Hello community,

here is the log from the commit of package dovecot23 for openSUSE:Factory checked in at 2019-12-18 14:45:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dovecot23 (Old)
 and /work/SRC/openSUSE:Factory/.dovecot23.new.4691 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dovecot23" Wed Dec 18 14:45:44 2019 rev:23 rq:757626 version:2.3.9.2 Changes: -------- --- /work/SRC/openSUSE:Factory/dovecot23/dovecot23.changes 2019-11-15 22:40:23.148475350 +0100 +++ /work/SRC/openSUSE:Factory/.dovecot23.new.4691/dovecot23.changes 2019-12-18 14:48:37.397946984 +0100 
@@ -1,0 +2,116 @@ +Sat Dec 14 08:55:56 UTC 2019 - Michael Ströder <[email protected]> + +- update to 2.3.9.2 with security fixes: + * CVE-2019-19722: Mails with group addresses in From or To + fields caused crash in push notification drivers. + * Mails with empty From/To headers can also cause crash + in push notification drivers. + +------------------------------------------------------------------- +Wed Dec 4 21:46:28 UTC 2019 - Michael Ströder <[email protected]> + +- update to 2.3.9 and pigeonhole to 0.5.9 + + Dovecot 2.3.9 + * Changed several event field names for consistency and to avoid + conflicts in parent-child event relationships: + * SMTP server command events: Renamed "name" to "cmd_name" + * Events inheriting from a mailbox: Renamed "name" to "mailbox" + * Server connection events have only "remote_ip", "remote_port", + "local_ip" and "local_port". + * Removed duplicate "client_ip", "ip" and "port". + * Mail storage events: Removed "service" field. + Use "service:<name>" category instead. + * HTTP client connection events: Renamed "host" to "dest_host" and + "port" to "dest_port" + * auth: Drop Postfix socketmap support. It hasn't been working + with recent Postfix versions for a while now. + * push-notification-lua: The "subject" field is now decoded to UTF8 + instead of kept as MIME-encoded. + + push-notification-lua: Added new "from_address", "from_display_name", + "to_address" and "to_display_name" fields. The display names are + decoded to UTF8. + + Added various new fields to existing events. + See http://doc.dovecot.net/admin_manual/list_of_events.html + + Add lmtp_add_received_header setting. It can be used to prevent LMTP + from adding "Received:" headers. + + doveadm: Support SSL/STARTTLS for proxied doveadm connections based on + doveadm_ssl setting and proxy ssl/tls settings. + + Log filters support now "service:<name>", which matches all events for + the given service. It can also be used as a category. 
+ + lib: Use libunwind to get abort backtraces with function names + where available. + + lmtp: When the LMTP proxy changes the username (from passdb lookup) + add an appropriate ORCPT parameter. + - lmtp: Add lmtp_client_workarounds setting to implement workarounds for + clients that send MAIL and RCPT commands with additional spaces before + the path and for clients that omit <> brackets around the path. + See example-config/conf.d/20-lmtp.conf. + - lda/lmtp: Invalid MAIL FROM addresses were rejcted too aggressively. + Now mails from addresses with unicode characters are delivered, but + their Return-Path header will be <> instead of the given MAIL FROM + address. + - lmtp: The lmtp_hdr_delivery_address setting is ignored. + - imap: imap_command_finished event's "args" and "human_args" parameters + were always empty. + - mbox: Seeking in zlib and bzip2 compressed input streams didn't work + correctly. + - imap-hibernate: Process crashed when client got destroyed while it was + attempted to be unhibernated, and the unhibernation fails. + - *-login: Proxying may have crashed if SSL handshake to the backend + failed immediately. This was unlikely to happen in normal operation. + - *-login: If TLS handshake to upstream server failed during proxying, + login process could crash due to invalid memory access. + - *-login: v2.3 regression: Using SASL authentication without initial + response may have caused SSL connections to hang. This happened often + at least with PHP's IMAP library. + - *-login: When login processes are flooded with authentication attempts + it starts logging errors about "Authentication server sent unknown id". + This is still expected. However, it also caused the login process to + disconnect from auth server and potentially log some user's password + in the error message. + - dict-sql: SQL prepared statements were not shared between sessions. 
+ This resulted in creating a lot of prepared statements, which was + especially inefficient when using Cassandra backend with a lot of + Cassandra nodes. + - auth: auth_request_finished event didn't have success=yes parameter + set for successful authentications. + - auth: userdb dict - Trying to list users crashed. + - submission: Service could be configured to allow anonymous + authentication mechanism and anonymous user access. + - LAYOUT=index: Corrupted dovecot.list.index caused folder creation to + panic. + - doveadm: HTTP server crashes if request target starts with double "/". + - dsync: Remote dsync started hanging if the initial doveadm + "dsync-server" command was sent in the same TCP packet as the + following dsync handshake. v2.3.8 regression. + - lib: Several "input streams" had a bug that in some rare situations + might cause it to access freed memory. This could lead to crashes or + corruption. + The only currently known effect of this is that using zlib plugin with + external mail attachments (mail_attachment_dir) could cause fetching + the mail to return a few bytes of garbage data at the beginning of the + header. Note that the mail wasn't saved corrupted, but fetching it + caused corrupted mail to be sent to the client. + - lib-storage: If a mail only has quoted content, use the quoted text + for generating message snippet (IMAP PREVIEW) instead of returning + empty snippet. + - lib-storage: When vsize header was rebuilt, newly calculated message + sizes were added to dovecot.index.cache instead of being directly + saved into vsize records in dovecot.index. + - lib: JSON generator was escaping UTF-8 characters unnecessarily. + + Pigeonhole 0.5.8 + + Added events for Sieve and ManageSieve, see + https://doc.dovecot.org/admin_manual/list_of_events/#pigeonhole + + Pigeonhole: Implement the Sieve "special-use" extension described in + RFC 8579. 
+ - duplicate: Test only compared the handles which would cause + different values to be cached as the same duplicate test. Fix to also + compare the actual hashes. + - imap_sieve_filter: IMAP FILTER Command had various bugs in error + handling. Errors may have been duplicated for each email, errors + may have been missing entirely, command tag and ERRORS/WARNINGS + parameters were swapped. + +------------------------------------------------------------------- @@ -781 +897 @@ - affected encrypt and zlib compress ostreams, which could have + affected encrypt and zlib compress ostreams, which have Old: ---- dovecot-2.3-pigeonhole-0.5.8.tar.gz dovecot-2.3-pigeonhole-0.5.8.tar.gz.sig dovecot-2.3.8.tar.gz dovecot-2.3.8.tar.gz.sig New: ---- dovecot-2.3-pigeonhole-0.5.9.tar.gz dovecot-2.3-pigeonhole-0.5.9.tar.gz.sig dovecot-2.3.9.2.tar.gz dovecot-2.3.9.2.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dovecot23.spec ++++++ --- /var/tmp/diff_new_pack.zVYCH1/_old 2019-12-18 14:48:38.069947292 +0100 +++ /var/tmp/diff_new_pack.zVYCH1/_new 2019-12-18 14:48:38.073947294 +0100 
@@ -19,11 +19,11 @@ %global _lto_cflags %{nil} Name: dovecot23 -Version: 2.3.8 +Version: 2.3.9.2 Release: 0 %define pkg_name dovecot -%define dovecot_version 2.3.8 -%define dovecot_pigeonhole_version 0.5.8 +%define dovecot_version 2.3.9.2 +%define dovecot_pigeonhole_version 0.5.9 %define dovecot_branch 2.3 %define dovecot_pigeonhole_source_dir %{pkg_name}-%{dovecot_branch}-pigeonhole-%{dovecot_pigeonhole_version} %define dovecot_pigeonhole_docdir %{_docdir}/%{pkg_name}/dovecot-pigeonhole ++++++ dovecot-2.3-pigeonhole-0.5.8.tar.gz -> dovecot-2.3-pigeonhole-0.5.9.tar.gz ++++++ ++++ 52465 lines of diff (skipped) ++++++ dovecot-2.3-pigeonhole-0.5.8.tar.gz -> dovecot-2.3.9.2.tar.gz ++++++ /work/SRC/openSUSE:Factory/dovecot23/dovecot-2.3-pigeonhole-0.5.8.tar.gz /work/SRC/openSUSE:Factory/.dovecot23.new.4691/dovecot-2.3.9.2.tar.gz differ: char 5, line 1
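Review bot: In the new dovecot23.changes entry dated Wed Dec 4 (hunk @@ -1,0 +2,116 @@), the headline says "update to 2.3.9 and pigeonhole to 0.5.9" but the sub-heading further down reads "Pigeonhole 0.5.8", so the entry does not say what changed in 0.5.9. Since the spec sets dovecot_pigeonhole_version to 0.5.9, either correct the sub-heading or add the 0.5.9 items. In the same entry, "rejcted" in the lda/lmtp item should be "rejected", and the event list is linked once as http://doc.dovecot.net/admin_manual/list_of_events.html and once under https://doc.dovecot.org/; use one host consistently. The *-login item about a user's password ending up in an error message is security-relevant and would be easier to find if it were marked as such, the way the Dec 14 entry marks CVE-2019-19722.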
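Review bot: The one-line hunk @@ -781 +897 @@ in dovecot23.changes edits an older, already published entry ("which could have" becomes "which have"), and nothing in the new 2.3.9 / 2.3.9.2 entries explains why. The change turns a statement about a possible effect on encrypt and zlib compress ostreams into a definite one, which matters to anyone reading the history to judge exposure. Drop it from this submission, or state in the new entry that the old text was corrected and on what basis.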
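Review bot: In dovecot23.spec (hunk @@ -19,11 +19,11 @@) the literal 2.3.9.2 is maintained twice, in "Version:" and in "%define dovecot_version", so a later bump can change one and miss the other, leaving the package version and the source tarball name out of step. Consider defining dovecot_version before the preamble and writing "Version: %{dovecot_version}", so the version is stated once.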
