Security release.
v0.5.15 2021-06-21 Aki Tuomi <aki.tuomi@open-xchange.com>
* CVE-2020-28200: Sieve interpreter is not protected against abusive
scripts that claim excessive resource usage. Fixed by limiting the
user CPU time per single script execution and cumulatively over
several script runs within a configurable timeout period. Sufficiently
large CPU time usage is summed in the Sieve script binary and execution
is blocked when the sum exceeds the limit within that time. The block
is lifted when the script is updated after the resource usage times out.
* Disconnection log messages are now more standardized across services.
They also always now start with "Disconnected" prefix.
- managesieve: Commands pipelined together with and just after the
authenticate command cause these commands to be executed twice.
Security release.
v2.3.15 2021-06-21 Aki Tuomi <aki.tuomi@open-xchange.com>
* CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
JWT tokens. This may be used to supply attacker controlled keys to
validate tokens, if attacker has local access.
* CVE-2021-33515: On-path attacker could have injected plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client.
* Disconnection log messages are now more standardized across services.
They also always now start with "Disconnected" prefix.
* Dovecot now depends on libsystemd for systemd integration.
* Removed support for Lua 5.2. Use version 5.1 or 5.3 instead.
* config: Some settings are now marked as "hidden". It's discouraged to
change these settings. They will no longer be visible in doveconf
output, except if they have been changed or if doveconf -s parameter
is used. See https://doc.dovecot.org/settings/advanced/ for details.
* imap-compress: Compression level is now algorithm specific.
See https://doc.dovecot.org/settings/plugin/compress-plugin/
* indexer-worker: Convert "Indexed" info logs to an event named
"indexer_worker_indexing_finished". See
https://doc.dovecot.org/admin_manual/list_of_events/#indexer-worker-indexing-finished
+ Add TSLv1.3 support to min_protocols.
+ Allow configuring ssl_cipher_suites. (for TLSv1.3+)
+ acl: Add acl_ignore_namespace setting which allows to entirely ignore
ACLs for the listed namespaces.
+ imap: Support official RFC8970 preview/snippet syntax. Old methods of
retrieving preview information via IMAP commands ("SNIPPET and PREVIEW
with explicit algorithm selection") have been deprecated.
+ imapc: Support INDEXPVT for imapc storage to enable private
message flags for cluster wide shared mailboxes.
+ lib-storage: Add new events: mail_opened, mail_expunge_requested,
mail_expunged, mail_cache_lookup_finished. See
https://doc.dovecot.org/admin_manual/list_of_events/#mail
+ zlib, imap-compression, fs-compress: Support compression levels that
the algorithm supports. Before, we would allow hardcoded value between
1 to 9 and would default to 6. Now we allow using per-algorithm value
range and default to whatever default the algorithm specifies.
- *-login: Commands pipelined together with and just after the authenticate
command cause these commands to be executed twice. This applies to all
protocols that involve user login, which currently comprises of imap,
pop3, submisision and managesieve.
- *-login: Processes are supposed to disconnect the oldest non-logged in
connection when process_limit was reached. This didn't actually happen
with the default "high-security mode" (with service_count=1) where each
connection is handled by a separate process.
- *-login: When login process reaches client/process limits, oldest
client connections are disconnected. If one of these was still doing
anvil lookup, this caused a crash. This could happen only if the login
process limits were very low or if the server was overloaded.
- Fixed building with link time optimizations (-flto).
- auth: Userdb iteration with passwd driver does not always return all
users with some nss drivers.
- dsync: Shared INBOX not synced when "mail_shared_explicit_inbox" was
disabled. If a user has a shared mailbox which is another user's INBOX,
dsync didn't include the mailbox in syncing unless explicit naming is
enabled with "mail_shared_explicit_inbox" set to "yes".
- dsync: Shared namespaces were not synced with "-n" flag.
- dsync: Syncing shared INBOX failed if mail_attribute_dict was not set.
If a user has a shared mailbox that is another user's INBOX, dsync
failed to export the mailbox if mail attributes are disabled.
- fts-solr, fts-tika: Using both Solr FTS and Tika may have caused HTTP
requests to assert-crash: Panic: file http-client-request.c: line 1232
(http_client_request_send_more): assertion failed: (req->payload_input != NULL)
- fts-tika: 5xx errors returned by Tika server as indexing failures.
However, Tika can return 5xx for some attachments every time.
So the 5xx error should be retried once, but treated as success if it
happens on the retry as well. v2.3 regression.
- fts-tika: v2.3.11 regression: Indexing messages with fts-tika may have
resulted in Panic: file message-parser.c: line 802 (message_parser_deinit_from_parts):
assertion failed: (ctx->nested_parts_count == 0 || i_stream_have_bytes_left(ctx->input))
- imap: SETMETADATA could not be used to unset metadata values.
