DOV-3784, CVE-2020-10957: Sending malformed NOOP command causes
crash in submission, submission-login or lmtp service.
DOV-3875, CVE-2020-10958: Sending command followed by sufficient
number of newlines triggers a use-after-free bug that might crash
submission-login, submission or lmtp service.
DOV-1745, CVE-2020-10967: Sending mail with empty quoted localpart
causes submission or lmtp component to crash.
This module analyzes mail objects in any of the classes handled by
Email::Abstract. It returns a Mail::ListDetector::List object
representing the mailing list.
The RFC2369 mailing list detector is also capable of matching some
Mailman and Ezmlm messages. It is deliberately checked last to allow
the more specific Mailman and Ezmlm parsing to happen first, and
more accurately identify the type of mailing list involved.
OK cwen@
Email::Filter::Rules is a simple way to route e-mail into folders
without having to touch your filter script. I used to edit my filter
script often to add or remove e-mail lists and often would fat
finger something and enter a typo. This would result in all my
e-mail bouncing and all in all would be a real bummer.
I wanted to make it syntax simple so it wouldn't end up looking
like to awful procmail recipe or some cryptic piece of junk.
OK cwen@
afresh1@ found out that the previous fix that targeted p5-Email-Filter was
actually for p5-Email-FolderType, so fix it there instead.
Module::Pluggable has been removed from core some times ago, add the module
to RUN_DEPENDS. While here make spacing consistent around '=', and add a
missing TEST_DEPENDS.
input and OK afresh1@
Module::Pluggable has been removed from core some times ago, add the module
to RUN_DEPENDS. While here remove the "BUILD_DEPENDS = ${RUN_DEPENDS}"
construct that is not needed.
OK afresh1@
* All tools now follow symlinks to mails.
* mdirs: add -a to list all subfolders, ignoring Maildir++ convention.
* mcom: add preview alias for show command.
* mrep/mbnc: allow only one message as argument.
* maddr: add -d to only print display name.
* mthread: add -r to reverse top-level order.
* mlist: print number of matches when message selection is in place.
* mpick: many improvements.
* Many bug fixes.
From Lucas (maintainer)
Enric Morales and Olivier Taïbi, ok abieber@ kmos@
Notmuch is a mail indexing program providing a fast tag-based email
reader with global search to use within a text editor.
"Notmuch is not much of an email program. It doesn't receive messages
(no POP or IMAP suport). It doesn't send messages (no mail composer,
no network code at all). And for what it does do (email search)
that work is provided by an external library, Xapian. So if Notmuch
provides no user interface and Xapian does all the heavy lifting,
then what's left here? Not much."
The code assumes that __POWERPC__ always means Mac OS, breaking the build
because we don't provide Gestalt. Change the ifdef to avoid getting it picked
up. Fix improved by Brad (thanks!)
Servers enforcing that clients send an SNI become more common.
Backport the mechanism for sending SNI from alpine 2.22.
Our new TLSv1.3 stack requires more retries than the old one
so retry SSL_write() if the API tells us to do so.
Issue reported, fix tested and "ok" procter.
ok jca sthen
Security fixes:
- Cross-Site Scripting (XSS) via malicious HTML content
- CSRF attack can cause an authenticated user to be logged out
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via crafted
'plugins' option
The latter two vulnerabilities are classified minor because they only
affect Roundcube installations with public access to the Roundcube
installer. That’s generally a high-risk situation and is expected to be
rare or practically non-existent in productive Roundcube deployments.
However, the fixes are done in core in order to also prevent from future
and yet unknown attack vectors.
Changelog at https://github.com/roundcube/roundcubemail/releases/tag/1.4.4
Alexei dot Malinin at mail dot ru reported a compiler warning that,
in my opinion, probably indicates a security vulnerability, but due
to an incomplete description of the affected feature in the
documentation, it is unclear how it should be fixed. The program
appears to be sloppily written, sloppily documented, and abandoned
upstream 15 years ago.
OK ajacoutot@ for deleting it.
