Rails 6.1.3 (February 17, 2021)
[ActionPack]
* Re-define routes when not set correctly via inheritance.
*John Hawthorn*
[ActiveRecord]
* Fix the MySQL adapter to always set the right collation and charset
to the connection session.
*Rafael Mendonça França*
* Fix MySQL adapter handling of time objects when prepared statements
are enabled.
*Rafael Mendonça França*
* Fix scoping in enum fields using conditions that would generate
an IN clause.
*Ryuta Kamizono*
* Skip optimised #exists? query when #include? is called on a relation
with a having clause.
Relations that have aliased select values AND a having clause that
references an aliased select value would generate an error when
#include? was called, due to an optimisation that would instead
call #exists? on the relation, which effectively alters
the select values of the query (and thus removes the aliased select
values), but leaves the having clause intact. Because the having
clause is then referencing an aliased column that is no longer
present in the simplified query, an ActiveRecord::InvalidStatement
error was raised.
A sample query affected by this problem:
    Author.select('COUNT(*) as total_posts', 'authors.*')
      .joins(:posts)
      .group(:id)
      .having('total_posts > 2')
      .include?(Author.first)
This change adds an additional check to the condition that skips the
simplified #exists? query, which simply checks for the presence of
a having clause.
Fixes #41417
*Michael Smart*
* Increment postgres prepared statement counter before making a
prepared statement, so if the statement is aborted without Rails
knowledge (e.g., if app gets kill -9d during long-running query or
due to Rack::Timeout), app won't end up in perpetual crash state for
being inconsistent with Postgres.
*wbharding*, *Martin Tepper*
Changelog:
Fixes
Importing an address book from a CSV file always reported an error
Security information for S/MIME messages was not displayed correctly prior to a
draft being saved
Calendar: FileLink UI fixes for Caldav calendars
Recurring tasks were always marked incomplete; unable to use filters
Various UI widgets not working
Dark theme improvements
Extension manager was missing link to addon support web page
Various security fixes
Security fixes:
#CVE-2021-23969: Content Security Policy violation report could have contained
the destination of a redirect
#CVE-2021-23968: Content Security Policy violation report could have contained
the destination of a redirect
#CVE-2021-23973: MediaError message property could have leaked information
about cross-origin resources
#CVE-2021-23978: Memory safety bugs fixed in Thunderbird 78.8
pkgsrc changes:
---------------
* The main maintainer seems to have changed. The GitHub repository has been
updated accordingly.
* Since the vendor dependencies have been removed from the GitHub release, we
use php-composer to resolve them.
upstream changes:
-----------------
Version 4.0.4 (to 4.0.3)
o Fix#321: Boolean settings in presets caused errors when trying to store
the preset's addressbooks to the database
o Fix#322: The refresh time string from admin presets was not converted to
seconds, causing errors or wrong values when storing the preset's
addressbooks to the database
o Fix#324: Changes not immediately visible with postgresql (delete contact,
add/remove contact to/from group)
o Fix: spurious error returned when creating VCard on Google
Version 4.0.3 (to 4.0.2)
o Allow release 1.0 of carddavclient in composer dependencies
o No changes to the plugin itself
Version 4.0.2 (to 4.0.1)
o Fix#316: Incompatibility with Sabre/VObject version 4 preventing saving
contacts using custom labels
o Fix: Default refresh time set to 1 sec in settings
Version 4.0.1 (to 4.0.0)
o Fix: Plugin version was not shown in about window for tarball installations
o Fix: Collation behavior was case-insensitive for MySQL (only). Now unified
across the different supported DBMS.
o Fix#306: With MySQL, sync failure could occur when several custom labels
were used that only differed in case (effect of previous issue).
o Fix#308: With SQLite, the initial sync after adding a new addressbook was
not automatically triggered.
Version 4.0.0 (to 3.0.3)
This release contains changes to DB schema. The database will be migrated
automatically upon login to roundcube.
o All changes from 4.0.0-alpha1
o Fix: Deletion of empty CATEGORIES-type groups
o Fix: Delete CATEGORIES-type groups from DB that become empty during a sync
o Fix: Renaming of empty CATEGORIES-type groups
o Fix: During deletion, do not rely on the DB's ON CASCADE DELETE because
this is disabled by default for SQLite
o Fix: It was not possible to discover multiple addressbooks for an admin
preset because of a wrong UNIQUE constraint in MySQL
o Fix: Catch exceptions thrown inside the plugin (avoid "white page" on error)
o Increase the maximum lengths of password, email and url fields
o Use transactions to synchronize concurrent operations on the same
addressbook (data consistency issues may still occur with MySQL because of
roundcube DB layer bug). For details, see DBSYNC.md.
o Unified database indexes across the different database backends: Create
indexes for foreign key columns (PostgreSQL, SQLite)
o Fixed issues in the migration scripts and added SQL scripts showing the
current DB schema
o Update hungarian translation (thanks to @tsabi)
Version 4.0.0-alpha1 (to 3.0.3)
Note: The Changelog for this version is not complete
This is an alpha release because I did not perform any tests on it.
Nevertheless, it has many bugs fixed and I encourage you to upgrade and report
issues as you find them. The last release 3.0.3 has many issues that have been
fixed in v4. I push this release early mainly because of the security
issue reported. I'll continue working on remaining issues I want to fix (note:
all of them are also present in 3.0.3) for v4 and I intend to release a more
tested version and a more detailed changelog within the next weeks.
o Security issue: It was possible to read data from other users'
addressbooks. Depending on the configuration, it might also have been
possible to change data in their addressbooks. Thanks to @cnmicha for
reporting this issue. This issue affects all previously released versions
of RCMCardDAV using a database cache.
o Many bugs you reported and several more I discovered during refactoring
have been fixed.
o The password scheme now defaults to encrypted (if you have not configured a
password scheme, this will take effect automatically for newly stored
password. If you don't want this, configure a password scheme in
settings.php).
o The URL is not changeable after creation of an addressbook anymore. It used
to work in specific, but not all cases. As the behavior is potentially
broken and not easy to fix, it is removed for now.
o The two kinds of contact groups (VCard-based vs. CATEGORIES-based) are now
transparently supported to the possible extent. The configuration switch is
only meaningful concerning the type of group used when a new group is
created from RCMCardDAV. See details here.
o The CardDAV interaction is moved to a library. It is essentially a complete
rewrite of the code communicating with the CardDAV servers and includes
interoperability tests with many common servers, see here.
* Import upstream patch to fix runtime errors.
Changelog:
This is a feature release that comes with significant new functionality:
- The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
- Support for configuring a TLS cipher string was added.
- IMAP mailbox subscriptions are supported now.
- The IMAP user query can be scripted now.
- Added built-in support for the macOS Keychain.
- Messages excluded by MaxSize will now result in placeholders.
Compatibility concerns:
- The 'isync' compatibility wrapper was removed.
- A C11 compiler is required for building now.
- The validity of the config file is checked more strictly now, including:
- Appearance of options in unexpected places
- The capitalization of INBOX
- The new TLSv1.3 flag must be added to SSLVersions if the option is
used, unless disabling that version is desired (which is unlikely).
- Removed support for the obsolete/insecure SSL v3.
- The use of Master/Slave terminology has been deprecated.
Bugfixes:
- All bugfixes up to 1.3.4 are included.
- IMAP protocol errors are handled more robustly now.
- Fixed support for SASL's built-in EXTERNAL mechanism.
- Improved reliability of synchronization when resuming interrupted runs.
- Fixed MaxSize being ignored under certain circumstances when only one of
New and ReNew was requested.
- Fixed a network inefficiency occurring with server-side mailboxes that
receive new messages only via mbsync.
Action Mailbox
Action Mailbox routes incoming emails to controller-like mailboxes for
processing in Rails. It ships with ingresses for Mailgun, Mandrill, Postmark,
and SendGrid. You can also handle inbound mails directly via the built-in
Exim, Postfix, and Qmail ingresses.
The inbound emails are turned into `InboundEmail` records using Active Record
and feature lifecycle tracking, storage of the original email on cloud storage
via Active Storage, and responsible data handling with on-by-default
incineration.
These inbound emails are routed asynchronously using Active Job to one or
several dedicated mailboxes, which are capable of interacting directly with
the rest of your domain model.
You can read more about Action Mailbox in the [Action Mailbox
Basics](https://edgeguides.rubyonrails.org/action_mailbox_basics.html) guide.
This is for Ruby on Rails 6.1.
Action Mailer is a framework for designing email-service layers. These layers
are used to consolidate code for sending out forgotten passwords, welcome
wishes on signup, invoices for billing, and any other use case that requires
a written notification to either a person or another system.
Action Mailer is in essence a wrapper around Action Controller and the
Mail gem. It provides a way to make emails using templates in the same
way that Action Controller renders views using templates.
Additionally, an Action Mailer class can be used to process incoming email,
such as allowing a weblog to accept new posts from an email (which could even
have been sent from a phone).
This is for Ruby on Rails 6.1.
Version 2.2.0
=============
Changed
-------
- Performance improvements
- 2x faster _maybe_int_to_bytes for Python 2
- Fix _proc_folder_list quadratic runtime
- Faster utf7 encode. ~40% faster for input with a mix of unicode and
ASCII chars.
- Cache regex in _process_select_response
- poll() when available to surpass 1024 file descriptor limit with select()
- Use next instead of six.next as imapclient doesn't claim Python 2.5 support.
- Moved "Logged in/out" traces from INFO to DEBUG level
- Run tests on Python 3.8 and 3.9
- Support the Deleted special folder used by Outlook
- Clean up timeout handling
- Run the Black code formatter over the entire project
Added
-----
- MULTIAPPEND and LITERAL+ support
- Use ptpython for interactive shell if available
- Allow any custom SASL mechanism to be provided. This allows mechanisms such
as EXTERNAL, GSSAPI or SCRAM-SHA-256 to be used in the same way as with
imaplib.
- Add SASL OAUTHBEARER support
- add optional timeout parameter to IMAP4_TLS.open
Fixed
-----
- fixed special folder searching
- Catch the right exception in folder_status
- test_imapclient: Fix LoggerAdapter version check
- Fix config file parsing for None attributes
- Fix useless ref cycle in lexer
- Protocol parsing: Prevent converting numbers with leading zeroes to int.
- Prevent UnicodeDecodeError in IMAPlibLoggerAdapter
- Fix invalid string escape sequences
- Ensure timeout is used on Python 2.7. _create_socket isn't used with the
Python 2 version of imaplib, so the open method has been overridden to make it
consistent across Python versions.
- Fix IMAP4_TLS for imaplib in Python 3.9+
3.2021.0212 / 2021-02-12
* Updated the IANA media registry entries as of release date.
* Added a new rake task (release:automatic) that downloads and converts
the data from Apache and IANA; if there are changes detected, it updates
the release version, changelog, manifest, and gemspec and commits the
changes to git.
databases/ruby-activerecord60:
## Rails 6.0.3.5 (February 10, 2021) ##
* Fix possible DoS vector in PostgreSQL money type
Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter. This patch
fixes the regexp.
Thanks to @dee-see from Hackerone for this patch!
[CVE-2021-22880]
*Aaron Patterson*
www/ruby-actionpack60
## Rails 6.0.3.5 (February 10, 2021) ##
* Prevent open redirect when allowed host starts with a dot
[CVE-2021-22881]
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
issue and the patch!
*Aaron Patterson*
## Rails 5.2.4.5 (February 10, 2021) ##
* Fix possible DoS vector in PostgreSQL money type
Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter. This patch
fixes the regexp.
Thanks to @dee-see from Hackerone for this patch!
[CVE-2021-22880]
*Aaron Patterson*
Changelog:
What's New
CardDAV address books now support OAuth2 and Google Contacts.
Changes
Thunderbird will no longer allow installation of addons that use the legacy API
Fixes
Send message button sometimes remained enabled when it should be disabled
Pressing command+enter to send a message on macOS did not work
OpenPGP: Failed to save attachments that contained binary data after decryption
Global search UI fixes
Various theme and color fixes to improve ease of use
RELEASE 1.4.11
--------------
- Display a nice error informing about no PHP8 support
- Elastic: Fix compatibility with Less v3 and v4 (#7813)
- Fix bug with managesieve_domains in Settings > Forwarding form (#7849)
- Fix errors in MSSQL database update scripts (#7853)
- Security: Fix cross-site scripting (XSS) via HTML messages with
malicious CSS content
FetchYahoo is a Perl script that fetches mail from a Yahoo! account through
HTTP requests. Unfortunately, these requests no longer work and fetchyahoo
has not been maintained for a long time.
As an alternative for fetching Yahoo! mail, mail/fetchmail works well and
is actively developed.
* fix unit tests in a clean environment
* move default database path to ~/.local/share (Closes: GL#16)
* default to data directory and add a deprecation warning (Closes: GL#17)
Changelog:
What's New
Extension API: Compose API now supports editing messages and templates as new
messages
Extension API: composeHtml is now exposed in MailIdentity
Extension API: windows.update and windows.create now support titlePreface
Extension API: new Accounts API functions: accounts.getDefault() and
accounts.getDefaultIdentity(accountId)
Changes
Extension API: body and plainTextBody are now used as compose mode selectors in
setComposeDetails and begin* functions in Compose API
Theme: removed the double border around the task description field on the Tasks
tab
Fixes
Account Manager: When deleting the last remaining account, the default account
was not getting cleared and still pointed to the no-longer-existing account
OpenPGP: Verification of an inline signed message would fail if it contained
leading whitespace
OpenPGP: Various other minor bug and stability fixes
Mail Window: Quickfilter bar buttons disappear when hovered on Windows 10 High
Contrast Black theme
Theme: folder properties dialog contained black text on a black background in
dark mode
Theme: recipient pills in compose window were not visible in high contrast dark
theme on Windows 10
Extension API: browserAction buttons were not restored after restart if they
were moved outside the default toolbar
Extension API: browser.compose.beginNew could not override identity plaintext
setting
Extension API: browser.compose.beginForward was ignoring ComposeDetails
Extension API: browser.compose.setComposeDetails did not properly handle
Windows-style line endings
Various security fixes
Security fixes:
#CVE-2021-23953: Cross-origin information leakage via redirected PDF requests
#CVE-2021-23954: Type confusion when using logical assignment operators in
JavaScript switch statements
#CVE-2020-15685: IMAP Response Injection when using STARTTLS
#CVE-2020-26976: HTTPS pages could have been intercepted by a registered
service worker when they should not have been
#CVE-2021-23960: Use-after-poison for incorrectly redeclared JavaScript
variables during GC
#CVE-2021-23964: Memory safety bugs fixed in Thunderbird 78.7
upstream changes:
-----------------
fetchmail-6.4.15 (released 2021-01-03, 27614 LoC):
# BUG FIXES
* Fix a typo in the manual page reported by David McKelvie.
* Fix cross-compilation with openssl, by Fabrice Fontaine. Merge request !23.
* Fix truncation of SMTP PLAIN AUTH with ^ in credentials, by Earl Chew. Gitlab issue #23, merge request !25.
fetchmail-6.4.14 (released 2020-11-26, 27608 LoC):
# TRANSLATION UPDATES were made by these fine people:
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
upstream changes:
-----------------
* Fixed issues with DKIM and ARC verification
It was possible for some DKIM checks to fail where multiple signatures are
present due to a canonicalisation bug. This issue has now been fixed. Arc
plugin has also been fixed to support certain CV values.
* Added support for S/MIME containers
From this version, Rspamd supports .p7 containers and extracting signed
parts during the checks. For details see the following issue.
* Several important rules rework
Anton Yuzhaninov has reworked many old rules in Rspamd improving their
quality and has removed several outdated rules as well.
* Support of caching for regexp multimaps
Regexp maps can now be cached on disk which should improve loading speed of
large maps on reload/restart of Rspamd if they are unchanged.
* Neural plugin offline learning
In this mode, Rspamd can train neural network from Clickhouse so it is
possible to define better training conditions and manage learning for large
systems with more fine grained control. Please refer to the corresponding
documentation section for more details. Thanks to Andrew Lewis for
implementing this functionality.
* Other changes
Here is the list of the important changes:
[Conf] Add R_DKIM_PERMFAIL to the metric
[CritFix] Dkim: Fix simple canonicalisation if multiple signatures are presented
[CritFix] Fix controller paths normalisation
[Feature] Add INVALID_DATE rule
[Feature] Add controller endpoint for training neural
[Feature] Add sanity checks for actions thresholds
[Feature] Add support of ‘==’ and ‘!=’ in Rspamd expressions
[Feature] Composites: Improve composite atoms parser
[Feature] Docker: use Debian slim variant
[Feature] Elastic: Add some missing fields
[Feature] Extract text from img alt attributes
[Feature] Improve charset detection logic
[Feature] Lua_clickhouse: Add optional row callback for large selections
[Feature] Lua_dns_resolver: Add idna_convert_utf8 method
[Feature] Lua_mime: Add ability to do multipattern replacement
[Feature] Lua_trie: Allow to report start of the match
[Feature] Multimap: support adding map values as extra options
[Feature] Neural: Move PCA learning to a subprocess
[Feature] RBL: support matching content/image URLs only
[Feature] RBL: support use of multiple selectors
[Feature] Reputation: Allow to specify ip masks
[Feature] Support SMIME signed messages container
[Feature] Support multiple conditions for symbols
[Feature] Support ping in milter mode
[Feature] Support rspamd_text in selector regexps
[Feature] Use own daemonization routine
[Feature] Vadesecure: Implement settings_outbound feature as recommended by Vade
[Feature] rspamadm clickhouse command
[Feature] allow hyperscan for aarch64
[Fix] Allow to set priorities between post init scripts
[Fix] Allow to use maps for strings that are not zero terminated
[Fix] Apply max_lua_urls limit for emails as well
[Fix] Arc: Fix CV check on signing
[Fix] Arc: Fix signing of the broken ARC chains
[Fix] Clickhouse: escape carriage return
[Fix] Composites: Allow partial match
[Fix] Deduct type of a table methods
[Fix] Do not load errored hyperscan database
[Fix] Do not process links in ignored html tags
[Fix] Fix ClamAV result for cached encrypted file (#3395)
[Fix] Fix canonicalisation when l= tag is presented
[Fix] Fix flag shift
[Fix] Fix handling of skip/skip_process http flags
[Fix] Fix html attachments checks
[Fix] Fix issue with pushing binary formats to Lua strings
[Fix] Fix logging for rspamadm
[Fix] Fix off-by-one with init check
[Fix] Fix parsing of escape characters in quoted pairs
[Fix] Fix pushing ucl strings with \0 inside
[Fix] Fix quoted-printable soft newlines bugged case
[Fix] Fix settings in case actions are set to null (#3415)
[Fix] Fix several issues with auth results producing
[Fix] Fix smtp comments exclusion
[Fix] Fix smtp date syntax definition
[Fix] Fix substring search in case if srchlen == inlen
[Fix] Fix text selectors
[Fix] Honour systemd setting when logging to console (#3514)
[Fix] Html: Add entities collisions prevention logic (e.g. for mathml entities)
[Fix] Lua_auth_results: Quote potentially bad values in AR header
[Fix] Multimap: Fix flags usage
[Fix] Multimap: Fix scoring for combined maps
[Fix] Plug GList * leak in redis pool
[Fix] RBL: allow for multiple matches of the same label if types are different
[Fix] Rely on libev checks for file maps
[Fix] Restore simple dkim canonicalisation mode
[Fix] Return MimeCharset as we work with emails…
[Fix] Spamassassin: Fix pcre_only flags
[Fix] Spamassassin: Preserve ‘pcre_only’ flag when dealing with regexp replacements
[Fix] Try to fix GError leak
[Fix] Try to fix a mess with settings loading by adding priorities
[Fix] Try to move settings initialisation to a later stage
[Fix] Use dup fd in milter handler to avoid races with the proxy
[Fix] Use message pointer to avoid obsolete data to be cached
[Project] Rbl: Migrate to checks
[Project] Rbl: Move config code outside of the plugin
[Project] Resurrect empty prefilters as connection filters
[Project] Support connection filters registration from Lua
[Rework] Add final cleanup logic
[Rework] Add preliminary support of hyperscan caching for re maps
[Rework] Add stale cache removal
[Rework] Clickhouse: Improve performance
[Rework] Distinguish between strict config test mode
[Rework] Further logging improvements
[Rework] Milter_headers: improve extended_headers_rcpt support
[Rework] Move parsers to a separate lua library
[Rework] Neural: Skip composite symbols
[Rework] Rbl: Rework defaults logic
[Rework] Some tunes to cache saving
[Rework] Track maps origins
[Rework] Use full crypto hash for regexp maps
[Rules] Remove broken rule
upstream changes:
-----------------
This update improves the reporting of DNSSEC problems that may affect DANE
security. DNSSEC support may be unavailable because of local configuration, libc
incompatibility, or other infrastructure issues. This was backported from
Postfix 3.6.
Background: DNSSEC validation is needed for Postfix DANE support; this ensures
that Postfix receives TLSA records with secure TLS server certificate info.
When DNSSEC validation is unavailable, mail deliveries using opportunistic DANE
(security level 'dane') will not be protected by server certificate info in
TLSA records, and mail deliveries using mandatory DANE (security level
'dane-only') will not be made at all.
This update introduces the following behavior: when a process requests DNSSEC
support (typically, for Postfix DANE support), the process may now do a runtime
test to determine if DNSSEC validation is available.
The new dnssec_probe parameter specifies a DNS query type (default: "ns") and
DNS query name (default: ".") that Postfix may use to determine whether DNSSEC
validation is available. Specify an empty value to disable this feature.
When dnssec_probe is enabled, a Postfix process will send a DNSSEC probe after
1) the process made a DNS query that requested DNSSEC validation, 2) the
process did not receive a DNSSEC validated response to this query or to an
earlier query, and 3) the process did not already send a DNSSEC probe.
When the DNSSEC probe has no response, or when the response is not DNSSEC
validated, Postfix logs a warning that DNSSEC validation may be unavailable.
Examples:
warning: DNSSEC validation may be unavailable
warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
warning: reason: dnssec_probe 'ns:.' received no response: Server failure
With this update, the Postfix build system will no longer automatically disable
DNSSEC support when it determines that Postfix will use libc-musl. This removes
the earlier libc-musl workaround introduced with Postfix 3.2.15, 3.3.10,
3.4.12, and 3.5.2.
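The warnings above are the only signal Postfix gives that opportunistic DANE has silently fallen back to unauthenticated TLS (or that 'dane-only' deliveries are being deferred), so a monitor should pick them up. The following parser is an added example written for this page, not Postfix code: it pairs each "DNSSEC validation may be unavailable" line with the "reason: dnssec_probe ..." line the same process logs next, classifies the failure, and counts failures per host. The syslog prefix format and the log lines themselves are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Syslog-style prefix as commonly written for Postfix; the exact layout
# depends on the local syslog daemon (assumption made for this example).
_PREFIX = re.compile(
    r"^(?P<ts>\S+ +\d+ \S+) (?P<host>\S+) postfix/(?P<proc>[\w-]+)"
    r"\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The two message shapes documented in the Postfix release note above.
_UNAVAILABLE = "warning: DNSSEC validation may be unavailable"
_REASON = re.compile(r"^warning: reason: dnssec_probe '(?P<probe>[^']*)' (?P<detail>.+)$")

# Constructed sample log excerpt (not real traffic).
SAMPLE_LOG = """\
Jan  5 10:12:01 mx1 postfix/smtp[2314]: warning: DNSSEC validation may be unavailable
Jan  5 10:12:01 mx1 postfix/smtp[2314]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
Jan  5 10:12:03 mx1 postfix/smtp[2315]: Untrusted TLS connection established to mail.example.net[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
Jan  5 10:14:44 mx2 postfix/smtp[2320]: warning: DNSSEC validation may be unavailable
Jan  5 10:14:44 mx2 postfix/smtp[2320]: warning: reason: dnssec_probe 'ns:.' received no response: Server failure
"""


@dataclass
class DnssecProbeFailure:
    ts: str
    host: str
    proc: str
    pid: str
    probe: Optional[str] = None   # query type and name, e.g. 'ns:.'
    kind: str = "unknown"         # no_response | not_validated | unknown
    detail: Optional[str] = None  # text after the probe, exactly as logged


def _classify(detail: str) -> str:
    """Map the logged reason text onto a small set of alert categories."""
    if detail.startswith("received no response"):
        return "no_response"          # resolver unreachable or SERVFAIL
    if "not DNSSEC validated" in detail:
        return "not_validated"        # resolver answers but does not validate
    return "unknown"


def parse_dnssec_warnings(log_text: str) -> List[DnssecProbeFailure]:
    """Pair each summary warning with the reason line logged by the same pid."""
    findings: List[DnssecProbeFailure] = []
    pending: Dict[str, DnssecProbeFailure] = {}  # pid -> warning awaiting its reason
    for line in log_text.splitlines():
        m = _PREFIX.match(line)
        if not m:
            continue
        msg, pid = m.group("msg"), m.group("pid")
        if msg == _UNAVAILABLE:
            f = DnssecProbeFailure(m.group("ts"), m.group("host"), m.group("proc"), pid)
            findings.append(f)
            pending[pid] = f
            continue
        r = _REASON.match(msg)
        if r:
            f = pending.pop(pid, None)
            if f is None:
                # Reason line without its summary (e.g. log rotation in between):
                # still record it rather than lose the event.
                f = DnssecProbeFailure(m.group("ts"), m.group("host"), m.group("proc"), pid)
                findings.append(f)
            f.probe = r.group("probe")
            f.detail = r.group("detail")
            f.kind = _classify(f.detail)
    return findings


def summarize(findings: List[DnssecProbeFailure]) -> Counter:
    """Count failures per (host, kind); a monitor can alert when a relay
    that is expected to do DANE starts producing these at all."""
    return Counter((f.host, f.kind) for f in findings)


if __name__ == "__main__":
    for f in parse_dnssec_warnings(SAMPLE_LOG):
        print(f"{f.host} pid={f.pid} probe={f.probe} kind={f.kind}: {f.detail}")
    print(dict(summarize(SAMPLE_LOG and parse_dnssec_warnings(SAMPLE_LOG))))
```

Because Postfix sends at most one probe per process, a busy relay with a broken resolver logs this pair once per smtp(8) process rather than once per delivery; counting per host, not per line, is what makes the summary comparable across relays. The two categories are worth alerting on differently: "no_response" usually means the configured resolver is down or returning SERVFAIL, while "not_validated" means the resolver answers but has validation disabled, so DANE can never engage on that host.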
1.10.10 (2021-01-17 03:34 UTC)
Changelog:
* Compatibility fixes for PHP 5.2 and 5.3 [alec]
* Corrected soft line breaks handling to be RFC compliant [ixs]
* Corrected line breaks for lines ending in dots and length more than 74 [ixs]
- Set CADIR in the environment.
- Prefer a separate keyfile for TLS. If it's not present, attempt to
generate it by copying out the private key from the certfile.
- Don't provide an affordance for overriding the compiled-in cipherlist.
- Be willing to enable TLS without a DH params file.
While here, invent control/localfilters. If it exists, it's a sequence
of filters for SMTP connections on localhost.
Bump version.
## 3.2020.1104 / 2020-11-04
- Updated the IANA media registry entries as of release date.
- Added `application/x-zip-compressed`. [#36][].
- Updated the contributing guide to include information about the release
process as described in [#18][].
- Corrected a misspelling of Yoran Brondsema's name. Sorry, Yoran. [#35][].
Update dovecot2-pigeonhole package to 0.5.13.
v0.5.13 2021-01-04 Aki Tuomi <aki.tuomi@open-xchange.com>
- duplicate: The test was handled badly in a multiscript (sieve_before,
sieve_after) scenario in which an earlier script in the sequence with
a duplicate test succeeded, while a later script caused a runtime
failure. In that case, the message is recorded for duplicate tracking,
while the message may not actually have been delivered in the end.
- editheader: Sieve interpreter entered infinite loop at startup when
the "editheader" configuration listed an invalid header name. This
problem can only be triggered by the administrator.
- relational: The Sieve relational extension can cause a segfault at
compile time. This is triggered by invalid script syntax. The segfault
happens when this match type is the last argument of the test command.
This situation is not possible in a valid script; positional arguments
are normally present after that, which would prevent the segfault.
- sieve: For some Sieve commands the provided mailbox name is not
properly checked for UTF-8 validity, which can cause assert crashes at
runtime when an invalid mailbox name is encountered. This can be
caused by the user by writing a bad Sieve script involving the
affected commands ("mailboxexists", "specialuse_exists").
This can be triggered by the remote sender only when the user has
written a Sieve script that passes message content to one of the
affected commands.
- sieve: Large sequences of 8-bit octets passed to certain Sieve
commands that create or modify message headers that allow UTF-8 text
(vacation, notify and addheader) can cause the delivery or IMAP
process (when IMAPSieve is used) to enter a memory-consuming
semi-infinite loop that ends when the process exceeds its memory
limits. Logged in users can cause these hangs only for their own
processes.
Update mail/dovecot2 package to 2.3.13, including security fixes.
v2.3.13 2021-01-04 Aki Tuomi <aki.tuomi@open-xchange.com>
* CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
allow logged in user to access other people's emails and filesystem
information.
* Metric filter and global event filter variable syntax changed to a
SQL-like format. See https://doc.dovecot.org/configuration_manual/event_filter/
* auth: Added new aliases for %{variables}. Usage of the old ones is
possible, but discouraged.
* auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth
mechanism and related password schemes.
* auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
* auth: Removed postfix postmap socket
+ auth: Added new fields for auth server events. These fields are now
also available for all auth events. See
https://doc.dovecot.org/admin_manual/list_of_events/#authentication-server
for details.
+ imap-hibernate: Added imap_client_hibernated, imap_client_unhibernated
and imap_client_unhibernate_retried events. See
https://doc.dovecot.org/admin_manual/list_of_events/ for details.
+ lib-index: Added new mail_index_recreated event. See
https://doc.dovecot.org/admin_manual/list_of_events/#mail-index-recreated
+ lib-sql: Support TLS options for cassandra driver. This requires
cpp-driver v2.15 (or later) to work reliably.
+ lib-storage: Missing $HasAttachment / $HasNoAttachment flags are now
added to existing mails if mail_attachment_detection_option=add-flags
and it can be done inexpensively.
+ login proxy: Added login_proxy_max_reconnects setting (default 3) to
control how many reconnections are attempted.
+ login proxy: imap/pop3/submission/managesieve proxying now supports
reconnection retrying on more than just connect() failure. Any error
except a non-temporary authentication failure will result in reconnect
attempts.
- auth: Lua passdb/userdb leaks stack elements per call, eventually
causing the stack to become too deep and crashing the auth or
auth-worker process.
- auth: SASL authentication PLAIN mechanism could be used to trigger
read buffer overflow. However, this doesn't seem to be exploitable in
any way.
- auth: v2.3.11 regression: GSSAPI authentication fails because dovecot
disallows NUL bytes for it.
- dict: Process used too much CPU when iterating keys, because each key
used a separate write() syscall.
- doveadm-server: Crash could occur if logging was done outside command
handling. For example http-client could have done debug logging
afterwards, resulting in either segfault or
Panic: file http-client.c: line 642 (http_client_context_close):
assertion failed: (cctx->clients_list == NULL).
- doveadm-server: v2.3.11 regression: Trying to connect to doveadm server
process via starttls assert-crashed if there were no ssl=yes listeners:
Panic: file master-service-ssl.c: line 22 (master_service_ssl_init):
assertion failed: (service->ssl_ctx_initialized).
- fts-solr: HTTP requests may have assert-crashed:
Panic: file http-client-request.c: line 1232 (http_client_request_send_more):
assertion failed: (req->payload_input != NULL)
- imap: IMAP NOTIFY could crash with a segmentation fault due to a bad
configuration that causes errors. Sending the error responses to the
client can cause the segmentation fault. This can for example happen
when several namespaces use the same mail storage location.
- imap: IMAP NOTIFY used on a shared namespace that doesn't actually
exist (e.g. public namespace for a nonexistent user) can crash with a panic:
Panic: Leaked view for index /tmp/home/asdf/mdbox/dovecot.list.index: Opened in (null):0
- imap: IMAP session can crash with QRESYNC extension if many changes
are done before asking for expunged mails since last sync.
- imap: Process might hang indefinitely if client disconnects after
sending some long-running commands pipelined, for example FETCH+LOGOUT.
- lib-compress: Mitigate crashes when configuring a not compiled in
compression. Errors with compression configuration now distinguish
between not supported and unknown.
- lib-compression: Using xz/lzma compression in v2.3.11 could have
written truncated output in some situations. This would result in
"Broken pipe" read errors when trying to read it back.
- lib-compression: zstd compression could have crashed in some situations:
Panic: file ostream.c: line 287 (o_stream_sendv_int): assertion failed: (!stream->blocking)
- lib-dict: dict client could have crashed in some rare situations when
iterating keys.
- lib-http: Fix several assert-crashes in HTTP client.
- lib-index: v2.3.11 regression: When mails were expunged at the same
time as lots of new content was being saved to the cache (e.g. cache
file was lost and is being re-filled) a deadlock could occur with
dovecot.index.cache / dovecot.index.log.
- lib-index: v2.3.11 regression: dovecot.index.cache file was being
purged (rewritten) too often when it had a field that hadn't been
accessed for over 1 month, but less than 2 months. Every cache file
change caused a purging in this situation.
- lib-mail: MIME parts were not returned correctly by Dovecot MIME parser.
Regression caused by fixing CVE-2020-12100.
- lib-mail: When max nested MIME parts were reached, IMAP BODYSTRUCTURE
was written in a way that may have caused confusion for both IMAP
clients and Dovecot itself when parsing it. The truncated part is now
written out using application/octet-stream MIME type.
- lib-mail: v2.3.11 regression: Mail delivery / parsing crashed when the
10000th MIME part was message/rfc822 (or if parent was multipart/digest):
Panic: file message-parser.c: line 167 (message_part_append):
assertion failed: (ctx->total_parts_count <= ctx->max_total_mime_parts).
- lib-oauth2: Dovecot incorrectly required oauth2 server introspection
reply to contain username with invalid token.
- lib-ssl-iostream, lib-dcrypt: Fix building with OpenSSL that has
deprecated APIs disabled.
- lib-storage: When a mail's size differs from the cached one (in
dovecot.index.cache or the Maildir S=size in the filename), this is
handled by logging a "Cached message size smaller/larger than expected"
error. However, in some situations this also ended up crashing with:
Panic: file istream.c: line 315 (i_stream_read_memarea):
assertion failed: (old_size <= _stream->pos - _stream->skip).
- lib-storage: v2.3 regression: Copying/moving mails was taking much more
memory than before. This was mainly visible when copying/moving
thousands of mails in a single transaction.
- lib-storage: v2.3.11 regression: Searching messages assert-crashed
(without FTS): Panic: file message-parser.c: line 174 (message_part_finish):
assertion failed: (ctx->nested_parts_count > 0).
- lib: Dovecot v2.3 moved signal handlers around in ioloops,
causing more CPU usage than in v2.2.
- lib: Fixed JSON parsing: a '\' escape sequence may have wrongly resulted
in an error if it happened to fall on a read boundary. Any NUL characters
and '\u0000' escapes now result in a parsing error instead of silently
truncating the data.
- lmtp, submission: Server may hang if an SSL client connection disconnects
during the delivery. If this happened repeatedly, it could have ended
up reaching process_limit and preventing any further lmtp/submission
deliveries.
- lmtp: Proxy does not always properly log TLS connection problems as
errors; in some cases, only a debug message is logged if enabled.
- lmtp: The LMTP service can hang when commands are pipelined. This can
particularly occur when one command in the middle of the pipeline fails.
One example of this occurs for proxied LMTP transactions in which the
final DATA or BDAT command is pipelined after a failing RCPT command.
- login-proxy: The login_source_ips setting has no effect, and therefore
the proxy source IPs are not cycled through as they should be.
- master: Process was using 100% CPU in some situations when a broken
service was being throttled.
- pop3-login: POP3 login would fail with "Input buffer full" if the
initial response for SASL was too long.
- stats: Crash would occur when generating openmetrics data for metrics
using aggregating functions.
Changelog:
What's new in notmuch 0.31.3
============================
Bindings
--------
Fix for exclude tags in notmuch2 bindings.
Build
-----
Portability update for T360-symbol-hiding
Library
-------
Fix for memory error in notmuch_database_get_config_list
* Fix build with devel/cbindgen-0.16.0.
Changelog:
New
MailExtensions: Added browser.windows.openDefaultBrowser()
Changes
Thunderbird now only shows quota exceeded indications on the main window
MailExtensions: menus API enabled in messages being composed
MailExtensions: Honor allowScriptsToClose argument in windows.create API
function
MailExtensions: APIs that returned an accountId will reflect the account the
message belongs to, not what is stored in message headers
Fixes
Keyboard shortcut for toggling message "read" status not shown in menus
OpenPGP: After importing a secret key, Key Manager displayed properties of the
wrong key
OpenPGP: Inline PGP parsing improvements
OpenPGP: Discovering keys online via Key Manager sometimes failed on Linux
OpenPGP: Encrypted attachment "Decrypt and Open/Save As" did not work
OpenPGP: Importing keys failed on macOS
OpenPGP: Verification of clear signed UTF-8 text failed
Address book: Some columns incorrectly displayed no data
Address book: The address book view did not update after changing the name
format in the menu
Calendar: Could not import an ICS file into a CalDAV calendar
Calendar: Two "Home" calendars were visible on a new profile
Calendar: Dark theme was incomplete on Linux
Dark theme did not apply to new mail notification popups
Folder icon, message list, and contact side bar visual improvements
MailExtensions: HTTP refresh in browser content tabs did not work
MailExtensions: messageDisplayScripts failed to run in main window
Various security fixes
Security fixes:
CVE-2020-16042: Operations on a BigInt could have caused uninitialized memory to be exposed
CVE-2020-26971: Heap buffer overflow in WebGL
CVE-2020-26973: CSS Sanitizer performed incorrect sanitization
CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free
CVE-2020-26978: Internal network hosts could have been probed by a malicious webpage
CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs
CVE-2020-35112: Opening an extension-less download may have inadvertently launched an executable instead
CVE-2020-35113: Memory safety bugs fixed in Thunderbird 78.6