——————————————————————————–
Fedora Update Notification
FEDORA-2015-7159
2015-04-29 08:02:54
——————————————————————————–
Name : dovecot
Product : Fedora 20
Version : 2.2.16
Release : 2.fc20
URL : http://www.dovecot.org/
Summary : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail
in either of maildir or mbox formats.
The SQL drivers and authentication plug-ins are in their subpackages.
——————————————————————————–
Update Information:
fixes CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process
– dovecot updated to 2.2.16
– auth: Don’t crash if master user login is attempted without
any configured master=yes passdbs
– Parsing UTF-8 text for mails could have caused broken results
sometimes if buffering was split in the middle of a UTF-8 character.
This affected at least searching messages.
– String sanitization for some logged output wasn’t done properly:
UTF-8 text could have been truncated wrongly or the truncation may
not have happened at all.
– fts-lucene: Lookups from virtual mailbox consisting of over 32
physical mailboxes could have caused crashes.
– dovecot updated to 2.2.16
– auth: Don’t crash if master user login is attempted without
any configured master=yes passdbs
– Parsing UTF-8 text for mails could have caused broken results
sometimes if buffering was split in the middle of a UTF-8 character.
This affected at least searching messages.
– String sanitization for some logged output wasn’t done properly:
UTF-8 text could have been truncated wrongly or the truncation may
not have happened at all.
– fts-lucene: Lookups from virtual mailbox consisting of over 32
physical mailboxes could have caused crashes.
——————————————————————————–
ChangeLog:
* Tue Apr 28 2015 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.16-2
– fix CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process
* Mon Mar 16 2015 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.16-1
– dovecot updated to 2.2.16
– auth: Don’t crash if master user login is attempted without
any configured master=yes passdbs
– Parsing UTF-8 text for mails could have caused broken results
sometimes if buffering was split in the middle of a UTF-8 character.
This affected at least searching messages.
– String sanitization for some logged output wasn’t done properly:
UTF-8 text could have been truncated wrongly or the truncation may
not have happened at all.
– fts-lucene: Lookups from virtual mailbox consisting of over 32
physical mailboxes could have caused crashes.
* Thu Feb 5 2015 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.15-3
– fix mbox istream crashes (#1189198, #1186504)
* Mon Jan 5 2015 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.15-2
– fix crash related to logging BYE notifications (#1176282)
– update pigeonhole to 0.4.6
* Thu Oct 30 2014 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.15-1
– dovecot updated to 2.2.15
– various race condition fixes to LAYOUT=index
– v2.2.14 virtual plugin crashed in some situations
* Fri Oct 17 2014 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.14-1
– dovecot updated to 2.2.14, pigeonhole updated to 0.4.3
– fixed several race conditions with dovecot.index.cache handling that
may have caused unnecessary “cache is corrupted” errors.
– auth: If auth client listed userdb and disconnected before finishing,
the auth worker process got stuck
– imap-login, pop3-login: Fixed potential crashes when client
disconnected unexpectedly.
– imap proxy: The connection was hanging in some usage patterns.
* Thu Aug 21 2014 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.13-2
– use network-online target instead of just network (#1119814)
* Mon May 12 2014 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.13-1
– dovecot updated to 2.2.13
– fixes CVE-2014-3430: denial of service through maxxing out SSL connections
– pop3 server was still crashing in v2.2.12
– maildir: Various fixes and improvements to handling compressed mails
– fts-lucene, fts-solr: Fixed crash on search when the index contained
duplicate entries.
– mail_attachment_dir: Attachments with the last base64-encoded line
longer than the rest wasn’t handled correctly.
– IMAP: SEARCH/SORT PARTIAL was handled completely wrong in v2.2.11+
– acl: Global ACL file handling was broken when multiple entries
matched the mailbox name
* Fri Feb 14 2014 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.12-1
– dovecot updated to 2.2.12
– fixes pop3 crash
* Thu Feb 13 2014 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.11-1
– dovecot updated to 2.2.11
– imap: SEARCH/SORT PARTIAL reponses may have been too large.
– doveadm backup: Fixed assert-crash when syncing mailbox deletion.
* Thu Jan 2 2014 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.10-1
– dovecot updated to 2.2.10
– quota-status: quota_grace was ignored
– ldap: Fixed memory leak with auth_bind=yes and without
auth_bind_userdn.
