You are here
Home > Preporuke > Sigurnosni nedostatak programskog paketa dovecot

Sigurnosni nedostatak programskog paketa dovecot

——————————————————————————–
Fedora Update Notification
FEDORA-2014-6331
2014-05-13 18:32:16
——————————————————————————–

Name : dovecot
Product : Fedora 19
Version : 2.2.13
Release : 1.fc19
URL : http://www.dovecot.org/
Summary : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail
in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

——————————————————————————–
Update Information:

* Fixed a DoS attack against imap/pop3-login processes. If SSL/TLS handshake was started but wasn’t finished, the login process attempted to eventually forcibly disconnect the client, but failed to do it correctly. This could have left the connections hanging arond for a long time. (Affected Dovecot v1.1+)

* mdbox: Added mdbox_purge_preserve_alt setting to keep the file within alt storage during purge.

* fts: Added support for parsing attachments via Apache Tika. Enable with: plugin { fts_tika = http://tikahost:9998/tika/ }

* virtual plugin: Delay opening backend mailboxes until it’s necessary. This requires mailbox_list_index=yes to work. (Currently IMAP IDLE command still causes all backend mailboxes to be opened.)

* mail_never_cache_fields=* means now to disable all caching. This may be a useful optimization as doveadm/dsync parameter for some admin tasks which shouldn’t really update the cache file.

* IMAP: Return SPECIAL-USE flags always for LSUB command.

* pop3 server was still crashing in v2.2.12 with some settings

* maildir: Various fixes and improvements to handling compressed mails, especially when they have broken/missing S=sizes in filenames.

* fts-lucene, fts-solr: Fixed crash on search when the index contained duplicate entries.

* Many fixes and performance improvements to dsync and replication

* director was somewhat broken when there were exactly two directors in the ring. It caused errors about “weak users” getting stuck.

* mail_attachment_dir: Attachments with the last base64-encoded line longer than the rest wasn’t handled correctly.

* IMAP: SEARCH/SORT PARTIAL was handled completely wrong in v2.2.11+

* acl: Global ACL file handling was broken when multiple entries matched the mailbox name. (Only the first entry was used.)
——————————————————————————–
ChangeLog:

* Mon May 12 2014 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.13-1
– dovecot updated to 2.2.13
– fixes CVE-2014-3430: denial of service through maxxing out SSL connections
– pop3 server was still crashing in v2.2.12
– maildir: Various fixes and improvements to handling compressed mails
– fts-lucene, fts-solr: Fixed crash on search when the index contained
duplicate entries.
– mail_attachment_dir: Attachments with the last base64-encoded line
longer than the rest wasn’t handled correctly.
– IMAP: SEARCH/SORT PARTIAL was handled completely wrong in v2.2.11+
– acl: Global ACL file handling was broken when multiple entries
matched the mailbox name
* Fri Feb 14 2014 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.12-1
– dovecot updated to 2.2.12
– fixes pop3 crash
* Thu Feb 13 2014 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.11-1
– dovecot updated to 2.2.11
– imap: SEARCH/SORT PARTIAL reponses may have been too large.
– doveadm backup: Fixed assert-crash when syncing mailbox deletion.
* Thu Jan 2 2014 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.10-1
– dovecot updated to 2.2.10
– quota-status: quota_grace was ignored
– ldap: Fixed memory leak with auth_bind=yes and without
auth_bind_userdn.
– imap: Don’t send HIGHESTMODSEQ anymore on SELECT/EXAMINE when
CONDSTORE/QRESYNC has never before been enabled for the mailbox.
– imap: Fixes to handling mailboxes without permanent modseqs.
(When [NOMODSEQ] is returned by SELECT, mainly with in-memory
indexes.)
– imap: Various fixes to METADATA support.
– stats plugin: Processes that only temporarily dropped privileges
(e.g. indexer-worker) may have been logging errors about not being
able to open /proc/self/io.
* Mon Nov 25 2013 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.9-1
– improved cache file handling exposed several old bugs related to fetching
mail headers.
– iostream handling changes were causing some connections to be disconnected
before flushing their output
* Wed Nov 20 2013 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.8-1
– Fixed infinite loop in message parsing if message ends with
“–boundary” and CR (without LF). Messages saved via SMTP/LMTP can’t
trigger this, because messages must end with an “LF.”. A user could
trigger this for him/herself though.
– lmtp: Client was sometimes disconnected before all the output was
sent to it.
– replicator: Database wasn’t being exported to disk every 15 minutes
as it should have. Instead it was being imported, causing “doveadm
replicator remove” commands to not work very well.
* Thu Nov 14 2013 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.7-2
– fix ostream infinite loop (#1029906)
* Mon Nov 4 2013 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.7-1
– dovecot updated to 2.2.7
– master process was doing a hostname.domain lookup for each created
process, which may have caused a lot of unnecessary DNS lookups.
– dsync: Syncing over 100 messages at once caused problems in some
situations, causing messages to get new UIDs.
– fts-solr: Different Solr hosts for different users didn’t work.
* Thu Oct 17 2013 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.6-1
– dovecot updated to 2.2.6, pigeonhole updated to 0.4.2
– director: v2.2.5 changes caused “SYNC lost” errors
– dsync: Many fixes and error handling improvements
– doveadm -A: Don’t waste CPU by doing a separate config lookup
for each user
– Long-running ssl-params process no longer prevents Dovecot restart
– mbox: Fixed mailbox_list_index=yes to work correctly
* Wed Aug 7 2013 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.5-1
– dovecot updated to 2.2.5
– added some missing man pages (by Pascal Volk)
– director: Users near expiration could have been redirected to
different servers at the same time.
– pop3: Avoid assert-crash if client disconnects during LIST.
– mdbox: Corrupted index header still wasn’t automatically fixed.
– dsync: Various fixes to work better with imapc and pop3c storages.
– ldap: sasl_bind=yes caused crashes, because Dovecot’s lib-sasl
symbols conflicted with Cyrus SASL library.
* Wed Jul 10 2013 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.4-2
– fix name conflict with cyrus-sasl (#975869)
* Wed Jun 26 2013 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.4-1
– dovecot updated to 2.2.4
– imap/pop3 proxy: Master user logins were broken in v2.2.3
– sdbox/mdbox: A corrupted index header with wrong size was never
automatically fixed in v2.2.3.
– mbox: Fixed assert-crashes related to locking.
* Mon Jun 17 2013 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.3-1
– dovecot updated to 2.2.3
– IMAP: If subject contained only whitespace, Dovecot returned an
ENVELOPE reply with a huge literal value, effectively causing the
IMAP client to wait for more data forever.
– IMAP: Various URLAUTH fixes.
– imapc: Various bugfixes and improvements
– pop3c: Various fixes to make it work in dsync (without imapc)
– dsync: Fixes to syncing subscriptions. Fixes to syncing mailbox
renames.
——————————————————————————–
References:

[ 1 ] Bug #1096402 – CVE-2014-3430 dovecot: denial of service through maxxing out SSL connections
https://bugzilla.redhat.com/show_bug.cgi?id=1096402
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c ‘yum update dovecot’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

Top
More in Preporuke
Sigurnosni nedostatak programskog paketa lynis

Otkriven je sigurnosni nedostatak u programskom paketu lynis za operacijski sustav Fedora. Otkriveni nedostatak potencijalnim napadačima omogućuje stjecanje povećanih korisničkih...

Close