Update dovecot2-pigeonhole package to 0.5.13.
v0.5.13 2021-01-04 Aki Tuomi <aki.tuomi@open-xchange.com>
- duplicate: The test was handled badly in a multiscript (sieve_before,
sieve_after) scenario in which an earlier script in the sequence with
a duplicate test succeeded, while a later script caused a runtime
failure. In that case, the message is recorded for duplicate tracking,
while the message may not actually have been delivered in the end.
- editheader: Sieve interpreter entered infinite loop at startup when
the "editheader" configuration listed an invalid header name. This
problem can only be triggered by the administrator.
- relational: The Sieve relational extension can cause a segfault at
compile time. This is triggered by invalid script syntax. The segfault
happens when this match type is the last argument of the test command.
This situation is not possible in a valid script; positional arguments
are normally present after that, which would prevent the segfault.
- sieve: For some Sieve commands the provided mailbox name is not
properly checked for UTF-8 validity, which can cause assert crashes at
runtime when an invalid mailbox name is encountered. This can be
caused by the user by writing a bad Sieve script involving the
affected commands ("mailboxexists", "specialuse_exists").
This can be triggered by the remote sender only when the user has
written a Sieve script that passes message content to one of the
affected commands.
- sieve: Large sequences of 8-bit octets passed to certain Sieve
commands that create or modify message headers that allow UTF-8 text
(vacation, notify and addheader) can cause the delivery or IMAP
process (when IMAPSieve is used) to enter a memory-consuming
semi-infinite loop that ends when the process exceeds its memory
limits. Logged in users can cause these hangs only for their own
processes.
Update mail/dovecot2 pacakge to 2.3.13, including security fixes.
v2.3.13 2021-01-04 Aki Tuomi <aki.tuomi@open-xchange.com>
* CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
allow logged in user to access other people's emails and filesystem
information.
* Metric filter and global event filter variable syntax changed to a
SQL-like format. See https://doc.dovecot.org/configuration_manual/event_filter/
* auth: Added new aliases for %{variables}. Usage of the old ones is
possible, but discouraged.
* auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth
mechanism and related password schemes.
* auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
* auth: Removed postfix postmap socket
+ auth: Added new fields for auth server events. These fields are now
also available for all auth events. See
https://doc.dovecot.org/admin_manual/list_of_events/#authentication-server
for details.
+ imap-hibernate: Added imap_client_hibernated, imap_client_unhibernated
and imap_client_unhibernate_retried events. See
https://doc.dovecot.org/admin_manual/list_of_events/ for details.
+ lib-index: Added new mail_index_recreated event. See
https://doc.dovecot.org/admin_manual/list_of_events/#mail-index-recreated
+ lib-sql: Support TLS options for cassandra driver. This requires
cpp-driver v2.15 (or later) to work reliably.
+ lib-storage: Missing $HasAttachment / $HasNoAttachment flags are now
added to existing mails if mail_attachment_detection_option=add-flags
and it can be done inexpensively.
+ login proxy: Added login_proxy_max_reconnects setting (default 3) to
control how many reconnections are attempted.
+ login proxy: imap/pop3/submission/managesieve proxying now supports
reconnection retrying on more than just connect() failure. Any error
except a non-temporary authentication failure will result in reconnect
attempts.
- auth: Lua passdb/userdb leaks stack elements per call, eventually
causing the stack to become too deep and crashing the auth or
auth-worker process.
- auth: SASL authentication PLAIN mechanism could be used to trigger
read buffer overflow. However, this doesn't seem to be exploitable in
any way.
- auth: v2.3.11 regression: GSSAPI authentication fails because dovecot
disallows NUL bytes for it.
- dict: Process used too much CPU when iterating keys, because each key
used a separate write() syscall.
- doveadm-server: Crash could occur if logging was done outside command
handling. For example http-client could have done debug logging
afterwards, resulting in either segfault or
Panic: file http-client.c: line 642 (http_client_context_close):
assertion failed: (cctx->clients_list == NULL).
- doveadm-server: v2.3.11 regression: Trying to connect to doveadm server
process via starttls assert-crashed if there were no ssl=yes listeners:
Panic: file master-service-ssl.c: line 22 (master_service_ssl_init):
assertion failed: (service->ssl_ctx_initialized).
- fts-solr: HTTP requests may have assert-crashed:
Panic: file http-client-request.c: line 1232 (http_client_request_send_more):
assertion failed: (req->payload_input != NULL)
- imap: IMAP NOTIFY could crash with a segmentation fault due to a bad
configuration that causes errors. Sending the error responses to the
client can cause the segmentation fault. This can for example happen
when several namespaces use the same mail storage location.
- imap: IMAP NOTIFY used on a shared namespace that doesn't actually
exist (e.g. public namespace for a nonexistent user) can crash with a panic:
Panic: Leaked view for index /tmp/home/asdf/mdbox/dovecot.list.index: Opened in (null):0
- imap: IMAP session can crash with QRESYNC extension if many changes
are done before asking for expunged mails since last sync.
- imap: Process might hang indefinitely if client disconnects after
sending some long-running commands pipelined, for example FETCH+LOGOUT.
- lib-compress: Mitigate crashes when configuring a not compiled in
compression. Errors with compression configuration now distinguish
between not supported and unknown.
- lib-compression: Using xz/lzma compression in v2.3.11 could have
written truncated output in some situations. This would result in
"Broken pipe" read errors when trying to read it back.
- lib-compression: zstd compression could have crashed in some situations:
Panic: file ostream.c: line 287 (o_stream_sendv_int): assertion failed: (!stream->blocking)
- lib-dict: dict client could have crashed in some rare situations when
iterating keys.
- lib-http: Fix several assert-crashes in HTTP client.
- lib-index: v2.3.11 regression: When mails were expunged at the same
time as lots of new content was being saved to the cache (e.g. cache
file was lost and is being re-filled) a deadlock could occur with
dovecot.index.cache / dovecot.index.log.
- lib-index: v2.3.11 regression: dovecot.index.cache file was being
purged (rewritten) too often when it had a field that hadn't been
accessed for over 1 month, but less than 2 months. Every cache file
change caused a purging in this situation.
- lib-mail: MIME parts were not returned correctly by Dovecot MIME parser.
Regression caused by fixing CVE-2020-12100.
- lib-mail: When max nested MIME parts were reached, IMAP BODYSTRUCTURE
was written in a way that may have caused confusion for both IMAP
clients and Dovecot itself when parsing it. The truncated part is now
written out using application/octet-stream MIME type.
- lib-mail: v2.3.11 regression: Mail delivery / parsing crashed when the
10000th MIME part was message/rfc822 (or if parent was multipart/digest):
Panic: file message-parser.c: line 167 (message_part_append):
assertion failed: (ctx->total_parts_count <= ctx->max_total_mime_parts).
- lib-oauth2: Dovecot incorrectly required oauth2 server introspection
reply to contain username with invalid token.
- lib-ssl-iostream, lib-dcrypt: Fix building with OpenSSL that has
deprecated APIs disabled.
- lib-storage: When mail's size is different from the cached one (in
dovecot.index.cache or Maildir S=size in the filename), this is
handled by logging "Cached message size smaller/larger than expected"
error. However, in some situations this also ended up crashing with:
Panic: file istream.c: line 315 (i_stream_read_memarea):
assertion failed: (old_size <= _stream->pos - _stream->skip).
- lib-storage: v2.3 regression: Copying/moving mails was taking much more
memory than before. This was mainly visible when copying/moving
thousands of mails in a single transaction.
- lib-storage: v2.3.11 regression: Searching messages assert-crashed
(without FTS): Panic: file message-parser.c: line 174 (message_part_finish):
assertion failed: (ctx->nested_parts_count > 0).
- lib: Dovecot v2.3 moved signal handlers around in ioloops,
causing more CPU usage than in v2.2.
- lib: Fixed JSON parsing: '\' escape sequence may have wrongly resulted
in error if it happened to be at read boundary. Any NUL characters and
'\u0000' will now result in parsing error instead of silently
truncating the data.
- lmtp, submission: Server may hang if SSL client connection disconnects
during the delivery. If this happened repeated, it could have ended
up reaching process_limit and preventing any further lmtp/submission
deliveries.
- lmtp: Proxy does not always properly log TLS connection problems as
errors; in some cases, only a debug message is logged if enabled.
- lmtp: The LMTP service can hang when commands are pipelined. This can
particularly occur when one command in the middle of the pipeline fails.
One example of this occurs for proxied LMTP transactions in which the
final DATA or BDAT command is pipelined after a failing RCPT command.
- login-proxy: The login_source_ips setting has no effect, and therefore
the proxy source IPs are not cycled through as they should be.
- master: Process was using 100% CPU in some situations when a broken
service was being throttled.
- pop3-login: POP3 login would fail with "Input buffer full" if the
initial response for SASL was too long.
- stats: Crash would occur when generating openmetrics data for metrics
using aggregating functions.
Changelog:
What's new in notmuch 0.31.3
=========================
Bindings
--------
Fix for exclude tags in notmuch2 bindings.
Build
-----
Portability update for T360-symbol-hiding
Library
-------
Fix for memory error in notmuch_database_get_config_list
* Fix build with devel/cbindgen-0.16.0.
Changelog:
New
MailExtensions: Added browser.windows.openDefaultBrowser()
Changes
Thunderbird now only shows quota exceeded indications on the main window
MailExtensions: menus API enabled in messages being composed
MailExtensions: Honor allowScriptsToClose argument in windows.create API
function
MailExtensions: APIs that returned an accountId will reflect the account the
message belongs to, not what is stored in message headers
Fixes
Keyboard shortcut for toggling message "read" status not shown in menus
OpenPGP: After importing a secret key, Key Manager displayed properties of the
wrong key
OpenPGP: Inline PGP parsing improvements
OpenPGP: Discovering keys online via Key Manager sometimes failed on Linux
OpenPGP: Encrypted attachment "Decrypt and Open/Save As" did not work
OpenPGP: Importing keys failed on macOS
OpenPGP: Verification of clear signed UTF-8 text failed
Address book: Some columns incorrectly displayed no data
Address book: The address book view did not update after changing the name
format in the menu
Calendar: Could not import an ICS file into a CalDAV calendar
Calendar: Two "Home" calendars were visible on a new profile
Calendar: Dark theme was incomplete on Linux
Dark theme did not apply to new mail notification popups
Folder icon, message list, and contact side bar visual improvements
MailExtensions: HTTP refresh in browser content tabs did not work
MailExtensions: messageDisplayScripts failed to run in main window
Various security fixes
Security fixes:
#CVE-2020-16042: Operations on a BigInt could have caused uninitialized memory to be exposed
#CVE-2020-26971: Heap buffer overflow in WebGL
#CVE-2020-26973: CSS Sanitizer performed incorrect sanitization
#CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free
#CVE-2020-26978: Internal network hosts could have been probed by a malicious webpage
#CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs
#CVE-2020-35112: Opening an extension-less download may have inadvertently launched an executable instead
#CVE-2020-35113: Memory safety bugs fixed in Thunderbird 78.6
This release fixes a few assorted bugs. Unfortunately, one of those (for
large-file support) required a change to the header cache structures; so
your header cache files will need to regenerate when opening each mailbox.
Update roundcube to 1.4.10, including security fix.
RELEASE 1.4.10
--------------
- Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655)
- Fix folder list issue whan special folder is a subfolder (#7647)
- Fix Elastic's folder subscription toggle in search result (#7653)
- Fix state of subscription toggle on folders list after changing folder state from the search result (#7653)
- Security: Fix cross-site scripting (XSS) via HTML or Plain text messages with malicious content [CVE-2020-35730]
Change since 1.3.1 from RELEASE_NOTES
1.4.0 2018/06/??
Add ARC support. Extensive work contributed by ValiMail.
Add "DomainWhitelist" and "DomainWhitelistFile" config options.
Extract client IP address for ARC reports when provided via
Authentication-Results.
Update SQL schema to support new reporting functionality for DKIM
selectors and ARC local policy overrides (refer to the example
schema.mysql file).
Add experimental support for reporting of ARC local policy overrides.
Add support for recording and reporting of DKIM selectors.
