pkgsrc changes:
* Use PKG_SYSCONFSUBDIR, there are a number of extra files supported in
the configuration file so everything should live in a sub-directory.
HEADS-UP! Users will need to migrate over to new config file location.
* Create opendmarc user/group, not currently used in rc.d script.
* Fix build on SunOS and add SMF support.
* Split multi-file patch correctly into separate files.
* Add TEST_TARGET.
* Various pkglint and cleanup.
opendmarc changes:
1.4.2 2021/12/19
Fix issue #175: Don't reject a multi-valued From when all of the
domains match.
Fix issue #179: Don't crash when a value in a multi-valued From field
is missing a domain name. Resolves CVE-2021-34555.
v2.3.19
+ Added mail_user_session_finished event, which is emitted when the mail
user session is finished (e.g. imap, pop3, lmtp). It also includes
fields with some process statistics information.
See https://doc.dovecot.org/admin_manual/list_of_events/ for more
information.
+ Added process_shutdown_filter setting. When an event matches the filter,
the process will be shut down after the current connection(s) have
finished. This is intended to reduce memory usage of long-running imap
processes that keep a lot of memory allocated instead of freeing it to
the OS.
+ auth: Add cache hit indicator to auth passdb/userdb finished events.
See https://doc.dovecot.org/admin_manual/list_of_events/ for more
information.
+ doveadm deduplicate: Performance is improved significantly.
+ imapc: COPY commands were sent one mail at a time to the remote IMAP
server. Now the copying is buffered, so multiple mails can be copied
with a single COPY command.
+ lib-lua: Add a Lua interface to Dovecot's HTTP client library. See
https://doc.dovecot.org/admin_manual/lua/ for more information.
- auth: Cache lookup would use incorrect cache key after username change.
- auth: Improve handling unexpected LDAP connection errors/hangs.
Try to fix up these cases by reconnecting to the LDAP server and
aborting LDAP requests earlier.
- auth: Process crashed if userdb iteration was attempted while auth-workers
were already full handling auth requests.
- auth: db-oauth2: Using %{oauth2:name} variables caused unnecessary
introspection requests.
- dict: Timeouts may have been leaked at deinit.
- director: Ring may have become unstable if a backend's tag was changed.
It could also have caused director process to crash.
- doveadm kick: Numeric parameter was treated as IP address.
- doveadm: Proxying can panic when flushing print output. Fixes
Panic: file ioloop.c: line 865 (io_loop_destroy): assertion failed:
(ioloop == current_ioloop).
- doveadm sync: BROKENCHAR was wrongly changed to '_' character when
migrating mailboxes. This was set by default to %, so any mailbox
names containing % characters were modified to "_25".
- imapc: Copying or moving mails with doveadm to an imapc mailbox could
have produced "Error: Syncing mailbox '[...]' failed" Errors. The
operation itself succeeded but attempting to sync the destination
mailbox failed.
- imapc: Prevent index log synchronization errors when two or more imapc
sessions are adding messages to the same mailbox index files, i.e.
INDEX=MEMORY is not used.
- indexer: Process was slowly leaking memory for each indexing request.
- lib-fts: fts header filters caused binary content to be sent to the
indexer with non-default configuration.
- doveadm-server: Process could hang in some situations when printing
output to TCP client, e.g. when printing doveadm sync state.
- lib-index: dovecot.index.log files were often read and parsed entirely,
rather than only the parts that were actually necessary. This mainly
increased CPU usage.
- lmtp-proxy: Session ID forwarding would cause same session IDs being
used when delivering same mail to multiple backends.
- log: Log prefix update may have been lost if log process was busy.
This could have caused log prefixes to be empty or in some cases
reused between sessions, i.e. log lines could have been logged for the
wrong user/session.
- mail_crypt: Plugin crashes if it's loaded only for some users. Fixes
Panic: Module context mail_crypt_user_module missing.
- mail_crypt: When LMTP was delivering mails to both recipients with mail
encryption enabled and not enabled, the non-encrypted recipients may
have gotten mails encrypted anyway. This happened when the first
recipient was encrypted (mail_crypt_save_version=2) and the 2nd
recipient was not encrypted (mail_crypt_save_version=0).
- pop3: Session would crash if empty line was sent.
- stats: HTTP server leaked memory.
- submission-login: Long credentials, such as OAUTH2 tokens, were refused
during SASL interactive due to submission server applying line length
limits.
