RELEASE 1.1.2
-------------
- Add new plugin hook 'identity_create_after' providing the ID of the inserted identity (#1490358)
- Add option to place signature at bottom of the quoted text even in top-posting mode [sig_below]
- Fix handling of %-encoded entities in mailto: URLs (#1490346)
- Fix zipped messages downloads after selecting all messages in a folder (#1490339)
- Fix vpopmaild driver of password plugin
- Fix PHP warning: Non-static method PEAR::setErrorHandling() should not be called statically (#1490343)
- Fix tables listing routine on mysql and postgres so it skips system or other database tables and views (#1490337)
- Fix message list header in classic skin on window resize in Internet Explorer (#1490213)
- Fix so text/calendar parts are listed as attachments even if not marked as such (#1490325)
- Fix lack of signature separator for plain text signatures in html mode (#1490352)
- Fix font artifact in Google Chrome on Windows (#1490353)
- Fix bug where forced extwin page reload could exit from the extwin mode (#1490350)
- Fix bug where some unrelated attachments in multipart/related message were not listed (#1490355)
- Fix mouseup event handling when dragging a list record (#1490359)
- Fix bug where preview_pane setting wasn't always saved into user preferences (#1490362)
- Fix bug where messages count was not updated after message move/delete with skip_deleted=false (#1490372)
- Fix security issue in contact photo handling (#1490379)
- Fix possible memcache/apc cache data consistency issues (#1490390)
- Fix bug where imap_conn_options were ignored in IMAP connection test (#1490392)
- Fix bug where some files could have "executable" extension when stored in temp folder (#1490377)
- Fix attached file path unsetting in database_attachments plugin (#1490393)
- Fix issues when using moduserprefs.sh without --user argument (#1490399)
- Fix potential info disclosure issue by protecting directory access (#1490378)
- Fix blank image in html_signature when saving identity changes (#1490412)
- Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#1490402)
- Fix XSS vulnerability in _mbox argument handling (#1490417)
Update prepared in wip by Petar Bogdanovic.
* Remove INSTALL and add fix-map to rc-scripts instead (start_precmd).
* Remove dccm option because it was never properly tested. If someone
wants it back, let OWNER know.
* Remove dcc-spamassassin.pre. DCC.pm will use cdcc in order to obtain
homedir and therefore the location of the dccifd socket.
* Add several minor build/install patches.
* Remove do-install target since the default (DESTDIR-enabled) install
now works well enough.
CHANGES:
1.3.158
Do not flood any reports to peers with "leaf=0"
Fix crash in dccm, dccifd, and dccproc when time jumps backwards by
more than than 1 millisecond.
Adjust Makefiles for recent NetBSD.
1.3.155
Fix `cdcc "help flood"`
Try `cc -E -w` in ./configure to avoid fatal gcc warning about
CPPFLAGS=-D_FORTIFY_SOURCE=2 that currently breaks DCC packaging
on archlinux and will affect other systems.
1.3.154
Fix editline build problem in cdcc reported by Robert Pelletier.
1.3.153
Resolve confusion between dccifd ASCII protocol options "no-grey"
and "grey-off" pointed out by Mark Thomas.
1.3.152
In `cdcc clients` output, suppress individual client addresses covered
by an address block in the server /var/dcc/blacklist file except when
explicitly requested as in `cdcc "clients 10.2.3.0/24"`.
1.3.151
Compress bad client addresses for `cdcc clients`.
1.3.148
Answer clients with bad client-IDs and passwords as if they were
using the anonymous client-ID.
Improve counting by dccd of clients in address blocks.
1.3.147
Fix missing clients in `cdcc clients`.
Fix NetBSD threads problem 1.3.146 reported by Petar Bogdanovic.
1.3.146
Add -I to `cdcc clients`
Reduce dccifd thread stack size to 512 KBytes for busy 32-bit systems
Fix some problems in the Windows version of dccproc.
1.3.145
Suppress some error messages about broken DCC clients from dccd.
Fix default start and stop Linux run levels in rcDCC as suggested by
Herve Eychenne.
Change start-dccifd to use `kill` instead of `/bin/kill` to accommodate
Linux systems where /bin/kill does not understand `/bin/kill -9 -$PID`
as the way to kill a process group.
`cdcc src` now accepts a pair of IPv4,IPv6 addresses.
Requests from anonymous DCC clients to the public DCC servers are grouped
by IPv4 /24 or IPv6 /56 address blocks for inflating the delay.
1.3.144
Fix a rare crash of dccd, the server daemon.
Allow "." in -B for dccifd, dccm, and dccproc as the base domain
name of DNSBL to support detecting and rejecting mail containing
URLs listed in a response policy zone (RPZ).
1.3.143
Fix `dccifd -V` broken in 1.3.142 reported by Chris Burton.
Fix "incompatible whitelist" SMTP bug in dccifd introduced in 1.3.139.