Instead NIL was handled as a "NIL" string. v2.3.14 regression.
- imap: IMAP BINARY FETCH crashes at least on empty base64 body:
Panic: file index-mail-binary.c: line 358 (blocks_count_lines):
assertion failed: (block_count == 0 || block_idx+1 == block_count)
- imap: If IMAP client using the NOTIFY command was disconnected while
sending FETCH notifications to the client, imap could crash with
Panic: Trying to close mailbox INBOX with open transactions.
- imap: Using IMAP COMPRESS extension can cause IMAP connection to hang
when IMAP commands are >8 kB long.
- imapc: If remote server sent BYE but didn't immediately disconnect, it
could cause infinite busy-loop.
- lib-index: Corrupted cache record size in dovecot.index.cache file
could have caused a crash (segfault) when accessing it.
- lib-oauth2: JWT token time validation now works correctly with
32-bit systems.
- lib-ssl-iostream: Checking hostnames against an SSL certificate was
case-sensitive.
- lib-storage: Corrupted mime.parts in dovecot.index.cache may have
resulted in Panic: file imap-bodystructure.c: line 206 (part_write_body):
assertion failed: (text == ((part->flags & MESSAGE_PART_FLAG_TEXT) != 0))
- lib-storage: Index rebuilding (e.g. via doveadm force-resync) didn't
preserve the "hdr-pop3-uidl" header. Because of this, the next pop3
session could have accessed all of the emails' metadata to read their
POP3 UIDL (opening dbox files).
- listescape: When using the listescape plugin and a shared namespace
the plugin didn't work properly anymore resulting in errors like:
"Invalid mailbox name: Name must not have '/' character."
- lmtp: Connection crashes if connection gets disconnected due to
multiple bad commands and the last bad command is BDAT.
- lmtp: The Dovecot-specific LMTP parameter XRCPTFORWARD was blindly
forwarded by LMTP proxy without checking that the backend has support.
This caused a command parameter error from the backend if it was
running an older Dovecot release. This could only occur in more complex
setups where the message was proxied twice; when the proxy generated
the XRCPTFORWARD parameter itself the problem did not occur, so this
only happened when it was forwarded.
- lmtp: The LMTP proxy crashes with a panic when the remote server
replies with an error while the mail is still being forwarded through
a DATA/BDAT command.
- lmtp: Username may have been missing from lmtp log line prefixes when
it was performing autoexpunging.
- master: Dovecot would incorrectly fail with haproxy 2.0.14 service
checks.
- master: Systemd service: Dovecot announces readiness for accepting
connections earlier than it should. The following environment variables
are now imported automatically and can be omitted from
import_environment setting: NOTIFY_SOCKET LISTEN_FDS LISTEN_PID.
- master: service { process_min_avail } was launching processes too
slowly when master was forking a lot of processes.
- util: Make the health-check.sh example script POSIX shell compatible.
3.6.1 (2021-06-14)
Fixed in Postfix 3.6.1, 3.5.11, 3.4.21, 3.3.18:
* Bugfix (introduced: Postfix 2.11): the command "postmap
lmdb:/file/name" (create LMDB database from textfile) handled
duplicate input keys ungracefully, discarding entries stored
up to and including the duplicate key, and causing a double
free() call with lmdb versions 0.9.17 and later. Reported by
Adi Prasaja; double free() root cause analysis by Howard Chu.
Fixed in Postfix 3.6.1, 3.5.11, 3.4.21:
* Typo (introduced: Postfix 3.4): silent_discard should be
silent-discard in BDAT_README.
Changes since version 2.0.7:
! The -d option allows a negative number. If negative, debug files are
not rotated. The debug level is the absolute value.
+ <view-pager> in the attachment menu uses a copiousoutput mailcap
entry, or falls back to raw text.
+ <view-mailcap>, <view-pager>, and <view-text> functions added to the
compose menu.
+ <view-alt-pager> in the compose menu allows previewing the output
of the $send_multipart_alternative_filter the way <view-pager> does.
+ <list-action>, bound to Esc-L in the index and pager menu, brings
up a menu of operations to perform on mailing list emails, such as
subscribe/unsubscribe.
+ <skip-headers>, bound to 'H' in the pager, will skip to the first
blank line following the headers.
! ~h patterns over IMAP and POP3 will only download the headers of the
message. However with message caching enabled (via $message_cachedir)
the whole message will still be downloaded.
+ $ssl_verify_host_override allows manually specifying the host name
to verify a server certificate against.
! --enable-hcache, with no particular backend enabled, will scan in
the order: kyotocabinet, tokyocabinet, lmdb, qdbm, gdbm, bdb.
! $allow_ansi understands 256-color ANSI escape sequences.
