix] Do not cache SPF records with macros
- [Fix] Do not overwrite score when setting pre-action
- [Fix] Fix comparison logic
- [Fix] Fix DKIM base64 folding for milter flagged messages
- [Fix] Fix emails module configuration
- [Fix] Fix folding for arc headers when milter interface is used
- [Fix] Fix gmail dots removal
- [Fix] Fix rspamc detection in greylist module
- [Fix] Fix some more issues with HTTP maps
- [Fix] Milter sessions can live forever
- [Fix] Normalize fuzzy probability better
- [Fix] Plug memory leak
- [Fix] RBL: Fixed hashed email address lookups
- [Fix] Try to deal with brain-damaged milter behaviour
- [Fix] Use `\n` to fold headers for milter
- [Rework] Allow to use custom callback for monitored checks
- [Rework] Further steps towards one process monitoring
- [Rework] Send health checks from a single worker
- [WebUI] Round-up throughput summary values
Notmuch 0.26 (2018-01-09)
=========================
Command Line Interface
----------------------
Support for re-indexing existing messages
There is a new subcommand, `notmuch reindex`, which re-indexes all
messages matching supplied search terms. This permits users to
change the way specific messages are indexed.
Note that for messages with multiple variants in the message
archive, the recorded Subject: may change upon reindexing,
depending on the order in which the variants are indexed.
Improved error reporting in notmuch new
Give more details when reporting certain Xapian exceptions.
Support maildir synced tags in `new.tags`
Tags `draft`, `flagged`, `passed`, and `replied` are now supported
in `new.tags`. The tag `unread` is still special in the presence of
maildir syncing, and will be added for files in `new/` regardless of
the setting of `new.tags`.
Support /regex/ in new.ignore
Files and directories may be ignored based on regular expressions.
Allow `notmuch insert --folder=""`
This inserts into the top level folder.
Strip trailing '/' from folder path for notmuch insert
This prevents a potential problem with duplicated database records.
New option --output=address for notmuch address
Make `notmuch show` more robust against deleting duplicate files
The option --decrypt now takes an explicit argument
The --decrypt option to `notmuch show` and `notmuch reply` now takes
an explicit argument. If you were used to invoking `notmuch show
--decrypt`, you should switch to `notmuch show --decrypt=true`.
Boolean and keyword arguments now take a `--no-` prefix
Encrypted Mail
--------------
Indexing cleartext of encrypted e-mails
It's now possible to include the cleartext of encrypted e-mails in
the notmuch index. This makes it possible to search your encrypted
e-mails with the same ease as searching cleartext. This can be done
on a per-message basis by passing --decrypt=true to indexing
commands (new, insert, reindex), or by default by running "notmuch
config set index.decrypt true".
Encrypted messages whose cleartext is indexed will typically also
have their session keys stashed as properties associated with the
message. Stashed session keys permit rapid rendering of long
encrypted threads, and disposal of expired encryption-capable keys.
If for some reason you want cleartext indexing without stashed
session keys, use --decrypt=nostash for your indexing commands (or
run "notmuch config set index.decrypt nostash"). See `index.decrypt`
in notmuch-config(1) for more details.
Note that stashed session keys permit reconstruction of the
cleartext of the encrypted message itself, and the contents of the
index are roughly equivalent to the cleartext as well. DO NOT USE
this feature without considering the security of your index.
Emacs
-----
Guard against concurrent searches in notmuch-tree
Use make-process when available
This allows newer Emacs to separate stdout and stderr from the
notmuch command without using temporary files.
Library Changes
---------------
Indexing files with duplicate message-id
Files with duplicate message-id's are now indexed, and searchable
via terms and phrases. There are known issues related to
presentation of results and regular-expression search, but in
principle no mail file should be completely unsearchable now.
New functions to count files
Two new functions in the libnotmuch API:
`notmuch_message_count_files`, and `notmuch_thread_get_total_files`.
New function to remove properties
A new function was added to the libnotmuch API to make it easier to
drop all properties with a common pattern:
`notmuch_message_remove_all_properties_with_prefix`
Change of return value of `notmuch_thread_get_authors`
In certain corner cases, `notmuch_thread_get_authors` previously
returned NULL. This has been replaced by an empty string, since the
possibility of NULL was not documented.