Override a DMARC "fail" if an ARC "pass" is recorded in conjunction with
an ARC policy pass.
Fix bug #137: Handle base64 inside AR tokens that are values.
Problem reported by Joseph Coffland.
LIBOPENDMARC: Fix bug #203: Reject DMARC records that have duplicate
tags in them. Reported by Dirk Stoecker.
REPORTS: Feature request #146: Add option to pull input from a file.
REPORTS: Fix bug #153: Suppress duplicate results from the same
domain. Patch from Tomki Camp.
1.3.2 2017/03/04
Feature request #86: Change meaning of "RequiredHeaders" such that
header validity is always checked, but messages are only
rejected on that basis when the flag is set. Based
on a patch from Andreas Schulze.
Feature request #127: Log SPF results when rejecting. Requested
by Patrick Wagner; patch from Andreas Schulze, follow-up
patch from Juri Haberland.
Feature request #138: Inculde policy and disposition information
in an Authentication-Results comment. Based on a patch
from Juri Haberland.
Feature request #139: Include the client host name if known
in failure reports. Suggested by Roland Turner;
patch by Andreas Schulze.
Fix bug #95: Assume IPv6 for SPF operations. Patch from Juri Haberland.
Fix bug #120: Fix control logic around the SPF result.
Reported by Christophe Wolfhugel; patch from Andreas Schulze.
Fix bug #122: Don't skip the HELO milter phase when SPF is enabled.
Reported by Christophe Wolfhugel.
Fix bug #157: Fix logging of implicit authserv-ids. Reported
by Andreas Schulze; patch from Juri Haberland.
Fix bug #158: Log ignored connections. Patch from Andreas Schulze.
Fix bug #160: Fix "SyslogFacility" handling. Patch from
Juri Haberland.
Fix bug #163: Use a larger buffer for the raw MAIL FROM value.
Based on a patch from Andreas Schulze.
Fix bug #174: Trim "!" suffixes from reporting addresses. Problem
noted by Juri Haberland.
Fix bug #186: When reloading the configuration file, the public
suffix list was read in with the wrong comment indicator.
Patch from Federico Omoto.
Fix bug #194: Fix inappropriate DMARC status when "p=none" is
discovered. Patch from Juri Haberland.
Fix bug #195: When parsing Received-SPF, use the correct constants
in the history file entries. Patch from Juri Haberland.
LIBOPENDMARC: Fix bug #115: Fix type mismatch. Patch from
Sebastian A. Siewior via Scott Kitterman.
LIBOPENDMARC: Fix bug #121: Fix IPv6 CIDR matching in SPF code.
Patch from Christophe Wolfhugel.
LIBOPENDMARC: Fix bug #125: Compile time IPv6 fix. Reported by
Christophe Wolfhugel.
LIBOPENDMARC: Fix bug #131: Fix alignment bug. Patch from
Andreas Schulze.
LIBOPENDMARC: Fix bug #147: Fix stripping of whitespace from
DMARC DNS records. Based on a patch from Job Noorman.
LIBOPENDMARC: Fix bug #149: Apply "sp" setting, if present and
applicable. Patch from Petr Novak.
LIBOPENDMARC: Fix bug #154: Fix "rf" and "fo" processing logic.
LIBOPENDMARC: Fix bug #156: Fix variable name. Patch by
Andreas Schulze.
LIBOPENDMARC: Fix bug #165: Fix logic in checking which SPF
identifier was used. Patches from Marco Favero and
Juri Haberland.
LIBOPENDMARC: Fix bug #167: Don't return "fail" when we should
return "none". Patch from Marco Favero.
REPORTS: Fix bug #134: Handle SMTP errors correctly. Patch from
Andreas Schulze.
REPORTS: Fix bug #141: Set the HELO parameter correctly.
Reported by Alan Smith; patch from Andreas Schulze.
REPORTS: Fix bug #143: Fix logic in table truncation.
Reported by Wayne Andersen; patch from Juri Haberland.
REPORTS: Fix bug #162: Always report "sp" in aggregate reports.
Patch from Juri Haberland.
REPORTS: Fix bug #166: Fix report start/end time logic.
Patch from Juri Haberland.
REPORTS: Fix bug #188: Don't delete inputs too early in
opendmarc-reports. Patch from Juri Haberland.
TOOLS: Fix bug #161: "Forensic" reports were renamed "Failure"
reports. Patch from Andreas Schulze.
TOOLS: Fix bug #164: Handle IPv6 test addresses. Reported by
Andreas Schulze; patch from Juri Haberland.
DOCS: Patch #189: Replace the DMARC RFC with an HTML page
referencing the relevant specs, since Debian doesn't
consider RFCs to be "free". Patch from Scott Kitterman
via Juri Haberland.
- qmail-qfilter-{ofmipd,smtpd}-queue: Remove after 2 years' deprecation.
If you're using these, please switch to qmail-qfilter-queue.
- qmail-qfilter-viruscan: Optionally build with qmail-queue-custom-error
support, returning the same error message as Russ Nelson's original
viruscan patch.
- qmail-qfilter-queue.8, qmail-rcptcheck.8: Add an ERRORS section.
Darwin doesn't install include files in ${KRB5BASE}
(They are in the SDK instead)
therefore let fetchmail use krb5-config to determine how to
link against kerberos
- reup: Delete, because retrying AUTH has been broken ever since TLS was
added to authup.
- authup: Fix AUTH retries under TLS by inlining the retry logic.
- fixsmtpio: Fix process-management bugs in "Ensure STARTTLS resets all
state by restarting qmail-smtpd."
- Manual pages: considerably improve clarity of authup(8) and
fixsmtpio(8). Mention s6-ucspitlsd, a new UCSPI-TLS server
implementation coming soon to s6-networking.
Changelog:
What's New
OpenPGP: Added option to disable email subject encryption
Changes
OpenPGP public key import now supports multi-file selection and bulk accepting imported keys
MailExtensions: getComposeDetails will wait for "compose-editor-ready" event
Fixes
New mail icon was not removed from the system tray at shutdown
"Place replies in the folder of the message being replied to" did not work when using "Reply to List"
Thunderbird did not honor the "Run search on server" option when searching messages
Highlight color for folders with unread messages wasn't visible in dark theme
OpenPGP: Key were missing from Key Manager
OpenPGP: Option to import keys from clipboard always disabled
The "Link" button on the large attachments info bar failed to open up Filelink section in Options if the user had not yet configured Filelink
Address book: Printing members of a mailing list resulted in incorrect output
Unable to connect to LDAP servers configured with a self-signed SSL certificate
Autoconfig via LDAP did not work as expected
Calendar: Pressing Ctrl-Enter in the new event dialog would create duplicate events
Various security fixes
Security fixes:
#CVE-2020-26970: Stack overflow due to incorrect parsing of SMTP server response codes
Change log:
1.3.0
======
- GTK 3 Port
- Remove Libgcrypt dependency
- Move "watching" column to the left to avoid overlapping with scrollbar
- Add support for XfceTitledDialog new API
- Fix cast to pointer
- Replace deprecated GTimeVal
- Update URLs from goodies.x.o to docs.x.o (Bug #16167)
- Added support for multi-row/column panels in xfce4-panel > 4.9
- Fix running command on each change of the count
- Fix running an empty command
- Do not run command when new message count is 0
- Add SSL support CFLAGS and LDFLAGS conditionally
- Translation Updates:
Albanian, Arabic, Asturian, Basque, Belarusian, Bulgarian, Catalan,
Chinese (China), Chinese (Taiwan), Croatian, Czech, Danish, Dutch,
English (Australia), English (United Kingdom), Finnish, French,
Galician, German, Greek, Hebrew, Hungarian, Icelandic, Indonesian,
Interlingue, Italian, Japanese, Korean, Latvian, Lithuanian, Malay,
Norwegian Bokmål, Occitan (post 1500), Polish, Portuguese,
Portuguese (Brazil), Russian, Serbian, Slovak, Slovenian, Spanish,
Swedish, Thai, Turkish, Ukrainian, Urdu, Urdu (Pakistan), Uyghur,
Vietnamese
IMAPFilter 2.7.4 - 18 Nov 2020
- Bug fix; incorrect argument to regular expression compile function.
IMAPFilter 2.7.3 - 14 Nov 2020
- Bug fix; incorrect free of compiled pattern.
- Unexpected network errors and IMAP BYE are now logged.
IMAPFilter 2.7.2 - 10 Nov 2020
- Makefile is back to being Lua version agnostic.
IMAPFilter 2.7.1 - 9 Nov 2020
- Makefile now builds with Lua 5.4 and PCRE2.
IMAPFilter 2.7 - 8 Nov 2020
- Lua 5.4 compatibility (the codebase can still be compiled with versions
5.3, 5.2 and 5.1).
- PCRE2 compatibility (version 10.00 and later)
- New error code is returned if certificate verify fails.
- Bug fix; add missing truststore option from brief usage message.
IMAPFilter 2.6.16 - 23 Nov 2019
- Bug fix; escape the double-quote character in passwords.
IMAPFilter 2.6.15 - 14 Nov 2019
- Bug fix; try to setup both a CA file and path for SSL validations.
IMAPFilter 2.6.14 - 1 Nov 2019
- Bug fix; OpenSSL version mess up for SSL hostname validation.
IMAPFilter 2.6.13 - 17 Sep 2019
- Support for SSL hostname validation.
IMAPFilter 2.6.12 - 3 Oct 2018
- Support for Server Name Indication (SNI).
- The searching methods return values are described in the config man page.
- Example of using the enter_idle() function in the sample extend file.
IMAPFilter 2.6.11 - 19 Nov 2017
- Support for interrupting IDLE mode with SIGUSR1/SIGUSR2.
- New "persist" option to try to recover a connection indefinitely.
- New "range" option to limit messages included in a range.
- Bug fix; always close selected mailbox before check_status().
- Bug fix; closing of selected mailbox twice with fetch_message().
* 3.17.8
--------
* Shielded template's |program{} and |attach_program{} so that the
command-line that is executed does not allow sequencing such as
with && || ;, preventing possible execution of nasty, or at least
unexpected, commands
* fixed bug 4376, 'Litehtml breaks locale'
* updated English, French, and Spanish manuals
* 3.17.7
--------
* Image Viewer: Image attachments, when displayed, are now resized
to fit the available width rather than the available height.
* -d is now an alias to --debug.
* Libravatar plugin: New styles supported: Robohash and Pagan.
* SpamAssassin plugin: The 'Maximum size' option now matches
SpamAssassin's maximum; it can now handle messages up to 256MB.
* LiteHTML viewer plugin: The UI is now translatable.
* The manual has been updated.
* The man page has been updated.
* Updated translations: French, Spanish.
* bug fixes:
o bug 4313, 'Recursion stack overflow with rebuilding folder
tree'
o bug 4372, '[pl_PL] Crash after "Send later" without
recipient and then "Close"'
o bug 4373, 'attach mailto URI double free'
o bug 4374, 'insert mailto URI misses checks'
o bug 4384, 'U+00AD (soft hyphen) changed to space in
Subject'
o bug 4386, 'Allow Sieve config without userid without
warning'
o Add missing SSL settings when cloning accounts.
o Parsing of command-line arguments.
o PGP Core plugin: fix segv in address completion with a
keyring.
o Libravatar plugin: fixes to image display.
* 3.17.6
--------
* It is now possible to 'Inherit Folder properties and processing
rules from parent folder' when creating new folders with the
move message and copy message dialogues.
* A Phishing warning is now shown when copying a phishing URL, (in
addition to clicking a phishing URL).
* The progress window when importing an mbox file is now more
responsive.
* A warning dialogue is shown if the selected privacy system is
'None' and automatic signing amd/or encrypting is enabled.
* Python plugin: pkgconfig is now used to check for python2. This
enables the Python plugin (which uses python2) to be built on
newer systems which have both python2 and python3.
* Add translation: Greek.
* Updated translation: Polish.