+ $message_id_format can be used to specify a custom message-id
format. Since it's a format string, this can also use a filter.
Please use this option with care, as Mutt won't check if your
message-id is legal.
! mailboxes -nonotify will poll a mailbox for new mail, but will not
trigger new mail notifications (e.g. $beep_new or $new_mail_command).
! $reverse_name affects tagged reply/forward/compose-to-sender
actions too.
! ANSI sequences are filtered for inline-forwarded autoview content,
in addition to replies.
! $forward_decrypt is now a quadoption, defaulting 'yes' for backward
compatibility.
! Pattern functions, (e.g. search and limit) can be interrupted with
ctrl-c.
! The default mailto_allow list now includes cc, in-reply-to, and
references.
+ $sort_browser_mailboxes controls mailbox browsing, and defaults
"unsorted". $sort_browser now only controls directory browsing.
! $sort_browser and $sort_browser_mailboxes "unsorted" now means the
order added (e.g. specified in the muttrc). Switching back to
"unsorted" will now resort in that order (previously it was a no-op.)
! In the browser ".." is excluded from sorting and kept at the top.
! Temp filenames generated for mailcap invocation now allow non-ascii
characters.
+ $local_date_header, when unset, causes the date in the Date header
to be formatted using the GMT timezone.
Postfix stable release 3.6.0 is available. This ends the support
for legacy release Postfix 3.2.
The main changes are below. See the RELEASE_NOTES file for further
details.
Incompatible changes:
* This release requires "postfix stop" before updating, or before
backing out to an earlier release, because some internal protocols
have changed. Otherwise, long-running daemons (pickup, qmgr,
verify, tlsproxy, postscreen) may fail to communicate with the
rest of Postfix, causing mail delivery delays until Postfix is
restarted.
* Respectful logging. Postfix version 3.6 deprecates terminology
that implies white is better than black. Instead, Postfix prefers
'allowlist', 'denylist', and variations on those words. This
change affects Postfix documentation, and postscreen parameters
and logging.
To keep the old postscreen logging set "respectful_logging =
no" in main.cf before setting "compatibility_level = 3.6". In
any case, the old postscreen parameter names will keep working
as before.
Other changes:
* The minimum supported OpenSSL version is 1.1.1, which will reach
the end of life by 2023-09-11. Postfix 3.6 is expected to reach
the end of support in 2025. Until then, Postfix will be updated
as needed for compatibility with OpenSSL.
The default fingerprint digest has changed from md5 to sha256
(Postfix 3.6 with compatibility_level >= 3.6). With a lower
compatibility_level setting, Postfix defaults to using md5, and
logs a warning when a Postfix configuration specifies no explicit
digest type.
The export-grade Diffie-Hellman key exchange is no longer
supported, and the tlsproxy_tls_dh512_param_file parameter is
ignored,
* Better error messages when someone configures an incorrect
program in master.cf. To recognize such mistakes, every Postfix
internal service, including the postdrop command, announces the
name of its protocol before doing any other I/O, and every
Postfix client program, including the Postfix sendmail command,
will verify that the protocol name matches what it expects.
* Fine-grained control over the envelope sender address for
submission with the Postfix sendmail (or postdrop) commands.
Example:
/etc/postfix/main.cf:
# Allow root and postfix full control, anyone else can only
# send mail as themselves. Use "uid:" followed by the numerical
# UID when the UID has no entry in the UNIX password file.
local_login_sender_maps =
inline:{ { root = *}, { postfix = * } },
pcre:/etc/postfix/login_senders
/etc/postfix/login_senders:
# Allow both the bare username and the user@domain forms.
/(.+)/ $1 $1@example.com
* Threaded bounces. This allows mail readers to present a
non-delivery, delayed delivery, or successful delivery notification
in the same email thread as the original message.
Unfortunately, this also makes it easy for users to mistakenly
delete the whole email thread (all related messages), instead
of deleting only the delivery status notification.
To enable, specify "enable_threaded_bounces = yes".
* Postfix by default no longer uses the services(5) database to
look up the TCP ports for SMTP and LMTP services. Instead, this
information is configured with the new known_tcp_ports configuration
parameter (default: lmtp=24, smtp=25, smtps=submissions=465,
submission=587). When a service is not specified in known_tcp_ports,
Postfix will still query the services(5) database.
* Starting with Postfix version 3.6, the compatibility level is
"3.6". In future Postfix releases, the compatibility level will
be the Postfix version that introduced the last incompatible
change. The level is formatted as 'major.minor.patch', where
'patch' is usually omitted and defaults to zero. Earlier
compatibility levels are 0, 1 and 2.
This also introduces main.cf and master.cf support for the
<=level, < level, and other operators to compare compatibility
levels. With the standard <=, <, etc. operators, compatibility
level 3.10 would be less than 3.9, which is undesirable.