Deal with default -mstructure-size-boundary=8 in FreeBSD on ARM as
suggested by Ronald Klop. However, intermittent failures of
`cdcc "id 1; stats"` on FreeBSD 9.0-STABLE on a system with a
"Feroceon 88FR131 rev 1 (Marvell core)" seem to be caused by broken
consistency between write() and mmap(). That suggests that while
the DCC client software should generally work, the DCC server will
occassionally fail mysteriously.
Fix dccm parsing of Received headers for MX and MXDCC whiteclnt lines
that broke in verseion 1.3.139.
1.3.142
Improve physical page locality of the DCC server's use of the database
hash table and so improve server performance.
The nagios script in var/dcc/libexec/dcc-nagios now compares the clock
on the DCC server with the local clock.
`cdcc -VV` and other commands produce the ./configure parameters used to
build them.
Build cdcc with editline.
Add -P to dccproc, dccifd, dccm, and dccsight.
1.3.141
Fix "MTA-last" in dcc man page as suggested by Bram Grietens.
Fix no_forced-discard typo reported by Bram Grietens.
Fix dccm to honor `hackmc -R` and discard relay attacks.
misc/DCC.pm, which is generated from misc/DCC.pm.in, is now very
similar to what will probably be in SpamAssassin 3.4.
Fix problems finding native milter library for dccm pointed out by
Kevin A. McGrail.
Improve documentation or help output from the nagios plugin,
/var/dcc/libexec/dcc-nagios
Fix bug in misc/DCC.pm in dealing with mail that already has an
X-DCC header found and diagnosed by Herbert J. Skuhra.
1.3.140
tweak some HTML in the whiteclnt proof-of-concept pages
Fix bug in `wlist` display of address blocks reported by Rob McMahon.
Fix missing IP address in log files for mail from (as opposed to
relayed by) MX relays.
1.3.139
Give temporary rejections by dccm and dccifd for conflicting per-user
thresholds a separate message.
Add FreeBSD "faststart" to rcDCC.
1.3.138
Fix bad URL decoding reported by Kostik.
1.3.137
Fix some innocuous compilers warnings on Solaris and Ubuntu.
1.3.136
Fix dccd and cdcc for `cdcc clients` for large operation counts.
Deal with trailing '.' and other punctuation URLs in dccm, dccifd, and
dccproc as pointed out by Kostik. This changes the FUZ1 and FUZ2
checksums in some cases.
Fix a free(0).
1.3.135
/var/dcc/map on 32 and 64 bit versions of a system are now the same.
Dccproc, dccm, and dccifd decode HTML &#xxx character references in URLs.
Dccproc, dccm, and dccifd convert UTF-8 domain names to Punycode
before checking DNS blacklists.
Deal with Linux `logger` bug that does the wrong thing with something like
`logger message with -S dash S` as suggested by Leandro Santi.
1.3.134
Fix compile bug reported by Rob.McMahon involving old compilers
without "inline"
1.3.133
Fix DNSBL bugs in parsing http://example.com?parameter and
http://example.com:80 reported by Kostik
Increase number of distinct kinds of local or "substitute" headers that
can be locally white- or blacklisted to 8
1.3.132
Fix fstatfs() wrapper on Ubuntu and speed up dccd and dbclean when
a memory file system is used with -H.
1.3.131
Fix minor bug in updatedcc and fetch-testmsg-whitelist as suggested by
Taso N. Devetzis.
Find in_port_t in sys/types.h as reported by Josh Allen.
1.3.130
Fix serious bug reported by Bart Dumon in DNS whitelists on systems
without strlcpy().
1.3.129
Adjust dnswl.org in the sample dcc_conf file.
1.3.128
Support DNS whitelists. An example using dnswl.org is in the sample
homedir/dcc_conf file.
Fix dccproc, dccifd, and dccm crash in parsing Received: fields with
IPv6 addresses.
Parse IPv6 address literals lacking the "IPv6:" tag in Received: headers.
1.3.127
Fix problem with `dbclean -H` after a system reboot reported by Gary Mills.
Fix "duplicate symbol" problem on MacOS X or Darwin 10.3.0
reported by Robert Pelletier by removing the use of `ranlib -c`.
I hope this does not break things on older versions of MacOS X
or future DCC releases.
Fix printf compiler warnings on MacOS X.
1.3.126
Fix another problem in flooding server-ID types past server-ID mappings.
1.3.125
Fix stack corruption in version *.3.124.
1.3.124
Fix reporting of rogue server-IDs.
Remove vestiges of obsolete server-ID tracing.
Flood server-ID types past flod file mappings.
0.9.5:
* Avoid double free when extending HTTP message.
* Fix double free if multiple classifiers are defined.
* Fix misprint in spamassassin plugin.
* Fix cpuid invocation on i386.
* Fix ownership issues for zero-copy decode.
* Allow __len metamethod on rspamd{text}.