* bug fixes:
o bug 3922, 'minimize to tray on startup not working'
o bug 4220, 'generates files in cache without content'
o bug 4325, 'Following redirects when retrieving image'
o bug 4342, 'Import mbox file command doesn't work twice on a
row'
o fix STARTTLS protocol violation
o fix initial debug line
o fix fat-fingered crash when v (hiding msgview) is pressed
just before c (check signature)
o fix non-translation of some Templates strings
1.2.2
Added
Apache License version 2.0
Support for SMTP AUTH, with AUTH hooks feature
Built-in implementation for AUTH PLAIN and AUTH LOGIN logic
Feature to inject keyword args during server class instantiation in Controller.factory
Support for Python 3.8 and 3.9.0
Fixed/Improved
Don’t strip last \r\n prior to terminating dot.
Slight improvement to make Test Suite more maintainable
No more failures/DeprecationWarnings for Python 3.8
Faster _handle_client() processing
Faster method access for smtp_*, handle_*, and auth_* hooks
Removed
Unit Tests that mocked too deep, possibly masking observable internal behaviors
Drop support for Python 3.5
Alpine 2.23
* Implementation of XOAUTH2 authentication support for Outlook. Based on
documentation suggested by Andrew C Aitchison.
* Add support for the OAUTHBEARER authentication method in Gmail. Thanks to
Alexander Perlis for suggesting it and explaining how the method works.
* Creation of Alpine's Privacy Policy. This is presented as a link to an
online document from the Release Notes (Link at the top of this document.)
Upon user request, Alpine downloads and displays this document. Links to
the privacy policy are also displayed when a user starts Alpine for the
first time, or when a user starts a new version of Alpine. There is no
default exit greeting command for these screens, and to exit the user must
press "E", instead of the old default, which was the RETURN command. The
RETURN command will open the handle on which the cursor is on, which by
default is the Privacy Policy.
* Support for the SASL-IR IMAP extension that avoids a round trip during
authentication. Similar support added for the SMTP, NNTP and POP3
protocols. Thanks to Geoffrey Bodwin for a report that lead to this
implementation.
* Alpine can pass an HTML message to an external web browser, by using the
"External" command in the ATTACHMENT INDEX screen.
* New configuration variable external-command-loads-inline-images-oly that
controls if Alpine will keep the source link to all the images in the HTML
message, or will only pass a link to inline images included in the message.
For your privacy and security this feature is enabled by default.
* When reading an email and a user selects an email address to which to
compose a message from the message, the user will be able to select a role
to compose that message.
* New variable system-certs-path that allows users to indicate the location
of the directory where certificates are located. In PC-Alpine this must be
C:\libressl\ssl\certs. The C: drive can be replaced by the name of the
drive where the binary and DLL files are located.
* New variable system-certs-file that allows users to configure the location
of a container of certificate authority (CA) certificates to be used to
validate certificates of remote servers.
* Remove sleep of 5 seconds for mailcap programs that use the terminal to
display content. Suggested by Carl Edquist. In addition, remove
configurable process table command and its corresponding sleep time.
Bugs that have been addressed include:
* Security Bug: Alpine can be configured to start a secure connection using
/tls on an insecure connection. However, if the connection is PREAUTH,
Alpine will not upgrade the connection to a secure connection, because a
client must not issue a STARTTLS to a server that supports it in
authenticated state. This makes Alpine continue to use an insecure
connection with the server, exposing user data. Reported by Damian
Poddebniak and Fabian Ising from Muenster University of Applied Sciences.
* Selecting by subject might not copy the subject of the current message to
the selection text correctly. Reported by Iosif Fettich.
* Alpine does not set the return path correctly when using a role while
bouncing a message. Reported by Dr. C. Griewatsch.
* Bug in PC-Alpine that made Alpine go into an infinite loop and consume CPU
when it was iconized. Reported by Holger Schieferdecker in comp.mail.pine.
* Crash in Alpine when attempting to reply to a multipart/alternative message
that is malformed, and the option to include attachments in reply is
enabled. Reported and patched by Peter Tirsek.
* Bug that makes Alpine split encoded words in the subject of a message in
the middle of a utf-8 character into two encoded words, breaking the
encoding. Reported by Jean Chevalier.
* Alpine would not redraw the screen when a check for new mail in an incoming
folder failed due to a failure while validating the server certificate,
and the user did not allow the connection to proceed.
* Crash in Alpine while resizing the screen when using any of the tokens
SUBJKEYTEXT, SUBJECTTEXT, or SUBJKEYINITTEXT in the index format, and the
screen was resized. Reported by Iggy Mogo.
* When Alpine is trying to authenticate to Gmail, using the XOAUTH2 method,
it does not display the url the user needs to open, in order to authorize
Alpine to access Gmail using XOAUTH2 when Alpine still has not created a
screen. Reported by Baron Fujimoto.
* When an html anchor does not quote the link in the href parameter, alpine
does not link to it.
* Attempt to fix a bug that breaks scrolling of a message in Alpine when the
screen is resized. Reported in the Debian bug system at
https://bugs.debian.org/cgi-bin/bugreport.cgie?bug=956361.
Alpine 2.24
* Implementation of XOAUTH2 for Yahoo! Mail.
* Expansion of the configuration screen for XOAUTH2 to include username,
authorization flow, and tenant.
* XOAUTH2: automatic renew of access token and connection to a server within
60 seconds of expiration of the access token.
* If a user has more than one client-id for a service, Alpine asks the user
which client-id to use and associates that client-id to the credentials in
the XOAUTH2 configuration screen.
* Addition of Yandex.com to the list of services that Alpine can use XOAUTH2
to authenticate for reading and sending email.
* Addition of a link to the Apache License 2.0 (see above). This is available
from the Release Notes as well as the welcome screen.
* Modifications to protect the privacy of users:
+ Alpine does not generate Sender or X-X-Sender by default by enabling
[X] Disable Sender as the default.
+ Alpine does not disclose User Agent by default by enabling [X] Suppress
User Agent by default.
+ Alpine uses the domain in the From: header of a message to generate a
message-id and suppresses all information about Alpine, version,
revision, and time of generation of the message-id from this header.
This information is replaced by a random string.
* Unix Alpine displays configure options and flags when invoked as "alpine
-v". Suggested by Matt Ackeret.
* Alpine will ding the terminal bell when asking about quitting when new mail
arrives. This is consistent with Alpine dinging the bell when new mail
arrives. The bell will not ding if it is disabled for status messages.
Suggested by Chime Hart.
* When messages are selected, pressing the ";" command to broaden or narrow a
search, now offers the possibility to completely replace the search, and is
almost equivalent to being a shortcut to "unselect all messages, and select
again". The difference is that cancelling this command will not unselect
all currently selected messages. Suggested by Holger Trapp.
* Alpine will not write debug files unless started with the option -d, so for
example "alpine -d 2" will generate a debug file at level 2, but just
issuing the alpine command will not write any debug to a file.
* Experimental: Attempt to implement the Encryption Range in Windows. It
works in Windows 10, and it should work in Windows 8.1. It needs testing in
Windows 7 and Windows Vista.
* Addition of variables user-certs-path and user-certs-file which allow a
user to specify locations for certificates that the user trusts.
* Ignore non-empty initial challenge in the GSSAPI authenticator. Based on a
patch written by Jarek Polok, but submitted by Ignacio Reguero.
* When a server expires a refresh token, Alpine needs to cancel it
internally. Alpine will attempt to get a new one when it reopens the folder
after it cancels it.
* Set up the IMAP ID at the moment of logging in to the server, rather than
as a one time option, in case we need to use a special IMAP ID.
Bugs that have been addressed include:
* When Alpine starts a PREAUTH connection, it might still ask the user to
login. Reported by Frank Tobin.
* Crash while resizing the screen when viewing a calendar event.
* When Alpine opens a folder in a server whose address is given numerically
it might crash due to an incorrect freeing of memory. Reported by Wang
Kang.
* Crash when Alpine frees memory on a system where LC_CTYPE is not
configured, and the user calls the file browser to attach files to a
message. Reported by Luis Gerardo Tejero.
* Invalid signatures created by Alpine, when built with recent releases of
the Openssl-1.1.1 series (but not in the Openssl-1.0.1 series). Fix
contributed by Bernd Edlinger.
* After returning from the directory side of a dual-folder, sometimes Alpine
would return to the first folder in the parent directory or to the
dual-folder. The fix is to return to the original dual-folder as intended.
Reported by Holger Trapp.
* When an attachment is deleted and the original message is saved, Alpine
might write only a part of the name of the file deleted. Reported by Holger
Trapp.
* URLs that are surrounded by white space are not cleaned by Alpine before
passing them to the browser, resulting in no display of the URL when Alpine
tries to open it. Reported by Gregory Heytings.
* When Alpine is built without smime, password file functionality might fail.
Reported by Andres Fehr.
* Crash in PC-Alpine when using the eXternal command.
* Fix in Macs that made Alpine abort a ssh connection to an imap server.
Reported and assisted by Wang Kang.
Fixed in Postfix version 3.5.8:
[Postfix 3.5 and later] The Postfix SMTP client inserted <CR><LF> into message headers with lines longer than $line_length_limit (default: 2048), causing all subsequent header content to become message body content. Reported by Andreas Weigel.
Fixed in Postfix versions 3.5.8, 3.4.18, 3.3.15, 3.2.20:
[Postfix 2.8 and later] The postscreen daemon did not save a copy of the postscreen_dnsbl_reply_map lookup result. This has no effect when the recommended texthash: lookup table is used, but it could result in stale data with other lookup tables.
[Postfix 2.3 and later] After deleting a recipient with a Milter, the Postfix recipient duplicate filter was not updated; the filter suppressed requests to add the recipient back. Reported by Mehmet Avcioglu.
[Postfix 2.3 and later] Memory leak: the static: maps did not free their casefolding buffer.
[Postfix 2.2 and later] With "smtpd_tls_wrappermode = yes", the smtps service was waiting for a TLS handshake, after processing an XCLIENT command. Reported by Aki Tuomi.
[Postfix 2.0 and later] The smtp_sasl_mechanism_filter implementation ignored table lookup errors, treating them as 'not found'.
[Postfix alpha and later] The code that looks for Delivered-To: headers ignored headers longer than $line_length_limit (default: 2048).
This is an important bug fix release, addressing CVE-2020-28896. Mutt had
incorrect error handling when initially connecting to an IMAP server, which
could result in an attempt to authenticate without enabling TLS.
2020-11-20 Richard Russon <rich@flatcap.org>
* Security
- imap: close connection on all failures
* Features
- alias: add <limit> function to Alias/Query dialogs
- config: add validators for {imap,smtp,pop}_authenticators
- config: warn when signature file is missing or not readable
- smtp: support for native SMTP LOGIN auth mech
- notmuch: show originating folder in index
* Bug Fixes
- sidebar: prevent the divider colour bleeding out
- sidebar: fix <sidebar-{next,prev}-new>
- notmuch: fix <entire-thread> query for current email
- restore shutdown-hook functionality
- crash in reply-to
- user-after-free in folder-hook
- fix some leaks
- fix application of limits to modified mailboxes
- write Date header when postponing
* Translations
- 100% Lithuanian
- 100% Czech
- 70% Turkish
* Docs
- Document that $sort_alias affects the query menu
* Build
- improve ASAN flags
- add SASL and S/MIME to --everything
- fix contrib (un)install
* Code
- my_hdr compose screen notifications
- add contracts to the MXAPI
- maildir refactoring
- further reduce the use of global variables
* Upstream
- Add $count_alternatives to count attachments inside alternatives
* Fix build with lang/rust-1.47.0.