Changes since 1.4.0 from the RELEASE_NOTES file
NOTE: In response to CVE-2019-20790, opendmarc has changed
how it evaluates headers added by previous
SPF milters. Users are encouraged to read the
CVE-2019-20790 file in the "SECURITY" folder
for more details. (#49, #158). Originally reported by
Jianjun Chen, feedback by Simon Wilson and
David Bürgin <dbuergin@gluet.ch>.
NOTE: OpenDMARC's internal SPF handling will be removed
in a future version. Users are encouraged to
build linked against libspf2. Many pre-built
packages provided by OS packagers already do this.
(See https://www.libspf2.org)
Addition of defines for MUSL C Library. (#129/#133). Patches by
Marco Rebhan.
Updated opendmarc.conf manpage and opendmarc.conf.sample to point to
https://publicsuffix.org/list/.
Added a CONTRIBUTING document.
Fix two #ifdefs in arc functions for strlcpy. (#138). Reported by
Leo Bicknell.
Fixes to MySQL Schema (#98/#99). Patch by Bond Keevil.
LIBSPF2 calls would not compile on OpenBSD due to OpenBSD not
having the ns_type definition in arpa/resolv.h.
Added detection to configure script. (#134)
Reworked hcreate_r calls to use hcreate, to compile natively on
OpenBSD and MacOS. (Part of #94) Reported by Rupert
Gallagher.
Add compatibility with AutoConf 2.70. (#95)
Documentation updates about SourceForge being deprecated. (#101)
Only accept results from Received-SPF fields that indicate clearly
which identifier was being evaluated, since DMARC specifically
only wants results based on MAIL FROM.
Many build-time fixes (#100, #91, #90, #86, #85, #84, #83, #82, #81)
Patches provided by Rupert Gallagher (ruga@protonmail.com)
Added config option HoldQuarantinedMessages (default false), which
controls if messages with p=quarantine will be passed on to
the mail stream (if False) or placed in the MTA's "hold"
queue (if True). Issue #105. Patch by Marcos Moraes, on
the OpenDMARC mailing list.
Remove "--with-wall" from "configure". Suggested by Leo Bicknell.
LIBOPENDMARC: Fix bug #50: Ignore all RRTYPEs other than TXT.
Problem reported by Jan Bouwhuis.
LIBOPENDMARC: Fix bug #89: Repair absurd RRTYPE test in SPF code.
LIBOPENDMARC: Fix bug #104: Fix bogus header field parsing code.
LIBOPENDMARC: Fix bug #161: Don't pass the client IP address through
htonl() since it's already in network byte order. This
was causing SPF errors when the internal SPF
implementation was in use.
LIBOPENDMARC: Fix numerous problems with the internal SPF
implementation.
S-nail (later S-mailx) provides a simple and friendly environment for
sending and receiving mail. It is intended to provide the functionality
of the POSIX mailx(1) command, but is MIME capable and optionally offers
extensions for line editing, S/MIME, SMTP and POP3, among others.
It divides incoming mail into its constituent messages and allows the
user to deal with them in any order, offers many commands and variables
for manipulating messages and sending mail, as well as line editing, and
increasingly powerful scripting capabilities.
upstream changes:
-----------------
fetchmail-6.4.19 (released 2021-04-24, 30026 LoC):
# CHANGE:
* fetchmailconf: properly catch and report option parsing errors
# BUG FIX:
* LMTP: do not try to validate the last component of a UNIX-domain LMTP socket
as though it were a TCP port. Reported by Christoph Heitkamp, Gitlab issue #33.
# TRANSLATION UPDATE:
This fine person has contributed an updated translation:
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
--------------------------------------------------------------------------------
fetchmail-6.4.18 (released 2021-03-27, 30011 LoC):
# REGRESSION FIX:
* fetchmailconf: fetchmail 6.4.16 added --sslcertfile to the configuration dump,
but fetchmailconf support was incomplete in Git 7349f124 and it could not
parse sslcertfile, thus the user settings editor came up empty with console
errors printed. Fix configuration parser in fetchmailconf.
# ROBUSTNESS FIXES:
* fetchmailconf: do not require fetchmail for -V. do not require Tk (Tkinter)
for -d option. This is to fail more gracefully on incomplete installs.
* TLS code: remove OPENSSL_NO_DEPRECATED macros to avoid portability issues
with OpenSSL v3 - these are for development purposes, not production.
* TLS futureproofing: use SSL_use_PrivateKey_file instead of
SSL_use_RSAPrivateKey_file, the latter will be deprecated with OpenSSL v3,
and the user's key file might be something else than RSA.
