New stuff we've added since 4.95:
- A new ACL condition: seen. Records/tests a timestamp against a key.
- A variant of the "mask" expansion operator to give normalised IPv6.
- UTC output option for exim_dumpdb, exim_fixdb.
- An event for failing TLS connects to the daemon.
- The ACL "debug" control gains options "stop", "pretrigger" and "trigger".
- Query-style lookups are now checked for quoting, if the query string is
built using untrusted data ("tainted"). For now lack of quoting is merely
logged; a future release will upgrade this to an error.
- The expansion conditions match_<list-type> and inlist now set $value for
the expansion of the "true" result of the ${if}. With a static list, this
can be used for de-tainting.
Notable removals since 4.95:
- the "allow_insecure_tainted_data" main config option and the
"taint" log_selector. These were deprecated in the 4.95 release.
Ruby on Rails 6.1.6 (2022-05-12)
Active Support
* Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Add the method ERB::Util.xml_name_escape to escape dangerous characters in
names of tags and names of attributes, following the specification of XML.
Action View
* Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Escape dangerous characters in names of tags and names of attributes in
the tag helpers, following the XML specification. Rename the option
:escape_attributes to :escape, to simplify by applying the option to the
whole tag.
Action Pack
* Allow Content Security Policy DSL to generate for API responses.
Ruby on Rails 6.0.5 (2022-05-12)
Active Support
* Fix tag helper regression.
Action Text
* Disentangle Action Text from ApplicationController
Allow Action Text to be used without having an ApplicationController
defined.
This makes sure:
- Action Text attachments render the correct URL host in mailers.
- an ActionController::Renderer isn't allocated per request.
- Sidekiq doesn't hang with the "classic" autoloader.
Ruby on Rails 5.2.8 (2022-05-12)
Active Support
* Fix tag helper regression.
Action View
* Make `LoadInterlockAwareMonitor` work in Ruby 2.7.
* Retain Ruby 2.2 compatibility.
pkgsrc changes:
- Remove OAUTHBEARER patches for IMAP, part of 2.1 release
Changes:
2.1
---
- Add support for LMTP
- Add support for XOAUTH2 for IMAP
- Add support for OAUTHBEARER for IMAP
- Several bug fixes and improvements
Upstream changes:
version 3.012: Fri 11 Feb 11:34:31 CET 2022
Fixes:
- ::Field::Attributes should be stored case insensitively
rt.cpan.org#140894 [Yanyan Yang]
- ::Field::Full phrase with encoding qp parsing failed when
the qp contains non-atext characters. Github#2 [Andy Beverley]
- ::Field::Full QP encoding must be more strict for use in
MIME headers. Github#3 [Andy Beverley]
- Coercion from Mail::Address to Mail::Message::Full::Address
is too lazy. Github#4 [Andy Beverley]
Improvements:
- extend date in mbox-separator to accept 203X as well.
Upstream changes:
1.20220520 2022-05-20 UTC
+ Change default algorithm in dkimsign.pl to sha-256
+ Use Getopt::Long::Descriptive in scripts for better command help
1.20220408 2022-04-08 UTC
+ Add support for signatures with an Expiration value
upstream changes:
-----------------
fetchmail-6.4.30 (released 2022-04-26, 31666 LoC):
# BREAKING CHANGES:
* Bump wolfSSL minimum required version to 5.2.0 to pull in security fix.
# CHANGES:
* Using OpenSSL 1.* before 1.1.1n elicits a compile-time warning.
* Using OpenSSL 3.* before 3.0.2 elicits a compile-time warning.