Changelog:
78.5.0
What's New
OpenPGP: Added option to disable attaching the public key to a signed message
MailExtensions: "compose_attachments" context added to Menus API
MailExtensions: Menus API now available on displayed messages
Changes
MailExtensions: browser.tabs.create will now wait for "mail-delayed-startup-finished" event
Fixes
OpenPGP: Support for inline PGP messages improved
OpenPGP: Message security dialog showed unverified keys as unavailable
Chat: New chat contact menu item did not function
Various theme and usability improvements
Various security fixes
#CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
#CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
#CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
#CVE-2020-26956: XSS through paste (manual and clipboard API)
#CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
#CVE-2020-26959: Use-after-free in WebRequestService
#CVE-2020-26960: Potential use-after-free in uses of nsTArray
#CVE-2020-15999: Heap buffer overflow in freetype
#CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
#CVE-2020-26965: Software keyboards may have remembered typed passwords
#CVE-2020-26966: Single-word search queries were also broadcast to local network
#CVE-2020-26968: Memory safety bugs fixed in Thunderbird 78.5
78.4.3
Fixes
User interface was inconsistent when switching from the default theme to the dark theme and back to the default theme
Email subject would disappear when hovering over it with the mouse when using Windows 7 Classic theme
78.4.2
Fixes
Security fix
#CVE-2020-26950: Write side effects in MCallGetProperty opcode not accounted for
78.4.1
What's New
Thunderbird prompts for an address to use when starting an email from an address book entry with multiple addresses
Fixes
Searching global search results did not work
Link location was not focused by default when adding a hyperlink in message composer
Advanced address book search dialog was unusable
Encrypted draft reply emails lost "Re:" prefix
Replying to a newsgroup message did not open the compose window
Unable to delete multiple newsgroup messages
Appmenu displayed visual glitches
Visual glitches when selecting multiple messages in the message pane and using Ctrl+click
Switching between dark and light mode could lead to unreadable text on macOS
78.4.0
What's New
MailExtensions: browser.tabs.sendMessage API added
MailExtensions: messageDisplayScripts API added
Changes
Yahoo and AOL mail users using password authentication will be migrated to OAuth2
MailExtensions: messageDisplay APIs extended to support multiple selected messages
MailExtensions: compose.begin functions now support creating a message with attachments
Fixes
Thunderbird could freeze when updating global search index
Multiple issues with handling of self-signed SSL certificates addressed
Recipient address fields in compose window could expand to fill all available space
Inserting emoji characters in message compose window caused unexpected behavior
Button to restore default folder icon color was not keyboard accessible
Various keyboard navigation fixes
Various color-related theme fixes
MailExtensions: Updating attachments with onBeforeSend.addListener() did not work
Various security fixes
Security fixes:
#CVE-2020-15969: Use-after-free in usersctp
#CVE-2020-15683: Memory safety bugs fixed in Thunderbird 78.4
78.3.3
Fixes
OpenPGP: Improved support for encrypting with subkeys
OpenPGP message status icons were not visible in message header pane
OpenPGP Key Manager was missing from Tools menu on macOS
Creating a new calendar event did not require an event title
78.3.2
Changes
Thunderbird will no longer automatically install updates when Preferences tab is opened
Fixed
OpenPGP: Improved support for encrypting with subkeys
OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly
Single-click deletion of recipient pills with middle mouse button restored
Searching an address book list did not display results
Windows installer was unreadable with Windows in high contrast mode
Dark mode, high contrast, and Windows theming fixes
This release fixes a compilation issue on a few platforms, and clarifies the
pattern completion function in the UPDATING file. No other changes were made.
Changelog:
What's new in notmuch 0.31.2
=========================
Build
-----
Catch one more occurence of "version" in the build system, which
caused the file to be regenerated in the release tarball.
What's new in notmuch 0.31.1
=========================
Library
-------
Fix a memory initialization bug in notmuch_database_get_config_list.
Build
-----
Rename file 'version' to 'version.txt'. The old file name conflicted
with a C++ header for some compilers.
Replace use of coreutils `realpath` in configure.
Change since version 1.14.7:
+ Domain-literal support for email addresses, e.g user@[IPv6:fcXX:...]
! Buffy completion only occurs for the "change-folder" set of functions.
It has been disabled for <attach-message>, <write-fcc>, the fcc
mailbox prompt, and the autocrypt scan mailbox prompt.
! The "save/copy message to mailbox" set of functions use the "mailbox"
history list, instead of the "filename" list.
! Message-ID extraction permits values missing angle brackets and '@'
to allow properly threading the garbage sent by some providers.
Mutt will add missing angle brackets when sending out replies, however.
! When adding multiple attachments, via <attach-file> in the compose menu,
the browser menu can be exiting via <quit> after tagging the files.
Previously, <select-entry> had to be used.
! ctrl-p/ctrl-n are by default bound to <history-up>/<history-down> in the
editor menu.
+ The "cd" command allows changing the current working directory.
As part of this, Mutt expands relative paths internally. There
may be a change to some "prettified" relative paths because of this.
! Some configuration variable default values are localizable by
translators. Currently these are: $attribution, $compose_format,
$forward_attribution_intro, $forward_attribution_trailer, $status_format,
$ts_icon_format, $ts_status_format.
+ Mutt will try to automatically reconnect to an IMAP mailbox on error,
and will merge unsync'ed changes if possible.
! $crypt_protected_headers_subject defaults to "...", following the
protected headers revised specification.
! Date, From, To, Cc, and Reply-To headers are stored as protected headers.
+ XOAUTH2 support. Please see the manual, contrib script mutt_oauth2.py,
and mutt_oauth.py.README for more details.
+ $tunnel_is_secure, default set, assumes a connection via $tunnel is
encrypted. Unsetting this will cause $ssl_starttls and $ssl_force_tls
to be respected.
+ Patterns are tab-completable in the editor menu.
! $reply_to is consulted before $reply_self.
+ $copy_decode_weed, default unset, controls header weeding for <decode-copy>
and <decode-save>.
+ $pipe_decode_weed, default set, enables header weeding for <pipe-message>.
+ $print_decode_weed, default set, enables header weeding for <print-message>.
! format=flowed attachments are space-unstuffed when viewed, saved,
piped, and printed.
+ The "run" command will execute MuttLisp. $muttlisp_inline_eval, if set, will
execute unquoted parenthesized command arguments as MuttLisp. Please see
the manual for more details about both.
+ $cursor_overlay, when set, will overlay the indicator, tree,
sidebar_highlight, and sidebar_indicator colors onto the current line.
"default" colors will be overridden and attributes will be merged.
! The message-id generation algorithm uses a random number instead of
the step counter and PID.
! $ssl_force_tls defaults set. (Trying this again for 2.0).
! $hostname is set *after* muttrc processing. It can be manually set
in the muttrc to avoid using DNS calls to obtain the FQDN.
+ $attach_save_dir specifies a directory to use when saving attachments.
CurveCP support.
qmail-qremote resolves IP addresses for SMTP server and then calls
either tcpclient or qmail-curvecpclient for TCP or CurveCP connections,
respectively. Once the connection is established, qmail-rsmtp executes
to send mail via SMTP.
IMAPClient is an easy-to-use, Pythonic and complete IMAP client library
on top of the standard library.
- Arguments and return values are natural Python types.
- IMAP server responses are fully parsed and readily usable.
- IMAP unique message IDs (UIDs) are handled transparently.
- Internationalised mailbox names are transparently handled.
- Time zones are correctly handled.
- Convenience methods are provided for commonly used functionality.
- Exceptions are raised when errors occur.
nopop3d is not a POP3 server. It can be useful as part of a simple
authentication service that happens to be implemented as POP3.
nopop3d consists of qmail-pop3d with several POP3 verbs and all the file
access removed.
Update Ruby on Rails 6.0 related packages to 6.0.3.4.
This is security fix for ruby-actionpack60.
## Rails 6.0.3.4 (October 07, 2020) ##
* [CVE-2020-8264] Prevent XSS in Actionable Exceptions
## 1.0 (2020-09-12)
* Caution! Backwards incompatible changes:
* As a message name, `-` now refers to the message on the standard input,
and not the the previous message anymore. Use `.-` to refer to
the previous message in a short way.
The tools will print a warning if you use `-` and the standard input
comes from a TTY.
* mpick: use the -F flag to read script files.
* mpick: remove msglist support, use plain mmsg(7) arguments.
* Many mblaze tools now make use of pledge(2) on OpenBSD.
* add contrib/mcount, a tool to count mails
* mrep: use Reply-From configuration to find From header
* Many bug fixes.
## 0.7 (2020-05-15)
* All tools now follow symlinks to mails.
* mdirs: add -a to list all subfolders, ignoring Maildir++ convention.
* mcom: add preview alias for show command.
* mrep/mbnc: allow only one message as argument.
* maddr: add -d to only print display name.
* mthread: add -r to reverse top-level order.
* mlist: print number of matches when message selection is in place.
* mpick: many improvements.
* Many bug fixes.
Notable bugs fixed:
- Last release introduced a bug where Date: headers were localized,
which is against RFC. Further, that localization then broke character
rendering in some locales. A new fix for the original issue (#17) was
put in place, which no longer localizes the Date: header and fixes the
newly introduced rendering issue (#25)
- Last release introduced a bug which prevented –protect-prompt from
working. This is now fixed (#26)
New features:
- Added .netrc support
- Added –tls-sni option
- Swaks is now available on CPAN as App::swaks
- Swaks will now print errors if deprecated functionality is used
Notable changes:
- Automatic file detection is deprecated. Previously, if an argument
to –data, –body, –attach-body, and –attach resolved to an
openable file, the contents of that file would be used as the actual
argument. Now the proper way to do this is to place '@' in front
of the argument to state explicitly that the argument contents are
in a file.
- If any of the –xclient-* family of options (–xclient-name,
–xclient-addr, etc) is provided more than once, only the last option
provided will be used. See –xclient option if you need to simulate
the previous behavior
- -g option is now deprecated
- Time::Local is no longer used and POSIX is now listed as a
required module
Notable bugs fixed:
- Fix for subtle issue related to environment variable options. Affected
error handling for options which required args.
- Fix issue preventing XCLIENT and STARTTLS from working together
properly (#21)
- Fix issue which could cause generated date header to oscillate on the
day of DST transition (#17, deb bug 955798)
Changelog:
Changes
Thunderbird will no longer automatically install updates when Preferences tab is opened
Fixes
OpenPGP: Improved support for encrypting with subkeys
OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly
Single-click deletion of recipient pills with middle mouse button restored
Searching an address book list did not display results
Windows installer was unreadable with Windows in high contrast mode
Dark mode, high contrast, and Windows theming fixes
API changes:
* refactoring into a somewhat MVC model: split large feeds.py into
model.py and controller.py
* rename FeedCacheStorage to FeedItemCacheStorage
* factor out getter/setters in the base sqlite class
* remove conn member in sqlite to force use of context manager
* move session and fetching to the feed manager
* rename feeds to feed_manager in main
* allow absolute path in folder setting (Closes: #14)
New features:
* caching: latest feed contents get cached to avoid re-downloading
unchanged feeds. this includes parsing HTTP headers and so on, and
relies on the good behavior of the `cachecontrol` Python module
* Python 3.6-3.8 support
Bugfixes:
* recover from feedparser exceptions (Closes: #964597)
[ Roland Hieber ]
* README: don't let the example config create a folder named '~/Mailbox/'
[ Ian Zimmerman ]
* add --quiet option to silence warnings since --loglevel was broken
Update roundcube package to 1.4.9.
Roundcube Webmail 1.4.9 (2020-09-27)
This is a service update to the stable version 1.4 of Roundcube Webmail.
It contains fixes and general improvements from our issue tracker, mainly
related to email composition and UI oddities in Elastic skin and with the
TinyMCE richtext editor. See the full changelog below.
This version is considered stable and we recommend to update all productive
installations of Roundcube with it.
Please do backup your data before updating!
CHANGELOG
* Fix HTML editor in latest Chrome 85.0.4183.102, update to TinyMCE 4.9.11
(#7615)
* Add missing localization for some label/legend elements in userinfo plugin
(#7478)
* Fix importing birthday dates from Gmail vCards (BDAY:YYYYMMDD)
* Fix restoring Cc/Bcc fields from local storage (#7554)
* Fix jstz.min.js installation, bump version to 1.0.7
* Fix incorrect PDO::lastInsertId() use in sqlsrv driver (#7564)
* Fix link to closure compiler in bin/jsshrink.sh script (#7567)
* Fix bug where some parts of a message could have been missing in a
reply/forward body (#7568)
* Fix empty space on mail printouts in Chrome (#7604)
* Fix empty output from HTML5 parser when content contains XML tag (#7624)
* Fix scroll jump on key press in plain text mode of the HTML editor (#7622)
* Fix so autocompletion list does not hide on scroll inside it (#7592)
upstream changes:
-----------------
2.6: 30 Sep 2020
* [Conf] Add missing symbols
* [Conf] Add missing symbols
* [Conf] Fix fat-fingers typo
* [Conf] Fix wrong comment in options.inc
* [Conf] Neural: Fix the default name for max_trains
* [Conf] Register a known symbol
* [Conf] Spf: Add R_SPF_PERMFAIL symbol
* [CritFix] Arc: Fix ARC validation for chains of signatures
* [CritFix] Distinguish socketpairs between different fuzzy workers
* [CritFix] Fix IDNA dots parsing
* [CritFix] Fix test assertion method
* [CritFix] Fix usage of crypto_sign it should be crypto_sign_detached!