# TRANSLATION UPDATE:
This fine person has contributed an updated translation:
* fi: Lauri Nurmi [Finnish]
--------------------------------------------------------------------------------
fetchmail-6.4.17 (released 2021-03-07, 29998 LoC):
# BUG FIXES
* IMAP client: it used to leak memory for username and password when trying
the LOGIN (password-based) authentication and encountered a timeout situation.
* dist-tools/getstats.py: also counts lines in *.py files, shown above.
# CHANGES
* fetchmail.man: now mentions that you may need to add --ssl when specifying
a TLS-wrapped port.
* fetchmailconf: --version (-V) now prints the Python version in use.
# TRANSLATION UPDATE:
This fine person has contributed an updated translation:
* ja: Takeshi Hamasaki [Japanese]
--------------------------------------------------------------------------------
fetchmail-6.4.16 (released 2021-02-08, 27707 LoC):
# BUG FIXES
* fetchmail's --configdump, and fetchmailconf, lacked support for the
sslcertfile option. --configdump support added by Earl Chew,
Gitlab issue #25, merge request !28.
* fetchmail's manual page was never updated to reflect 6.2.5's change about the
duplicate-killer code for multidrop mode, which read
"* Dup-killer code now keys on an MD5 hash of the raw headers."
...instead of just the Message-ID. [commit 9dd8400, 2003-10-10 by esr]
The manual page was now updated accordingly and documents
historic behaviour:
start to 5.0.7 no duplicate suppression;
5.0.8 to 6.2.4 duplicate suppression only by Message-ID;
6.2.5 to 6.4.X duplicate suppression by entire raw header.
Manpage bug found by Julian Bane debugging "duplicate message" behaviour.
* ./configure no longer runs AC_LIB_LINKFLAGS (how to link) checks
when called --without-ssl
# FEATURES
* fetchmail --version [fetchmail -V] now queries and prints the SSL/TLS
library's "SSL default trusted certificate" file or directory (mind the word
"default"), where the OpenSSL-compatible TLS implementation will look for
trusted root, meaning certification authority (CA), certificates.
NOTE 1: watch the output carefully if the line prints the defaults
or the configured path (without "default").
NOTE 2: SSL_CERT_DIR and SSL_CERT_FILE are documented environment variables
for OpenSSL 1.1.1 to override the *default* locations (those compiled into
OpenSSL or possibly in its configuration file).
This was added when Gene Heskett was debugging his setup and the
information "where does OpenSSL look" was missing.
* fetchmail --version now prints version of the OpenSSL library that
it was compiled against, and that it is using at runtime, and also
the OPENSSL_DIR and OPENSSL_ENGINES_DIR (if available).
# TRANSLATION UPDATES
These fine people have contributed updated translations for fetchmail,
in no particular order:
* sq: Besnik Bleta [Albanian]
* eo: Keith Bowes [Esperanto]
* cs: Petr Pisar [Czech]
* pl: Jakub Bogusz [Polish]
* sv: Göran Uddeborg [Swedish]
* fr: Frédéric Marchal [French]
Changelog:
78.10.2
What's New
Added support for importing OpenPGP keys without a primary secret key
Add-ons manager displays a preferences icon for mail extensions that include an
options page
Fixes
OpenPGP messages with a high compression ratio (over 10x) could not be
decrypted
Selected OpenPGP key was lost after opening the Key Properties dialog in
Account Settings
Parsing some OpenPGP user IDs failed
Various improvements to OpenPGP partial encryption reminders
Troubleshooting information page did not display row labels on macOS
Mail toolbar buttons were too big when displaying both icons and text
Various security fixes
Security fixes:
#CVE-2021-29957: Partial protection of inline OpenPGP message not indicated
#CVE-2021-29956: Thunderbird stored OpenPGP secret keys without master password
protection
78.10.1
Changes
Removed the fix for bug 1689804 introduced in Thunderbird 78.9.0, restoring the
previous behavior
Fixes
Various security fixes
Security fixes:
#CVE-2021-29951: Thunderbird Maintenance Service could have been started or
stopped by domain users
pkgsrc changes:
---------------
* Change HOMEPAGE since the development lead is now on Github.
* Add a composer.lock file to avoid PLIST breaking each time a dependency
is updated.
upstream changes:
-----------------
Version 4.1.1 (to 4.1.0)
o Fix: A fatal error would be raised when a password could not be decrypted,
only on photo download. This would not be notable to the user (except for
the photo not being displayed), but show up in the logs.
o Fix#339: Allow adding public/shared addressbooks by giving full URL.
Discovery is still used if the given URL does not point to an addressbook
directly, or points to an addressbook inside the user's addressbook home.