- submission-login: When proxying to remote host, authentication was not
using interactive SASL when logging in using long credentials such as
OAUTH2 tokens. This caused authentication to fail due to line length
constraints in SMTP protocol.
- submission: Terminating the client connection with QUIT command after
mail transaction is started with MAIL command and before it is
finished with DATA/BDAT can cause a segfault crash.
- virtual: doveadm search queries with mailbox-guid as the only parameter
crashes: Panic: file virtual-search.c: line 77 (virtual_search_get_records):
assertion failed: (result != 0)
## Rails 6.1.5.1 (April 26, 2022) ##
* No changes.
## Rails 6.1.5 (March 09, 2022) ##
* Add `attachments` to the list of permitted parameters for inbound emails conductor.
When using the conductor to test inbound emails with attachments, this prevents an
unpermitted parameter warning in default configurations, and prevents errors for
applications that set:
```ruby
config.action_controller.action_on_unpermitted_parameters = :raise
```
*David Jones*, *Dana Henke*
Notmuch 0.36 (2022-04-25)
=========================
Library
-------
Add the `sexp` prefix to the infix (traditional) query parser. This
allows specific subqueries to be parsed by the sexp parser (with
appropriate quoting). See `notmuch-search-terms(7)` for details.
Add another heuristic to regexp fields to prevent phrase parsing of
bracketed sub-expressions.
Command Line Interface
----------------------
Envelope from ("From ") headers are now escaped as X-Envelope-From: in
input to `notmuch-insert`. This prevents creating mbox files when
calling `notmuch-insert` from e.g. `postfix`.
Python (CFFI) Bindings
----------------------
Use the `config_pairs` API in ConfigIterator. This returns all
matching key-value pairs, not just those that happen to be stored in
the database.
Documentation
-------------
Reorganize documentation for `notmuch-config`. Add a few links from
other man pages.
Emacs
-----
Bind the usual undo key sequences to new command
"notmuch-tag-undo". This allows transparent undo of tagging
operations.
Tests
-----
Fix smime.4 with newer gmime. Unset `XDG_DATA_HOME` and `MAILDIR` for tests.
New add-on tool: notmuch-web
-----------------------------
The new devel/ tool `notmuch-web` is a very thin web client. It
supports a full search interface for one user: there is no facility
for multiple users provided today. See the notmuch-web README file
for more information.
Be careful about running it on a network-connected system: it will
expose a web interface that requires no authentication but exposes
your mail store.
2022-04-29 Richard Russon <rich@flatcap.org>
* Bug Fixes
- Do not crash on an invalid use_threads/sort combination
- Fix: stuck browser cursor
- Resolve (move) the cursor after <edit-label>
- Index: fix menu size on new mail
- Don't overlimit LMDB mmap size
- OpenBSD y/n translation fix
- Generic: split out OP_EXIT binding
- Fix parsing of sendmail cmd
- Fix: crash with menu_move_off=no
- Newsrc: bugfix; nntp_user and nntp_pass ignored
- Menu: ensure config changes cause a repaint
- Mbox: fix sync duplicates
- Make sure the index redraws all that's needed
* Translations
- 100% Chinese (Simplified)
- 100% Czech
- 100% German
- 100% Hungarian
- 100% Lithuanian
- 100% Serbian
- 100% Turkish
* Docs
- add missing pattern modifier ~I for external_search_command
* Code
- menu: eliminate custom_redraw()
- modernise mixmaster
- Kill global and Propagate display attach status through State
Upstream changes:
1.15 28 February 2022
Fix RT#141577: Add missing test file to package so that tests don't fail.
1.14 27 February 2022
Fix `make test` so it actually fails if there's a test failure.
Fix RT#20388: Support whitespace after :include: in Sendmail format.
Fix Sendmail format so it no longer ignores the last alias in the file if it
ends with a continuation line and there aren't any blank lines or comments
after it.
Fix RT#19419: Don't mask INC in _include_file.
1.13 26 February 2022
New maintainer: Jonathan Kamens <jik@kamens.us>
Fix syntax error under recent versions of Perl, i.e., make the module work
again.
Upstream changes:
1.952 2021-12-14 09:57:27-05:00 America/New_York
- exactly 1.951, except will install on 5.8.8
- **ACHTUNG!** Do not expect any future release to work on Perl v5.8
1.951 2021-12-14 09:41:01-05:00 America/New_York
- non-trial release of 1.950 changes
1.950 2020-11-02 19:21:52-05:00 America/New_York (TRIAL RELEASE)
- when computing filename, start from raw Content-Disposition (thanks,
Mishrakk)
- avoid a potentially very slow regex in parsing (thanks, ivulfson)
2022-04-15 Richard Russon <rich@flatcap.org>
* Security
- Fix uudecode buffer overflow (CVE-2022-1328)
* Features
- Colours, colours, colours
* Bug Fixes
- Pager: fix pager_stop
- Merge colours with normal
- Color: disable mono command
- Fix forwarding text attachments when honor_disposition is set
- Pager: drop the nntp change-group bindings
- Use mailbox_check flags coherently, add IMMEDIATE flag
- Fix: tagging in attachment list
- Fix: misalignment of mini-index
- Make sure to update the menu size after a resort
* Translations
- 100% Hungarian
* Build
- Update acutest
* Code
- Unify pipe functions
- Index: notify if navigation fails
- Gui: set colour to be merged with normal
- Fix: leak in tls_check_one_certificate()
* Upstream
- Flush iconv() in mutt_convert_string()
- Fix integer overflow in mutt_convert_string()
- Fix uudecode cleanup on unexpected eof
This is a bug-fix release, addressing CVE-2022-1328: a buffer overread in
the uuencoded decoder routine.
Also fixed were a possible integer overflow issue in the general iconv and
rfc2047-conversion iconv functions. These are not believed to be
exploitable.
2022-04-08 Richard Russon <rich@flatcap.org>
* Features
- Compose multipart emails
* Bug Fixes
- Fix screen mode after attempting decryption
- imap: increase max size of oauth2 token
- Fix autocrypt
- Unify Alias/Query workflow
- Fix colours
- Say which file exists when saving attachments
- Force SMTP authentication if `smtp_user` is set
- Fix selecting the right email after limiting
- Make sure we have enough memory for a new email
- Don't overwrite with zeroes after unlinking the file
- Fix crash when forwarding attachments
- Fix help reformatting on window resize
- Fix poll to use PollFdsCount and not PollFdsLen
- regex: range check arrays strictly
- Fix Coverity defects
- Fix out of bounds write with long log lines
- Apply `fast_reply` to 'to', 'cc', or 'bcc'
- Prevent warning on empty emails
* Changed Config
- New default: `set rfc2047_parameters = yes`
* Translations
- 100% German
- 100% Lithuanian
- 100% Serbian
- 100% Czech
- 100% Turkish
- 72% Hungarian
* Docs
- Improve header cache explanation
- Improve description of some notmuch variables
- Explain how timezones and `!`s work inside `%{}`, `%[]` and `%()`
- Document config synonyms and deprecations
* Build
- Create lots of GitHub Actions
- Drop TravisCI
- Add automated Fuzzing tests
- Add automated ASAN tests
- Create Dockers for building Centos/Fedora
- Build fixes for Solaris 10
- New libraries: browser, enter, envelope
- New configure options: `--fuzzing` `--debug-color` `--debug-queue`
* Code
- Split Index/Pager GUIs/functions
- Add lots of function dispatchers
- Eliminate `menu_loop()`
- Refactor function opcodes
- Refactor cursor setting
- Unify Alias/Query functions
- Refactor Compose/Envelope functions
- Modernise the Colour handling
- Refactor the Attachment View
- Eliminate the global `Context`
- Upgrade `mutt_get_field()`
- Refactor the `color quoted` code
- Fix lots of memory leaks
- Refactor Index resolve code
- Refactor PatternList parsing
- Refactor Mailbox freeing
- Improve key mapping
- Factor out charset hooks
- Expose mutt_file_seek API
- Improve API of `strto*` wrappers
* Upstream
- imap QRESYNC fixes
- Allow an empty To: address prompt
- Fix argc==0 handling
- Don't queue IMAP close commands
- Fix IMAP UTF-7 for code points >= U+10000
- Don't include inactive messages in msgset generation
This is a bug-fix release, fixing a few smaller issues. Of note, the
<edit-fcc> and IMAP create/rename mailbox prompts were fixed to use the
mailbox history list.
Changes are in devel/ruby-activestorage70 only.
Rails 7.0.2.3 (March 08, 2022)
* Added image transformation validation via configurable allow-list.
Variant now offers a configurable allow-list for
transformation methods in addition to a configurable deny-list for arguments.
[CVE-2022-21831]
Ruby on Rails 6.1.4.7 is not latest version but it should be easy to pull-up
to pkgsrc-2021Q4.