* [Feature] Add BOUNCE rule
* [Feature] Add controller plugins support and selectors plugin
* [Feature] Add maps query method
* [Feature] Add minimal delay to fuzzy storage
* [Feature] Add multiple base32 alphabets for decoding
* [Feature] Add preliminary support of BCH addresses
* [Feature] Add query_specific endpoint
* [Feature] Allow multiple base32 encodings in Lua API
* [Feature] Allow to specify nonces manually
* [Feature] Controller: Allow to pass query arguments to the lua webui plugins
* [Feature] Fuzzy_check: Add gen_hashes command
* [Feature] Fuzzy_check: Add weight_threshold option for fuzzy rules
* [Feature] Implement address retry on connection failure
* [Feature] Improve limits in pdf scanning
* [Feature] Initial support of subscribe command in lua_redis
* [Feature] Lua_cryptobox: Add secretbox API
* [Feature] Lua_text: Add encoding methods
* [Feature] Milter_headers: Allow to activate routines via users settings
* [Feature] PDF: Add timeouts for expensive operations
* [Feature] Preliminary maps addon for controller
* [Feature] Split pdf processing object and output object to allow GC
* [Feature] Support BLIS blas library
* [Feature] Support input vectorisation by recvmmsg call
* [Feature] Support multiple base32 alphabets
* [Feature] add queueid, uid, messageid and specific symbols to selectors [Minor] use only selectors to fill vars in force_actions message
* [Feature] allow variables in force_actions messages
* [Feature] extend lua api
* [Fix] #3249
* [Fix] Allow to adjust neurons in the hidden layer
* [Fix] Another try to fix email names parsing
* [Fix] Arc: Allow to reuse authentication results when doing multi-stage signing
* [Fix] Arc: Fix bug with arc chains verification where i>1
* [Fix] Arc: Sort headers by their i= value
* [Fix] Change neural plugin's loss function
* [Fix] Deal with double eqsigns when decoding headers
* [Fix] Default ANN names in clickhouse
* [Fix] Disable reuseport for TCP sockets as it causes too many troubles
* [Fix] Disable text detection heuristics for encrypted parts
* [Fix] Distinguish DKIM keys by md5
* [Fix] Distinguish type from flags in register_symbol
* [Fix] Dmarc: Unbreak reporting after cf2ae3292ac93da8b6e0624b48a62828a51803c9
* [Fix] Do not flag pre-result of virus scanners as least if action is reject
* [Fix] Do not use GC64 workaround on 32bit platforms, omg
* [Fix] Exclude damaged urls from html parser
* [Fix] Fix FREEMAIL_REPLYTO_NEQ_FROM_DOM
* [Fix] Fix FROM_NEQ_ENVFROM
* [Fix] Fix FWD_GOOGLE rule (#1815)
* [Fix] Fix adding of the empty archive file for gzip
* [Fix] Fix aliases in forged recipients and limit number of iterations
* [Fix] Fix authentication results insertion
* [Fix] Fix calling of methods in selectors
* [Fix] Fix clen length for hiredis...
* [Fix] Fix endless loop if broken arc chain has been found
* [Fix] Fix false - operation
* [Fix] Fix get_urls table invocation
* [Fix] Fix group based composites
* [Fix] Fix headers passing in rspamd_proxy
* [Fix] Fix incomplete utf8 sequences handling
* [Fix] Fix lua_next invocation
* [Fix] Fix lua_parse_symbol_type function logic
* [Fix] Fix multiple listen configuration
* [Fix] Fix occasional encryption of the cached data
* [Fix] Fix parsing boundaries with spaces
* [Fix] Fix passing of methods arguments
* [Fix] Fix poor man allocator algorithm
* [Fix] Fix regexp selector and add flattening
* [Fix] Fix rfc base32 encode ordering (skip inverse bits)
* [Fix] Fix rfc based base32 decoding
* [Fix] Fix sockets leak in the client
* [Fix] Fix storing of the original smtp from
* [Fix] Fix types check and types usage in lua_cryptobox
* [Fix] Fix unused results
* [Fix] Fuzzy_check: Disable shingles for short texts (really)
* [Fix] Ical: Fix identation grammar
* [Fix] Improve part:is_attachment logic
* [Fix] Mmap return value must be checked versus MAP_FAILED
* [Fix] One more fix to skip images that are not urls
* [Fix] Pdf: Support some weird objects with no newline before endobj
* [Fix] Rbl: Fix ignore_defaults in conjunction with ignore_whitelists
* [Fix] Restore support for `for` and `id` parts in received headers
* [Fix] Segmentation fault in contrib/lua-lpeg/lpvm.c on ppc64el
* [Fix] Skip spaces at the boundary end
* [Fix] Slashing fix: fix captures matching API
* [Fix] Spamassassin: Rework metas processing
* [Fix] Store reference of upstream list in upstreams objects
* [Fix] Understand utf8 in content-disposition parser
* [Fix] Unify selectors digest functions
* [Fix] Use `abs` value when checking composites
* [Fix] Use strict IDNA for utf8 DNS names + add sanity checks for DNS names
* [Fix] Use unsigned char and better support of utf8 in ragel parser
* [Fix] add missing selector_cache declaration
* [Project] Add `L` flag for regexps to save start of the match in Hyperscan
* [Project] Add `lower` method to lua_text
* [Project] Add a simple matrix Lua library
* [Project] Add implicit bitcoincash prefix
* [Project] Add linalg ffi library for prototyping
* [Project] Add methods to append data to fuzzy requests
* [Project] Add routine to call a generic lua function
* [Project] Add ssyev method interface
* [Project] Add tensors index method
* [Project] Add text:sub method
* [Project] Allow rspamd_text based selectors
* [Project] Allow to specify re_conditions for regular expressions
* [Project] Attach extensions to the binary fuzzy commands
* [Project] Bitcoin: BTC cash addresses needs some checksum validation
* [Project] Cleanup the redis script
* [Project] Convert bitcoin rules to the new regexp conditions feature
* [Project] Detect memrchr in systems that supports it
* [Project] Do not listen sockets in the main process
* [Project] Implement 'probabilistic' learn mode for ANN
* [Project] Implement BTC polymod in C as it requires 64 bit ops
* [Project] Implement bitcoin cash validation in a proper way
* [Project] Implement extensions logic for fuzzy storage
* [Project] Implement symbols insertion in multiple results mode
* [Project] Lua_text: Add method memchr
* [Project] Neural: Add PCA loading logic
* [Project] Neural: Fix PCA based learning
* [Project] Neural: Fix matrix gemm
* [Project] Neural: Further PCA fixes
* [Project] Neural: Implement PCA in learning
* [Project] Neural: Implement PCA learning
* [Project] Neural: Implement PCA on ANN forward
* [Project] Neural: Implement PCA serialisation
* [Project] Neural: Start PCA implementation
* [Project] Neural: Use C version of scatter matrix producing
* [Project] Preliminary support of lua conditions for regexps
* [Project] Preliminary usage of the reuseport
* [Project] Process composites separately for each shadow result
* [Project] Remove old code
* [Project] Rework scan result functions to support shadow results
* [Project] Rework some more functions to work with shadow results
* [Project] Some more fixes
* [Project] Start results chain implementation
* [Project] Support fun iterators on rspamd_text objects
* [Project] Support multiply, minus and divide operators in expressions
* [Project] Tensor: Move scatter matrix calculation to C
* [Rework] Allow to specify exat metric result when adding a symbol
* [Rework] Change and improve openblas detection and usage
* [Rework] Close listen sockets in main after fork
* [Rework] Further rework of lua urls extraction API
* [Rework] Lua_cryptobox: Allow to store output of the hash function
* [Rework] Lua_task: Add more methods to deal with shadow results
* [Rework] Modernize logging for expressions
* [Rework] Remove empty prefilters feature - we are not prepared...
* [Rework] Remove old FindLua module, disable lua fallback when LuaJIT is enabled
* [Rework] Rework and refactor forged recipients plugin
* [Rework] Rework expressions processing
* [Rework] Rework fuzzy commands processing
* [Rework] Rework url flags handling API
* [Rework] Rework urls extraction
* [Rework] Split operations processing and add more debug logs
* [Rework] Update zstd to 1.4.5
* [Rework] Use google-ced instead of libicu chardet as the former sucks
* [Rework] add alias util:parse_addr for util:parse_mail_address
* [Rework] get rid of util:parse_addr duplicating the util:parse_mail_address, replace where used
* [Rules] Allow prefix for bitcoin cash addresses
* [Rules] More fixes for bitcoin cash addresses decoding
* [Rules] Refactor bleach32 addresses handling
pkgsrc changes:
---------------
* Remove a conditional test for very old and unmaintained releases of
NetBSD. The variable defined is this test seems to be absent from the
pkgsrc tree and pkglint warns about its use.
* Add a LICENSE to fetchmailconf
upstream changes:
-----------------
fetchmail-6.4.12 (released 2020-09-04, 27596 LoC):
# BUG FIXES:
* The README file is now the one from Git again. The makerelease.pl script
used to roll and upload the tarball sometimes clobbered the README file and
replaced its contents by a part of the NEWS file.
---------------------------------------------------------------------------------
fetchmail-6.4.11 (released 2020-08-28, 27596 LoC):
# REGRESSION FIX:
* configure: fetchmail 6.4.9 and 6.4.10 would miss checking for TLS v1.2 and
TLS v1.3 support if AC_LIB_LINKFLAGS came up with something such as
/path/to/libssl.so, rather than -lssl. (For instance on FreeBSD)
# KNOWN BUGS AND WORKAROUNDS
(This section floats upwards through the NEWS file so it stays with the
current release information)
* Fetchmail does not handle messages without Message-ID header well
(See sourceforge.net bug #780933)
* Fetchmail currently uses 31-bit signed integers in several places
where unsigned and/or wider types should have been used, for instance,
for mailbox sizes, and misreports sizes of 2 GibiB and beyond.
Fixing this requires C89 compatibility to be relinquished.
* BSMTP is mostly untested and errors can cause corrupt output.
* Fetchmail does not track pending deletes across crashes.
* The command line interface is sometimes a bit stubborn, for instance,
fetchmail -s doesn't work with a daemon running.
* Linux systems may return duplicates of an IP address in some circumstances if
no or no global IPv6 addresses are configured.
(No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
messages. This will not be fixed, because the maintainer has no Kerberos 5
server to test against. Use GSSAPI.
---------------------------------------------------------------------------------
fetchmail-6.4.10 (released 2020-08-27, 27596 LoC):
# REGRESSION FIX:
* configure: fetchmail 6.4.9's configure was unable to pick up OpenSSL
if it wasn't announced by pkg-config, for instance, on FreeBSD.
---------------------------------------------------------------------------------
fetchmail-6.4.9: (not announced by e-mail, withdrawn)
## DOCUMENTATION UPDATE:
* manpage: mention that the SSL/TLS certificate fingerprint uses an MD5 hash.
## CHANGES:
* configure: try to use AC_LIB_LINKFLAGS to obtain proper link flags for
libcrypto and libssl if pkg-config failed.
This is an attempt to fix borderline issues when users building on systems
with obsolete OpenSSL try to use a local newer OpenSSL from a separate
directory.