Version 4.1.0 (to 4.0.4)
o Fix: Prefer labels from X-ABLabel extension if available over standard
labels
o Fix#317: Support specification of department with empty organization
o Support several levels of departments separated by semicolon that end up as
structured value in the VCard
o Fix#318: Some attributes (e.g. gender) could not be deleted when updating
a contact
o Fix#53: Only create displayname when not present in VCard / not provided
by roundcube
o Fix#325: Roundcube setting for contact sorting field was not used
o Fix#279: More specific error message when syntactically wrong URL is
entered for new addressbook
o Fix#328: Contact search with MySQL might not have returned all results
o Fix#332: When adding a new contact via "add to addressbook" from mail
view, the email address was missing in the new card
o New: Download externally referenced photos on demand, drastically speeding
up sync with when photos are stored separately from the VCard (e.g.
iCloud). For details see #247.
o New: Support for instant messaging data fields and maiden name (resolves
#46). Interoperability with other CardDAV clients suffers some caveats, but
I tried my best to achieve maximum possible interoperability. See IMPP.md
for the gory details.
o Removed a workaround that appears to be needed in the part to provide
address data to the calendar plugin. It seems this is no longer the case
for current versions of calendar.
Changelog:
Notmuch 0.32.1 (2021-05-15)
===========================
General
-------
Restore handling of relative values for `database.path` that was
broken by 0.32. Extend this handling to `database.mail_root`,
`database.backup_dir`, and `database.hook_dir`.
Reload certain metadata from Xapian database in
notmuch_database_reopen. This fixes a bug when adding messages to the
database in a pre-new hook.
Fix default of `$HOME/mail` for `database.path`. In release 0.32, this
default worked only in "notmuch config".
Emacs
-----
Restore the dynamically bound variables `tag-changes` and `query` in
in `notmuch-before-tag-hook` and `notmuch-after-tag-hook`.
Real changes are in www/ruby-actionpack61 only.
## Rails 6.1.3.2 (May 05, 2021) ##
* Prevent open redirects by correctly escaping the host allow list
CVE-2021-22903
* Prevent catastrophic backtracking during mime parsing
CVE-2021-22902
* Prevent regex DoS in HTTP token authentication
CVE-2021-22904
* Prevent string polymorphic route arguments.
`url_for` supports building polymorphic URLs via an array
of arguments (usually symbols and records). If a developer passes a
user input array, strings can result in unwanted route helper calls.
CVE-2021-22885
*Gannon McGibbon*
Real changes are in www/ruby-actionpack60 only.
## Rails 6.0.3.7 (May 05, 2021) ##
* Prevent catastrophic backtracking during mime parsing
CVE-2021-22902
* Prevent regex DoS in HTTP token authentication
CVE-2021-22904
* Prevent string polymorphic route arguments.
`url_for` supports building polymorphic URLs via an array
of arguments (usually symbols and records). If a developer passes a
user input array, strings can result in unwanted route helper calls.
CVE-2021-22885
*Gannon McGibbon*
This includes a number of serious security fixes (one of which was
included in a now obsoleted pkgsrc patch)
CVE-2020-28016
CVE-2020-BDATA
CVE-2020-EXOPT
CVE-2020-PFPSN
CVE-2020-RCPTL
CVE-2020-SLCWD
CVE-2020-SPRSS
Since Exim version 4.94
-----------------------
JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used
as arguments, so an implementation trying to copy these into a local
buffer was taking a taint-enforcement trap. Fix by using dynamically
created buffers. Similar fix for radius expansion condition.
JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is
reasonable, eg. to count headers. Fix by using dynamically created
buffers rather than a local. Do similar fixes for ACL actions "dcc",
"log_reject_target", "malware" and "spam"; the arguments are expanded
so could be handling tainted values.
JH/04 Bug 2590: Fix -bi (newaliases). A previous code rearrangement had
broken the (no-op) support for this sendmail command. Restore it
to doing nothing, silently, and returning good status.
JH/05 Bug 2593: Fix "vacation" in Exim filter. Previously, when a "once"
record path was given (or the default used) without a leading directory
path, an error occurred on trying to open it. Use the transport's working
directory.
JH/06 Bug 2594: Change the name used for certificate name checks in the smtp
transport. Previously it was the name on the DNS A-record; use instead
the head of the CNAME chain leading there (if there is one). This seems
to align better with RFC 6125.
JH/07 Bug 2597: Fix a resource leak. Using a lookup in obtaining a value for
smtp_accept_max_per_host allocated resources which were not released
when the limit was exceeded. This eventually crashed the daemon. Fix
by adding a relase action in that path.
JH/08 Bug 2598: Fix verify ACL condition. The options for the condition are
expanded; previously using tainted values was rejected. Fix by using
dynamically-created buffers.
JH/10 Bug 2603: Fix coding of string copying to only evaluate arguments once.
Previously a macro used one argument twice; when called with the
argument as an expression having side-effects, incorrect operation
resulted. Use an inlineable function.