Changes are in devel/ruby-activestorage61 only.
## Rails 6.1.4.7 (March 08, 2022) ##
* Added image transformation validation via configurable allow-list.
Variant now offers a configurable allow-list for
transformation methods in addition to a configurable deny-list for arguments.
[CVE-2022-21831]
Changes are in devel/ruby-activestorage60 only.
## Rails 6.0.4.7 (March 08, 2022) ##
* Added image transformation validation via configurable allow-list.
Variant now offers a configurable allow-list for
transformation methods in addition to a configurable deny-list for arguments.
[CVE-2022-21831]
Ruby on Rails 5.2.6.3 is not latest version but it should be easy to pull-up
to pkgsrc-2021Q4.
Changes are in devel/ruby-activestorage52 only.
Rails 5.2.6.3 (March 08, 2022)
* Added image transformation validation via configurable allow-list.
Variant now offers a configurable allow-list for
transformation methods in addition to a configurable deny-list for arguments.
[CVE-2022-21831]
- Set QMAILPPID for filters to know grandparent PID. Filters can log
this information to help sysadmins correlate rejections with
qmail-smtpd sessions.
- qmail-qfilter.1: Fix typo regarding file descriptor 5, and some
spellings and phrasings.
- README: Drop the stanza about setting TMPDIR, no longer relevant.
- Relicense from gnu-gpl-v2 to unlicense.
This is a bug-fix release, fixing a header-cache and body-cache naming
regression. Some internal URL handling fixes accidentally resulted in the
username being omitted from the header cache in some cases.
Notmuch 0.35 (2022-02-06)
=========================
Library
-------
Implement the `date` and `lastmod` fields in the S-expression parser.
Ignore trailing `/` for pathnames in both query parsers.
Rename configuration option `built_with.sexpr_query` to
`built_with.sexp_queries`.
Do not assume a default mail root in split (e.g. XDG) configurations.
Fix some small memory leaks in `notmuch_database_open_with_config`.
CLI
---
Improve handling of leading/trailing punctuation and space for
configuration lists.
Only ignore `.notmuch` at the top level in `notmuch new`.
Optionally show extra headers in `notmuch show`. See
`show.extra_headers` in notmuch-config(1).
Emacs
-----
Drop `C-TAB` binding in hello mode, document `backtab`.
Fix visual glitch in search mode by running `notmuch-search-hook`
lazily.
Don't add space to completion candidates, improves compatibility with
third party completion frameworks.
Make citation formatting more robust against whitespace.
Use `--excludes=false` when generating the 'All tags' section.
Use cached copy of message body for `Fcc`, avoiding variant bodies for
signed and/or encrypted messages.
Add notmuch-logo.svg and use it in notmuch-hello view, replacing
the .png version.
Make header line in show buffers optional.
Add customizable names for search buffers.
Build
-----
Fix out-of-tree build for `python-cffi` bindings.
Rearrange position of {C,CXX,CPP,LD}FLAGS, prevent some clashes with
installed version of notmuch.
Ignore more configure options.
Test Suite
----------
Replace some uses of `gdb` in the test suite with `LD_PRELOAD` based
shims.
Use `--with-colons` for gpgsm, fix compatibility with newer gnupg.
Python bindings
---------------
Add `matched` property to message objects.
Users are reminded that the old python bindings in bindings/python are
deprecated; this will probably be the last major release that ships
them.
Completion
----------
Use `database.mail_root` for path completion in bash/zsh.
Changes since version 2.1.5:
+ $pager_skip_quoted_context determines the number of lines to show
before unquoted text when using <skip-quoted> in the pager.
! Quadoption prompts and a few boolean prompts now have a '?' choice,
which will display the associated configuration variable.
! <enter>, <return>, and <keypadenter> can be bound to separate
functions/macros.
+ $sort_thread_groups can be used to sort top-level thread groups differently
than subthreads.
! contrib/smime.rc now uses the cms utility for SMIME encryption/decryption.
+ $compose_confirm_detach_first helps prevent accidentally deleting your
typed message in the compose menu.
+ The $attach_save_charset_convert quadoption prompts to allow charset
conversion of received text-type attachments when saving them to disk.
+ --with-gsasl allows configuration with the GNU SASL library, as an
alternative to Cyrus.
! $reply_regexp is now localizable by translators, to add other
non-standard prefixes used in the locale. "aw" was removed from the
default value.
! $rfc2047_parameters is enabled by default.
