1.5.3 (2022-06-26)
* Enigma: Fix initial synchronization of private keys
* Enigma: Fix double quoted-printable encoding of pgp-signed messages with
no attachments (#8413)
* Fix various PHP8 warnings (#8392)
* Fix mail headers injection via the subject field on mail compose (#8404)
* Fix bug where small message/rfc822 parts could not be decoded (#8408)
* Fix setting HTML mode on reply/forward of a signed message (#8405)
* Fix handling of RFC2231-encoded attachment names inside of a
message/rfc822 part (#8418)
* Fix bug where some mail parts (images) could not be listed as
attachments (#8425)
* Fix bug where attachment icons were stuck at the top of the messages list
in Safari (#8433)
* Fix handling of message/rfc822 parts that are small and are multipart
structures with a single part (#8458)
* Fix bug where session could time out if DB and PHP timezone were different
(#8303)
* Fix bug where DSN flag state wasn't stored with a draft (#8371)
* Fix broken encoding of HTML content encapsulated in a RTF attachment
(#8444)
* Fix problem with aria-hidden=true on toolbar menus in the Elastic
skin (#8517)
* Fix bug where title tag content was displayed in the body if it contained
HTML tags (#8540)
* Fix support for DSN specification without host e.g. pgsql:///dbname
(#8558)
3.7.0 (2022-02-07)
* Support to inline the content of small cidr:, pcre:, and regexp:
tables in Postfix parameter values. An example is the new
smtpd_forbidden_commands default value, "CONNECT GET POST
regexp:{{/^[^A-Z]/ Thrash}}", to quickly drop connections from
clients that send garbage.
* To make the maillog_file feature more useful, including stdout
logging from a container, the postlog(1) command is now set-gid
postdrop, so that unprivileged programs can use it to write
logging through the postlogd(8) daemon. This required hardening
the postlog(1) command against privilege escalation attacks.
* Support for library APIs: OpenSSL 3.0.0, PCRE2, Berkeley DB 18.
* Postfix programs now randomize the initial state of in-memory
hash tables, to defend against hash collision attacks involving
a large number of attacker-chosen lookup keys. Presently, the
only known opportunity for such attacks involves remote SMTP
client IPv6 addresses in the anvil(8) service, and requires
making hundreds of short-lived connections per second while
cycling through thousands of different client IP addresses.
* Updated defense against remote clients or servers that 'trickle'
SMTP or LMTP traffic. This replaces the old per-record deadlines
with per-request deadlines and minimum data rates.
* Many typofixes by raf and Wietse.
3.7.1 (2022-04-18)
* (problem introduced: Postfix 2.7) The milter_header_checks maps
are now opened before the cleanup(8) server enters the chroot
jail. Problem reported by Jesper Dybdal.
* In an internal client module, "host or service not found" was
a fatal error, causing the milter_default_action setting to be
ignored. It is now a non-fatal error, just like a failure to
connect. Problem reported by Christian Degenkolb.
* The proxy_read_maps default value was missing up to 27 parameter
names. The corresponding lookup tables were not automatically
authorized for use with the proxymap(8) service. The parameter
names were ending in _checks, _reply_footer, _reply_filter,
_command_filter, and _delivery_status_filter.
* (problem introduced: Postfix 3.0) With dynamic map loading
enabled, an attempt to create a map with "postmap regexp:path"
would result in a bogus error message "Is the postfix-regexp
package installed?" instead of "unsupported map type for this
operation". This happened with all non-dynamic map types (static,
cidr, etc.) that have no 'bulk create' support. Problem reported
by Greg Klanderman.
* In PCRE_README, "pcre2 --libs" should be "pcre2 --libs8". Problem
reported by Carlos Velasco.
* Documented in the postlogd(8) daemon manpage that the Postfix
>= 3.7 postlog(1) command can run with setgid permissions.
3.7.2 (2022-04-28)
This reverts an overly complex change in the postscreen SMTP engine
(made during Postfix 3.7 development), and replaces it with much
simpler code. The bad change was crashing postscreen on some systems
after receiving malformed input (for example, a TLS "hello" message).
3.2: 26 Mar 2022
* [Conf] Score MIME_OBFUSCATED_ARCHIVE to 8 points
* [Conf] Set one_shot for URIBL rules by default
* [CritFix] Fix upstreams name resolution when there is also a port
* [Feature] Add ROC feature to neural network plugin
* [Feature] Add public suffix compilation utility
* [Feature] Add support of Cloudmark
* [Feature] Allow hyperscan for ppc64, as vectorscan now supports it.
* [Feature] Allow to skip DNS resolution for keep-alive connections
* [Feature] Aws_s3: Allow to store large parts separately
* [Feature] BIMI: Add preliminary version of the BIMI plugin
* [Feature] JSON endpoint for querying maps
* [Feature] Lua_magic: Add a sane CSV heuristic
* [Feature] Lua_mime: Add schema for message transfer
* [Feature] Output average scan time in /stat endpoint
* [Feature] Show average scan time in `rspamc stat` output
* [Fix] Add guards to avoid race condition on TCP connection
* [Fix] Allow spaces in DKIM key records
* [Fix] Apply the similar fix to the url_reputation
* [Fix] Avoid overwriting whitelisted_signers_map
* [Fix] Backport PR from libucl
* [Fix] Clear SSL errors
* [Fix] ClickHouse cleanup of old partitions
* [Fix] Do not double call error handler on ssl errors in the timeout path
* [Fix] Do not forget to clear pointers on IOC reset
* [Fix] External_relay: Remove useless check of the map value
* [Fix] Find suspicious url encodings that could break url extraction
* [Fix] Fix HTTP(s) client timeout
* [Fix] Fix exclude flags setting
* [Fix] Fix expanding of the variables
* [Fix] Fix host header usage in lua_http
* [Fix] Fix http maps shared memory cache cleanup
* [Fix] Fix logic in HTML processing FSM
* [Fix] Fix parsing of the compound mailto urls
* [Fix] Fix processing captures from pcre2
* [Fix] Fix removing from khash
* [Fix] Fix structured headers pushing
* [Fix] Further fix for i386 compilation
* [Fix] Improve duplicate settings error reporting
* [Fix] Lua: task:remove_result didn't work in some cases
* [Fix] Output service parts as well
* [Fix] Phishing: Deal with phishing + redirected URL
* [Fix] Phishing: Fix finding domains in the phishing map
* [Fix] Plug memory leak by using mempool for a copied address
* [Fix] Properly find the request and the number of requested entries
* [Fix] Rbl: Fix inversed logic of the url_full_hostname
* [Fix] Read file maps if they were not pre-read during preload
* [Fix] Restrict x86_64 assembly to x86_64
* [Fix] Return a real number of recipients when dealing with aliases
* [Fix] Rework unschedule DNS request function
* [Fix] Support definition of ungrouped symbol in conf file, use group info from lua or other conf file
* [Fix] Unschedule DNS request when clearing IO channel
* [Fix] When checking for phishing, we need to convert punycode -> UTF8, not vice versa
* [Fix] lua_cfg_transform - actions without score (discard)
* [Fix] lua_cfg_transform - silly break break actions
* [Fix] ratelimit - symbol per bucket
* [Project] BIMI: Fix helper integration issues
* [Project] Further DNS over TCP architecturing
* [Project] Rdns: Add more functions for TCP based requests
* [Project] Rdns: Add preliminary reading logic for TCP channels
* [Project] Rdns: Add reaper for inactive TCP connections
* [Project] Rdns: Add timeout logic for TCP requests
* [Project] Rdns: Do not treat TCP channels failure as fatal
* [Project] Rdns: Fix TCP connection mess
* [Project] Rdns: Fix TCP stuff cleanup
* [Project] Rdns: Fix various ownership issues
* [Project] Rdns: Implement TCP writing logic
* [Project] Rdns: Initial support of TCP IO channels
* [Project] Rdns: More fixes in TCP handling
* [Project] Rdns: Restore the previous EDNS0 size
* [Project] Rdns: Send truncated replies via TCP
* [Project] Rdns: Unregister TCP requests
* [Rework] Allow to restore SSL handlers after keepalive pooling
* [Rework] Allow to set a different behaviour for actions from settings
* [Rework] Include SSL flag into keepalive hash
* [Rework] Make `rspamadm dmarc_report` default behaviour more sane
* [Rework] Mempool: Use explicit alignment
* [Rework] Rdns: Use faster and more compact hash table for DNS requests
* [Rework] Rework SSL flag operations
* [Rework] Take disabled flag into account
* [Rework] Timeouts are now global per event and not reset by IO activity
* [Rework] Use xxh3 as a default hash and fix memory/alignment issues
* [Rules] Fix old rules to stop global functions usage
* [Rules] Fix symbol for DKIM temporary failure
* [Rules] Remove ancient and inefficient rules
* [Rules] Slightly reduce MULTIPLE_FROM score
Rails 7.0.3.1 (2022-07-12) updates databases/ruby-activerecord70 only.
databases/ruby-activerecord70
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options. The configuration options are as
follows:
o config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but
leaving the possible escalation vulnerability in place. Setting this
option to true is *not* recommended, but can aid in upgrading.
o config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be
deserialized by default. This option allows you to specify classes deemed
"safe" in your application. For example, if your application uses Symbol
and Time in serialized data, you can add Symbol and Time to the allowed
list as follows:
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
[CVE-2022-32224]
Rails 6.1.6.1 (2022-07-12) updates databases/ruby-activerecord61 only.
databases/ruby-activerecord61
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options. The configuration options are as
follows:
o config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but
leaving the possible escalation vulnerability in place. Setting this
option to true is *not* recommended, but can aid in upgrading.
o config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be
deserialized by default. This option allows you to specify classes deemed
"safe" in your application. For example, if your application uses Symbol
and Time in serialized data, you can add Symbol and Time to the allowed
list as follows:
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
[CVE-2022-32224]
Rails 6.0.5.1 (2022-07-12) updates databases/ruby-activerecord60 only.
databases/ruby-activerecord60
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options. The configuration options are as
follows:
o config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but
leaving the possible escalation vulnerability in place. Setting this
option to true is *not* recommended, but can aid in upgrading.
o config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be
deserialized by default. This option allows you to specify classes deemed
"safe" in your application. For example, if your application uses Symbol
and Time in serialized data, you can add Symbol and Time to the allowed
list as follows:
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
[CVE-2022-32224]
Rails 5.2.8.1 (2022-07-12) updates databases/ruby-activerecord52 only.
databases/ruby-activerecord52
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options. The configuration options are as
follows:
o config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but
leaving the possible escalation vulnerability in place. Setting this
option to true is *not* recommended, but can aid in upgrading.
o config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be
deserialized by default. This option allows you to specify classes deemed
"safe" in your application. For example, if your application uses Symbol
and Time in serialized data, you can add Symbol and Time to the allowed
list as follows:
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
[CVE-2022-32224]
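The safe_load change described in the four Rails entries above, as an added illustration in plain Psych rather than ActiveRecord's own YAMLColumn coder: a coder that mirrors the two options (an explicit permitted-class list and an opt-in legacy unsafe mode), exercised on constructed column contents holding a Symbol and a Time and on a tagged Ruby object. The SafeYamlColumn and ReportSettings classes are assumptions for this example, not Rails code.

```ruby
require 'yaml'

# Constructed stand-in for an application class that a stored YAML document
# could name; with the legacy loader it is instantiated without any check.
class ReportSettings
  attr_accessor :name
end

# Illustrative coder (not ActiveRecord's own): safe_load by default, honouring
# an explicit permitted-class list, with an opt-in legacy unsafe mode.
class SafeYamlColumn
  def initialize(permitted_classes: [], unsafe_load: false)
    @permitted_classes = permitted_classes  # cf. yaml_column_permitted_classes
    @unsafe_load = unsafe_load              # cf. use_yaml_unsafe_load (not recommended)
  end

  def dump(obj)
    YAML.dump(obj)
  end

  def load(payload)
    return nil if payload.nil?
    if @unsafe_load
      # Legacy behaviour; older Psych has no unsafe_load, there load is already unsafe.
      YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(payload) : YAML.load(payload)
    else
      YAML.safe_load(payload, permitted_classes: @permitted_classes, aliases: true)
    end
  end
end

# Constructed column contents: a record using Symbol and Time, and a tagged object.
RECORD      = { 'status' => :active, 'seen_at' => Time.utc(2022, 7, 12) }
RECORD_YAML = YAML.dump(RECORD)
OBJECT_YAML = "--- !ruby/object:ReportSettings\nname: weekly\n"

# Returns [:ok, value] or [:rejected, message] so each outcome can be inspected.
def try_load(coder, payload)
  [:ok, coder.load(payload)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  strict    = SafeYamlColumn.new
  permitted = SafeYamlColumn.new(permitted_classes: [Symbol, Time])
  legacy    = SafeYamlColumn.new(unsafe_load: true)
  p try_load(strict, RECORD_YAML)     # rejected: Symbol is not permitted by default
  p try_load(permitted, RECORD_YAML)  # ok: Symbol and Time were allowed explicitly
  p try_load(permitted, OBJECT_YAML)  # rejected: ReportSettings was never permitted
  p try_load(legacy, OBJECT_YAML)     # ok: the object is instantiated (the old risk)
end
```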
New stuff we've added since 4.95:
- A new ACL condition: seen. Records/tests a timestamp against a key.
- A variant of the "mask" expansion operator to give normalised IPv6.
- UTC output option for exim_dumpdb, exim_fixdb.
- An event for failing TLS connects to the daemon.
- The ACL "debug" control gains options "stop", "pretrigger" and "trigger".
- Query-style lookups are now checked for quoting, if the query string is
built using untrusted data ("tainted"). For now lack of quoting is merely
logged; a future release will upgrade this to an error.
- The expansion conditions match_<list-type> and inlist now set $value for
the expansion of the "true" result of the ${if}. With a static list, this
can be used for de-tainting.
Notable removals since 4.95:
- the "allow_insecure_tainted_data" main config option and the
"taint" log_selector. These were deprecated in the 4.95 release.
Ruby on Rails 6.1.6 (2022-05-12)
Active Support
* Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Add the method ERB::Util.xml_name_escape to escape dangerous characters in
names of tags and names of attributes, following the specification of XML.
Action View
* Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Escape dangerous characters in names of tags and names of attributes in
the tag helpers, following the XML specification. Rename the option
:escape_attributes to :escape, to simplify by applying the option to the
whole tag.
Action Pack
* Allow Content Security Policy DSL to generate for API responses.
Ruby on Rails 6.0.5 (2022-05-12)
Active Support
* Fix tag helper regression.
Action Text
* Disentangle Action Text from ApplicationController
Allow Action Text to be used without having an ApplicationController
defined.
This makes sure:
- Action Text attachments render the correct URL host in mailers.
- an ActionController::Renderer isn't allocated per request.
- Sidekiq doesn't hang with the "classic" autoloader.
Ruby on Rails 5.2.8 (2022-05-12)
Active Support
* Fix tag helper regression.
Action View
* Make `LoadInterlockAwareMonitor` work in Ruby 2.7.
* Retain Ruby 2.2 compatibility.
pkgsrc changes:
- Remove OAUTHBEARER patches for IMAP, part of 2.1 release
Changes:
2.1
---
- Add support for LMTP
- Add support for XOAUTH2 for IMAP
- Add support for OAUTHBEARER for IMAP
- Several bug fixes and improvements
Upstream changes:
version 3.012: Fri 11 Feb 11:34:31 CET 2022
Fixes:
- ::Field::Attributes should be stored case insensitively
rt.cpan.org#140894 [Yanyan Yang]
- ::Field::Full phrase with encoding qp parsing failed when
the qp contains non-atext characters. Github#2 [Andy Beverley]
- ::Field::Full QP encoding must be more strict for use in
MIME headers. Github#3 [Andy Beverley]
- Coercion from Mail::Address to Mail::Message::Full::Address
is too lazy. Github#4 [Andy Beverley]
Improvements:
- extend date in mbox-separator to accept 203X as well.
Upstream changes:
1.20220520 2022-05-20 UTC
+ Change default algorithm in dkimsign.pl to sha-256
+ Use Getopt::Long::Descriptive in scripts for better command help
1.20220408 2022-04-08 UTC
+ Add support for signatures with an Expiration value
upstream changes:
-----------------
fetchmail-6.4.30 (released 2022-04-26, 31666 LoC):
# BREAKING CHANGES:
* Bump wolfSSL minimum required version to 5.2.0 to pull in security fix.
# CHANGES:
* Using OpenSSL 1.* before 1.1.1n elicits a compile-time warning.
* Using OpenSSL 3.* before 3.0.2 elicits a compile-time warning.
* configure.ac was tweaked in order to hopefully fix cross-compilation issues
report, and different patch suggested, by Fabrice Fontaine,
https://gitlab.com/fetchmail/fetchmail/-/merge_requests/42
# TRANSLATIONS: language translations were updated by this fine person:
* ro: Remus-Gabriel Chelu [Romanian]
--------------------------------------------------------------------------------
fetchmail-6.4.29 (released 2022-03-20, 31661 LoC):
# TRANSLATIONS: language translations were updated by this fine person:
* vi: Trần Ngọc Quân [Vietnamese]
--------------------------------------------------------------------------------
fetchmail-6.4.28 (released 2022-03-05, 31661 LoC):
# DOCUMENTATION:
* Fix a typo in the manual page, courtesy of Jeremy Petch.
# TRANSLATIONS: language translations were updated by this fine person:
* es: Cristian Othón Martínez Vera [Spanish]
This milter implements SRS (Sender Rewriting Scheme) that can be used to
fix envelope MAIL FROM for forwarded mails protected by SPF. It can be
configured in two modes for:
* Incoming mail -- rewrite RCPT TO addresses in SRS format back
* Outgoing mail -- rewrite MAIL FROM address to SRS format
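The two rewriting directions listed above, as an added Ruby sketch of the SRS0 address format rather than the milter's own code: outgoing mail gets its MAIL FROM wrapped under the forwarder's domain with a timestamp and an HMAC, and an incoming RCPT TO is unwrapped only when the HMAC verifies and the timestamp is recent. The secret, the forwarder domain and the 21-day validity window are constructed assumptions.

```ruby
require 'openssl'
require 'base64'

SRS_SECRET   = 'constructed-demo-secret'   # constructed; deploy a random secret
FORWARDER    = 'forwarder.example'         # assumed forwarder domain
BASE32       = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
MAX_AGE_DAYS = 21                          # assumed bounce validity window

# Two base32 characters encode the day count modulo 1024.
def srs_timestamp(time)
  days = time.to_i / 86_400
  BASE32[(days >> 5) & 31] + BASE32[days & 31]
end

# Four base64 characters of an HMAC over the lower-cased timestamp, domain and
# local part bind the rewritten address to this forwarder's secret.
def srs_hash(timestamp, domain, local)
  mac = OpenSSL::HMAC.digest('sha1', SRS_SECRET, (timestamp + domain + local).downcase)
  Base64.strict_encode64(mac)[0, 4]
end

# Outgoing mail: rewrite MAIL FROM into SRS0 form under the forwarder's domain.
def srs_forward(address, now = Time.now)
  local, domain = address.split('@', 2)
  return address if domain.nil? || domain.casecmp?(FORWARDER)
  ts = srs_timestamp(now)
  "SRS0=#{srs_hash(ts, domain, local)}=#{ts}=#{domain}=#{local}@#{FORWARDER}"
end

# Incoming mail (bounces): rewrite an SRS0 RCPT TO back to the original address,
# or return nil when the hash does not verify or the timestamp is stale.
def srs_reverse(address, now = Time.now)
  local, domain = address.split('@', 2)
  return nil unless domain&.casecmp?(FORWARDER)
  m = local.match(/\ASRS0=([^=]{4})=([^=]{2})=([^=]+)=(.+)\z/i)
  return nil unless m
  hash, ts, orig_domain, orig_local = m.captures
  return nil unless hash.casecmp?(srs_hash(ts, orig_domain, orig_local))
  d0, d1 = ts.upcase.chars.map { |c| BASE32.index(c) }
  return nil if d0.nil? || d1.nil?          # timestamp chars outside the alphabet
  age = ((now.to_i / 86_400) - ((d0 << 5) | d1)) % 1024
  return nil if age > MAX_AGE_DAYS
  "#{orig_local}@#{orig_domain}"
end
```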