Since redmine requires mini_mime < 1.1, update to latest 1.0.3.
1.0.3 (2021-03-26)
* Update mime types from upstream
Postfix stable release 3.6.0 is available. This ends the support
for legacy release Postfix 3.2.
The main changes are below. See the RELEASE_NOTES file for further
details.
Incompatible changes:
* This release requires "postfix stop" before updating, or before
backing out to an earlier release, because some internal protocols
have changed. Otherwise, long-running daemons (pickup, qmgr,
verify, tlsproxy, postscreen) may fail to communicate with the
rest of Postfix, causing mail delivery delays until Postfix is
restarted.
* Respectful logging. Postfix version 3.6 deprecates terminology
that implies white is better than black. Instead, Postfix prefers
'allowlist', 'denylist', and variations on those words. This
change affects Postfix documentation, and postscreen parameters
and logging.
To keep the old postscreen logging set "respectful_logging =
no" in main.cf before setting "compatibility_level = 3.6". In
any case, the old postscreen parameter names will keep working
as before.
Other changes:
* The minimum supported OpenSSL version is 1.1.1, which will reach
the end of life by 2023-09-11. Postfix 3.6 is expected to reach
the end of support in 2025. Until then, Postfix will be updated
as needed for compatibility with OpenSSL.
The default fingerprint digest has changed from md5 to sha256
(Postfix 3.6 with compatibility_level >= 3.6). With a lower
compatibility_level setting, Postfix defaults to using md5, and
logs a warning when a Postfix configuration specifies no explicit
digest type.
The export-grade Diffie-Hellman key exchange is no longer
supported, and the tlsproxy_tls_dh512_param_file parameter is
ignored.
* Better error messages when someone configures an incorrect
program in master.cf. To recognize such mistakes, every Postfix
internal service, including the postdrop command, announces the
name of its protocol before doing any other I/O, and every
Postfix client program, including the Postfix sendmail command,
will verify that the protocol name matches what it expects.
* Fine-grained control over the envelope sender address for
submission with the Postfix sendmail (or postdrop) commands.
Example:
/etc/postfix/main.cf:
# Allow root and postfix full control, anyone else can only
# send mail as themselves. Use "uid:" followed by the numerical
# UID when the UID has no entry in the UNIX password file.
local_login_sender_maps =
inline:{ { root = *}, { postfix = * } },
pcre:/etc/postfix/login_senders
/etc/postfix/login_senders:
# Allow both the bare username and the user@domain forms.
/(.+)/ $1 $1@example.com
* Threaded bounces. This allows mail readers to present a
non-delivery, delayed delivery, or successful delivery notification
in the same email thread as the original message.
Unfortunately, this also makes it easy for users to mistakenly
delete the whole email thread (all related messages), instead
of deleting only the delivery status notification.
To enable, specify "enable_threaded_bounces = yes".
* Postfix by default no longer uses the services(5) database to
look up the TCP ports for SMTP and LMTP services. Instead, this
information is configured with the new known_tcp_ports configuration
parameter (default: lmtp=24, smtp=25, smtps=submissions=465,
submission=587). When a service is not specified in known_tcp_ports,
Postfix will still query the services(5) database.
* Starting with Postfix version 3.6, the compatibility level is
"3.6". In future Postfix releases, the compatibility level will
be the Postfix version that introduced the last incompatible
change. The level is formatted as 'major.minor.patch', where
'patch' is usually omitted and defaults to zero. Earlier
compatibility levels are 0, 1 and 2.
This also introduces main.cf and master.cf support for the
<=level, < level, and other operators to compare compatibility
levels. With the standard <=, <, etc. operators, compatibility
level 3.10 would be less than 3.9, which is undesirable.
change
Changes since 1.4.0 from the RELEASE_NOTES file
NOTE: In response to CVE-2019-20790, opendmarc has changed
how it evaluates headers added by previous
SPF milters. Users are encouraged to read the
CVE-2019-20790 file in the "SECURITY" folder
for more details. (#49, #158). Originally reported by
Jianjun Chen, feedback by Simon Wilson and
David Bürgin <dbuergin@gluet.ch>.