* Add base64 decoding lua utility.
* Fix build on FreeBSD
* Skip spaces at the beginning of mime messages.
* DBL_ABUSE_REDIR should not have significant weight.
* Allow to split by lua_regexp rspamd{text} objects.
* Allow to specify custom stop pattern for lua_tcp.
0.9.4:
* Fix critical bugs in tokenization algorithm
* Write unit tests for tokenization
* Add documentation for lua_tcp
* Switch off legacy tokenization by default.
* Fix critical bugs in words normalization
* Add lua bindings to tokenizer.
* Implement storing of HTTP headers inside task
* Add lua API to accerss HTTP headers data
* Implemented base64 encoding suitable for MIME
* Use caseless hash and equal functions for HTTP request headers.
* Improve debian architectures support (by @dottedmag)
0.9.3:
* Revert incorrect regexp change that broke the default rules
* Fix lua_tcp module
0.9.2:
* Fix error on spawning unique workers.
* Add preliminary version of generic LUA TCP requests API.
* Use lua 5.1 if luajit is not available (Arm64, PowerPC, s390x etc)
* Fix fuzzy mime strings with only type.
* Improve thunderbird sanity checks.
* Fix critical bug on matching regular expressions.
* Make hiredis optional dependency.
* Fix multiple bugs in daemon reloading
0.9.1:
* Restore utf8 validation for regular expressions to avoid crashes
* Fix symbols displaying in the interface
* Add symbol groups to the interface
* Fix maps ID parsing in the controller
* Add multimap and regexp modules documentation
* Backport fixes from libucl
* Fix debian package (by @dottedmag)
* Rework XXH32 invocations
0.9.0:
* Add support of the fast and secure protocol level encryption:
- curve25519 is used for key exchange;
- chacha20/poly1305 cryptobox construction for bulk encryption;
- zero latency overhead;
- encrypting and balancing HTTP proxy worker
* Rework expressions and create new expressions library:
- aggressive optimizations based on the abstract syntax tree;
- abstract expressions support (regular expressions, functions, lua modules
composites and so on)
- New comparision and '+' operators support
- New greedy algorithm to minimize execution time of expressions and
all symbols
- Dynamic expressions benchmark and reoptimizations
* Many improvements to the LUA API:
- reworked logger module allowing to do pretty print of the most of lua
types (including tables and userdata classes)
- reworked lua redis and lua HTTP to support more features
- added opaque type for passing large text chunks without copying
- new regexp module with many auxiliary functions (e.g. `re:split`)
* LuaJIT is now the default requirement for rspamd allowing to speed up lua
execution by a large margin (however, plain lua is still supported)
* New plugins:
- spamassassin rules plugin that allows to load and re-use the most of
SA rules natively
- DMARC plugin that evaluates SPF and DKIM policies to the domain policies
- many old plugins has been reworked to implement new features and improve
stability
* New aho-corasic trie implementation from @mischasan that allows to load and
use hundreds of thousands of patterns with no influence on load
* Support of PCRE JIT and PCRE JIT fast path modes that significantly improves
the performance of regular expressions if supported by PCRE
* New URLs parser and extractor:
- removed legacy code that was useless for url finding
- reworked algorithms of URL parsing for more precise and accurate results
- added top-level-domains tree from http://publicsuffix.org
- improved emails parsing
- removed many phishing false positives due to TLD tree check
* New statistics infrastructure:
- created a separate layer of statistic library
- improved OSB-Bayes by re-weighting tokens according to the original
academic paper and `crm114` implementation, which reduced false positives
rate significantly
- created learn cache to avoid double learning of statistics and providing
an efficient way to re-learn class for a message
- created abstract layers for different statistics backends
- implemented new tokenization algorithms with fast or secure (siphash)
hashes to generate statistics features
* Reworked utf8 tokenization that previously corrupted all UTF8 words (minor
incompatibility with old fuzzy hashes with utf-8 symbols)
* SPF module has been completely rewritten to support complex cases of
`include` and `redirect` within SPF records
* DKIM module now supports multiple signatures
* Controller passwords can now be stored encrypted by `PBKDF2-HMAC` in the
configuration file
* Many hand-written HTTP clients has been replaced with the common rspamd
http module
* New test framework:
- import lua `telescope` test framework
- add unit tests for many rspamd modules and routines
- create a unit test for each possible bug found
- use luajit ffi for testing C code
- added preliminary support of functional testing by creating tasks from lua
* Randomize hash seed to avoid certain hash tables vulnerabilities
* Documentation improvements:
- added documentation for the vast majority of rspamd modules
- added documentation for rspamd protocol
- added documentation for the most of rspamd LUA extensions
* Fixed tonns of bugs and memory leaks
* Added tonns of minor features
0.8.3:
* Various critical fixes in distribution (by @dottedmag and @fatalbanana)
* Fixed bugs in url detector to parse certain patterns
* Add default host and helo for a client
* Some sanity checks for tokenizer and classifier
* Reiterate on systemd support
* Fix missing symbol registration
* Add support of spamc compatible output
* Filter double-dots in rbl.lua validate_dns (by @fatalbanana)
* Update ucl submodule due to critical bugfix
0.8.2:
* Create fuzzy db if it does not exist
* Fix: Centos init script: configtest() (by @AlexeySa)
* Enable one_shot for RECEIVED_SPAMHAUS_XBL - Fixes#102 (by @fatalbanana)
* Update Exim patch (by @fatalbanana)
* Fix processing of unix sockets.
