This is a maintenance & security release.
- fixed CVE-2021-3578: possible remote code execution
- fixed crash on invalid CAPABILITY response code
- tolerate INBOX mis-casing in Path setting
OK msg
I messed this up when updating the patch from 1.3.x to 1.4.x,
found by anton the hard way.
While here, account for UserCmd the same way as for PassCmd.
- The 'isync' compatibility wrapper was removed.
- Added support for disabling TLS v1.3 - adjust SSLVersions if you set it.
- Removed support for obsolete/insecure SSL v3.
- The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
- Support for configuring a TLS cipher string was added.
- IMAP mailbox subscriptions are supported now.
- The IMAP user query can be scripted now.
- Added built-in support for macOS Keychain.
- Messages excluded by MaxSize will now result in placeholders.
- The use of Master/Slave terminology has been deprecated.
OK remi
Fixes CVE-2021-20247: reject funny mailbox names from IMAP LIST/LSUB. In
particular, '..' in the name could be used to escape the Path/Inbox of a
Maildir Store, which could be exploited for stealing or deleting data,
or staging a (mild) DoS attack.
OK kn@ (maintainer)
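The commit above describes the class of bug (a server-supplied mailbox name with a '..' component escaping the Maildir Store's Path) but not the check that was added. The following validator is an added example, not isync's code or the upstream fix: it treats a LIST/LSUB name as a relative path under the Store and rejects anything that could leave it. The hierarchy delimiter is passed in as an assumed parameter, since the page does not say how the Store obtains it.

```c
#include <stddef.h>
#include <stdio.h>

/* A mailbox name from an IMAP LIST/LSUB response is later mapped onto a
 * directory below the Maildir Store's Path.  Before that mapping, treat the
 * name as an untrusted relative path: it must be non-empty, must not start
 * with a separator (absolute path), and every component separated by the
 * server's hierarchy delimiter or '/' must be non-empty and neither "." nor
 * "..".  Returns 1 when the name is safe to use, 0 otherwise. */
static int is_sep(char c, char delim)
{
    return c == '/' || c == delim;
}

int mailbox_name_is_safe(const char *name, char delim)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (is_sep(name[0], delim))
        return 0;                       /* absolute path: "/etc" or ".foo" with delim '.' */

    const char *p = name;
    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && !is_sep(*p, delim))
            p++;
        size_t len = (size_t)(p - start);

        if (len == 0)
            return 0;                   /* empty component: "a//b" */
        if (len == 1 && start[0] == '.')
            return 0;                   /* "." */
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return 0;                   /* ".." would climb out of Path */

        if (*p != '\0') {
            p++;                        /* skip the separator */
            if (*p == '\0')
                return 0;               /* trailing separator: "a/" */
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names, as a server might return them in LIST. */
    const char *names[] = { "INBOX", "INBOX/Archive/2021", "..",
                            "INBOX/../../.ssh", "/etc", "a//b" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s %s\n", names[i],
               mailbox_name_is_safe(names[i], '/') ? "ok" : "rejected");
    return 0;
}
```

The check is deliberately conservative: with a '.' delimiter a name such as "..x" is rejected because it yields empty components, which is the right outcome for a Maildir layout even though the server might consider it valid.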
A minor maintenance release:
- fixed PassCmd for even bigger XOAUTH2 tokens
- fixed crash on syncing multiple Channels which refer to different
Stores which use a common IMAPAccount
- fixed crash on IMAP connection breaking down while using -Dd
On timestamps such as " 4-Mar-2018 16:49:25 -0500", mbsync would abort if
the Channel option `CopyArrivalDate' was set.
The IMAP protocol specifies a date format beginning with a day-of-month
space-padded to two characters. The "%d" specifier in glibc's strptime(3)
will consume a space-padded day of month, but OpenBSD's "%d" only accepts
leading zeroes.
Prodded by this issue, our strptime(3) now strips leading spaces with "%e"
as of lib/libc/time/strptime.c r1.25.
Found, analysed and patch (using "%n%d" instead of "%e") from
Evan Silberman <evan at jklol dot net>, thanks!
Only required for password prompting when neither `Pass' nor `PassCmd' is
specified but added unconditionally for the sake of simplicity as suggested
by jca.
OK jca
LibreSSL 2.7.1 started providing X509_OBJECT_get0_X509 and
X509_STORE_get0_objects, so use them.
While here fix a format string warning (%hu vs %d).
ok kn@ (maintainer)
- don't crash if neither host nor tunnel are specified
- give the implicitly created imap account config the name of the store
- handle failure to store messages
- don't hang after failed start_tls
- deal with UIDVALIDITY of 0 properly
- fix memory access error (used memcpy for overlapping regions)
While here, GROFF is not needed and the patch was applied upstream.
Ok giovanni@