– imap: Don’t send HIGHESTMODSEQ anymore on SELECT/EXAMINE when
CONDSTORE/QRESYNC has never before been enabled for the mailbox.
– imap: Fixes to handling mailboxes without permanent modseqs.
(When [NOMODSEQ] is returned by SELECT, mainly with in-memory
indexes.)
– imap: Various fixes to METADATA support.
– stats plugin: Processes that only temporarily dropped privileges
(e.g. indexer-worker) may have been logging errors about not being
able to open /proc/self/io.
* Mon Nov 25 2013 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.9-1
– improved cache file handling exposed several old bugs related to fetching
mail headers.
– iostream handling changes were causing some connections to be disconnected
before flushing their output
* Wed Nov 20 2013 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.8-1
– Fixed infinite loop in message parsing if message ends with
“–boundary” and CR (without LF). Messages saved via SMTP/LMTP can’t
trigger this, because messages must end with an “LF.”. A user could
trigger this for him/herself though.
– lmtp: Client was sometimes disconnected before all the output was
sent to it.
– replicator: Database wasn’t being exported to disk every 15 minutes
as it should have. Instead it was being imported, causing “doveadm
replicator remove” commands to not work very well.
——————————————————————————–
References:
[ 1 ] Bug #1216057 – CVE-2015-3420 dovecot: SSL/TLS handshake failures leading to a crash of the login process.
https://bugzilla.redhat.com/show_bug.cgi?id=1216057
——————————————————————————–
This update can be installed with the “yum” update program. Use
su -c ‘yum update dovecot’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
——————————————————————————–
Fedora Update Notification
FEDORA-2015-7089
2015-04-29 07:54:03
——————————————————————————–
Name : dovecot
Product : Fedora 21
Version : 2.2.16
Release : 2.fc21
URL : http://www.dovecot.org/
Summary : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail
in either of maildir or mbox formats.
The SQL drivers and authentication plug-ins are in their subpackages.
——————————————————————————–
Update Information:
fixes CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process
– dovecot updated to 2.2.16
– auth: Don’t crash if master user login is attempted without
any configured master=yes passdbs
– Parsing UTF-8 text for mails could have caused broken results
sometimes if buffering was split in the middle of a UTF-8 character.
This affected at least searching messages.
– String sanitization for some logged output wasn’t done properly:
UTF-8 text could have been truncated wrongly or the truncation may
not have happened at all.
– fts-lucene: Lookups from virtual mailbox consisting of over 32
physical mailboxes could have caused crashes.
– dovecot updated to 2.2.16
– auth: Don’t crash if master user login is attempted without
any configured master=yes passdbs
– Parsing UTF-8 text for mails could have caused broken results
sometimes if buffering was split in the middle of a UTF-8 character.
This affected at least searching messages.
– String sanitization for some logged output wasn’t done properly:
UTF-8 text could have been truncated wrongly or the truncation may
not have happened at all.
– fts-lucene: Lookups from virtual mailbox consisting of over 32
physical mailboxes could have caused crashes.
——————————————————————————–
ChangeLog:
* Tue Apr 28 2015 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.16-2
– fix CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process
* Mon Mar 16 2015 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.16-1
– dovecot updated to 2.2.16
– auth: Don’t crash if master user login is attempted without
any configured master=yes passdbs
– Parsing UTF-8 text for mails could have caused broken results
sometimes if buffering was split in the middle of a UTF-8 character.
This affected at least searching messages.
– String sanitization for some logged output wasn’t done properly:
UTF-8 text could have been truncated wrongly or the truncation may
not have happened at all.
– fts-lucene: Lookups from virtual mailbox consisting of over 32
physical mailboxes could have caused crashes.
* Thu Feb 5 2015 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.15-3
– fix mbox istream crashes (#1189198, #1186504)
* Mon Jan 5 2015 Michal Hlavinka <mhlavink@redhat.com> – 1:2.2.15-2
– fix crash related to logging BYE notifications (#1176282)
– update pigeonhole to 0.4.6
——————————————————————————–
References:
[ 1 ] Bug #1216057 – CVE-2015-3420 dovecot: SSL/TLS handshake failures leading to a crash of the login process.
https://bugzilla.redhat.com/show_bug.cgi?id=1216057
——————————————————————————–
This update can be installed with the “yum” update program. Use
su -c ‘yum update dovecot’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce