2006-03-17 David F. Skoll
* VERSION 5.420 RELEASED
* Fix regression introduced in 5.419 -- quoted-printable
encoding would sometimes fail on "textual" MIME parts.
> 8.13.6/8.13.6 2006/03/22
> SECURITY: Replace unsafe use of setjmp(3)/longjmp(3) in the server
> and client side of sendmail with timeouts in the libsm I/O
> layer and fix problems in that code. Also fix handling of
> a buffer in sm_syslog() which could have been used as an
> attack vector to exploit the unsafe handling of
> setjmp(3)/longjmp(3) in combination with signals.
> Problem detected by Mark Dowd of ISS X-Force.
> Handle theoretical integer overflows that could be triggered if
> the server accepted headers larger than the maximum
> (signed) integer value. This is prevented in the default
> configuration by restricting the size of a header, and on
> most machines memory allocations would fail before reaching
> those values. Problems found by Phil Brass of ISS.
> If a server returns 421 for an RSET command when trying to start
> another transaction in a session while sending mail, do
> not trigger an internal consistency check. Problem found
> by Allan E Johannesen of Worcester Polytechnic Institute.
> If a server returns a 5xy error code (other than 501) in response
> to a STARTTLS command, despite the fact that it advertised
> STARTTLS and that the code is not valid according to RFC
> 2487, treat it nevertheless as a permanent failure instead
> of a protocol error (which had been changed to a
> temporary error in 8.13.5). Problem reported by Jeff
> A. Earickson of Colby College.
> Clear SMTP state after a HELO/EHLO command. Patch from John
> Myers of Proofpoint.
> Observe MinQueueAge option when gathering entries from the queue
> for sorting etc. instead of waiting until the entries are
> processed. Patch from Brian Fundakowski Feldman.
> Set up TLS session cache to properly handle clients that try to
> resume a stored TLS session.
> Properly count the number of (direct) child processes such that
> a configured value (MaxDaemonChildren) is not exceeded.
> Based on patch from Attila Bruncsak.
> LIBMILTER: Remove superfluous backslash in macro definition
> (libmilter.h). Based on patch from Mike Kupfer of
> Sun Microsystems.
> LIBMILTER: Don't try to set SO_REUSEADDR on UNIX domain sockets.
> This generates an error message from libmilter on
> Solaris, though other systems appear to just discard the
> request silently.
> LIBMILTER: Deal with sigwait(2) implementations that return
> -1 and set errno instead of returning an error code
> directly. Patch from Chris Adams of HiWAAY Informations
> Services.
> Portability:
> Fix compilation checks for closefrom(3) and statvfs(2)
> in NetBSD. Problem noted by S. Moonesamy, patch from
> Andrew Brown.
> Major changes compared to the Turba H3 (2.1) version are:
> * Fixed losing sessions when editing address books.
> * Added upgrade script for Oracle to upgrade from 1.2 to 2.x.
> * Fixes and improvements to the create_default_histories.php and
> public_to_horde_share.php scripts.
> * Updated Danish, Dutch, German, Greek, Estonian and Japanese translations.
> * Small bugfixes and improvements.
>
> The full list of changes (from version H3 (2.1)) can be viewed here:
>
> http://cvs.horde.org/diff.php/turba/docs/CHANGES?r1=1.181.2.68&r2=1.181.2.80&ty=h
>
> Major changes compared to the Ingo H3 (1.1) version are:
> * Restored backward compatibility with Horde 3.0.x.
> * Enabled the filter setting to stop further filtering by default.
> * Small bug fixes and improvements.
> * New translations: Estonian, Greek.
> * Updated translations: Danish, Dutch, German.
>
> The full list of changes (from version H3 (1.1)) can be viewed here:
>
> http://cvs.horde.org/diff.php/ingo/docs/CHANGES?r1=1.55.2.39&r2=1.55.2.49&ty=h
changes since 1.0beta7:
* Fixed a security hole with mbox: "1 LIST .. *" command could
list all directories and files under the mbox root directory, so
if your mails were stored in e.g. the /var/mail/%u/ directory, the
command would list everything under /var/mail.
+ Unless nfs_check=no or mmap_disable=yes, check for the first login
if the user's index directory exists in NFS mount. If so, refuse to
run. This is done only on first login to avoid constant extra
overhead.
+ If we have plugins set and imap_capability unset, figure out the
IMAP capabilities automatically by running imap binary at startup.