* Allow applying settings to authenticated users (by @fatalbanana)
* Make settings priorities work as documented (by @fatalbanana)
* Fix race condition in symbols planner
* Add DNSWL_BLOCKED symbol (by @fatalbanana)
* Make Exim pass usernames to rspamd (by @fatalbanana)
* Update RBL module (by @fatalbanana):
- fix indentation;
- collapse loops;
- avoid calling for un-needed information;
- allow disabling RBLs for authenticated users
* once_received.lua: Fix indentation & add exclusion for authenticated users (by @fatalbanana)
* hfilter.lua: Add exclusion for authenticated users (by @AlexeySa)
* Updates to hfilter rules (by @AlexeySa)
* Set empty <> user or addr for msgs without FROM (by @eneq123)
* Fix: attempt to index field '?' (a nil value) (by @eneq123)
* Fix: if not exist Date-header (by @AlexeySa)
* Add task:get_content() method.
* rbl.lua: Ignore private IP space (by @fatalbanana)
* Allow to check radix maps from lua by rspamd{ip}
* Make local exclusions configurable per-RBL (by @fatalbanana)
* Add rspamd_config:radix_from_config() (by @fatalbanana)
* Support emails dnsbl in rbl (by @fatalbanana)
* Complete rework of url extraction logic
* Allow customizations for unix sockets. (fixes#182)
* Set lua path according to rspamd settings.
* Import lua-functional for plugins stuff.
* Completely rewrite multimap plugin in functional style.
* Fix FORGED_MUA_THUNDERBIRD_MSGID (fixes#186)
* Check IPv6 addresses at dnswl.org and Spamhaus whitelist (by @fatalbanana)
* Add lowercase utility for utf8 strings.
* Various fixes to build system
* Updated debian configuration infrastructure (by @dottedmag)
to detect the platform.
Link-in the up to date copy of config.guess we provide as the version bundled
with the package is from 2002 and it causes bulkbuilds to hang due to waiting
for manual input if it doesn't recognise the platform.
- work around brain-damaged change in Python's poplib which causes
message retrieval errors if any line of a message has more than
2048 characters in it.
- restore link to moved Marc mailing list archive. Thanks: David
J. Weller-Fahy.
Upstream changes:
1.300018 2015-05-27 15:28:44-04:00 America/New_York
- stable release of changes from 1.300017
1.300017 2015-05-14 13:17:39-04:00 America/New_York (TRIAL RELEASE)
- cope with a double-encoding but in Net::SMTP
for details, https://rt.cpan.org/Ticket/Display.html?id=104433
Changelog:
Fixed in Thunderbird 31.7
2015-57 Privilege escalation through IPC channel messages
2015-54 Buffer overflow when parsing compressed XML
2015-51 Use-after-free during text processing with vertical text enabled
2015-48 Buffer overflow with SVG content and CSS
2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
- change rights for the spool, log and tmp directories from 0755 to 0750,
they contain sensitive information depending on configuration;
- fix the default paths of potential mime.types files;
- change config.inc.php to respect pkgsrc paths especially VARBASE;
No regression expected. Bump rev.
ok taca@.
v0.4.8 15-05-2015 Stephan Bosch <stephan@rename-it.nl>
* LDA Sieve plugin: Dovecot changed the deliver_log_format setting to include
%{delivery_time}. This prompted changes in Pigeonhole that make this release
dependent on Dovecot v2.2.17.
+ Implemented magic to make sieve_default script visible from ManageSieve
under a configurable name. This way, users can see the default rules, edit
them and store a private adjusted version. This could also be achieved by
copying the default script into the user's script storage, but updates to
the global sieve_default script would be ignored that way.
+ ManageSieve: Implemented support for reporting command statistics at
disconnect. Statistics include the number of bytes and scripts uploaded/
downloaded/checked and the number of scripts deleted/renamed.
- Fixed problem in address test: erroneously decoded mime-encoded words in
address headers.
- extprograms plugin: Fixed failure occurring when connecting to script
service without the need to read back the output from the external program.
- Fixed bug in script storage path normalization occurring with relative
symbolic links below root.
- Fixed and updated various parts of the documentation
- ManageSieve: Used "managesieve" rather than "sieve" as login service name,
which means that all managesieve-specific settings where ignored.
- Managesieve: Storage quota was not always enforced properly for scripts
uploaded as quoted string. Nobody uses that, but it is allowed in the
specification and we support it, so it should work properly.
v2.2.18 2015-05-15 Timo Sirainen <tss@iki.fi>
- director: Login UNIX sockets were normally detected as doveadm or
director ring sockets, causing it to break in existing installations.
- sdbox: When copying a mail in alt storage, place the destination to
alt storage as well.
v2.2.17 2015-05-13 Timo Sirainen <tss@iki.fi>
* Dovecot no longer checks or warns if a mountpoint is removed. This
was causing more trouble than it was worth. Make sure that all the
mountpoints that Dovecot accesses aren't writable by mail processes
when they're unmounted.
* dict server wasn't properly escaping/unescaping data. Fixing this
broke backwards compatibility with data that contains line feeds.
This hopefully affects only very few installations. If you're using
dict to save multiline data (Sieve scripts to SQL), you may be
affected.
* imap: SPECIAL-USE capability is no longer advertised if there are
no special_use flags specified for any mailboxes.
+ lmtp: Added lmtp_hdr_delivery_address setting to specify whether
to include email address in Delivered-To: and Received: headers.
+ Added initial version of full text search library, which includes
language-specific text normalization and filtering. This is still
in development, but it's already possible to use for testing with
fts-lucene and fts-solr.
+ lda, lmtp: deliver_log_format can now include %{delivery_time},
which expands to how many milliseconds it took to deliver the mail.
With LMTP %{session_time} also expands to how many milliseconds the
LMTP session took, not including the delivery time.
+ lmtp proxy: Mail delivery logging includes timing information.
+ imap: Most IMAP commands now include in the tagged reply how many
milliseconds it took to run the command (not counting the time spent
on waiting for the IMAP client to read/write data).
+ director: Implemented director_proxy_maybe passdb extra field to
be able to run director and backend in the same Dovecot instance.
(LMTP doesn't support mixed proxy/non-proxy destinations currently.)
+ doveadm: Added -F <file> parameter to read a list of users from the
given file and run the command for all the users. This is similar to
-A parameter reading the list of users from userdb lookup.
+ Implemented initial Cassandra CQL support as lib-sql backend. It's
only usable as dict backend currently.
+ Added quota-clone plugin to copy current quota usage to a dict.
- auth: If auth_master_user_separator was set, auth process could be
crashed by trying to log in with empty master username.
- imap-login, pop3-login: Fixed crash on handshake failures with new
OpenSSL versions (v1.0.2) when SSLv3 was disabled.
- auth: If one passdb fails allow_nets check, it shouldn't have failed
all the other passdb checks later on.
- imap: Server METADATA couldn't be accessed
- imapc: Fixed \Muted label handling in gmail-migration.
- imapc: Various bugfixes and improvements.
- Trash plugin fixes by Alexei Gradinari
- mbox: Fixed crash/corruption in some situations
* Fix bug in logic that coalesces multiparts to single-parts if
possible; the bug broke DKIM signing.
MIMEDefang 2.77 RELEASED
* Change old author's name to "Dianne Skoll" in many places.
MIMEDefang 2.76 RELEASED
* mimedefang.pl.in: Get rid of all Perl function prototypes.
Perl prototypes are badly-implemented and consensus among
modern Perl 5 programmers is they shouldn't be used.
https://www.securecoding.cert.org/confluence/display/perl/DCL00-PL.+Do+not+use+subroutine+prototypes
* Add support for filter_wrapup callback. This is called at the
very end and permits header modifications, but not body
modifications. Useful for DKIM-signing.
* mimedefang.pl.in: Fix typo: SOPHOS should have been SAVSCAN
* mimedefang.c: Don't add a MIME-Version header if there is already
one.
* Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646347
* Minor clarifications to mimedefang-filter man page.
* Add "All / Summary" button to watch-multiple-mimedefangs.tcl
Fixed a typo in the README file for the OpenSSL "dhparam" command. Thanks to
Eric Shubert for reporting this one.
Removed unused variables from the dns* commands in the utils folder to fix
compiler warnings.
Fixed a bug in read_file() that returned uninitialized pointers if a file
contained blank lines or comments at the top, causing segfaults when they
were free()d. Thanks to Jeffrey Gordon and Quinn Comendant for reporting
this one.
Changed the directory naming scheme in the "generator" program to include the
flowchart step numbers in the name. The old pattern was just too hard to
follow visually and far too difficult to search for a specific test.
Added more steps to the recipient validation flowchart and spamdyke-qrv's
recipient validation filter to correctly handle addresses that are forwarded
to an external address. Thanks to Stephen Marley for reporting this one.
Changed search_file() in spamdyke-qrv to return a "not found" result when the
file does not exist, instead of an error.
