If we need to make an exception we can do it and properly document the
reason but by default we should just use the default login class.
rc.d uses daemon or the login class provided in login.conf.d so this has
no impact there.
discussed with sthen@, tb@ and robert@
praying that my grep/sed skills did not break anything and still
believing in portbump :-)
CVE-2021-29157: Dovecot does not correctly escape the kid and azp fields in
JWT tokens. This may be used to supply attacker-controlled keys to
validate tokens, if the attacker has local access.
CVE-2021-33515: An on-path attacker could have injected plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client.
Note that some components have been removed in this release, summarised
below, but check the changelogs before updating. https://dovecot.org/doc/NEWS
* Remove autocreate, expire, snarf and mail-filter plugins.
expire and autocreate can be replaced by "autoexpunge" and "auto"
mailbox settings instead. mail-filter was a bit problematic anyway.
snarf is not often used.
* Remove cydir storage driver.
This was meant for benchmarking and stress testing index handling
and is not normally used in a real server.
* Remove XZ/LZMA write support. Read support will be removed in future release.
If you're using XZ/LZMA then disable it for writes in your configuration
(mailboxes can have a mixture of different types of compression, or some
and no compression) and plan to migrate your existing storage to either
no compression or alternative compression.
- CVE-2019-11494: Submission-login crashed with signal 11 due to null
pointer access when authentication was aborted by disconnecting.
- CVE-2019-11499: Submission-login crashed when authentication was
started over a TLS secured channel and an invalid authentication message was
sent.
Remove mention about full-text search since the internal FTS indexer
was removed and it's out-of-process now. Requested by sthen@
No feedback from maintainer.
protocol string to avoid using !SSLv2 which is not supported. ok juanfra@ Brad
* CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage,
causing imap-login/pop3-login VSZ limit to be reached and the process
restarted. This happens only if Dovecot config has local_name { } or local
{ } configuration blocks and attacker uses randomly generated SNI servernames.
* CVE-2017-14461: Parsing invalid email addresses may cause a crash or leak
memory contents to the attacker. For example, these memory contents might contain
parts of an email from another user if the same imap process is reused for
multiple users.
* CVE-2017-15132: Aborted SASL authentication leaks memory in login process.
* passdb/userdb dict: Don't double-expand %variables in keys. If dict
was used as the authentication passdb, specially crafted
%variables in the username could be used to cause a DoS (CVE-2017-2669).
CVE-2016-8652 (the version in 6.0 isn't affected): "If auth-policy
component has been activated in Dovecot, then remote user can use
SASL authentication to crash auth component. Workaround is to disable
auth-policy component until fix is in place."