The generated capability list isn't updated until Dovecot is
restarted completely, so if you add or remove IMAP plugins you
should restart. If you have problems related to this, set
imap_capabilities setting manually to work around it.
+ Added auth_username_format setting
- pop3_lock_session setting wasn't really working
- Lots of fixes related to quota handling. It's still not working
perfectly though.
- Lots of index handling fixes, especially with mmap_disable=yes
- Maildir: saving mails could have sometimes caused "Append with UID
n, but next_uid = m" errors
- flock() locking never timed out because ignoring SIGALRM caused the
system call just to be restarted when SIGALRM occurred (probably not
with all OSes though?)
- kqueue: Fixed "Unrecognized event". Patch by Vaclav Haisman
general idea is that the client should never know that it's not talking to
the real IMAP server. The only thing that makes this a slightly unique Imap
Proxy server is that it caches server connections.
RELEASE 3.6.5-STABLE
MAINT: PgSQL SQL tuning
MAINT: WebUI aesthetic and functional fixes
MAINT: Added --disable-syslog and --with-logfile= configuration flags
MAINT: Added -t flag for dspam_stats to total stats
MAINT: Markov result used as X-DSPAM-Confidence when Markov used
MAINT: Support for separate read/write servers to be used with mysql_drv
BUGFIX: Spam is quarantined when --deliver=summary
BUGFIX: Admin graphs malformed when subject contains newline character
BUGFIX: WebUI does not use MAX_COL_LEN
BUGFIX: Output for dspam_admin aggr pref incorrect
BUGFIX: Flat-file preference writes fail on some systems
BUGFIX: Failure to connect to ClamAV causes segmentation fault
BUGFIX: NULL username in system causes segmentation fault
BUGFIX: ClamAV processing and cleanup issues
BUGFIX: Fragment files overwritten on retrain
BUGFIX: Miscellaneous invalid read / segmentation fault bugs
BUGFIX: If TrainingMode not specified in dspam.conf or passed in, segmentation fault
BUGFIX: No output returned when using --deliver=summary with dspamc
RELEASE 3.6.4-STABLE
DOC: Documented user preferences in README
MAINT: Added dspam_train tool, replacing most functions of dspam_corpus
MAINT: Code cleanup and performance improvements
MAINT: Significant improvements in accuracy, specifically reduced false pos.
MAINT: Removed experimental neural collaboration functions
MAINT: Added ClassAlias configuration directive to dspam.conf
MAINT: Added undo option for retraining via WebUI
MAINT: Added storeFragments support to WebUI
MAINT: Added mass-retraining support to WebUI
BUGFIX: DSPAM segfaults when invalid UID specified using UIDInSignature
BUGFIX: No output when using --classify with --client
BUGFIX: dspam_corpus overrides default dspam.conf settings
BUGFIX: Multi-driver builds fail when preferences-extension is not supported
Prior to this release, there is a security vulnerability, the same as in
squirrelmail 1.4.5.
This update was made with a temporary Japanese patch based on the patch
for 1.4.5.
symmetry between installation from source and from binary package.
Annotate MESSAGE accordingly, so that those using apop can do it
themselves. Bump revision.
be created just before its "configure" phase, obviating the need
for the hackish dependency on a qmail-users package. Since the new
functionality in bsd.pkginstall.mk also records and enforces numeric
UIDs and GIDs in binary packages, remove the note on that matter
from MESSAGE.
Bump PKGREVISION.
+ Add an INSTALL script that detects the presence of the old
sqwebmail state directory and that informs the admin to move it
to the new location.
+ Install some more of the HTML documentation in the location expected
by courier-mta.
* Complete re-implementation of the LDAP addressbook.
* Increase the maximum size of the CGI environment to avoid certain
classes of browser/website problems.
+ Install some more of the HTML documentation in the location expected
by courier-mta.
+ Moved the default locations for the imapd and pop3d SSL certificates
into ${PKG_SYSCONFDIR}. These paths may be changed directly in the
imapd-ssl and pop3d-ssl configuration files by modifying TLS_CERTFILE.
* New capability to control announcements of IMAP ACL support when
starting imapd.
* Optimization: Skip going through the motions of outputting the results
of a SORT if the number of sorted messages is 0.
* Have CREATE and RENAME also create courierimapuidlist.
* Log total bytes sent/received in IMAP and POP3 sessions.
+ Install the makedat documentation; even though "makedat" is part
of courier-authlib, that package installs no documentation for
it, and "makedat" is used quite frequently in conjunction with
maildrop.
* fix for RFC822 compliance -- encode spaces that precede a newline.