* configure.ac was tweaked in order to hopefully fix cross-compilation issues
report, and different patch suggested, by Fabrice Fontaine,
https://gitlab.com/fetchmail/fetchmail/-/merge_requests/42
# TRANSLATIONS: language translations were updated by this fine person:
* ro: Remus-Gabriel Chelu [Romanian]
--------------------------------------------------------------------------------
fetchmail-6.4.29 (released 2022-03-20, 31661 LoC):
# TRANSLATIONS: language translations were updated by this fine person:
* vi: Trần Ngọc Quân [Vietnamese]
--------------------------------------------------------------------------------
fetchmail-6.4.28 (released 2022-03-05, 31661 LoC):
# DOCUMENTATION:
* Fix a typo in the manual page, courtesy of Jeremy Petch.
# TRANSLATIONS: language translations were updated by this fine person:
* es: Cristian Othón Martínez Vera [Spanish]
This milter implements SRS (Sender Rewriting Scheme) that can be used to
fix envelope MAIL FROM for forwarded mails protected by SPF. It can be
configured in two modes for:
* Incoming mail -- rewrite RCPT TO addresses in SRS format back
* Outgoing mail -- rewrite MAIL FROM address to SRS format
pkgsrc changes:
* Use PKG_SYSCONFSUBDIR, there are a number of extra files supported in
the configuration file so everything should live in a sub-directory.
HEADS-UP! Users will need to migrate over to new config file location.
* Create opendmarc user/group, not currently used in rc.d script.
* Fix build on SunOS and add SMF support.
* Split multi-file patch correctly into separate files.
* Add TEST_TARGET.
* Various pkglint and cleanup.
opendmarc changes:
1.4.2 2021/12/19
Fix issue #175: Don't reject a multi-valued From when all of the
domains match.
Fix issue #179: Don't crash when a value in a multi-valued From field
is missing a domain name. Resolves CVE-2021-34555.
v2.3.19
+ Added mail_user_session_finished event, which is emitted when the mail
user session is finished (e.g. imap, pop3, lmtp). It also includes
fields with some process statistics information.
See https://doc.dovecot.org/admin_manual/list_of_events/ for more
information.
+ Added process_shutdown_filter setting. When an event matches the filter,
the process will be shutdown after the current connection(s) have
finished. This is intended to reduce memory usage of long-running imap
processes that keep a lot of memory allocated instead of freeing it to
the OS.
+ auth: Add cache hit indicator to auth passdb/userdb finished events.
See https://doc.dovecot.org/admin_manual/list_of_events/ for more
information.
+ doveadm deduplicate: Performance is improved significantly.
+ imapc: COPY commands were sent one mail at a time to the remote IMAP
server. Now the copying is buffered, so multiple mails can be copied
with a single COPY command.
+ lib-lua: Add a Lua interface to Dovecot's HTTP client library. See
https://doc.dovecot.org/admin_manual/lua/ for more information.
- auth: Cache lookup would use incorrect cache key after username change.
- auth: Improve handling unexpected LDAP connection errors/hangs.
Try to fix up these cases by reconnecting to the LDAP server and
aborting LDAP requests earlier.
- auth: Process crashed if userdb iteration was attempted while auth-workers
were already full handling auth requests.
- auth: db-oauth2: Using %{oauth2:name} variables caused unnecessary
introspection requests.
- dict: Timeouts may have been leaked at deinit.
- director: Ring may have become unstable if a backend's tag was changed.
It could also have caused director process to crash.
- doveadm kick: Numeric parameter was treated as IP address.
- doveadm: Proxying can panic when flushing print output. Fixes
Panic: file ioloop.c: line 865 (io_loop_destroy): assertion failed:
(ioloop == current_ioloop).
- doveadm sync: BROKENCHAR was wrongly changed to '_' character when
migrating mailboxes. This was set by default to %, so any mailbox
names containing % characters were modified to "_25".
- imapc: Copying or moving mails with doveadm to an imapc mailbox could
have produced "Error: Syncing mailbox '[...]' failed" Errors. The
operation itself succeeded but attempting to sync the destination
mailbox failed.
- imapc: Prevent index log synchronization errors when two or more imapc
sessions are adding messages to the same mailbox index files, i.e.