JH/11 Bug 2604: Fix request to cutthrough-deliver when a connection is already
held open for a verify callout. Previously this wan not accounted for
and a corrupt onward SMTP conversation resulted.
JH/13 Fix dsearch "subdir" filter to ignore ".". Previously only ".." was
excluded, not matching the documentation.
JH/14 Bug 2606: Fix a segfault in sqlite lookups. When no, or a bad, filename
was given for the sqlite_dbfile a trap resulted.
JH/15 Bug 2620: Fix "spam" ACL condition. Previously, tainted values for the
"name" argument resulted in a trap. There is no reason to disallow such;
this was a coding error.
JH/16 Bug 2615: Fix pause during message reception, on systems that have been
suspended/resumed. The Linux CLOCK_MONOTONIC does not account for time
spent suspended, ignoring the Posix definition. Previously we assumed
it did and a constant offset from real time could be used as a correction.
Change to using the same clock source for the start-of-message and the
post-message next-tick-wait. Also change to using CLOCK_BOOTTIME if it
exists, just to get a clock slightly more aligned to reality.
JH/17 Bug 2295: Fix DKIM signing to always semicolon-terminate. Although the
RFC says it is optional some validators care. The missing char was not
intended but triggered by a line-wrap alignement. Discovery and fix by
Guillaume Outters, hacked on by JH.
JH/18 Bug 2617: Fix a taint trap in parse_fix_phrase(). Previously when the
name being quoted was tainted a trap would be taken. Fix by using
dynamicaly created buffers. The routine could have been called by a
rewrite with the "h" flag, by using the "-F" command-line option, or
by using a "name=" option on a control=submission ACL modifier.
JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion.
Previously when a whitespace character was specified it was not inserted
after removing the newline.
JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for
is_tainted() had an off-by-one error in the overenthusiastic direction.
Find and fix by Gavan. Although NetBSD is not a supported platform for
4.94 this bug could affect other platforms.
JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for
is_tainted() had an off-by-one error in the overenthusiastic direction.
Find and fix by Gavan. Although NetBSD is not a supported platform for
4.94 this bug could affect other platforms.
JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion.
Previously when a whitespace character was specified it was not inserted
after removing the newline.
JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be
the domain part of the recipient address. This overrides any tls_sni
option set, which was previously used.
JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI
in quotes.
JH/26 Bug 2646: fix a memory usage issue in ldap lookups. Previously, when more
than one server was defined and depending on the platform memory layout
details, an internal consistency trap could be hit while walking the list
of servers.
JH/27 Bug 2648: fix the passing of an authenticator public-name through spool
files. The value is used by the authresults expansion item. Previously
if this was used in a router or transport, a crash could result.
JH/30 Bug 2677: fix matching of long addresses. Since 4.93 a limit of 256 was
applied. This resulted, if any header-line rewrite rules were configured,
in a panic-log trigerrable by sending a message with a long address in
a header. Fix by increaing the arbitrary limit to larger than a single
(dewrapped) 5322 header line maximum size.
JH/31 The ESMTP option name advertised for the SUPPORT_EARLY_PIPE build option
is changed from X_PIPE_CONNECT to PIPE_CONNECT. This is in line with
RFC 6648 which deprecates X- options in protocols as a general practice.
Changeover between the implementations is handled by the mechanisms
alrready coded.
JH/32 Bug 2599: fix delay of delivery to a local address where there is also
a remote which uses callout/hold. Previously the local was queued.
JH/33 Fix a taint trap in the ${listextract } expansion when the source data
was tainted.
JH/35 Bug 2343: Harden exim_tidydb against corrupt wait- files.
JH/36 Bug 2687: Fix interpretation of multiple ^ chars in a plaintext
authenticator client_send option. Previously the next char, after a pair
was collapsed, was taken verbatim (so ^^^foo became ^^foo; ^^^^foo became
^^\x00foo). Fixed to get ^\x00foo and ^^foo respectively to match the
documentation. There is still no way to get a leading ^ immediately
after a NUL (ie. for the password of a PLAIN method authenticator.
JH/39 Bug 2691: fix $local_part_data. When the matching list element
referred to a file, bad data was returned. This likely also affected
$domain_part_data.
JH/41 Fix daemon SIGHUP on FreeBSD. Previously, a named socket for IPC was
left undeleted; the attempt to re-create it then failed - resulting in
the usual "SIGHUP tp have daemon reload configuration" to not work.
This affected any platform not supporting "abstract" Unix-domain
sockets (i.e. not Linux).
JH/42 Bug 2692: Harden against a peer which reneges on a 452 "too many
recipients" response to RCPT in a later response, with a 250. The
previous coding assumed this would not happen, and under PIPELINING
would result in both lost and duplicate recipients for a message.
JH/43 Bug 2694: Fix weighted distribution of work to multiple spamd servers.