NOTE: OpenDMARC's internal SPF handling will be removed
in a future version. Users are encouraged to
build linked against libspf2. Many pre-built
packages provided by OS packagers already do this.
(See https://www.libspf2.org)
Addition of defines for MUSL C Library. (#129/#133). Patches by
Marco Rebhan.
Updated opendmarc.conf manpage and opendmarc.conf.sample to point to
https://publicsuffix.org/list/.
Added a CONTRIBUTING document.
Fix two #ifdefs in arc functions for strlcpy. (#138). Reported by
Leo Bicknell.
Fixes to MySQL Schema (#98/#99). Patch by Bond Keevil.
LIBSPF2 calls would not compile on OpenBSD due to OpenBSD not
having the ns_type definition in arpa/resolv.h.
Added detection to configure script. (#134)
Reworked hcreate_r calls to use hcreate, to compile natively on
OpenBSD and MacOS. (Part of #94) Reported by Rupert
Gallagher.
Add compatibility with AutoConf 2.70. (#95)
Documentation updates about SourceForge being deprecated. (#101)
Only accept results from Received-SPF fields that indicate clearly
which identifier was being evaluated, since DMARC specifically
only wants results based on MAIL FROM.
Many build-time fixes (#100, #91, #90, #86, #85, #84, #83, #82, #81)
Patches provided by Rupert Gallagher (ruga@protonmail.com)
Added config option HoldQuarantinedMessages (default false), which
controls if messages with p=quarantine will be passed on to
the mail stream (if False) or placed in the MTA's "hold"
queue (if True). Issue #105. Patch by Marcos Moraes, on
the OpenDMARC mailing list.
Remove "--with-wall" from "configure". Suggested by Leo Bicknell.
LIBOPENDMARC: Fix bug #50: Ignore all RRTYPEs other than TXT.
Problem reported by Jan Bouwhuis.
LIBOPENDMARC: Fix bug #89: Repair absurd RRTYPE test in SPF code.
LIBOPENDMARC: Fix bug #104: Fix bogus header field parsing code.
LIBOPENDMARC: Fix bug #161: Don't pass the client IP address through
htonl() since it's already in network byte order. This
was causing SPF errors when the internal SPF
implementation was in use.
LIBOPENDMARC: Fix numerous problems with the internal SPF
implementation.
S-nail (later S-mailx) provides a simple and friendly environment for
sending and receiving mail. It is intended to provide the functionality
of the POSIX mailx(1) command, but is MIME capable and optionally offers
extensions for line editing, S/MIME, SMTP and POP3, among others.
It divides incoming mail into its constituent messages and allows the
user to deal with them in any order, offers many commands and variables
for manipulating messages and sending mail, as well as line editing, and
increasingly powerful scripting capabilities.
upstream changes:
-----------------
fetchmail-6.4.19 (released 2021-04-24, 30026 LoC):
# CHANGE:
* fetchmailconf: properly catch and report option parsing errors
# BUG FIX:
* LMTP: do not try to validate the last component of a UNIX-domain LMTP socket
as though it were a TCP port. Reported by Christoph Heitkamp, Gitlab issue #33.
# TRANSLATION UPDATE:
This fine person has contributed an updated translation:
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
--------------------------------------------------------------------------------
fetchmail-6.4.18 (released 2021-03-27, 30011 LoC):
# REGRESSION FIX:
* fetchmailconf: fetchmail 6.4.16 added --sslcertfile to the configuration dump,
but fetchmailconf support was incomplete in Git 7349f124 and it could not
parse sslcertfile, thus the user settings editor came up empty with console
errors printed. Fix configuration parser in fetchmailconf.