## NEW TRANSLATION, with thanks to the translator:
* ro: Florentina Mușat [Romanian]
Changelog:
78.3.1
Fixes
Thunderbird crashed after updating to 78.3.0
78.3.0
Changes
OpenPGP: Improved decryption performance with large messages
OpenPGP: Do not show external key UI when disabled by preference
Account setup wizard will now open a popup when connecting to a server with a
self-signed SSL/TLS certificate
Installation of "legacy" MailExtensions now disabled
Reply-To header moved in compose window; now appears under From header
Calendar: Sidebar UI improvements
Fixes
Selecting "Cancel" on the Master Password prompt at startup incorrectly
reported corrupted OpenPGP data
OpenPGP: Creating a new key pair did not automatically select it for use
Dragging & Dropping recipient pills resulted in lost pills when an error was
present
Spellcheck suggestions were unreadable in dark theme
Calendar: Multiple password prompts opened
Linux Distributions: UI was not rendered completely when built without updater
MailExtensions: browser.folders.delete failed on IMAP folders
Various security fixes
Security fixes:
Mozilla Foundation Security Advisory 2020-44
#CVE-2020-15677: Download origin spoofing via redirect
#CVE-2020-15676: XSS when pasting attacker-controlled data into
a contenteditable element
#CVE-2020-15678: When recursing through layers while scrolling, an iterator may
have become invalid, resulting in a potential use-after-free scenario
#CVE-2020-15673: Memory safety bugs fixed in Thunderbird 78.3
Changes:
1.8.12
------
- msmtpd now supports session reuse and improves standards compliance
- Automatic account matching now supports subaddresses. For example,
user+detail@example.com will match account user@example.com.
2020-09-25 Richard Russon <rich@flatcap.org>
* Features
- Compose: display user-defined headers
- Address Book / Query: live sorting
- Address Book / Query: patterns for searching
- Config: Add '+=' and '-=' operators for String Lists
- Config: Add '+=' operator for Strings
- Allow postfix query ':setenv NAME?' for env vars
* Bug Fixes
- Fix crash when searching with invalid regexes
- Compose: Prevent infinite loop of `send2-hook`s
- Fix sidebar on new/removed mailboxes
- Restore indentation for named mailboxes
- Prevent half-parsing an alias
- Remove folder creation prompt for POP path
- Show error if `$message_cachedir` doesn't point to a valid directory
- Fix tracking LastDir in case of IMAP paths with Unicode characters
- Make sure all mail gets applied the index limit
- Add warnings to -Q query CLI option
- Fix index tracking functionality
* Changed Config
- Add `$compose_show_user_headers` (yes)
* Translations
- 100% Czech
- 100% Lithuanian
- Split up usage strings
* Build
- Run shellcheck on hcachever.sh
- Add the Address Sanitizer
- Move compose files to lib under compose/
- Move address config into libaddress
- Update to latest acutest - fixes a memory leak in the unit tests
* Code
- Implement ARRAY API
- Deglobalised the Config Sort functions
- Refactor the Sidebar to be Event-Driven
- Refactor the Color Event
- Refactor the Commands list
- Make ctx_update_tables private
- Reduce the scope/deps of some Validator functions
- Use the Email's IMAP UID instead of an increasing number as index
- debug: log window focus
CHANGES IN mime VERSION 0.9
MINOR CHANGES
o Added the MIME type for .jsonp files (thanks, @clabornd, #11).
CHANGES IN mime VERSION 0.8
MINOR CHANGES
o Added the MIME type for .scss files (thanks, @cpsievert, #10).
* Runtime depend on chat/libotr.
Changelog:
What's New
new Drag and Drop reordering of recipient pills now supported
Changes
changed OpenPGP: Some signature states reported as "mismatch" now report "unknown"
changed Privacy policy now displayed in a tab when updated
changed Chat: Non-functional Twitter support removed
Fixes
fixed OpenPGP: Improvements to key importing when failures occur
fixed OpenPGP: Decryption did not work with certain HTTP proxy configurations
fixed OpenPGP: "Discover keys online" option did not work when searching for an email address
fixed Email filters reported failure when moving a message to original folder
fixed Message filters: Filters shown as enabled in configuration dialog were not always enabled
fixed vCard 2.1 attachments not handled properly
fixed Sending messages sometimes failed when recipients were in LDAP address book
fixed Non-functional help menu items removed
fixed Adding custom headers in the addressing widget (preference mail.compose.other.header) did not work
fixed Calendar: Event reminder details were unreadable
fixed Windows 10 high-contrast theme fixes
fixed More theme fixes and improvements
version 3.42: Sun Feb 24 00:43:29 UTC 2019
- rt.cpan.org#12859: has_capability() changes in 3.41 broke imap4rev1()
[Gilles Lamiral and Gábor Leszlauer]
- updated http:// to https:// URLs for referenced resources
- updated copyright for 2019
version 3.41: Thu Feb 21 01:47:42 UTC 2019
- rt.cpan.org#128220: unseen(), messages() and related POD cleanup
[Dan Jacobson]
- rt.cpan.org#128264: parse_message() minor code/POD cleanup
[Dan Jacobson]
- rt.cpan.org#128215: verb missing in messages() POD
[Gilles Lamiral and Dan Jacobson]
- rt.cpan.org#127271: simplify capability handling via has_capability enhancements
+* has_capability() success returns(true) with server response data, not always '1'
+ enhanced t/capability.t test cases
+ updated POD for capability() and has_capability()
[Gilles Lamiral and Mark Overmeer]
- rt.cpan.org#122373: use of IO::Socket::IP led to connect(empty args) regression
[Gilles Lamiral]
- rt.cpan.org#128127: fix minor POD typo for search()
[Gregor Herrmann]
- folders()/subscribed() remove mailboxes with \Noselect attribute
[Ashley Willis]
- fetch_hash() remove quotes around header names (seen w/outlook.com)
[Ashley Willis]
- use first over grep for minor efficiency gains
- other minor POD cleanup
1.20200824 2020-08-24 UTC
* ARC::Signer: Set cv=none if message contains no ARC headers and no ARC result
Thanks to @dev-aaront-org
1.20200724 2020-07-24 UTC
* Fix test for change in live dns response
1.20200708 2020-07-08 UTC
* Safer internal use of eval
1.20200513.1 2020-05-13 UTC
* ARC: When sealing, don't die on an unparsable Authentication-Results header.
0.58
2019-11-13: Marc Bradshaw <marc@marcbradshaw.net>
Thanks to Martin Sluka <fany@cpan.org>
* Prevent outer $SIG{__DIE__} handlers from being called
Thanks to Todd Richmond
* Lowercase q tag before use
* Lowercase domain check
* Strip quotes from PublicKey.pm in addition to other whitespace chars
* Fix regex performance issue
0.57
2019-10-08: Marc Bradshaw <marc@marcbradshaw.net>
* Correct the $self->{result_reason} variable name for $self->{details} that is
used by the parent class in Mail::DKIM::ARC::Signer
0.56
2019-08-21: Marc Bradshaw <marc@marcbradshaw.net>
* Properly verify the domain, not the instance, of an ARC signature.
This allows ARC signatures by keys marked as no subdomains to
validate correctly.
version 3.009: Tue 18 Aug 09:49:44 CEST 2020
Improvements:
- for file-per-message based folders, you can now address the message
via its filename. rt.cpan.org#132823 [Alexander Adolf]
version 3.008: Fri 4 Oct 08:34:32 CEST 2019
Fixes:
- MH reading message did not unlock after processing.
rt.cpan.org#130193 [Sergey Poznyakoff]
Improvements:
- test suite can now run in parallel [Corion, Max Maischein]
1.300034 2019-12-02 22:21:58-05:00 America/New_York
- add documentation for the SMTP "hosts" parameter!
1.300033 2019-11-26 14:44:51-05:00 America/New_York
- no changes since 1.300031
1.300032 2019-11-15 00:32:03-05:00 America/New_York (TRIAL RELEASE)
- SMTP transport can now accept a "hosts" init arg instead of just
"host"; this argument is an arrayref of host names to try in order
(thanks, Marc Bradshaw!)
1.949 2020-05-24 10:25:36-04:00 America/New_York
- no changes since trial release
1.948 2020-05-09 14:57:17-04:00 America/New_York (TRIAL RELEASE)
- fixes to handling of content-type parameters (thanks, dlucredativ and
Pali Rohár)
1.947 2020-05-09 14:30:06-04:00 America/New_York (TRIAL RELEASE)
- add $Email::MIME::MAX_DEPTH and refuse to parse deeper than that many
parts; current default: 10
1.024 2020-05-24 10:19:20-04:00 America/New_York
- no changes since stable release
1.023 2020-05-09 14:51:41-04:00 America/New_York (TRIAL RELEASE)
- All of this release is thanks to Pali Rohár, who suffered through a
long period of waiting while RJBS, the maintainer, let the module
languish. Thank you for your patience, Pali and everybody else.
- silence an uninitalized value warning
- avoid allowing non-Latin digits in numbers
- add new functions build_content_type() and build_content_disposition
----- July 2010 - Version 1.8 released -----
3. Complete overhaul of ppf_mime. Determine the MIME message boundary
using more reliable (albeit more complex) means, and special case
a lot of client behavior to allow verification of a wider variety
of messages. For display, de-code more of the MIME en-coding so that
the messages are much more readable. Use the same tricks to display
decrypted messages in ppf_mime_decrypt.
These changes have several major benefits:
a. Support for PGP/MIME messages generated by well over a dozen MUAs.
b. Support for verifying signatures on attachments, and a clear
indication that attachments are signed (or not).
c. Greatly improved readability. With the exception of text coloring
(URLs, signatures, etc.), 8-bit characters, and some types of
messages sent with format=flowed, messages displayed by the filter
are identical to the display in Alpine.
2. For ppf_{decrypt|encrypt|sign|verify} add 'clear' commands so that
nothing is left behind in the "user interface" area between scripts.
For _verify, add a message indicating that we are verifying, along
with a helpful hint about delays caused by auto-key-retrieve.
1. Add /opt/bin and /opt/local/bin to the gpg[2] search path in configure
in case it is located there, and that's not going to be $PREFIX.
----- April 2010 - Version 1.7 released -----
2. Add support for the OpenPGP header in ppf_sign and ppf_encrypt, and
use the same method to sanitize the key ID as was already done for
the other headers.
1. Use a more reliable method to find the signature and message parts
in the ppf_mime script.
Changelog:
What's new in notmuch 0.31
=========================
Emacs
-----
Notmuch now supports Emacs 27.1. You may need to set
`mml-secure-openpgp-sign-with-sender` and/or
`mml-secure-smime-sign-with-sender` to continue signing messages.
The minimum supported major version of GNU Emacs is now 25.1.
Add support for moving between threads after notmuch-tree-from-search-thread.
New `notmuch-unthreaded` mode (added in Notmuch 0.30)
Unthreaded view is a mode where each matching message is shown on a
separate line.
The main key entries to unthreaded view are
'u' enter a query to view in unthreaded mode (works in hello,
search, show and tree mode)
'U' view the current query in unthreaded mode (works from search,
show and tree)
Saved searches can also specify that they should open in unthreaded
view.
Currently it is not possible to specify the sort order: it will
always be newest first.
Notmuch-Mutt
------------
The shell pipeline executed by notmuch-mutt, which symlinked matched
files to a maildir for mutt to access is replaced with internal perl
processing. This search operation is now more portable, and somewhat
faster.
Library
-------
Improve exception handling in the library. This should
largely eliminate terminations inside the library due to uncaught
exceptions or internal errors. No doubt there are a few uncovered
code paths still; please report them as bugs.
Add `notmuch_message_get_flag_st` and
`notmuch_message_has_maildir_flag_st`, and deprecate the existing
non-status providing versions.
Move memory de-allocation from `notmuch_database_close` to
`notmuch_database_destroy`.
Handle relative filenames in `notmuch_database_index_file`, as
promised in the documentation.
Python Bindings
---------------
Documentation for the python bindings is merged into the main
sphinx-doc documentation tree. The merged documentation can be built
with e.g. `make sphinx-html`
Dependencies
------------
We now support building notmuch against Xapian 1.5 (the current
development version).
Test Suite
----------
Test suite fixes for compatibility with Emacs 27.1.
Build System
------------
Man pages are now compressed reproducibly.
* Lightning cannot be disabled by users in build time.
Remove mozilla-lightning option.
