These packages are susceptible to bugs when confronted with non-ASCII
characters.
See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94182.
It takes some time to analyze and fix these individually, therefore they
are only marked as "needs work".
Changes:
- Bugfixes on QUOTA
- Various warning fixes & build fixes
- Added IMAP CLIENTID / SMTP CLIENTID support
- Use Cyrus SASL 2.1.27
- Support of TLS SNI
- LMDB for cache DB
- Fixed build with recent versions of curl
upstream changes:
-----------------
Postfix versions 3.5.2, 3.4.12, 3.2.10, 3.2.15:
* A TLS error for a database client caused a false 'lost connection' error for an SMTP over TLS session in the same Postfix process. Reported by Alexander Vasarab, diagnosed by Viktor Dukhovni. This bug was introduced with Postfix 2.2.
* The same bug existed in the tlsproxy(8) daemon, where a TLS error for one TLS session could cause a false 'lost connection' error for a concurrent TLS session in the same process. This bug was introduced with Postfix 2.8.
* The Postfix build now disables DANE support on Linux systems with libc-musl, because libc-musl provides no indication whether DNS responses are authentic. This broke DANE support without a clear explanation.
* Due to implementation changes in the ICU library, some Postfix daemons reported file access errors (U_FILE_ACCESS_ERROR) after chroot(). This was fixed by initializing the ICU library before making the chroot() call.
* Minor code changes to silence a compiler that special-cases string literals.
Postfix 3.5.2, 3.4.12:
* Segfault in the tlsproxy(8) client role when the server role was disabled. This typically happened on systems that do not receive mail, after configuring connection reuse for outbound SMTP over TLS.
* The date portion of the maillog_file_rotate_suffix default value used the minute (%M) instead of the month (%m). Reported by Larry Stone.
Update dovecot2 to 2.3.10.1.
v2.3.10.1 2020-05-18 Aki Tuomi <aki.tuomi@open-xchange.com>
- CVE-2020-10957: lmtp/submission: A client can crash the server by
sending a NOOP command with an invalid string parameter. This occurs
particularly for a parameter that doesn't start with a double quote.
This applies to all SMTP services, including submission-login, which
makes it possible to crash the submission service without
authentication.
- CVE-2020-10958: lmtp/submission: Sending many invalid or unknown
commands can cause the server to access freed memory, which can lead
to a server crash. This happens when the server closes the connection
with a "421 Too many invalid commands" error. The bad command limit
depends on the service (lmtp or submission) and varies between 10 to
20 bad commands.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
address that has the empty quoted string as local-part causes the lmtp
service to crash.
from GitHub user @sjorge + extra patch from me
Closes NetBSD/pkgsrc#60
2.5: 01 Apr 2020
* [Conf] Mark Rspamd emailbl as ignore whitelist
* [Conf] RBL: Add missing emails = true option
* [Feature] Add support for scripts in fuzzy storage
* [Feature] Arc: Add whitelisted_signers_map option
* [Feature] Implement hosts file processing
* [Feature] Neural: Introduce classes bias that allows non-equal classes learning
* [Feature] Update libev to 4.33
* [Fix] Another brain damage html standard adoptions
* [Fix] Another fix for brain damaged obs-fws state
* [Fix] Fix flags that caused force_actions failure
* [Fix] Fix logging issue
* [Fix] Fix lua symbols scores registration when config does not define scores
* [Fix] Fix opaque maps logic
* [Fix] Fix parsing of the html tags with no spaces after attributes
* [Fix] Fix some corner cases in urls parsing, add limits
* [Fix] Fix tlds extraction if custom composition rules are used
* [Fix] Fix variables replacement in mempool
* [Fix] Improve base64 detection
* [Fix] Normalize dynamic scores in ANN correctly
* [Fix] Plug memory leak introduced by #3153
* [Fix] Stat_redis_backend: Fix memory leak and simplify learn path
* [Fix] Try hard to deal with ghost workers
* [Fix] metadata_exporter default formatter
* [Rework] Change the way to extract URLs when dealing with alternative parts
* [Rework] Fix various url extraction issues
* [Rework] Re cache: Load compiled hyperscan in the main process as well
* [Rework] Re cache: Load hyperscan early
* [Rework] Rework URL structure: adjust tld part
* [Rework] Rework URL structure: host field
* [Rework] Rework URL structure: more structure optimisations
* [Rework] Rework URL structure: user field
* [Rework] URL: Another update for urls extraction logic
* [Rework] Urls: Improve query urls handling
* [Rework] Urls: adopt html related stuff
* [Rework] Urls: more rework of the urls sets
* [Rework] Urls: process query urls in HTML urls correctly
* [Rework] Urls: rework urls hash structure
* [Rework] Urls: update lua libraries
* [Rework] Use multiple search tries for different url extraction types
2.4: 26 Feb 2020
* [CritFix] Fix parsing of the content type attributes
* [Feature] Clickhouse: Add extra columns support
* [Feature] Rbl: Add url_compose_map option for RBL rules
* [Fix] 'R' flag is for all headers regexp
* [Fix] Allow to reset settings id from Lua (e.g. because of the priority)
* [Fix] Avoid collisions in mempool variables by changing fuzzy caching logic
* [Fix] Avoid strdup usage for symbols options
* [Fix] Do not trust stat(2) it lies
* [Fix] Filter all options for symbols to have sane characters
* [Fix] Fix all headers iteration
* [Fix] Fix allowed_settings for neural
* [Fix] Fix listen socket parsing
* [Fix] Fix maps expressions evaluation
* [Fix] Fix sentinel connections leak by using async connections
* [Fix] Fix smtp message on passthrough result
* [Fix] Fix tld composition rules
* [Fix] Fuzzy_storage: Do not check for shingles if a direct hash has been found
* [Fix] Lua_mime: Do not perform QP encoding for 7bit parts
* [Fix] Neural: Distinguish missing symbols from symbols with low scores
* [Fix] Support listening on systemd sockets by name
* [Project] Add lua_urls_compose library
* [Project] Allow to set a custom log function to the logger
* [Project] CDB maps: Start making cdb a first class citizen
* [Project] Clickhouse: Add extra columns concept
* [Project] Fix urls composition rules, add unit tests
* [Project] Unify cdb maps
* [Rework] Logger infrastructure rework
* [Rework] Refactor libraries structure
* [Rework] Rework SSL caching
* [Rework] Update snowball stemmer to 2.0 and remove all crap aside of UTF8
Without this escaping, mk/subst.mk sees that there are no actual changes
with the default setup. Nevertheless, mk/scripts/subst-identity.awk does
not classify the sed command as an identity transformation because there
_might_ be the text /etc/policyd-weightXconf, and the X would match the
dot. Therefore, subst.mk aborts the build when it is in SUBST_NOOP_OK=no
mode.
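The point above is that an unescaped `.` in a sed pattern is a regular-expression metacharacter, so a command that looks like a no-op can still rewrite unrelated paths. The following shell snippet is an added illustration, not part of pkgsrc or of subst.mk itself; the three sample path strings and the `count_matches` and `apply_subst` helper names are constructed for the example. It runs the same `s,PATTERN,REPLACEMENT,` command once with the unescaped dot and once with `\.`, and counts how many sample lines each pattern matches.

```shell
#!/bin/sh
# Added example (not from pkgsrc): why an unescaped '.' in a sed/grep basic
# regular expression is not an identity transformation. The path strings used
# below are constructed sample inputs.

# Returns 0 if PATTERN (a basic regular expression) matches LINE, else 1.
bre_matches() {
    printf '%s\n' "$2" | grep -q -e "$1"
}

# Prints how many of three constructed sample lines PATTERN matches.
# Only the first line contains a literal dot; the other two have a different
# character in the same position.
count_matches() {
    pattern=$1
    n=0
    for line in '/etc/policyd-weight.conf' \
                '/etc/policyd-weightXconf' \
                '/etc/policyd-weight-conf'; do
        if bre_matches "$pattern" "$line"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Runs the substitution s,PATTERN,REPLACEMENT, over LINE and prints the result,
# the way a SUBST_SED entry is applied to a file.
apply_subst() {
    printf '%s\n' "$3" | sed -e "s,$1,$2,"
}

# Unescaped dot: matches all three sample lines, so the "identity" substitution
# silently rewrites /etc/policyd-weightXconf into /etc/policyd-weight.conf.
echo "unescaped matches: $(count_matches '/etc/policyd-weight.conf')"
apply_subst '/etc/policyd-weight.conf' '/etc/policyd-weight.conf' \
            'see /etc/policyd-weightXconf'

# Escaped dot: matches only the literal path, and the substitution is a true
# identity on every input, which is what subst-identity.awk can recognise.
echo "escaped matches: $(count_matches '/etc/policyd-weight\.conf')"
apply_subst '/etc/policyd-weight\.conf' '/etc/policyd-weight.conf' \
            'see /etc/policyd-weightXconf'
```

Run it as `sh example.sh`; the unescaped variant reports three matches and prints the rewritten line, while the escaped variant reports one match and leaves the input unchanged.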
Update ruby-actionmailbox60 to 6.0.3.
## Rails 6.0.3 (May 06, 2020) ##
* Update Mandrill inbound email route to respond appropriately to HEAD requests for URL health checks from Mandrill.
*Bill Cromie*
Additions include:
* Support for XOAUTH2 authentication method in Gmail.
* PC-Alpine builds with LibreSSL and supports S/MIME.
* NTLM authentication support with the ntlm library, in Unix systems. Based
on code provided by Maciej W. Rozycki.
* Add /tls1_3 flag for servers that support it. Read more information in the
secure protocols help.
* To increase user's privacy, remove phone-home code that would prompt users
to send an email message upon starting Alpine for the first time for
purposes of counting. Your use of Alpine does not disclose information
about you or your use of Alpine to the developers of Alpine.
* New variable encryption-protocol-range that allows users to configure
versions of the SSL/TLS protocol that Alpine is restricted to try when
establishing a secure connection SSL/TLS to a remote server. The default
can be set at compilation time.
* Add -dict option to PC-Pico, which allows users to choose a dictionary when
spelling. Sample usage: -dict "en_US, de_DE, fr_FR".
* Improvements to the configure stage of compilation. Some of these
contributed by Helmut Grohne. See Bug 876164 in Debian.
* Add "remove password" command to the management screen for the password
file encryption key. This allows users to use their password file without
entering a master password.
* Add the "g" option to the select command that works in IMAP servers that
implement the X-GM-EXT-1 capability (such as the one offered by Gmail.)
This allows users to do selection in Alpine as if they were doing a search
in the web interface for Gmail.
* New variable close-connection-timeout, which tells Alpine to close a
connection that is having problems being kept alive after the number of
seconds configured in this variable, if the connection has not recovered.
The default is 0, which means to keep the connection alive and wait for the
connection to recover.
* When a message is of type multipart/mixed, and its first part is
multipart/signed, Alpine will include the text of the original message in a
reply message, instead of including a multipart attachment. Suggested by
Barry Landy.
* S/MIME: Some clients do not transform messages to canonical form when
signing first and encrypting second, which makes Alpine fail to parse the
signed data after encryption. Reported by Holger Trapp.
* Add /auth=XYZ to the way to define a server. This allows users to select
the method to authenticate to an IMAP, SMTP or POP3 server. Examples are
/auth=plain, or /auth=gssapi, etc.
* Add backward search in the index screen. Based on patch by Astyanax Foo,
submitted in 2009, but resubmitted by Erich Eckner on 2019.
* SMIME: When Alpine is set to validate a message using the user's store, and
user agrees to save a certificate of another user, use the saved
certificate immediately to verify the smime message. Reported by Stefan
Mueller.
* Do not use a delay when printing messages to screen when the initial
keystroke sequence of commands is active. Based on a report from Holger
Trapp.
* In PC-Alpine, when the decoded name of an attachment does not agree with
its encoded name, Alpine will offer to save the file using the UTF8 encoded
name.
Bugs that have been addressed include:
* Width of characters is not always determined correctly when wcwidth is
used. Revert to using code for the Windows operating system. Reported by
Andrew Ho.
* The call realpath(..., NULL) gives an error in Solaris, which means that we
need to allocate memory for storing the resolved path. Reported by Fabian
Schmidt.
* Crash when attempting to bounce a message due to lack of space in allocated
space for key menu array. Reported by David Sewell.
* Crash when a CA certificate failed to load, and user attempted to view
certificate information of other certificate authorities.
* Crash in the S/MIME configuration screen when a user turned off S/MIME, and
then re-enabled it. Also crash when attempting to enter the S/MIME
configuration screen if S/MIME was turned off.
* Deactivate some color code from Pico (as standalone editor in the windows
version) until I find a way to activate it again. This is not critical and
it is not something that PC-Pico must have (some of it already exists in
other ways, like color support, what does not exist is the more complex
code that Unix-Pico has with color codes for specific colors.)
* When a message is multipart, and the first part is flowed text, then
forwarding the message will set the first part to be flowed, and sent that
way even when the option Do Not Send Flowed Text is enabled. Reported by
Holger Trapp.
* When a message/rfc822 part of a message is encoded with
Content-Transfer-Encoding: QUOTED-PRINTABLE, Alpine will stop processing
that message. Later this causes Alpine to crash because when it displays
messages, it assumes that both header and body parts are processed.
Reported by Mark Crispin in 2010, in the Alpine-info list (message with
subject "crash bug in alpine/mailpart.c:format_msg_att()") with no example,
and reported now by Holger Trapp, with an example.
* In addition to the previous report, Alpine encodes message/rfc822 messages
as QUOTED-PRINTABLE, in contradiction with RFC 2045, when it receives a
report that its encoding is 8bit. We preserve the encoding reported by the
IMAP server, and do not encode in QUOTED-PRINTABLE.
* Update build.bat file to add /DWINVER=0x0501 so that Alpine can build when
using Visual Studio 2017. Fix contributed by Ulf-Dietrich Braunmann.
* When the locale is not set up to UTF-8, alpine might determine the width of
a character incorrectly. Reported by Alexandre Fedotov.
* In some rare cases, when attachments are deleted before saving emails, the
filenames will be displayed in RFC1522 representation, instead of in
decoded form. Reported and patched by Wang Kang.
* When colors are edited from the main setup configuration screen, some color
settings are not updated until Alpine is restarted. Reported by Andrew
Hill.
* If the first part of a message is multipart/alternative, and the first part
of this is also a multipart type, then Alpine might fail to select the
first text part when replying to a message. Reported by Lucio Chiappetti.
* TLS 1.2 does not work if Alpine is compiled with openssl >= 1.1.0.
Reported and patched by Kyle George.
* If the directory where Alpine saves the certificates is empty, alpine would
not create a self-signed certificate to encrypt the password file.
* S/MIME: The list of public certificates is freed before it is reused when a
signature fails to verify. This causes Alpine to crash. Patch submitted by
Linus Torvalds.
* S/MIME: A message could fail to verify its signature even if the
certificate was saved when the message was open. Based on a report by David
Woodhouse to the RedHat bugzilla system.
* When there are time changes in the clock, Alpine might go to sleep for big
amounts of time while displaying messages in the screen. Reset sleep time
to 5 seconds in case it finds it needs to sleep more than 5 seconds or a
negative amount of time.
* Restore recognition of empty directories. It was deleted by mistake when
added support for internationalization in folders. Based on a report by
Michael Rutter.
* Alpine stops parsing the mailcap file when it finds an invalid entry.
Reported by Matt Roberds to the Debian bug system at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886370.
* Crash with error "Lock when already locked" when an attempt to check for
new mail on a locked stream that is being used for a save operation.
Reported by Carlos E.R.
* Alpine removes trailing spaces from passwords, making a login attempt
fail. Reported by R. Lyons.
* Alpine crashes when opening a remote imap folder and computing scores.
Reported by Paul DeStefano.
* When more than one server was given in the server-name configuration option
of rldap servers, none of them worked. Reported by Robert Wolf.
From jcea via pkgsrc-wip
2.1.33 (07-May-2020)
Security
- A content injection vulnerability via the private login page has been
fixed. (LP: #1877379)
2.1.32 (05-May-2020)
i18n
Fixed a typo in the Spanish translation and updated mailman.pot and
the message catalog for 2.1.31 security fix.
2.1.31 (05-May-2020)
Security
- A content injection vulnerability via the options login page has been
discovered and reported by Vishal Singh. This is fixed. (LP: #1873722)
i18n
- The Spanish translation has been updated by Omar Walid Llorente.
Bug Fixes and other patches
- Bounce recognition for a non-compliant Yahoo format is added.
- Archiving workaround for non-ascii in string.lowercase in some Python
packages is added.
2.1.30 (13-Apr-2020)
New Features
- Thanks to Jim Popovitch, there is now a dmarc_moderation_addresses
list setting that can be used to apply dmarc_moderation_action to mail
From: addresses listed or matching listed regexps. This can be used
to modify mail to addresses that don't accept external mail From:
themselves.
- There is a new MAX_LISTNAME_LENGTH setting. The fix for LP: #1780874
obtains a list of the names of all the lists in the installation
in order to determine the maximum length of a legitimate list name. It
does this on every web access and on sites with a very large number of
lists, this can have performance implications. See the description in
Defaults.py for more information.
- Thanks to Ralf Jung there is now the ability to add text based captchas
(aka textchas) to the listinfo subscribe form. See the documentation
for the new CAPTCHA setting in Defaults.py for how to enable this. Also
note that if you have custom listinfo.html templates, you will have to
add a <mm-captcha-ui> tag to those templates to make this work. This
feature can be used in combination with or instead of the Google
reCAPTCHA feature added in 2.1.26.
- Thanks to Ralf Hildebrandt the web admin Membership Management section
now has a feature to sync the list's membership with a list of email
addresses as with the bin/sync_members command.
- There is a new drop_cc list attribute set from DEFAULT_DROP_CC. This
controls the dropping of addresses from the Cc: header in delivered
messages by the duplicate avoidance process. (LP: #1845751)
- There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that will cause
a second request to subscribe to a list to be refused when there is
already a pending confirmation for that user. This can be set to Yes to
prevent mailbombing of a third party by repeatedly posting the subscribe
form. (LP: #1859104)
i18n
- The Japanese translation has been updated by Yasuhito FUTATSUKI.
- The German translation has been updated by Ludwig Reiter.
- The Spanish translation has been updated by Omar Walid Llorente.
- The Brazilian Portuguese translation has been updated by Emerson de Mello.
Bug Fixes and other patches
- Fixed the confirm CGI to catch a rare TypeError on simultaneous
confirmations of the same token. (LP: #1785854)
- Scrubbed application/octet-stream MIME parts will now be given a
.bin extension instead of .obj.
- Added bounce recognition for a non-compliant opensmtpd DSN with
Action: error. (LP: #1805137)
- Corrected and augmented some security log messages. (LP: #1810098)
- Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner --runner=All.
(LP: #1818205)
- Leading/trailing spaces in provided email addresses for login to private
archives and the user options page are now ignored. (LP: #1818872)
- Fixed the spelling of the --no-restart option for mailmanctl.
- Fixed an issue where certain combinations of charset and invalid
characters in a list's description could produce a List-ID header
without angle brackets. (LP: #1831321)
- With the Postfix MTA and virtual domains, mappings for the site list
-bounces and -request addresses in each virtual domain are now added
to data/virtual-mailman (-owner was done in 2.1.24). (LP: #1831777)
- The paths.py module now extends sys.path with the result of
site.getsitepackages() if available. (LP: #1838866)
- A bug causing a UnicodeDecodeError in preparing to send the confirmation
request message to a new subscriber has been fixed. (LP: #1851442)
- The SimpleMatch heuristic bounce recognizer has been improved to not
return most invalid email addresses. (LP: #1859011)
Thunderbird is no longer Mozilla-branded. It no longer uses gtk2.
Future versions of Thunderbird will not have ESR releases because
every Thunderbird release is now an ESR release.
Changelog:
Fixes
Account Manager: text fields were too small in some cases
Account Manager: Authentication method did not update when selecting an SMTP server
Links with embedded credentials did not open on Windows
Messages were sometimes sent with a badly formed address when filled from the address book
Accessibility: Screen readers were reporting too many activities from the status bar
MailExtensions: Setting IMAP messages as read with browser.messages.updated failed to persist
Various security fixes
Security fixes:
CVE-2020-12397: Sender Email Address Spoofing using encoded Unicode characters
CVE-2020-12387: Use-after-free during worker shutdown
CVE-2020-6831: Buffer overflow in SCTP chunk input validation
CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
CVE-2020-12395: Memory safety bugs fixed in Thunderbird 68.8.0
The package-specific options.mk is included by djbware.mk and must
therefore not be included by the package Makefile itself. This fixes the
PKG_SUPPORTED_OPTIONS displayed by show-options.
Found by making the package-settable variables in mk/bsd.options.mk
read-only.
Changes:
1.8.10
------
- The msmtpq script was fixed (it was accidentally broken in 1.8.8)
[that was partially fixed in 1.8.9, which was omitted in the release notes]
- Updated translations.
- New Serbian translation is included.
1.8.8
-----
- Added a new socket command and --socket option to connect via local sockets.
- Added a new tls_host_override command and --tls-host-override option to
override the host name used for TLS verification.
- Added a new set_from_header command and --set-from-header option with three
settings:
- on: always set a From header, possibly replacing an existing one
- off: never set a From header
- auto: add a From header if there is none (this is the default).
This replaces the add_missing_from_header option (which remains supported).
- Added a new set_date_header command and --set-date-header option with two
settings:
- off: never set a Date header
- auto: add a Date header if there is none (this is the default).
This replaces the add_missing_date_header option (which remains supported).
- Fixed the handling of empty From headers with --read-recipients/-t.
- Fixed the source_ip command for proxies.
Update roundcube, roundcube-plugin-enigma and roundcube-plugin-zipdownload to
1.4.4. This includes security fixes.
RELEASE 1.4.4
-------------
- Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
- Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
- Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
- Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
- Elastic: Fix color of a folder with recent messages (#7281)
- Elastic: Restrict logo size in print view (#7275)
- Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)
- Fix missing contact display name in QR Code data (#7257)
- Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
- Fix regression in testing database schema on MSSQL (#7227)
- Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
- Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
- Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
- Fix handling keyservers configured with protocol prefix (#7295)
- Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
- Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
- Fix so imap error message is displayed to the user on folder create/update (#7245)
- Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
- Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
- Fix characters encoding in group rename input after group creation/rename (#7330)
- Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
- Make install-jsdeps.sh script work without the 'file' program installed (#7325)
- Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
- Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
- Security: Fix XSS issue in handling of CDATA in HTML messages
- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
- Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
- Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
RELEASE 1.4.3
-------------
- Enigma: Fix so key list selection is reset when opening key creation form (#7154)
- Enigma: Fix so using list checkbox selection does not load the key preview frame
- Enigma: Fix generation of key pairs for identities with IDN domains (#7181)
- Enigma: Display IDN domains of key users and identities in UTF8
- Enigma: Fix bug where "Send unencrypted" button didn't work in Elastic skin (#7205)
- Managesieve: Fix bug where it wasn't possible to save flag actions (#7188)
- Markasjunk: Fix bug where marking as spam/ham didn't work on moving messages with drag-and-drop (#7137)
- Elastic: Fix disappearing sidebar in mail compose after clicking Mail button
- Elastic: Fix incorrect aria-disabled attribute on Mail taskmenu button in mail compose
- Elastic: Fix bug where it was possible to switch editor mode when 'htmleditor' was in 'dont_override' (#7143)
- Elastic: Fix text selection in recipient inputs (#7129)
- Elastic: Fix missing Close button in "more recipients" dialog
- Elastic: Fix non-working folder subscription checkbox for newly added folders (#7174)
- Fix regression where "Open in new window" action didn't work (#7155)
- Fix PHP Warning: array_filter() expects parameter 1 to be array, null given in subscriptions_option plugin (#7165)
- Fix unexpected error message when mail refresh involves folder auto-unsubscribe (#6923)
- Fix recipient duplicates in print-view when the recipient list has been expanded (#7169)
- Fix bug where files in skins/ directory were listed on skins list (#7180)
- Fix bug where message parts with no Content-Disposition header and no name were not listed on attachments list (#7117)
- Fix display issues with mail subject that contains line-breaks (#7191)
- Fix invalid Content-Transfer-Encoding on multipart messages - Mail_Mime fix (#7170)
- Fix regression where using an absolute path to SQLite database file on Windows didn't work (#7196)
- Fix using unix:///path/to/socket.file in memcached driver (#7210)