# ROBUSTNESS FIXES:
* fetchmailconf: do not require fetchmail for -V; do not require Tk (Tkinter)
for -d option. This is to fail more gracefully on incomplete installs.
* TLS code: remove OPENSSL_NO_DEPRECATED macros to avoid portability issues
with OpenSSL v3 - these are for development purposes, not production.
* TLS futureproofing: use SSL_use_PrivateKey_file instead of
SSL_use_RSAPrivateKey_file, the latter will be deprecated with OpenSSL v3,
and the user's key file might be something else than RSA.
# TRANSLATION UPDATE:
This fine person has contributed an updated translation:
* fi: Lauri Nurmi [Finnish]
--------------------------------------------------------------------------------
fetchmail-6.4.17 (released 2021-03-07, 29998 LoC):
# BUG FIXES
* IMAP client: it used to leak memory for username and password when trying
the LOGIN (password-based) authentication and encountered a timeout situation.
* dist-tools/getstats.py: also counts lines in *.py files, shown above.
# CHANGES
* fetchmail.man: now mentions that you may need to add --ssl when specifying
a TLS-wrapped port.
* fetchmailconf: --version (-V) now prints the Python version in use.
# TRANSLATION UPDATE:
This fine person has contributed an updated translation:
* ja: Takeshi Hamasaki [Japanese]
--------------------------------------------------------------------------------
fetchmail-6.4.16 (released 2021-02-08, 27707 LoC):
# BUG FIXES
* fetchmail's --configdump, and fetchmailconf, lacked support for the
sslcertfile option. --configdump support added by Earl Chew,
Gitlab issue #25, merge request !28.
* fetchmail's manual page was never updated to reflect 6.2.5's change about the
duplicate-killer code for multidrop mode, which read
"* Dup-killer code now keys on an MD5 hash of the raw headers."
...instead of just the Message-ID. [commit 9dd8400, 2003-10-10 by esr]
The manual page was now updated accordingly and documents
historic behaviour:
start to 5.0.7 no duplicate suppression;
5.0.8 to 6.2.4 duplicate suppression only by Message-ID;
6.2.5 to 6.4.X duplicate suppression by entire raw header.
Manpage bug found by Julian Bane debugging "duplicate message" behaviour.
* ./configure no longer runs AC_LIB_LINKFLAGS (how to link) checks
when called --without-ssl
# FEATURES
* fetchmail --version [fetchmail -V] now queries and prints the SSL/TLS
library's "SSL default trusted certificate" file or directory (mind the word
"default"), where the OpenSSL-compatible TLS implementation will look for
trusted root, meaning certification authority (CA), certificates.
NOTE 1: watch the output carefully if the line prints the defaults
or the configured path (without "default").
NOTE 2: SSL_CERT_DIR and SSL_CERT_FILE are documented environment variables
for OpenSSL 1.1.1 to override the *default* locations (those compiled into
OpenSSL or possibly in its configuration file).
This was added when Gene Heskett was debugging his setup and the
information "where does OpenSSL look" was missing.
* fetchmail --version now prints version of the OpenSSL library that
it was compiled against, and that it is using at runtime, and also
the OPENSSL_DIR and OPENSSL_ENGINES_DIR (if available).
# TRANSLATION UPDATES
These fine people have contributed updated translations for fetchmail,
in no particular order:
* sq: Besnik Bleta [Albanian]
* eo: Keith Bowes [Esperanto]
* cs: Petr Pisar [Czech]
* pl: Jakub Bogusz [Polish]
* sv: Göran Uddeborg [Swedish]
* fr: Frédéric Marchal [French]
* Sync with mail/thunderbird-78.10.2.