This update contains security fix for CVE-2022-23633 in ruby-actionpack61.
Active Support 6.1.4.6 (2022-02-11)
* Fix Reloader method signature to work with the new Executor signature.
Action Pack 6.1.4.5 (2022-02-11)
* Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which results in request state
not being fully reset before the next request.
[CVE-2022-23633]
Other packages have no change.
This update contains security fix for CVE-2022-23633 in ruby-actionpack60.
Active Support 6.0.4.6 (2022-02-11)
* Fix Reloader method signature to work with the new Executor signature.
Action Pack 6.0.4.6
6.0.4.5 (2022-02-11)
* Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which results in request state
not being fully reset before the next request.
[CVE-2022-23633]
Other packages have no change.
This update contains security fix for CVE-2022-23633 in
Active Support 5.2.6.2 (2022-02-11)
* Fix Reloader method signature to work with the new Executor signature.
Action Pack 5.2.6.2 (2022-02-11)
* Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which results in request state
not being fully reset before the next request.
[CVE-2022-23633]
3.2022.0105 (2022-01-05)
* Updated the Apache and IANA media registry entries as of release date.
* Fixed an incorrect definition of image/bmp, which had been marked obsolete
and later registered. Fixed #48, found by William T. Nelson.
deliver messages for any addresses given on the command line. If your
qmail installation used non-default values for conf-qmail, conf-break,
or the alias user, you can specify them in the $QMAIL, $QMAILBREAK, and
$QMAILALIAS environment variables. For example:
# env QMAILBREAK=+ qtraceaddr address@example.org
Set DIST_SUBDIR and update package.
setuptools_scm works fine now, and additional tests are installed.
Update PLIST.
Simplify package.
Bump PKGREVISION.
v0.5.18
- duplicate: Users without a home directory can crash with Sieve when
using duplicate database. v2.3.17 regression.
- imapsieve: When mail was expunged when processing imapsieve events, a
crash could occur. Fixes Panic: file mail-index-map.c:
line 558 (mail_index_map_lookup_seq_range): assertion failed: (first_uid > 0)
- managesieve-login: Proxy didn't support forwarding the forward_* passdb fields.
- redirect: Sieve would crash if redirect after keep-equivalent action failed.
- sieve: Interpreter crashes when the Sieve index extension is used with
index zero.
- vnd.dovecot.filter: Envelope sender string may become corrupted when
Sieve scripts are using vnd.dovecot.filter. This could end up
corrupting mbox's From line and return wrong envelope sender string in
Sieve tests.
v2.3.18
* Removed mail_cache_lookup_finished event. This event wasn't especially
useful, but it increased CPU usage significantly.
* fts: Don't index inline base64 encoded content in FTS indexes using
the generic tokenizer. This reduces the FTS index sizes by removing
input that is very unlikely to be searched for. See
https://doc.dovecot.org/configuration_manual/fts/tokenization for
details on how base64 is detected. Only applies when using libfts.
* lmtp: Session IDs are now preserved through proxied connections, so
LMTP sessions can be tracked. This slightly changes the LMTP session
ID format by appending ":Tn" (transaction), ":Pn" (proxy connection)
and ":Rn" (recipient) counters after the session ID prefix.
+ Events now have "reason_code" field, which can provide a list of
reasons why the event is happening. See
https://doc.dovecot.org/admin_manual/event_reasons/
+ New events are added. See https://doc.dovecot.org/admin_manual/list_of_events/
+ fts: Added fts_header_excludes and fts_header_includes settings to
specify which headers to index. See
https://doc.dovecot.org/settings/plugin/fts-plugin#plugin-fts-setting-fts-header-excludes
for configuration details.
+ fts: Initialize the textcat language detection library only once per
process. This can reduce CPU usage if fts_languages setting has multiple
languages listed and service indexer-worker { service_count } isn't 1.
Only applies when using libfts.
+ lib-storage: Reduced CPU usage significantly for some operations that
accessed lots of emails (e.g. fetching all flags in a folder, SORT, ...)
+ lib: DOVECOT_PREREQ() - Add micro version which enables compiling
external plugins against different versions of Dovecot.
+ lmtp: Added new lmtp_verbose_replies setting that makes errors sent to
the LMTP client much more verbose with details about why exactly
backend proxy connections or commands are failing.
+ submission: Support implicit SASL EXTERNAL with
submission_client_workarounds=implicit-auth-external. This allows
automatically logging in when SSL client certificate is present.
