[SECURITY] Fedora 19 Update: dovecot-2.2.13-1.fc19

updates at fedoraproject.org
Tue Jun 17 23:38:27 UTC 2014


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-6331
2014-05-13 18:32:16
--------------------------------------------------------------------------------

Name        : dovecot
Product     : Fedora 19
Version     : 2.2.13
Release     : 1.fc19
URL         : http://www.dovecot.org/
Summary     : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind.  It also contains a small POP3 server.  It supports mail
in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

--------------------------------------------------------------------------------
Update Information:

* Fixed a DoS attack against imap/pop3-login processes. If an SSL/TLS handshake was started but wasn't finished, the login process attempted to eventually forcibly disconnect the client, but failed to do it correctly. This could have left the connections hanging around for a long time. (Affected Dovecot v1.1+)

* mdbox: Added mdbox_purge_preserve_alt setting to keep the file within alt storage during purge.

* fts: Added support for parsing attachments via Apache Tika. Enable with: plugin { fts_tika = http://tikahost:9998/tika/ }

* virtual plugin: Delay opening backend mailboxes until it's necessary. This requires mailbox_list_index=yes to work. (Currently IMAP IDLE command still causes all backend mailboxes to be opened.)

* mail_never_cache_fields=* means now to disable all caching. This may be a useful optimization as doveadm/dsync parameter for some admin tasks which shouldn't really update the cache file.

* IMAP: Return SPECIAL-USE flags always for LSUB command.

* pop3 server was still crashing in v2.2.12 with some settings.

* maildir: Various fixes and improvements to handling compressed mails, especially when they have broken/missing S=sizes in filenames.

* fts-lucene, fts-solr: Fixed crash on search when the index contained duplicate entries.

* Many fixes and performance improvements to dsync and replication.

* director was somewhat broken when there were exactly two directors in the ring. It caused errors about "weak users" getting stuck.

* mail_attachment_dir: Attachments with the last base64-encoded line longer than the rest weren't handled correctly.

* IMAP: SEARCH/SORT PARTIAL was handled completely wrong in v2.2.11+.

* acl: Global ACL file handling was broken when multiple entries matched the mailbox name. (Only the first entry was used.)
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 12 2014 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.13-1
- dovecot updated to 2.2.13
- fixes CVE-2014-3430: denial of service through maxing out SSL connections
- pop3 server was still crashing in v2.2.12
- maildir: Various fixes and improvements to handling compressed mails
- fts-lucene, fts-solr: Fixed crash on search when the index contained
  duplicate entries.
- mail_attachment_dir: Attachments with the last base64-encoded line
  longer than the rest weren't handled correctly.
- IMAP: SEARCH/SORT PARTIAL was handled completely wrong in v2.2.11+
- acl: Global ACL file handling was broken when multiple entries
  matched the mailbox name
* Fri Feb 14 2014 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.12-1
- dovecot updated to 2.2.12
- fixes pop3 crash
* Thu Feb 13 2014 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.11-1
- dovecot updated to 2.2.11
- imap: SEARCH/SORT PARTIAL responses may have been too large.
- doveadm backup: Fixed assert-crash when syncing mailbox deletion.
* Thu Jan  2 2014 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.10-1
- dovecot updated to 2.2.10
- quota-status: quota_grace was ignored
- ldap: Fixed memory leak with auth_bind=yes and without
  auth_bind_userdn.
- imap: Don't send HIGHESTMODSEQ anymore on SELECT/EXAMINE when
  CONDSTORE/QRESYNC has never before been enabled for the mailbox.
- imap: Fixes to handling mailboxes without permanent modseqs.
  (When [NOMODSEQ] is returned by SELECT, mainly with in-memory
  indexes.)
- imap: Various fixes to METADATA support.
- stats plugin: Processes that only temporarily dropped privileges
  (e.g. indexer-worker) may have been logging errors about not being
  able to open /proc/self/io.
* Mon Nov 25 2013 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.9-1
- improved cache file handling exposed several old bugs related to fetching
  mail headers.
- iostream handling changes were causing some connections to be disconnected
  before flushing their output
* Wed Nov 20 2013 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.8-1
- Fixed infinite loop in message parsing if message ends with
  "--boundary" and CR (without LF). Messages saved via SMTP/LMTP can't
  trigger this, because messages must end with an "LF.". A user could
  trigger this for him/herself though.
- lmtp: Client was sometimes disconnected before all the output was
  sent to it.
- replicator: Database wasn't being exported to disk every 15 minutes
  as it should have. Instead it was being imported, causing "doveadm
  replicator remove" commands to not work very well.
* Thu Nov 14 2013 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.7-2
- fix ostream infinite loop (#1029906)
* Mon Nov  4 2013 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.7-1
- dovecot updated to 2.2.7
- master process was doing a hostname.domain lookup for each created
  process, which may have caused a lot of unnecessary DNS lookups.
- dsync: Syncing over 100 messages at once caused problems in some
  situations, causing messages to get new UIDs.
- fts-solr: Different Solr hosts for different users didn't work.
* Thu Oct 17 2013 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.6-1
- dovecot updated to 2.2.6, pigeonhole updated to 0.4.2
- director: v2.2.5 changes caused "SYNC lost" errors
- dsync: Many fixes and error handling improvements
- doveadm -A: Don't waste CPU by doing a separate config lookup
  for each user
- Long-running ssl-params process no longer prevents Dovecot restart
- mbox: Fixed mailbox_list_index=yes to work correctly
* Wed Aug  7 2013 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.5-1
- dovecot updated to 2.2.5
- added some missing man pages (by Pascal Volk)
- director: Users near expiration could have been redirected to
  different servers at the same time.
- pop3: Avoid assert-crash if client disconnects during LIST.
- mdbox: Corrupted index header still wasn't automatically fixed.
- dsync: Various fixes to work better with imapc and pop3c storages.
- ldap: sasl_bind=yes caused crashes, because Dovecot's lib-sasl
  symbols conflicted with Cyrus SASL library.
* Wed Jul 10 2013 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.4-2
- fix name conflict with cyrus-sasl (#975869)
* Wed Jun 26 2013 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.4-1
- dovecot updated to 2.2.4
- imap/pop3 proxy: Master user logins were broken in v2.2.3
- sdbox/mdbox: A corrupted index header with wrong size was never
  automatically fixed in v2.2.3.
- mbox: Fixed assert-crashes related to locking.
* Mon Jun 17 2013 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.3-1
- dovecot updated to 2.2.3
- IMAP: If subject contained only whitespace, Dovecot returned an
  ENVELOPE reply with a huge literal value, effectively causing the
  IMAP client to wait for more data forever.
- IMAP: Various URLAUTH fixes.
- imapc: Various bugfixes and improvements
- pop3c: Various fixes to make it work in dsync (without imapc)
- dsync: Fixes to syncing subscriptions. Fixes to syncing mailbox
  renames.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1096402 - CVE-2014-3430 dovecot: denial of service through maxxing out SSL connections
        https://bugzilla.redhat.com/show_bug.cgi?id=1096402
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update dovecot' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
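After updating, a quick way to confirm the installed build is outside the affected range is to classify its version string against the CVE-2014-3430 range given in the Update Information (affected from v1.1, fixed in 2.2.13). The following shell example is added here and is not from the Fedora notice or the Dovecot project; the version strings it runs on are constructed samples.

```shell
# Added example, not part of the Fedora notice: classify a Dovecot
# version string against the CVE-2014-3430 range stated in the notice
# (affected from v1.1, fixed in 2.2.13). Input may carry an RPM epoch or
# release ("1:2.2.13-1.fc19") or a build-hash suffix ("2.2.13 (abc)").

# vercmp A B: prints -1, 0 or 1 for dotted numeric versions (POSIX awk).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0   # missing components count as 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# dovecot_cve_2014_3430_status VERSION: prints unaffected, vulnerable or fixed.
dovecot_cve_2014_3430_status() {
    # drop an epoch prefix ("1:") and anything after the numeric version
    v=$(printf '%s' "$1" | sed 's/^[^:]*://; s/[^0-9.].*//')
    if [ "$(vercmp "$v" 1.1)" -lt 0 ]; then
        echo unaffected
    elif [ "$(vercmp "$v" 2.2.13)" -lt 0 ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Demonstration on constructed version strings. On a real host feed in
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' dovecot   or   dovecot --version
for v in "2.2.12-1.fc19" "1:2.2.13-1.fc19" "2.2.13 (cafebabe)" "1.0.15"; do
    echo "$v -> $(dovecot_cve_2014_3430_status "$v")"
done
```

The check matches this notice because Fedora ships the fix as an upstream version bump; other distributions sometimes backport fixes without changing the version number, so for those builds the vendor advisory, not the version string, is authoritative.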

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