Changelog:
78.10.2
What's New
Added support for importing OpenPGP keys without a primary secret key
Add-ons manager displays a preferences icon for mail extensions that include an
options page
Fixes
OpenPGP messages with a high compression ratio (over 10x) could not be
decrypted
Selected OpenPGP key was lost after opening the Key Properties dialog in
Account Settings
Parsing some OpenPGP user IDs failed
Various improvements to OpenPGP partial encryption reminders
Troubleshooting information page did not display row labels on macOS
Mail toolbar buttons were too big when displaying both icons and text
Various security fixes
Security fixes:
#CVE-2021-29957: Partial protection of inline OpenPGP message not indicated
#CVE-2021-29956: Thunderbird stored OpenPGP secret keys without master password
protection
78.10.1
Changes
Removed the fix for bug 1689804 introduced in Thunderbird 78.9.0, restoring the
previous behavior
Fixes
Various security fixes
Security fixes:
#CVE-2021-29951: Thunderbird Maintenance Service could have been started or
stopped by domain users
Fix long -> time_t
pkgsrc changes:
---------------
* Change HOMEPAGE since the development lead is now on Github.
* Add a composer.lock file to avoid PLIST breaking each time a dependency
is updated.
upstream changes:
-----------------
Version 4.1.1 (to 4.1.0)
o Fix: A fatal error would be raised when a password could not be decrypted,
only on photo download. This would not be notable to the user (except for
the photo not being displayed), but show up in the logs.
o Fix #339: Allow adding public/shared addressbooks by giving full URL.
Discovery is still used if the given URL does not point to an addressbook
directly, or points to an addressbook inside the user's addressbook home.
Version 4.1.0 (to 4.0.4)
o Fix: Prefer labels from X-ABLabel extension if available over standard
labels
o Fix #317: Support specification of department with empty organization
o Support several levels of departments separated by semicolon that end up as
structured value in the VCard
o Fix #318: Some attributes (e.g. gender) could not be deleted when updating
a contact
o Fix #53: Only create displayname when not present in VCard / not provided
by roundcube
o Fix #325: Roundcube setting for contact sorting field was not used
o Fix #279: More specific error message when syntactically wrong URL is
entered for new addressbook
o Fix #328: Contact search with MySQL might not have returned all results
o Fix #332: When adding a new contact via "add to addressbook" from mail
view, the email address was missing in the new card
o New: Download externally referenced photos on demand, drastically speeding
up sync when photos are stored separately from the VCard (e.g.
iCloud). For details see #247.
o New: Support for instant messaging data fields and maiden name (resolves
#46). Interoperability with other CardDAV clients suffers some caveats, but
I tried my best to achieve maximum possible interoperability. See IMPP.md
for the gory details.
o Removed a workaround that appears to have been needed in the past to provide
address data to the calendar plugin. It seems this is no longer the case
for current versions of calendar.
Changelog:
Notmuch 0.32.1 (2021-05-15)
===========================
General
-------
Restore handling of relative values for `database.path` that was
broken by 0.32. Extend this handling to `database.mail_root`,
`database.backup_dir`, and `database.hook_dir`.
Reload certain metadata from Xapian database in
notmuch_database_reopen. This fixes a bug when adding messages to the
database in a pre-new hook.
Fix default of `$HOME/mail` for `database.path`. In release 0.32, this
default worked only in "notmuch config".
Emacs
-----
Restore the dynamically bound variables `tag-changes` and `query` in
`notmuch-before-tag-hook` and `notmuch-after-tag-hook`.
* Fix crash on html-mail entries with no URL
NFCI.
Bumps PKGREVISION.
Real changes are in www/ruby-actionpack61 only.
## Rails 6.1.3.2 (May 05, 2021) ##
* Prevent open redirects by correctly escaping the host allow list
CVE-2021-22903
* Prevent catastrophic backtracking during mime parsing
CVE-2021-22902
* Prevent regex DoS in HTTP token authentication
CVE-2021-22904
* Prevent string polymorphic route arguments.
`url_for` supports building polymorphic URLs via an array
of arguments (usually symbols and records). If a developer passes a
user input array, strings can result in unwanted route helper calls.
CVE-2021-22885
*Gannon McGibbon*
Real changes are in www/ruby-actionpack60 only.