- *-login: Statistics were disabled if stats process connection was lost.
- auth: Authentication master user login fails with SCRAM-* SASL mechanisms.
- auth: With auth_cache_verify_password_with_worker=yes, passdb extra
fields in the auth cache got lost.
- doveadm: Fixed crash if zlib_save_level setting was specified,
but zlib_save was unset. v2.3.15 regression.
- doveadm: Proxying can panic when flushing print output. v2.3.17
regression. Fixes:
Panic: file ioloop.c: line 865 (io_loop_destroy): assertion failed:
(ioloop == current_ioloop)
- doveadm: stats add --group-by parameter didn't work.
- fts: Using email-address fts tokenizer could result in excessive memory
usage with garbage email input. This could cause the indexer-worker
processes to fail due to reaching the VSZ memory size limit.
Only applies when using libfts.
- imap: A SEARCH command timing out while fts returns indexes may timeout
returning "NO [SERVERBUG]", while it should return "NO [INUSE]" instead.
- imap: LIST-EXTENDED doesn't return STATUS for all folders. Sending
LIST .. RETURN (SUBSCRIBED STATUS (...)) did not return STATUS for
folders that are not subscribed when they have a child folder that is
subscribed as mandated by IMAP RFCs.
- imapc: Mailbox vsize calculation crashed with
Panic: file index-mailbox-size.c: line 344 (index_mailbox_vsize_hdr_add_missing):
assertion failed: (mails_left > 0)
- indexer: If indexer-worker crashes, the request it was processing gets
stuck in the indexer process. This stops indexing for the folder until
indexer process is restarted. v2.3.14 regression.
- indexer: Process was slowly leaking memory for each indexing request.
- lib-event: Unnamed events were wrongly filtered out for event/metric
filters like "event=abc OR something_independent_of_event_name".
- lib-index: 64-bit big endian CPUs handle last_used field in
dovecot.index.cache wrong.
- lib-ssl-iostream: Fix buggy OpenSSL error handling without assert-crashing.
If there is no error available, log it as an error instead of crashing.
The previous fix for this in v2.3.11 was incomplete. Fixes
Panic: file istream-openssl.c: line 51 (i_stream_ssl_read_real):
assertion failed: (errno != 0)
- lmtp: Out-of-memory issues can happen when proxying large messages to
LMTP backend servers that accept the message data too slow.
- master: HAProxy header parsing has read buffer overflow if provided
header size is invalid. This happens only if inet_listener
{ haproxy=yes } is configured and only if the remote IP address is in
haproxy_trusted_networks.
- old_stats: Plugin kept increasing memory usage, which became
noticeable with long-running imap sessions.
- stats: Dynamically adding same metric multiple times causes multiple stats.
- submission-login: Authentication does not accept OAUTH2 token (or
other very long credentials) because it considers the line to be too long.
- submission-login: Process can crash if HELO is pipelined with an
invalid domain.
- submission-proxy: Don't use SASL-IR if it would make the AUTH command
line longer than 512 bytes.
- submission: Service would crash if relay server authentication failed.
- virtual: FTS search in a virtual folder could crash if there are
duplicate mailbox GUIDs. This mainly happened when user had both INBOX
and INBOX/INBOX folders and the namespace prefix was INBOX/. Fixes
Panic: file hash.c: line 252 (hash_table_insert_node):
assertion failed: (opcode == HASH_TABLE_OP_UPDATE)
- virtual: If mailbox opening fails, the backend mailbox is leaked and
process crashes when client disconnects. Fixes
Panic: file mail-user.c: line 232 (mail_user_deinit):
assertion failed: ((*user)->refcount == 1)
- virtual: Searching headers in virtual folders didn't always use
full-text search indexes, if fts_enforced=no or body.
ship accumulated bugfixes and catchup with wayback machine changes.
special thanks to Paul Wise for the immeasurable patience on
the wayback plugin and test suite, and to Jelmer Vernooij for the
Debian Janitor.
New features:
* Add support for saving page resources to the Wayback Machine too,
thanks Paul Wise!
