[SECURITY] Fedora 20 Update: dovecot-2.2.13-1.fc20

updates at fedoraproject.org
Sun May 18 22:56:49 UTC 2014


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-6338
2014-05-13 18:32:31
--------------------------------------------------------------------------------

Name        : dovecot
Product     : Fedora 20
Version     : 2.2.13
Release     : 1.fc20
URL         : http://www.dovecot.org/
Summary     : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind.  It also contains a small POP3 server.  It supports mail
in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

--------------------------------------------------------------------------------
Update Information:

* Fixed a DoS attack against imap/pop3-login processes. If an SSL/TLS handshake was started but wasn't finished, the login process attempted to eventually forcibly disconnect the client, but failed to do it correctly. This could have left the connections hanging around for a long time. (Affected Dovecot v1.1+)

* mdbox: Added mdbox_purge_preserve_alt setting to keep the file within alt storage during purge.

* fts: Added support for parsing attachments via Apache Tika. Enable with: plugin { fts_tika = http://tikahost:9998/tika/ }

* virtual plugin: Delay opening backend mailboxes until it's necessary. This requires mailbox_list_index=yes to work. (Currently IMAP IDLE command still causes all backend mailboxes to be opened.)

* mail_never_cache_fields=* means now to disable all caching. This may be a useful optimization as doveadm/dsync parameter for some admin tasks which shouldn't really update the cache file.

* IMAP: Return SPECIAL-USE flags always for LSUB command.

* pop3 server was still crashing in v2.2.12 with some settings

* maildir: Various fixes and improvements to handling compressed mails, especially when they have broken/missing S=sizes in filenames.

* fts-lucene, fts-solr: Fixed crash on search when the index contained duplicate entries.

* Many fixes and performance improvements to dsync and replication

* director was somewhat broken when there were exactly two directors in the ring. It caused errors about "weak users" getting stuck.

* mail_attachment_dir: Attachments with the last base64-encoded line longer than the rest weren't handled correctly.

* IMAP: SEARCH/SORT PARTIAL was handled completely wrong in v2.2.11+

* acl: Global ACL file handling was broken when multiple entries matched the mailbox name. (Only the first entry was used.)
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 12 2014 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.13-1
- dovecot updated to 2.2.13
- fixes CVE-2014-3430: denial of service through maxxing out SSL connections
- pop3 server was still crashing in v2.2.12
- maildir: Various fixes and improvements to handling compressed mails
- fts-lucene, fts-solr: Fixed crash on search when the index contained
  duplicate entries.
- mail_attachment_dir: Attachments with the last base64-encoded line
  longer than the rest weren't handled correctly.
- IMAP: SEARCH/SORT PARTIAL was handled completely wrong in v2.2.11+
- acl: Global ACL file handling was broken when multiple entries
  matched the mailbox name
* Fri Feb 14 2014 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.12-1
- dovecot updated to 2.2.12
- fixes pop3 crash
* Thu Feb 13 2014 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.11-1
- dovecot updated to 2.2.11
- imap: SEARCH/SORT PARTIAL responses may have been too large.
- doveadm backup: Fixed assert-crash when syncing mailbox deletion.
* Thu Jan  2 2014 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.10-1
- dovecot updated to 2.2.10
- quota-status: quota_grace was ignored
- ldap: Fixed memory leak with auth_bind=yes and without
  auth_bind_userdn.
- imap: Don't send HIGHESTMODSEQ anymore on SELECT/EXAMINE when
  CONDSTORE/QRESYNC has never before been enabled for the mailbox.
- imap: Fixes to handling mailboxes without permanent modseqs.
  (When [NOMODSEQ] is returned by SELECT, mainly with in-memory
  indexes.)
- imap: Various fixes to METADATA support.
- stats plugin: Processes that only temporarily dropped privileges
  (e.g. indexer-worker) may have been logging errors about not being
  able to open /proc/self/io.
* Mon Nov 25 2013 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.9-1
- improved cache file handling exposed several old bugs related to fetching
  mail headers.
- iostream handling changes were causing some connections to be disconnected
  before flushing their output
* Wed Nov 20 2013 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.8-1
- Fixed infinite loop in message parsing if message ends with
  "--boundary" and CR (without LF). Messages saved via SMTP/LMTP can't
  trigger this, because messages must end with an "LF.". A user could
  trigger this for him/herself though.
- lmtp: Client was sometimes disconnected before all the output was
  sent to it.
- replicator: Database wasn't being exported to disk every 15 minutes
  as it should have. Instead it was being imported, causing "doveadm
  replicator remove" commands to not work very well.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1096402 - CVE-2014-3430 dovecot: denial of service through maxxing out SSL connections
        https://bugzilla.redhat.com/show_bug.cgi?id=1096402
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update dovecot' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
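A fleet-side check that the installed dovecot package is at or past the fixed build for CVE-2014-3430, as an added example that is not part of this announcement. It re-implements a simplified rpm version comparison (numeric/alphabetic segments, tilde sorting low) rather than shelling out to rpmdev-vercmp; the fixed EVR 1:2.2.13-1.fc20 is taken from the ChangeLog above, and the rpm query helper is the only part that touches the host.

```python
import re
import subprocess

# Fixed build for CVE-2014-3430 from this advisory's ChangeLog (epoch 1).
FIXED_EVR = "1:2.2.13-1.fc20"
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release); a missing epoch is 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return int(epoch), version, release


def rpmvercmp(a, b):
    """Simplified rpm-style compare: returns -1, 0 or 1. Segments are compared
    pairwise, numeric beats alphabetic, and a '~' (pre-release) sorts below
    everything, including the end of the string."""
    if a == b:
        return 0
    ta, tb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(ta) == len(tb):
        return 0
    longer = ta if len(ta) > len(tb) else tb
    a_is_longer = longer is ta
    if longer[min(len(ta), len(tb))] == "~":   # "2.2.13~rc1" < "2.2.13"
        return -1 if a_is_longer else 1
    return 1 if a_is_longer else -1            # otherwise more segments wins


def compare_evr(a, b):
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_evr, fixed_evr=FIXED_EVR):
    """True when the installed dovecot EVR is at or above the fixed build."""
    return compare_evr(installed_evr, fixed_evr) >= 0


def installed_dovecot_evr():
    """Ask rpm on this host; None if rpm is missing or dovecot is not installed."""
    cmd = ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}", "dovecot"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip().replace("(none):", "0:")
```

Note that a package string without an epoch compares as epoch 0 and therefore sorts below the epoch-1 Fedora build, which is the correct rpm semantics, not a bug in the check.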

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