Added a delay loop to exec_command_argv() in spamdyke and spamdyke-qrv to work
around a race condition -- sometimes the child process will close its pipes
in preparation for exiting and the parent's waitpid() will fire before the
child has fully exited. This leads to erroneous returns showing the child
has not exited when it really only needed another timeslice or two. This is
fixed by looping with nanosleep() to wait a few tenths of a second after
seeing this return code.
Added a way to stop a test script run by creating a file named "stop". This
allows it to be stopped without killing the process and potentially leaving
the test platform in a partially (mis)configured state.
Fixed the accessor function for the header-blacklist-entry and
header-blacklist-file options to find their data in the filter_settings
object instead of the option_set object. This is because the data is moved
from the option_set immediately after it is set so the blacklist effect is
cumulative when set from configuration directories. Reading from the wrong
location meant the config-test feature was never testing those options at
all. Thanks to Stefan for reporting this one.
Fixed a pair of bugs in process_config_file(): one that would add empty values
to the end of a list of blacklist/whitelist files if a directive was
followed by a blank line and a commented-out directive (causing errors when
the values are used), the other that would throw errors if a line in a
configuration file contained only one space. Thanks to Les Fenison for
reporting these.
Fixed a bug in middleman() that would return an improper greeting when
injecting both AUTH and STARTTLS banners into the EHLO response. Clients
seeing this improper greeting would hang forever and eventually timeout.
Thanks to Elliot Denk for reporting this one and sending a patch!
Fixed a major thinko in smtp_filter that was carrying over the rejection data
between recipients, even if a recipient had a configuration directory file
that altered the overall configuration. This was leading to some
recipients being incorrectly rejected under very specific (and likely very
rare) conditions, which just happened to be met on my own server.
Fixed a bug in copy_base_options that was not copying the "reason" data from
the last rejection.
Fixed an infinite loop in dnsdummy when priorities over 0 are used.
Fixed a typo in dnsdummy that was truncating data when the verbose flags were
used (weird, yes).
Changed dnsdummy to fork a child process to return each query. This was the
easiest solution to implement to allow new queries to be processed while
waiting n seconds to send answers to previous queries. This is a fragile
and wasteful solution -- if dnsdummy were intended for production use, a
queue would be a much better solution.
Changed all of the "verbose"-level error messages to include the name of the
function, file and line that generated it. Every other message prefixed
with "ERROR" already did this, so this makes things more consistent.
Renamed all of the "FILTER" messages and added a new logging macro to print
them named SPAMDYKE_LOG_FILTER(). This way they can continue to be output
without function, file and line information.
Renamed the SPAMDYKE_LOG_CONFIG_TEST() macro to
SPAMDYKE_LOG_CONFIG_TEST_ERROR() and changed it to use LOG_LEVEL_ERROR
instead of having a special LOG_LEVEL_CONFIG_TEST setting. This way the
config-test messages can be changed to emit file, function and lines if
needed (or not).
Added SPAMDYKE_LOG_CONFIG_TEST_INFO() and SPAMDYKE_LOG_CONFIG_TEST_VERBOSE()
as analogs to SPAMDYKE_LOG_CONFIG_TEST_ERROR().
Changed dnsdummy to encode multiple answers in the same response, if its
config file contains multiple matches for the same query.
Fixed a bug in dnsdummy that was adding extra bytes to the end of each
answer. This turned out to be covering a matching (compensating) bug in
spamdyke's DNS parsing code. I really hate it when that happens!
Fixed a serious bug in nihdns_expand() that was causing spamdyke to
incorrectly parse DNS responses with multiple answers; it would use the
first answer, then skip the wrong number of bytes, causing it to conclude
any subsequent answers were corrupted.
Changed nihdns_expand() to return separate values for the number of bytes in
the decoded string and the number of bytes the string occupies in the DNS
packet. Due to packet compression, the numbers can be very different.
Changed generator to add records to the named configuration so domains will
resolve correctly during testing. Since using port numbers in resolv.conf
is not allowed, there is no easy way to use dnsdummy for these tests.
Discovered qmail-send does not check the percenthack or virtualdomains files
when resolving forward addresses, only locals and assign. Updated
spamdyke-qrv to behave the same way.
Refined the success/failure detection in generator after learning more about
qmail's behavior. If only it had some kind of accurate documentation...
Extended the tests created by generator to also test conditions where
spamdyke-qrv calls vpopmail to look up addresses. This increased the
number of spamdyke-qrv tests more than tenfold!
Added a "diagnostic output" flag to spamdyke-qrv to print the decision path
it used to evaluate the address. Also added a test to the test generator
to compare the diagnostic output with the expected decision path, to
catch tests that may be producing the desired effect for the wrong reason.
Fixed a bug in set_config_value() to make it possible to set
CONFIG_TYPE_NAME_MULTIPLE options to "none" or unset specific values.
Thanks to Konstantin for reporting this one.
Added flags to smtpdummy to advertise STARTTLS support in response to EHLO.