API changes:
* we now generate a standard message-id, which has brackets around it
Bugfixes:
* fix rare crash in feed2exec parse with an empty `mailbox` setting
* fix feedparser dependencies for newer python
* catchup with html2text again (2020.1.16)
* add failing test and fix for cachecontrol 0.12.10 new API (Closes: GL#22)
* do not cache requests in plugins (Closes: #1001412, GL#26)
* Require feedparser 5 as minimum version for Python 3, thanks Paul Wise
Documentation:
* mention (lack of) Gemini and other protocol support
* leave Freenode for oftc.net
Cleanup, CI, linting:
* avoid dateparser bug workaround in newer versions
* drop support for python 3.5, add 3.9
* enforce black in tox, but not in CI
* first pass at type checking with mypy, with failures allowed
* switch to setup.cfg as much as possible
* fix rst syntax since we are not hacking it anymore
* mention build module, which may be necessary for newer setuptools_scm
* move fixtures to conftest.py
* use pytest.mark.network instead of xfail
upstream changes:
-----------------
fetchmail-6.4.27 (released 2022-01-26, 31661 LoC):
# BREAKING CHANGES:
* Bump wolfSSL minimum required version to 5.1.1 to pull in security fix.
# TRANSLATIONS: language translations were updated by this fine person:
* ro: Remus-Gabriel Chelu [Romanian]
Redo some of the patches from the previous change set (PR pkg/56645) so
that they reflect the upstream project's method for including its
version of portable_utime(), rather than what was done previously,
which broke non-BSD builds, e.g., on Solaris derivatives:
ld: fatal: symbol 'portable_utime' is multiply-defined:
(file .libs/osdep.o type=FUNC; file .libs/utime.o type=FUNC);
ld: fatal: file processing errors. No output written to .libs/libc-client.so.5.0.0
Compile tested on NetBSD 9.2_STABLE, NetBSD 9.99.93, OmniOS r151038,
and Fedora Linux 34.
This update contains security fix.
Roundcube Webmail 1.5.1 (2021-11-28)
This is the first service release to update the new stable version 1.5. It
provides a bunch of small fixes and improvements after getting your feedback
from the 1.5.0 release. See the full changelog below.
Important note for MySQL and MariaDB database backends
The change to full UTF-8 support in MySQL/MariaDB didn't work for everybody
migrating an existing DB. Hence here's an important notice from the
UPGRADING instructions:
If you use MySQL < 5.7.7 or MariaDB < 10.2.2 make sure to configure it with:
innodb_large_prefix=1
innodb_file_per_table=1
innodb_file_format=Barracuda
This version is considered stable and we recommend to update all productive
installations of Roundcube with it. Please do backup your data before
updating!
CHANGELOG
* Fix importing contacts with no email address (#8227)
* Fix so session's search scope is not used if search is not active (#8199)
* Fix some PHP8 warnings (#8239)
* Fix so dark mode state is retained after closing the browser (#8237)
* Fix bug where new messages were not added to the list on refresh if
skip_deleted=true (#8234)
* Fix colors on "Show source" page in dark mode (#8246)
* Fix handling of dark_mode_support:false setting in skins meta.json - also
when devel_mode=false (#8249)
* Fix database initialization if db_prefix is a schema prefix (#8221)
* Fix undefined constant error in Installer on Windows (#8258)
* Fix installation/upgrade on MySQL 5.5 - Index column size too large (#8231)
* Fix regression in setting of contact listing name (#8260)
* Fix bug in Larry skin where headers toggle state was reset on full page
preview (#8203)
* Fix bug where \u200b characters were added into the recipient input
preventing mail delivery (#8269)
* Fix charset conversion errors on PHP < 8 for charsets not supported by
mbstring (#8252)
* Fix bug where adding a contact to trusted senders via "Always allow
from..." button didn't work (#8264, #8268)
* Fix bug with show_images setting where option 1 and 3 were swapped (#8268)
* Fix PHP fatal error on an undefined constant in contacts import action
(#8277)
* Fix fetching headers of multiple message parts at once in
rcube_imap_generic::fetchMIMEHeaders() (#8282)
* Fix bug where attachment download could sometimes fail with a CSRF check
error (#8283)
* Fix an infinite loop when parsing environment variables with float/integer
values (#8293)
* Fix so 'small-dark' logo has more priority than the 'small' logo (#8298)
Roundcube Webmail 1.5.2 (2021-12-30)
This is the second service release to update the new stable version 1.5. It
provides a bunch of small fixes and improvements to the OAuth feature as
well as a security fix to a recently reported XSS vulnerability. See the
full changelog below.
Security fix
* Cross-site scripting (XSS) via HTML messages with malicious CSS content
This version is considered stable and we recommend to update all productive
installations of Roundcube with it. Please do backup your data before
updating!