INDEX=MEMORY is not used.
- indexer: Process was slowly leaking memory for each indexing request.
- lib-fts: fts header filters caused binary content to be sent to the
indexer with non-default configuration.
- doveadm-server: Process could hang in some situations when printing
output to TCP client, e.g. when printing doveadm sync state.
- lib-index: dovecot.index.log files were often read and parsed entirely,
rather than only the parts that were actually necessary. This mainly
increased CPU usage.
- lmtp-proxy: Session ID forwarding would cause same session IDs being
used when delivering same mail to multiple backends.
- log: Log prefix update may have been lost if log process was busy.
This could have caused log prefixes to be empty or in some cases
reused between sessions, i.e. log lines could have been logged for the
wrong user/session.
- mail_crypt: Plugin crashes if it's loaded only for some users. Fixes
Panic: Module context mail_crypt_user_module missing.
- mail_crypt: When LMTP was delivering mails to both recipients with mail
encryption enabled and not enabled, the non-encrypted recipients may
have gotten mails encrypted anyway. This happened when the first
recipient was encrypted (mail_crypt_save_version=2) and the 2nd
recipient was not encrypted (mail_crypt_save_version=0).
- pop3: Session would crash if empty line was sent.
- stats: HTTP server leaked memory.
- submission-login: Long credentials, such as OAUTH2 tokens, were refused
during SASL interactive due to submission server applying line length
limits.
- submission-login: When proxying to remote host, authentication was not
using interactive SASL when logging in using long credentials such as
OAUTH2 tokens. This caused authentication to fail due to line length
constraints in SMTP protocol.
- submission: Terminating the client connection with QUIT command after
mail transaction is started with MAIL command and before it is
finished with DATA/BDAT can cause a segfault crash.
- virtual: doveadm search queries with mailbox-guid as the only parameter
crashes: Panic: file virtual-search.c: line 77 (virtual_search_get_records):
assertion failed: (result != 0)
## Rails 6.1.5.1 (April 26, 2022) ##
* No changes.
## Rails 6.1.5 (March 09, 2022) ##
* Add `attachments` to the list of permitted parameters for inbound emails conductor.
When using the conductor to test inbound emails with attachments, this prevents an
unpermitted parameter warning in default configurations, and prevents errors for
applications that set:
```ruby
config.action_controller.action_on_unpermitted_parameters = :raise
```
*David Jones*, *Dana Henke*
Notmuch 0.36 (2022-04-25)
=========================
Library
-------
Add the `sexp` prefix to the infix (traditional) query parser. This
allows specific subqueries to be parsed by the sexp parser (with
appropriate quoting). See `notmuch-search-terms(7)` for details.
Add another heuristic to regexp fields to prevent phrase parsing of
bracketed sub-expressions.
Command Line Interface
----------------------
Envelope from ("From ") headers are now escaped as X-Envelope-From: in
input to `notmuch-insert`. This prevents creating mbox files when
calling `notmuch-insert` from e.g. `postfix`.
Python (CFFI) Bindings
----------------------
Use the `config_pairs` API in ConfigIterator. This returns all
matching key-value pairs, not just those that happen to be stored in
the database.
Documentation
-------------
Reorganize documentation for `notmuch-config`. Add a few links from
other man pages.
Emacs
-----
Bind the usual undo key sequences to new command
"notmuch-tag-undo". This allows transparent undo of tagging
operations.
Tests
-----
Fix smime.4 with newer gmime. Unset `XDG_DATA_HOME` and `MAILDIR` for tests.
New add-on tool: notmuch-web
-----------------------------
The new devel/ tool `notmuch-web` is a very thin web client. It
supports a full search interface for one user: there is no facility
for multiple users provided today. See the notmuch-web README file
for more information.
Be careful about running it on a network-connected system: it will
expose a web interface that requires no authentication but exposes
your mail store.