## Rails 6.0.3.7 (May 05, 2021) ##
* Prevent catastrophic backtracking during mime parsing
CVE-2021-22902
* Prevent regex DoS in HTTP token authentication
CVE-2021-22904
* Prevent string polymorphic route arguments.
`url_for` supports building polymorphic URLs via an array
of arguments (usually symbols and records). If a developer passes a
user input array, strings can result in unwanted route helper calls.
CVE-2021-22885
*Gannon McGibbon*
This release fixes several bugs, including a $imap_qresync bug. If you use
that feature, please do upgrade.
This includes a number of serious security fixes (one of which was
included in a now obsoleted pkgsrc patch)
CVE-2020-28016
CVE-2020-BDATA
CVE-2020-EXOPT
CVE-2020-PFPSN
CVE-2020-RCPTL
CVE-2020-SLCWD
CVE-2020-SPRSS
Since Exim version 4.94
-----------------------
JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used
as arguments, so an implementation trying to copy these into a local
buffer was taking a taint-enforcement trap. Fix by using dynamically
created buffers. Similar fix for radius expansion condition.
JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is
reasonable, eg. to count headers. Fix by using dynamically created
buffers rather than a local. Do similar fixes for ACL actions "dcc",
"log_reject_target", "malware" and "spam"; the arguments are expanded
so could be handling tainted values.
JH/04 Bug 2590: Fix -bi (newaliases). A previous code rearrangement had
broken the (no-op) support for this sendmail command. Restore it
to doing nothing, silently, and returning good status.
JH/05 Bug 2593: Fix "vacation" in Exim filter. Previously, when a "once"
record path was given (or the default used) without a leading directory
path, an error occurred on trying to open it. Use the transport's working
directory.
JH/06 Bug 2594: Change the name used for certificate name checks in the smtp
transport. Previously it was the name on the DNS A-record; use instead
the head of the CNAME chain leading there (if there is one). This seems
to align better with RFC 6125.
JH/07 Bug 2597: Fix a resource leak. Using a lookup in obtaining a value for
smtp_accept_max_per_host allocated resources which were not released
when the limit was exceeded. This eventually crashed the daemon. Fix
by adding a release action in that path.
JH/08 Bug 2598: Fix verify ACL condition. The options for the condition are
expanded; previously using tainted values was rejected. Fix by using
dynamically-created buffers.
JH/10 Bug 2603: Fix coding of string copying to only evaluate arguments once.
Previously a macro used one argument twice; when called with the
argument as an expression having side-effects, incorrect operation
resulted. Use an inlineable function.
JH/11 Bug 2604: Fix request to cutthrough-deliver when a connection is already
held open for a verify callout. Previously this was not accounted for
and a corrupt onward SMTP conversation resulted.
JH/13 Fix dsearch "subdir" filter to ignore ".". Previously only ".." was
excluded, not matching the documentation.
JH/14 Bug 2606: Fix a segfault in sqlite lookups. When no, or a bad, filename
was given for the sqlite_dbfile a trap resulted.
JH/15 Bug 2620: Fix "spam" ACL condition. Previously, tainted values for the
"name" argument resulted in a trap. There is no reason to disallow such;
this was a coding error.
JH/16 Bug 2615: Fix pause during message reception, on systems that have been
suspended/resumed. The Linux CLOCK_MONOTONIC does not account for time
spent suspended, ignoring the Posix definition. Previously we assumed
it did and a constant offset from real time could be used as a correction.
Change to using the same clock source for the start-of-message and the
post-message next-tick-wait. Also change to using CLOCK_BOOTTIME if it
exists, just to get a clock slightly more aligned to reality.
JH/17 Bug 2295: Fix DKIM signing to always semicolon-terminate. Although the
RFC says it is optional some validators care. The missing char was not
intended but triggered by a line-wrap alignment. Discovery and fix by
Guillaume Outters, hacked on by JH.