CHANGELOG
* OAuth: pass 'id_token' to 'oauth_login' plugin hook (#8214)
* OAuth: fix expiration of short-lived oauth tokens (#8147)
* OAuth: fix relative path to assets if /index.php/foo/bar url is used
(#8144)
* OAuth: no auto-redirect on imap login failures (#8370)
* OAuth: refresh access token in 'refresh' plugin hook (#8224)
* Fix so folder search parameters are honored by subscriptions_option plugin
(#8312)
* Fix password change with Directadmin driver (#8322, #8329)
* Fix so css files in plugins/jqueryui/themes will be minified too (#8337)
* Fix handling of unicode/special characters in custom From input (#8357)
* Fix some PHP8 compatibility issues (#8363)
* Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
* Fix scrolling and missing Close button in the Select image dialog in
Elastic/mobile (#8367)
* Security: fix cross-site scripting (XSS) via HTML messages with malicious
CSS content
upstream changes:
-----------------
Fixed in Postfix 3.6.4, 3.5.14, 3.4.24, 3.3.21:
o Bug introduced in bugfix 20210708: duplicate bounce_notice_recipient
entries in postconf output. This was caused by an incomplete fix to send
SMTP session transcripts to $bounce_notice_recipient. Reported by Vincent
Lefevre.
o Bug introduced in Postfix 3.0: the proxymap daemon did not automatically
authorize proxied maps inside pipemap (example:
pipemap:{proxy:maptype:mapname, ...}) or inside unionmap. Problem reported
by Mirko Vogt.
o Bug introduced in Postfix 2.5: off-by-one error while writing a string
terminator. This code passed all memory corruption tests, presumably
because it wrote over an alignment padding byte, or over an adjacent
character byte that was never read. Reported by Robert Siemer.
Fixed in Postfix 3.6.4, 3.5.14, 3.4.24:
o The proxymap daemon did not automatically authorize map features added
after Postfix 3.3, caused by missing *_maps parameter names in the
proxy_read_maps default value. Found during code maintenance.
c-client library were incorrect. Unfortunately, on 32-bit systems, the bug went unnoticed
because all the bits lined up correctly. On 64-bit systems, this happenstance doesn't work,
meaning the mtime and atime time stamps this software modifies are completely wrong, usually
defaulting to the beginning of the epoch, but only because the random memory locations pointed
to by the incorrect pointers are 0.
Fortunately, the software package includes a portable version of the utime library call that
converts the internal usage of this function to one that's compatible with the one resident in
libc on NetBSD, FreeBSD and other BSD systems. This patch simply enables that portable code
when compiling this package on BSD systems while using the pkgsrc system.
These patches have been compiled and are running in production on a 64-bit NetBSD/amd64
system running NetBSD-9.2.
Fixes pkg/pr-56645
upstream changes:
-----------------
fetchmail-6.4.26 (released 2021-12-26, 31661 LoC):
# FIXES:
* When using wolfSSL 5.0.0, work around a bug that appears to hit wolfSSL when
receiving handshake records while still in SSL_peek(). Workaround is to read
1 byte and cache it, then call SSL_peek() again.
This affects only some servers. https://github.com/wolfSSL/wolfssl/issues/4593
# TRANSLATIONS: language translations were updated by this fine person:
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
Changelog:
What's new in notmuch 0.34.3
============================
Library
-------
Do not crash when presented with a .notmuch directory without a
xapian/ subdirectory.
Python Bindings (notmuch2)
--------------------------
Database constructor now searches for configuration by default. Pass
`config=Database.CONFIG.EMPTY` to disable.
The `Message.replies()` method now returns OwnedMessage objects, to
prevent certain memory de-allocation errors.
Fix for importing `notmuch2` module when building bindings
documentation.
This flag should be set for packages that import pkg_resources
and thus need setuptools after the build step.
Set this flag for packages that need it and bump PKGREVISION.
* Caution! The tools mdeliver and mexport were buggy in handling and
generation of trailing empty lines in MBOX-RD. Do not import
mbox files generated by mexport >=1.2 with mdeliver <1.2 if you
require verbatim message delivery.
* mshow: add "-A all" to render all attachments
* msed: match header names case insensitively
* mless: prefer setting LESSKEYIN and using .mlesskey
* mcom: take Delivered-To into account for choosing From address
* mcom: allow tilde prefixed path for profile's outbox setting
* mcom: detect and report mmime errors
* add contrib/mmailto, a handler for mailto: links
* Many bug fixes.