Transition `notmuch_database_add_message` to `notmuch_database_index_file`
When indexing an e-mail message, the new
`notmuch_database_index_file` function is the preferred form, and
the old `notmuch_database_add_message` is deprecated. The new form
allows passing a set of options to the indexing engine, which the
operator may decide to change from message to message.
Test Suite
----------
Out-of-tree builds
The test suite now works properly with out-of-tree builds, i.e. with
separate source and build directories. The --root option to tests
has been dropped. The same can now be achieved more reliably using
out-of-tree builds.
Python Bindings
---------------
Python bindings specific Debian packaging is removed
The bindings have been built by the top level Debian packaging for a
long time, and `bindings/python/debian` has bit-rotted.
Open mail files in binary mode when using Python 3
This avoids certain encoding related crashes under Python 3.
Add python bindings for `notmuch_database_{get,set}_config*`
Optional `decrypt_policy` flag is available for notmuch.database().index_file()
nmbug
-----
nmbug's internal version increases to 0.3 in this notmuch release.
User-facing changes with this notmuch release:
* Accept failures to unset `core.worktree` in `clone`, which allows
nmbug to be used with Git 2.11.0 and later.
* Auto-checkout in `clone` if it wouldn't clobber existing content,
which makes the initial clone more convenient.
* Only error for invalid diff lines in `tags/`, which allows for
`README`s and similar in nmbug repositories.
Documentation
-------------
New man page: notmuch-properties(7)
This new page to the manual describes common conventions for how
properties are used by libnotmuch, the CLI, and associated programs.
External projects that use properties are encouraged to claim their
properties and conventions here to avoid collisions.
Upstream changes:
version 2.17: Fri Jan 26 23:42:01 CET 2018
Fixes:
- when picking a preferred type for an extension, do prefer the type
with the same minor-name. Issue triggered by [Henry van Styn]
- remove iana obsoleted types
version 2.16: Tue 23 Jan 12:14:39 CET 2018
Fixes:
- collecting of IANA info has stalled: logic rewritten
Discovered by [Julien Lüthi]
Improvements:
- move scripts and source files into MANIFEST.extra
- update types and extensions
version 2.15: Fri 19 Jan 17:23:56 CET 2018
Improvements:
- moved to GIT and GitHUB.
Changelog:
Fix
This release fixes the "Mailsploit" vulnerability and other vulnerabilities
detected by the "Cure53" audit. For details and various other security
fixes see here.
CVE-2017-7845: Buffer overflow when drawing and validating elements with
ANGLE library using Direct 3D 9
CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin
CVE-2017-7847: Local path string can be leaked from RSS feed
CVE-2017-7848: RSS Feed vulnerable to new line Injection
CVE-2017-7829: Mailsploit part 1: From address with encoded null character
is cut off in message header display
This library validates that addresses are of the form x@y.com. This is the sort
of validation you would want for a login form on a website.
Key features:
* Good for validating email addresses used for logins/identity.
* Friendly error messages when validation fails (appropriate to show to end
users).
* (optionally) Checks deliverability: Does the domain name resolve?
* Supports internationalized domain names and (optionally) internationalized
local parts.
* Normalizes email addresses (super important for internationalized addresses!).
Version 0.52
* Internet connection tests were declared in the wrong order
Version 0.51
* Fix for older versions of perl
* Tests no longer fail with no internet connection
Notmuch 0.25.3 (2017-12-08)
===========================
Emacs
-----
Extend mitigation (disabling handling x-display in text/enriched) for
Emacs bug #28350 to Emacs versions before 24.4 (i.e. without
`advice-add`).
Command Line Interface
----------------------
Correctly report userid validity. Fix test suite failure for GMime >=
3.0.3. This change raises the minimum supported version of GMime 3.x
to 3.0.3.
- feature request: added record_mailbox configuration parameter, to
allow turning off the header getmail adds with this information.
Thanks: Daniel Kahn Gillmor, Osamu Aoki, Josh Triplett.
Changelog v0.5.0.1:
- imap4flags extension: Fix binary corruption occurring when
setflag/addflag/removeflag flag-list is a variable.
- sieve-extprograms plugin: Fix segfault occurring when used in
IMAPSieve context.