It doesn't actually do TLS, it just advertises it.
Fixed smtp_filter() to block a client's STARTTLS command if tls-level is
"none". Thanks to Les Fenison for reporting this one.
Added a flag to the configure script for both spamdyke and spamdyke-qrv to
compile with the address sanitizer library to catch memory access errors.
Adjusted the version string to show when the sanitizer is in use.
Changed the test scripts to always compile spamdyke with the address
sanitizer (if available) when testing. The tests run a lot slower, but
the sanitizer is too awesome to not use.
Fixed a buffer underrun in examine_entry that was causing segfaults when
searching files where wildcards are allowed at the beginning of the lines.
Thanks to Dirk Kannapinn for reporting this one.
Discovered a horrible problem with snprintf()'s %n format -- it returns the
number of bytes it _would_have_ written *if* there were infinite space, not
the number of bytes *actually* written as the man page states. So using %n
at the end of the format string as a substitute for immediately calling
strlen() is not safe. Good thing I don't ever do that, right? ...wait,
I use that feature EVERYWHERE! (grrrrr) Thanks to the Google Address
Sanitizer team for finding this one. Whoever implemented the %n feature
in glibc can report to me any time for a free punch in the throat.
I want my weekend back.
Reverted the (apparently) useless change from 4.3.0 to use %n in snprintf()
instead of the return value and replaced snprintf() with a macro named
SNPRINTF() that explicitly compares the return value with the size of the
buffer and returns the number of bytes ACTUALLY written.
Fixed a harmless buffer overrun in sub_examine_tcprules_entry() that could
have overwritten one byte of another variable on the stack with a null
byte. Since the address was valid and that other variable is set just
after the overwrite anyway, it wasn't actually a problem. But fixing it
makes the address sanitizer happy, so it's fixed.
Fixed a pair of huge buffer overruns in config_test_file_read() and
config_test_file_read_write() that could load 63K of file contents past
the end of the buffer (on the stack). Fortunately, these functions are
only used by the config-test feature, never during normal operation.
Fixed a buffer overflow in find_address() that would overwrite a single byte
in the caller's stack with a null byte when parsing BATV addresses. From
what I can tell, the effect of this bug would be to either truncate the
parsed address or cause a segfault.
Added undo_softlimit() to try to increase the "soft" limits on address space,
stack size and memory size to maximum if they are less than infinite (and
squawk if they cannot be reset to maximum). This will (hopefully) prevent
problems caused by DJB's "softlimit" program, which is a useless piece of
trash many qmail install guides *still* recommend using.
Fixed a bug in the logging code of tls_read() that was using an "error"
message to log at "verbose" level. The error message had more printf()
format specifiers than the verbose logger was providing, which was leading
to segfaults when the message was printed. Many thanks to Konstanin for
a lot of help tracking this one down.
This is a very large change, and incorporates the 4.8, 4.10, and 4.12 major
Xfce releases since 4.6.2, our previous pkgsrc release. For more information
about the thousands of changes in each major release since then, please see:
Xfce 4.12 announcement:
http://www.xfce.org/about/news
Xfce 4.12 tour:
http://www.xfce.org/about/tour
Xfce 4.10 announcement:
http://www.xfce.org/about/news/?post=1335571200
Xfce 4.10 tour:
http://www.xfce.org/about/tour410
Xfce 4.8 announcement:
http://www.xfce.org/about/news/?post=1295136000
Xfce 4.8 tour:
http://www.xfce.org/about/tour48
The pkgsrc changes since then are:
New packages:
archivers/xfce4-thunar-archive
graphics/elementary-xfce-icon-theme
mail/xfce4-mailwatch-plugin
misc/xfce4-time-out-plugin
multimedia/xfce4-thunar-media-tags
sysutils/xfce4-mount-plugin
sysutils/xfce4-taskmanager
sysutils/xfce4-thunar-vcs
sysutils/xfce4-verve-plugin
x11/xfce4-garcon
x11/xfce4-notifyd
x11/xfce4-tumbler
x11/xfce4-whiskermenu-plugin
Renamed packages:
devel/xfconf to devel/xfce4-conf
x11/libxfce4menu to x11/libxfce4ui
x11/xfce4-screenshooter-plugin to x11/xfce4-screenshooter
Updated packages:
audio/xfce4-mixer
audio/xfce4-xmms-plugin
devel/xfce4-dev-tools
editors/xfce4-mousepad
graphics/ristretto
meta-pkgs/xfce4-extras
meta-pkgs/xfce4
misc/xfce4-weather-plugin
multimedia/xfce4-mpc-plugin
net/xfce4-wavelan-plugin
sysutils/xfce4-appfinder
sysutils/xfce4-battery-plugin
sysutils/xfce4-cpugraph-plugin
sysutils/xfce4-diskperf-plugin
sysutils/xfce4-fsguard-plugin
sysutils/xfce4-genmon-plugin
sysutils/xfce4-netload-plugin
sysutils/xfce4-quicklauncher-plugin
sysutils/xfce4-systemload-plugin
sysutils/xfce4-thunar
sysutils/xfce4-xarchiver
sysutils/xfce4-xkb-plugin
textproc/xfce4-dict-plugin
time/xfce4-datetime-plugin
time/xfce4-orage
time/xfce4-timer-plugin
wm/xfce4-wm-themes
wm/xfce4-wm
x11/libxfce4gui
x11/libxfce4util
x11/xfce4-clipman-plugin
x11/xfce4-desktop
x11/xfce4-exo
x11/xfce4-eyes-plugin
x11/xfce4-gtk2-engine
x11/xfce4-notes-plugin
x11/xfce4-panel
x11/xfce4-places-plugin
x11/xfce4-session
x11/xfce4-settings
x11/xfce4-terminal
Removed packages:
sysutils/xfce4-volman
x11/xfce4-utils
This is based on a huge amount of work by the NetBSDfr team and Youri Mouton,
who takes over as MAINTAINER, and has been tested by Youri on a large number
of platforms prior to commit. A massive thanks to them. Any issues with the
import are mine alone as the committer-by-proxy.