Changelog:
78.2.1
Changes
changed OpenPGP enabled by default
changed OpenPGP: Disabled the use of MD5/SM2/SM3 algorithms
Fixes
fixed OpenPGP: Users with sub-identities were unable to encrypt or sign messages when switching identities
fixed OpenPGP message security window did not support dark mode
78.2.0
Changes
changed OpenPGP Key generation now disabled when there is no default mail account configured
changed OpenPGP: Encrypt saved drafts when OpenPGP is enabled
changed Twitter search removed
changed Calendar: Event summary dialog is now themeable
changed MailExtensions: Some APIs now use defineLazyPreferenceGetter in order to benefit from caching
Fixes
fixed OpenPGP Key Manager search function did not work
fixed OpenPGP Key Properties dialog was sometimes too small
fixed OpenPGP: Encrypted email would not send if address contained uppercase characters
fixed OpenPGP: "Key ID" column could not be resized in Key Manage
fixed OpenPGP: Keys containing invalid UTF-8 strings could not be imported
fixed OpenPGP: Enable automatic signing for encrypted messages in additional scenarios
fixed Many more OpenPGP bug fixes and improvements
fixed IMAP fetch chunk size was always 65536 bytes
fixed IMAP server capabilities were not rechecked after upgrading to SSL/TLS connection
fixed Message Composer: Order of attachments could not be modified using drag & drop
fixed Composing messages with a "fixed width" font did not work
fixed Drag and drop of address book contacts did not work in some situations
fixed Address book migration failed when there was a dot in the file name
fixed Address book: "Always prefer display name over message header" was always checked when editing a contact
fixed Address book performance optimizations
fixed Dialog to add a new mail account from "Account Settings" did not open
fixed "Select All" (Ctrl+A) in message source did not work until focused with a mouse click
fixed Ctrl+scroll wheel not zooming in message reader
fixed Setting/changing a signature from a file lost when closing account settings
fixed Adaptive Junk Mail settings could not be disabled
fixed Message filter dialog fixes: Missing scrollbar, drop-down list not wide enough
fixed Various UX and theme improvements
78.1.1
Changes
changed Building OpenPGP shared library linked to system libraries now supported
changed MailExtension errors now shown in Developer Tools console by default
changed MailExtensions: Dynamic registration of calendar providers now supported
Fixesr
fixed OpenPGP improvements
fixed Message preview was sometimes blank after upgrading from Thunderbird 68
fixed Email addresses whitelisted for remote content not displayed in preferences
fixed Importing data from Seamonkey did not work
fixed Renaming a mail list did not update the side bar
fixed MailExtensions: messenger.* namespace was undefined
78.1.0
What's New
new OpenPGP support is now feature complete. Improvements: new Key Wizard, online searching for OpenPGP keys, and more
new The preferences tab now has a search field
Changes
changed Dark background in message reader is now disabled
Fixes
fixed Thunderbird startup was slow when using folder color customizations with many folders. Previously configured colors will not be migrated.
fixed Mail quota usage in status bar did not support terabyte folder sizes
fixed Changing Junk mail settings with keyboard toggled wrong setting
fixed Advanced IMAP server preferences not saved in Account Manager
fixed Address book migration updates and fixes
fixed Address book: Last Modified Date was not updated
fixed Dark mode improvements
fixed Various security fixes
Security fixes:
#CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker
#CVE-2020-6514: WebRTC data channel leaks internal address to peer
#CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy
#CVE-2020-15653: Bypassing iframe sandbox when allowing popups
#CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
#CVE-2020-15656: Type confusion for special arguments in IonMonkey
#CVE-2020-15658: Overriding file type when saving to disk
#CVE-2020-15657: DLL hijacking due to incorrect loading path
#CVE-2020-15654: Custom cursor can overlay user interface
#CVE-2020-15659: Memory safety bugs fixed in Thunderbird 78.1
78.0.1
What's New
new OpenPGP: Key revocation, extending key expiration, and secret key backup
Fixes
fixed Drag & Drop multiple attachments to macOS Finder created duplicate files
fixed Faceted search date and relevance settings not saved
fixed FileLink attachments included as a link and file when added from a network drive via drag & drop
fixed About Thunderbird dialog keyboard shortcuts did not work
fixed CC'd recipients sometimes displayed collapsed in header pane
fixed Incremental search in contacts sidebar did not always display local results when an LDAP server was also in use
fixed Contacts sidebar search results cleared after removing a contact
fixed OpenPGP: Messages with long Armor Header lines did not display
fixed OpenPGP: Messages containing non-UTF-8 text were not supported
fixed Various UI and theming fixes
fixed Chat: Participants list did not display operator flags
Changelog:
With "smtp_tls_connection_reuse = yes", tlsproxy(8) was using the wrong global
TLS context for connections that use DANE trust anchors or that use non-DANE
trust anchors. This resulted in a global certificate verify function pointer
race, between TLS handshakes that use trust achors and concurrent TLS
handshakes that use PKI. No memory was corrupted in the course of all this.
Reference: http://www.postfix.org/announcements/postfix-3.5.7.html
upstream changes:
-----------------
fetchmail-6.4.8 (released 2020-06-14, 27596 LoC):
## NEW TRANSLATION, with thanks to the translator:
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
- Sorry, this was missed earlier because my translation scripts did not properly
report new translations.
# KNOWN BUGS AND WORKAROUNDS
(This section floats upwards through the NEWS file so it stays with the
current release information)
* Fetchmail does not handle messages without Message-ID header well
(See sourceforge.net bug #780933)
* Fetchmail currently uses 31-bit signed integers in several places
where unsigned and/or wider types should have been used, for instance,
for mailbox sizes, and misreports sizes of 2 GibiB and beyond.
Fixing this requires C89 compatibility to be relinquished.
* BSMTP is mostly untested and errors can cause corrupt output.
* Fetchmail does not track pending deletes across crashes.
* The command line interface is sometimes a bit stubborn, for instance,
fetchmail -s doesn't work with a daemon running.
* Linux systems may return duplicates of an IP address in some circumstances if
no or no global IPv6 addresses are configured.
(No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
messages. This will not be fixed, because the maintainer has no Kerberos 5
server to test against. Use GSSAPI.
---------------------------------------------------------------------------------
fetchmail-6.4.7 (released 2020-06-14, 27596 LoC):
## TRANSLATION UPDATE, with thanks to the translator:
* sv: Göran Uddeborg [Swedish]
-------------------------------------------------------------------------------
fetchmail-6.4.6 (released 2020-05-29, 27596 LoC):
## TRANSLATION UPDATE, with thanks to the translator:
* eo: Felipe Castro [Esperanto]
--------------------------------------------------------------------------------
fetchmail-6.4.5 (released 2020-05-07, 27596 LoC):
## REGRESSION FIX:
* fetchmail 6.4.0 and 6.4.1 changed the resolution of the home directory
in a way that requires SUSv4 semantics of realpath(), which leads to
'Cannot find absolute path for... directory' error messages followed by aborts
on systems where realpath() follows strict SUSv2 semantics and returns
EINVAL if the 2nd argument is NULL.
On such systems, for instance, Solaris 10, fetchmail requires PATH_MAX to be
defined, and will then work again. Regression reported by David Hough.
On systems that neither provide auto-allocation semantics for realpath(),
nor PATH_MAX, fetchmail will print this error and abort. Such systems
are unsupported, see README.
## CHANGES:
* Add a test program fm_realpath, and a t.realpath script, neither to be
installed. These will test resolution of the current working directory.
## TRANSLATION UPDATES in reverse alphabetical order of language codes,
## with my thanks to the translators:
* zh_CN: Boyuan Yang [Chinese (simplified)]
* sv: Göran Uddeborg [Swedish]
* sq: Besnik Bleta [Albanian]
* pl: Jakub Bogusz [Polish]
* ja: Takeshi Hamasaki [Japanese]
* fr: Frédéric Marchal [French]
* cs: Petr Pisar [Czech]
--------------------------------------------------------------------------------
fetchmail-6.4.4 (released 2020-04-26, 27530 LoC):
## UPDATED TRANSLATIONS - WITH THANKS TO THE TRANSLATOR:
* ja: Takeshi Hamasaki [Japanese]
--------------------------------------------------------------------------------
fetchmail-6.4.3 (released 2020-04-05, 27530 LoC):
## BUGFIXES:
* Plug memory leaks when parts of the configuration (defaults, rcfile, command
line) override one another.
* fetchmail terminated the placeholder command string too late and included
garbage from the heap at the end of the string. Workaround: don't use place-
holders %h or %p in the --plugin string. Bug added in 6.4.0 when merging
Gitlab merge request !5 in order to fix an input buffer overrun.
Faulty commit 418cda65f752e367fa663fd13884a45fcbc39ddd.
Reported by Stefan Thurner, Gitlab issue #16.
* Fetchmail now checks for errors when trying to read the .idfile,
Gitlab issue #3.
* Fetchmail's error messages that reports that the defaults entry isn't the
first was made more precise. It could be misleading if there was a poll or
skip statement before the defaults.
## CHANGES:
* Fetchmail documentation was updated to require OpenSSL 1.1.1.
OpenSSL 1.0.2 reached End Of Life status at the end of the year 2019.
Fetchmail will tolerate, but warn about, 1.0.2 for now on the assumption that
distributors backport security fixes as the need arises.
Fetchmail will also warn if another SSL library that is API-compatible
with OpenSSL lacks TLS v1.3 support.
* If the trust anchor is missing, fetchmail refers the user to README.SSL.
## INTERNAL CHANGES:
* The AC_DECLS(getenv) check was removed, its only user was broken and not
accounting for that AC_DECLS always defines HAVE_DECL_... to 0 or 1, so
fetchmail never declared a missing getenv() symbol (it was testing with
#ifdef). Remove the backup declaration. getenv is mandated by SUSv2 anyways.
## UPDATED TRANSLATIONS - WITH THANKS TO THE TRANSLATORS:
* sq: Besnik Bleta [Albanian]
* zh_CN: Boyuan Yang [Chinese (simplified)]
* pl: Jakub Bogusz [Polish]
* cs: Petr Pisar [Czech]
* fr: Frédéric Marchal [French]
* sv: Göran Uddeborg [Swedish]
* eo: Felipe Castro [Esperanto]
upstream changes:
-----------------
Fixed in Postfix versions 3.5.6, 3.4.16, 3.3.14, 3.2.19:
* One fix for memory leaks in the Postfix TLS library was back-ported to the wrong place, resulting in undefined program behavior.
Fixed in Postfix versions 3.5.6, 3.4.16:
* The workaround for allowed TLS protocol versions did not explictly override the system-wide OpenSSL configuration, for sessions where the remote SMTP client sends SNI. It's better to be safe than sorry.
Fixed in Postfix versions 3.5.5, 3.4.15, 3.3.13, 3.2.18:
* Workaround for unexpected TLS interoperability problems when Postfix runs on OS distributions with system-wide OpenSSL configurations.
* Memory leaks in the Postfix TLS library, the largest one involving multiple kBytes per peer certificate.
Update based on wip/mailman by Jesus Cea.
Clean some pkglint while here.
2.1.34 (26-Jun-2020)
i18n
- The Spanish translation has been updated by Omar Walid Llorente.
Bug Fixes and other patches
- The fix for LP: #1859104 can result in ValueError being thrown on
attempts to subscribe to a list. This is fixed and extended to apply
REFUSE_SECOND_PENDING to unsubscription as well. (LP: #1878458)
- DMARC mitigation no longer misses if the domain name returned by DNS
contains upper case. (LP: #1881035)
- A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to prevent
mailbombing of a member of a list with private rosters by repeated
subscribe attempts. (LP: #1883017)
- Very long filenames for scrubbed attachments are now truncated.
(LP: #1884456)
Although the package itself builds when pkgsrc is bootstrapped in
unprivileged mode, the pkgsrc +INSTALL/+DEINSTALL scripts fail, causing
bulk build noise:
=> Creating binary package /wrk/mail/qmail/work/.packages/qmail-1.03nb49.tgz
fatal: unable to find user alias
===========================================================================
ERROR: instchown exited 111.
Permissions are likely wrong, and/or the queue may be uninitialized.
