- indexer crash if the client disconnects while waiting for command reply
  (most likely if an IMAP search triggered slow fts indexing)
- "(i_stream_read_memarea): assertion failed: (!stream->blocking)" when
  reading with lz4 compression if the header was read only partially.
CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
JWT tokens. This may be used to supply attacker-controlled keys to
validate tokens, if the attacker has local access.
CVE-2021-33515: On-path attacker could have injected plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client.
Note that some components have been removed in this release, summarised
below but check changelogs before updating. https://dovecot.org/doc/NEWS
* Remove autocreate, expire, snarf and mail-filter plugins.
  expire and autocreate can be replaced by "autoexpunge" and "auto"
  mailbox settings instead. mail-filter was a bit problematic anyway.
  snarf is not often used.
* Remove cydir storage driver.
  This was meant for benchmarking and stress testing index handling
  and is not normally used in a real server.
* Remove XZ/LZMA write support. Read support will be removed in a future release.
  If you're using XZ/LZMA then disable it for writes in your configuration
  (mailboxes can have a mixture of different types of compression, or some
  and no compression) and plan to migrate your existing storage to either
  no compression or alternative compression.
built against the exact version and this is handled correctly by PKGSPEC
but the scripts used to decide which packages to build for -stable can't
cope with this
add warnings to all the ports known to have this type of version check
DOV-3784, CVE-2020-10957: Sending malformed NOOP command causes
crash in submission, submission-login or lmtp service.
DOV-3875, CVE-2020-10958: Sending command followed by sufficient
number of newlines triggers a use-after-free bug that might crash
submission-login, submission or lmtp service.
DOV-1745, CVE-2020-10967: Sending mail with empty quoted localpart
causes submission or lmtp component to crash.
(which is not) throughout the ports Makefiles.
* Replace find|xargs with find -exec {} +
* Replace -exec {} \; with -exec {} + if applicable.
* Use the -delete operator to remove files and empty directories.
* Combine and tweak some find(1) invocations while here.
ok kn@ rsadowski@ espie@
CVE-2020-7046
lib-smtp doesn't handle truncated command parameters properly, resulting
in infinite loop taking 100% CPU for the process. This happens for LMTP
(where it doesn't matter so much) and also for submission-login where
unauthenticated users can trigger it.
CVE-2020-7957
Snippet generation crashes if:
- message is large enough that message-parser returns multiple body blocks
- The first block(s) don't contain the full snippet (e.g. full of whitespace)
- input ends with '>'
Sending specially crafted email can cause mailbox to have permanently
inaccessible mail, or the mail can be stuck in delivery.
- CVE-2019-11494: Submission-login crashed with signal 11 due to null
pointer access when authentication was aborted by disconnecting.
- CVE-2019-11499: Submission-login crashed when authentication was
started over TLS secured channel and invalid authentication message was
sent.
Remove mention about full-text search since the internal FTS indexer
was removed and it's out-of-process now. Requested by sthen@
No feedback from maintainer.
CVE-2019-10691: Trying to login with 8bit username containing invalid
UTF8 input causes auth process to crash if auth policy is enabled. This
could be used rather easily to cause a DoS. Similar crash also happens
during mail delivery when using invalid UTF8 in From or Subject header
when OX push notification driver is used.
ok brad (maintainer)
* CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted
certificate with missing username field (ssl_cert_username_field), under
some configurations Dovecot mistakenly trusts the username provided via
authentication instead of failing.
* ssl_cert_username_field setting was ignored with external SMTP
AUTH, because none of the MTAs (Postfix, Exim) currently send the
cert_username field. This may have allowed users with trusted
certificate to specify any username in the authentication. This bug
didn't affect Dovecot's Submission service.
convert ssl_protocols strings to min/max values. Patch to neuter the autoconf
check because this code doesn't work correctly (in particular it doesn't
handle strings with !SSLv2) and fallback to the old working code instead.
No reply to https://www.dovecot.org/pipermail/dovecot/2018-March/111260.html
but the code is different in Dovecot master/2.3 (it looks like they did it
this way in 2.2 so they could use the 1.1-api functions without config
changes, but it backfired).
ok Brad
protocol string to avoid using !SSLv2 which is not supported. ok juanfra@ Brad
* CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage,
causing imap-login/pop3-login VSZ limit to be reached and the process
restarted. This happens only if Dovecot config has local_name { } or local
{ } configuration blocks and attacker uses randomly generated SNI servernames.
* CVE-2017-14461: Parsing invalid email addresses may cause a crash or leak
memory contents to attacker. For example, these memory contents might contain
parts of an email from another user if the same imap process is reused for
multiple users.
* CVE-2017-15132: Aborted SASL authentication leaks memory in login process.