Fixed in Postfix 3.0 and 2.11:
* Preparation for OpenSSL 1.2 API changes.
Fixed in all supported releases:
* The sender_dependent_relayhost_maps feature ignored the relayhost
setting in the case of a DUNNO lookup result. It would use the
recipient domain instead.
--- 2.009 (2013-07-21 03:30)
Mail::SPF:
* Default to querying only TXT type RRs (query_rr_types = Mail::SPF::Server->
query_rr_type_txt). Experience has shown that querying SPF type RRs is
impractical.
--- 2.008 (2012-01-30 08:15)
Mail::SPF:
* Sanitize result local_explanation (as well as result object string
representation) by replacing all non-printable or non-ascii characters
with their hex-escaped representation (e.g., "\x00").
(Addresses: bugs.launchpad.net #806926)
Miscellaneous:
* Change openspf.org URLs to openspf.net because openspf.org is unreachable
indefinitely.
* Change <http://www.ietf.org/rfc/….txt> URLs
to <http://tools.ietf.org/html/…>.
* META.yml: configure_requires: Module::Build 0.2805
* META.yml: requires: Net::DNS 0.62 (was: 0.52) (Closes: rt.cpan.org #28545)
* META.yml: Revert to flat version numbers for perl and Net::DNS::Resolver::
Programmable build requirements to avoid Module::Build::Compat/Makefile.PL
incompatibilities. (Closes: rt.cpan.org #53231)
* Attempt to prevent a cascading failure in t/00.03-class-result.t that seems
to happen under rare, unknown circumstances. (Closes: rt.cpan.org #39099)
Debian:
* Declare Debian source package format as 3.0.
* Standards-Version: 3.9.2 (was: 3.8.3)
* Bump debhelper compatibility level to 7 (was: 5) and simplify debian/rules
using debhelper 7 features.
* debian/control: Simplify depdendencies under the assumption that package
will be installed on Debian Lenny (oldstable at the time of writing) or
later (or the Ubuntu equivalent).
* debian/watch: Use dist-based URL.
CHangelog:
Fixed in Thunderbird 31.6
2015-40 Same-origin bypass through anchor navigation
2015-37 CORS requests should not follow 30x redirections after preflight
2015-33 resource:// documents can load privileged pages
2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)
pkgsrc changes:
- gnome-keyring option has changed to secret option to reflect the upstream
change. For more information please read the changelog below.
Changes:
Version 1.6.1:
- The new configure option --with-tls replaces --with-ssl.
- A new configure option --disable-gai-idn was added.
Version 1.6.0:
- Support for SOCKS proxies was added. This allows msmtp to be used with Tor.
- GNOME Keyring support now uses libsecret instead of libgnome-keyring. It is
now documented how to use secret-tool to manage passwords for msmtp; the
obsolete msmtp-gnome-tool script is removed.
- Configuration file security is now only checked if the file actually contains
secrets such as passwords. (If you still store passwords in the configuration
file, consider using the passwordeval command or a key ring instead.)
- The GSSAPI authentication method is not chosen automatically anymore, you have
to request it manually if you really want to use it.
- From: and Date: headers are now added to mails if necessary, for compatibility
with sendmail, postfix, exim, and other MTAs. This can be disabled with the
add_missing_from_header and add_missing_date_header commands.
- Libidn is not required for IDN support anymore on systems where getaddrinfo()
supports the AI_IDN flag and the GnuTLS version is >= 3.4.0.
- The new remove_bcc_headers command replaces the old keepbcc command (but the
old command is still supported for compatibility).
- SSLv3 is disabled, and the obsolete tls_force_sslv3 command and
--tls-force-sslv3 option have no effect anymore.