Previously the weighting was incorrectly applied. Similar fix for socks
proxies. Found and fixed by Heiko Schlichting.
JH/44 Bug 2701: Fix list-expansion of dns_ipv4_lookup. Previously, it did
not handle sub-lists included using the +namedlist syntax. While
investigating, the same found for dns_trust_aa, dns_again_means_nonexist,
dnssec_require_domains, dnssec_request_domains, srv_fail_domains,
mx_fail_domains.
HS/01 Enforce absolute PID file path name.
HS/02 Handle SIGINT as we handle SIGTERM: terminate the Exim process.
PP/01 Add a too-many-bad-recipients guard to the default config's RCPT ACL.
PP/02 Bug 2643: Correct TLS DH constants.
A missing NUL termination in our code-generation tool had led to some
incorrect Diffie-Hellman constants in the Exim source.
Reported by kylon94, code-gen tool fix by Simon Arlott.
PP/03 Impose security length checks on various command-line options.
Fixes CVE-2020-SPRSS reported by Qualys.
PP/04 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX
better. Reported by Qualys.
PP/05 Fix security issue CVE-2020-PFPSN and guard against cmdline invoker
providing a particularly obnoxious sender full name.
Reported by Qualys.
PP/06 Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()
PP/07 Refuse to allocate too little memory, block negative/zero allocations.
Security guard.
PP/08 Change default for recipients_max from unlimited to 50,000.
PP/09 Fix security issue with too many recipients on a message (to remove a
known security problem if someone does set recipients_max to unlimited,
or if local additions add to the recipient list).
Fixes CVE-2020-RCPTL reported by Qualys.
PP/10 Fix security issue in SMTP verb option parsing
Fixes CVE-2020-EXOPT reported by Qualys.
PP/11 Fix security issue in BDAT state confusion.
Ensure we reset known-good where we know we need to not be reading BDAT
data, as a general case fix, and move the places where we switch to BDAT
mode until after various protocol state checks.
Fixes CVE-2020-BDATA reported by Qualys.
HS/03 Die on "/../" in msglog file names
QS/01 Creation of (database) files in $spool_dir: only uid=0 or the uid of
the Exim runtime user are allowed to create files.
QS/02 PID file creation/deletion: only possible if uid=0 or uid is the Exim
runtime user.
QS/03 When reading the output from interpreted forward files we do not
pass the pipe between the parent and the interpreting process to
executed child processes (if any).
QS/04 Always die if requested from internal logging, even is logging is
disabled.
Changelog:
Notmuch 0.32 (2021-05-02)
=========================
General
-------
This release includes a significant overhaul of the configuration
management facilities for notmuch. The previous distinction between
configuration items that can be modified via plain text configuration
files and those that must be set in the database via the "notmuch
config" subcommand is gone, and all configuration items can be set in
both ways. The external configuration file overrides configuration
items in the database. The location of database, hooks, and
configuration files is now more flexible, with several new
configuration variables. In particular XDG locations are now supported
as fallbacks for database, configuration and hooks. For more
information see `notmuch-config(1)`.
Library
-------
To support the new configuration facilities, several functions and
constants have been added to the notmuch API. Most notably:
- `notmuch_database_create_with_config`
- `notmuch_database_open_with_config`
- `notmuch_database_load_config`
- `notmuch_config_get`
A previously requested API change is that `notmuch_database_reopen` is
now exposed (and generalized).
The previously severe slowdowns from large numbers calls to
notmuch_database_remove_message or notmuch_message_delete in one
session has been fixed.
As always, the canonical source of API documentation is
`lib/notmuch.h`, or the doxygen formatted documentation in `notmuch(3)`
CLI
---
The `notmuch config set` subcommand gained a `--database` argument to
specify that the database should be updated, rather than a config file.
The speed of `notmuch new` and `notmuch reindex` in dealing with large
numbers of mail file deletions is significantly improved.
Emacs
-----
Completion related updates include: de-duplicating tags offered for
completion, use the actual initial input in address completion, allow
users to opt out of notmuch address completion, and do not force Ido
when prompting for senders.
Some keymaps used to contain bindings for unnamed commands. These
lambda expressions have been replaced by named commands (symbols), to
ease customization.
Lexical binding is now used in all notmuch-emacs libraries.
Fix bug in calling `notmuch-mua-mail` with a non-nil RETURN-ACTION.
Removed, inlined or renamed functions and variables:
`notmuch-address-locate-command`,
`notmuch-documentation-first-line`, `notmuch-folder`,
`notmuch-hello-trim', `notmuch-hello-versions` => `notmuch-version`,
`notmuch-remove-if-not`, `notmuch-search-disjunctive-regexp`,
`notmuch-sexp-eof`, `notmuch-split-content-type`, and
`notmuch-tree-button-activate`.