===========================================================================
pkg_add: install script returned error status
pkg_add: 1 package addition failed
2020-08-21 Richard Russon <rich@flatcap.org>
* Bug Fixes
- fix maildir flag generation
- fix query notmuch if file is missing
- notmuch: don't abort sync on error
- fix type checking for send config variables
* Changed Config
- `$sidebar_format` - Use `%D` rather than `%B` for named mailboxes
* Translations
- 96% Lithuanian
- 90% Polish
The check whether a block of memory is tainted erroneously returns true
if the block in question starts the very next byte after a block in the
tainted pool. Depending on the memory allocator, this can cause problems.
For example, on NetBSD/amd64 9.0, this seems to allocate the first tainted
block immediately before log_buffer. This leads to a recursive error in
log_write the first time anything is written to the log, leading to a
segmentation fault when the stack fills up.
3.2.5
Added
IMAP Daemon: added switch to control the diffential state reload
(mailbox_update_strategy=2), more information in dbmail.conf,
mailbox_update_strategy_2_max_iterations [#81]
IMAP Daemon: added switch to control UNSEEN first message in SELECT commands
Changed
IMAP Daemon: allow reporting UID COPY success in case of various failures
(except quota), reporting issues are sent to error log as warnings [#87]
Optimizations
optimizing differential state [#81]
optimizing fetch message headers [#85]
Issues
fixing issue related to copy message in regard to RFC 3501, section 6.4.8
fixing issues related group_concat for PostgreSql [#75], [#78]
fixing issue related to lastRowId [#71]
fixing issues related with differential update [#70], [#73]
fixing proc not being used in BSD systems [#74]
IMAP Daemon: segmentation fault [#68]
3.2.4
Added
IMAP Daemon: mailbox-update-strategy switch (see dbmail.conf), experimental
support for application_name in database connection uri
IMAP Daemon: mailbox_search_strategy switch (see dbmail.conf)
Changed
systemd unit changed to type notify
mailbox state is build using only valid messages [#39]
Optimizations
IMAP Daemon: optimization of sql queries in relation to message headers
libevent increased priority on accepting new connections
libevent optimization on reading and writing to sockets
simplify libzdb configuration (AC_CHECK_HEADERS)
Issues
fix segmentation fault in imap_append_hash_as_string [#12]
dbmail-users: sql issue on deleting alias user [#18]
IMAP Daemon: generation of invalid BODYSTRUCTURE in Content-Type field [#23]
fix support for jemalloc latest version [#35]
IMAP Deamon: BYE Command now offers optional message even on normal operations
IMAP Deamon: idle message now offers optional message (* OK Still Here)
IMAP Daemon: random hangs when single user is connected [#37]
fix fd leaks
IMAP Daemon: fix MODIFIED keyword, too many '[' and ']'
fix segmentation fault in find_end_of_header
fix gcc 10 compilation issue, duplicated definition
2020-08-14 Richard Russon <rich@flatcap.org>
* Security
- Add mitigation against DoS from thousands of parts
* Features
- Allow index-style searching in postpone menu
- Open NeoMutt using a mailbox name
- Add `cd` command to change the current working directory
- Add tab-completion menu for patterns
- Allow renaming existing mailboxes
- Check for missing attachments in alternative parts
- Add one-liner docs to config items
* Bug Fixes
- Fix logic in checking an empty From address
- Fix Imap crash in `cmd_parse_expunge()`
- Fix setting attributes with S-Lang
- Fix: redrawing of `$pager_index_lines`
- Fix progress percentage for syncing large mboxes
- Fix sidebar drawing in presence of indentation + named mailboxes
- Fix retrieval of drafts when "postponed" is not in the mailboxes list
- Do not add comments to address group terminators
- Fix alias sorting for degenerate addresses
- Fix attaching emails
- Create directories for nonexistent file hcache case
- Avoid creating mailboxes for failed subscribes
- Fix crash if rejecting cert
* Changed Config
- Add `$copy_decode_weed`, `$pipe_decode_weed`, `$print_decode_weed`
- Change default of `$crypt_protected_headers_subject` to "..."
- Add default keybindings to history-up/down
* Translations
- 100% Czech
- 100% Spanish
* Build
- Allow building against Lua 5.4
- Fix when sqlite3.h is missing
* Docs
- Add a brief section on stty to the manual
- Update section "Terminal Keybindings" in the manual
- Clarify PGP Pseudo-header `S<id>` duration
* Code
- Clean up String API
- Make the Sidebar more independent
- De-centralise the Config Variables
- Refactor dialogs
- Refactor: Help Bar generation
- Make more APIs Context-free
- Adjust the edata use in Maildir and Notmuch
- Window refactoring
- Convert libsend to use Config functions
- Refactor notifications to reduce noise
- Convert Keymaps to use STAILQ
- Track currently selected email by msgid
- Config: no backing global variable
- Add events for key binding
* Upstream
- Fix imap postponed mailbox use-after-free error
- Speed up thread sort when many long threads exist
- Fix ~v tagging when switching to non-threaded sorting
- Add message/global to the list of known "message" types
- Print progress meter when copying/saving tagged messages
- Remove ansi formatting from autoview generated quoted replies
- Change postpone mode to write Date header too
- Unstuff `format=flowed`
Distfile changes.
1. Official annoucne says "The only change here is that the configure.ac
file has correctly formatted version number."
2. Name of distfile is changed to match previous file naming scheme.
Old distfile is still available.
3. automake 1.15.1 is used instead of previous 1.15. So, generated files
by it are changed.
4. Other files are not changed, so there is no functional change.
Bump PKGREVISION.
correct install_name_tool -id on macOS, where this fixes CHECK_SHLIBS
(and probably runtime behavior too). While here, the patch to link with
-lrt on NetBSD has been upstreamed; remove. Bump PKGREVISION.
Update dovecot2-pigeonhole to 0.5.11.
v0.5.11 2020-08-12 Aki Tuomi <aki.tuomi@open-xchange.com>
* managesieve: managesieve_max_line_length setting is now a "size" type
instead of just number of bytes. This allows using e.g. "64k" as the
value.
- lib-sieve: When folding white space is used in the Message-ID header,
it is not stripped away correctly before the message ID value is used,
causing e.g. garbled log lines at delivery.
Update roundcube to 1.4.8, security release.
RELEASE 1.4.8
-------------
- Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507)
- Managesieve: Fix too-small input field in Elastic when using custom headers (#7498)
- Fix support for an error as a string in message_before_send hook (#7475)
- Elastic: Fix redundant scrollbar in plain text editor on mail reply (#7500)
- Elastic: Fix deleted and replied+forwarded icons on messages list (#7503)
- Managesieve: Allow angle brackets in out-of-office message body (#7518)
- Fix bug in conversion of email addresses to mailto links in plain text messages (#7526)
- Fix format=flowed formatting on plain text part derived from the HTML content (#7504)
- Fix incorrect rewriting of internal links in HTML content (#7512)
- Fix handling links without defined protocol (#7454)
- Fix paging of search results on IMAP servers with no SORT capability (#7462)
- Fix detecting special folders on servers with both SPECIAL-USE and LIST-STATUS (#7525)
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious math content
* Drop support for EOL Python 3.4, add support for Python 3.8
* Add List_ID and List_Post headers to the generated emails
* Add a new `reply-changes` setting
* Improve configurability of text wrapping for the emails
* Use `platform.node()` instead of "dev.null.invalid" in
"Message-ID" header
* Improve locking support for when multiple rss2email instances are run
in parallel
* Fix handling of __VERSION__ and __URL__ in user-agent strings
* Fix opmlexport
Use res_ndestroy() instead of res_nclose() to properly cleanup resources
on NetBSD (and others that use __res_ndestroy() or res_ndestroy() instead
of res_nclose()). Original patch by Roy Marples.
Upstream changes:
version 3.005: Wed 22 Jul 10:40:05 CEST 2020
Improvements:
- warn to use ::SMTP, not ::SendMail on bulk messages.
- much lower elapse time on ::SMTP (local?) delivery.
version 3.004: Fri 3 May 09:29:07 CEST 2019
Improvements:
- add imap/imap4
Enigmail 2.1.7
Released 2020-06-27, works with Thunderbird 68 and Postbox 7.
Notable Changes
This release displays information about the upcoming release of Thunderbird 78.
This is a bug-fix release fixing a problem resetting access times that snuck
in starting with 1.11.0. This only affected relative-path mailboxes, but
caused Mutt to "forget" new mail in mbox files.
Changelog:
Notmuch 0.30 (2020-07-10)
=========================
S/MIME
------
Handle S/MIME (PKCS#7) messages -- one-part signed messages, encrypted
messages, and multilayer messages. Treat them symmetrically to
OpenPGP messages. This includes handling protected headers
gracefully.
If you're using Notmuch with S/MIME, you currently need to configure
gpgsm appropriately.
Mixed-up MIME Repair
--------------------
Detect and automatically repair a common form of message mangling
created by Microsoft Exchange (see index.repaired=mixedup in
notmuch-properties(7)).
Protected Headers
-----------------
Avoid indexing the legacy-display part of an encrypted message that
has protected headers (see
index.repaired=skip-protected-headers-legacy-display in
notmuch-properties(7)).
Python
------
Drop support for python2, focus on python3.
Introduce new CFFI-based python bindings in the python module named
"notmuch2". Officially deprecate (but still support) the older
"notmuch" module.
Dependencies
------------
Support for Xapian 1.2 is removed. The minimum supported version of
Xapian is now 1.4.0.
Notmuch 0.29.3 (2019-11-27)
===========================
General
-------
Fix for use-after-free in notmuch_config_list_{key,val}.
Fix for double close of file in notmuch-dump.
Debian
------
Drop python2 support from shipped debian packaging.
Notmuch 0.29.2 (2019-10-19)
===========================
General
-------
Fix for file descriptor leak when opening gzipped mail files. Thanks
to James Troup for the bug report and the fix.
Notmuch 0.29.1 (2019-06-11)
===========================
Build
-----
Fix for installation failure with `configure --without-emacs`.
Update roundcube to 1.4.7.
RELEASE 1.4.7
-------------
- Fix bug where subfolders of special folders could have been duplicated on folder list
- Increase maximum size of contact jobtitle and department fields to 128 characters
- Fix missing newline after the logged line when writing to stdout (#7418)
- Elastic: Fix context menu (paste) on the recipient input (#7431)
- Fix problem with forwarding inline images attached to messages with no HTML part (#7414)
- Fix problem with handling attached images with same name when using database_attachments/redundant_attachments (#7455)
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
Changelog:
Fixes
fixed Chat: Topics displayed some characters improperly
fixed Calendar: Filtering tasks did not work when "Incomplete Tasks" was selected
Security fixes:
CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64
#CVE-2020-12418: Information disclosure due to manipulated URL object
#CVE-2020-12419: Use-after-free in nsGlobalWindowInner
#CVE-2020-12420: Use-After-Free when trying to connect to a STUN server
#MFSA-2020-0001: Automatic account setup leaks Microsoft Exchange login credentials
#CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates
Update postfix to 3.5.4.
Fixed in Postfix 3.5.4, 3.4.14:
* The connection_reuse attribute in smtp_tls_policy_maps always
resulted in an "invalid attribute name" error. Fix by Thorsten
Habich.
* SMTP over TLS connection reuse always failed for Postfix SMTP
client configurations that specify explicit trust anchors (remote
SMTP server certificates or public keys). Reported by Thorsten
Habich.
Fixed in Postfix versions 3.5.4, 3.4.14, 3.3.12, 3.2.17:
* The Postfix SMTP client's DANE implementation would always send
an SNI option with the name in a destination's MX record, even
if the MX record pointed to a CNAME record. MX records that
point to CNAME records are not conformant with RFC5321, and so
are rare.
Based on the DANE survey of ~2 million hosts it was found that
with the corrected SMTP client behavior, sending SNI with the
CNAME-expanded name, the SMTP server would not send a different
certificate. This fix should therefore be safe.
Instead:
1. Package makefiles including their own options.mk
2. Packages say "SUBST_CLASSES+=djberrno" to get the hack, if needed
3. Packages adjust SUBST_FILES.djberrno, if needed
Should fix bulk build failures due to multiple inclusions of options.mk
and/or incorrect definitions of DJB_ERRNO_HACK.
Approved during the freeze by wiz@.
This release fixes a regression from the 1.14.3 release. Encryption settings
are no longer checked when using $tunnel to connect to a preauthenticated IMAP
server.