JH/18 Bug 2617: Fix a taint trap in parse_fix_phrase(). Previously when the
name being quoted was tainted a trap would be taken. Fix by using
dynamically created buffers. The routine could have been called by a
rewrite with the "h" flag, by using the "-F" command-line option, or
by using a "name=" option on a control=submission ACL modifier.
JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion.
Previously when a whitespace character was specified it was not inserted
after removing the newline.
JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for
is_tainted() had an off-by-one error in the overenthusiastic direction.
Find and fix by Gavan. Although NetBSD is not a supported platform for
4.94 this bug could affect other platforms.
JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be
the domain part of the recipient address. This overrides any tls_sni
option set, which was previously used.
JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI
in quotes.
JH/26 Bug 2646: fix a memory usage issue in ldap lookups. Previously, when more
than one server was defined and depending on the platform memory layout
details, an internal consistency trap could be hit while walking the list
of servers.
JH/27 Bug 2648: fix the passing of an authenticator public-name through spool
files. The value is used by the authresults expansion item. Previously
if this was used in a router or transport, a crash could result.
JH/30 Bug 2677: fix matching of long addresses. Since 4.93 a limit of 256 was
applied. This resulted, if any header-line rewrite rules were configured,
in a panic-log triggerable by sending a message with a long address in
a header. Fix by increasing the arbitrary limit to larger than a single
(dewrapped) 5322 header line maximum size.
JH/31 The ESMTP option name advertised for the SUPPORT_EARLY_PIPE build option
is changed from X_PIPE_CONNECT to PIPE_CONNECT. This is in line with
RFC 6648 which deprecates X- options in protocols as a general practice.
Changeover between the implementations is handled by the mechanisms
already coded.
JH/32 Bug 2599: fix delay of delivery to a local address where there is also
a remote which uses callout/hold. Previously the local was queued.
JH/33 Fix a taint trap in the ${listextract } expansion when the source data
was tainted.
JH/35 Bug 2343: Harden exim_tidydb against corrupt wait- files.
JH/36 Bug 2687: Fix interpretation of multiple ^ chars in a plaintext
authenticator client_send option. Previously the next char, after a pair
was collapsed, was taken verbatim (so ^^^foo became ^^foo; ^^^^foo became
^^\x00foo). Fixed to get ^\x00foo and ^^foo respectively to match the
documentation. There is still no way to get a leading ^ immediately
after a NUL (ie. for the password of a PLAIN method authenticator).
JH/39 Bug 2691: fix $local_part_data. When the matching list element
referred to a file, bad data was returned. This likely also affected
$domain_part_data.
JH/41 Fix daemon SIGHUP on FreeBSD. Previously, a named socket for IPC was
left undeleted; the attempt to re-create it then failed - resulting in
the usual "SIGHUP to have daemon reload configuration" to not work.
This affected any platform not supporting "abstract" Unix-domain
sockets (i.e. not Linux).
JH/42 Bug 2692: Harden against a peer which reneges on a 452 "too many
recipients" response to RCPT in a later response, with a 250. The
previous coding assumed this would not happen, and under PIPELINING
would result in both lost and duplicate recipients for a message.
JH/43 Bug 2694: Fix weighted distribution of work to multiple spamd servers.
Previously the weighting was incorrectly applied. Similar fix for socks
proxies. Found and fixed by Heiko Schlichting.
JH/44 Bug 2701: Fix list-expansion of dns_ipv4_lookup. Previously, it did
not handle sub-lists included using the +namedlist syntax. While
investigating, the same found for dns_trust_aa, dns_again_means_nonexist,
dnssec_require_domains, dnssec_request_domains, srv_fail_domains,
mx_fail_domains.
HS/01 Enforce absolute PID file path name.
HS/02 Handle SIGINT as we handle SIGTERM: terminate the Exim process.
PP/01 Add a too-many-bad-recipients guard to the default config's RCPT ACL.
PP/02 Bug 2643: Correct TLS DH constants.
A missing NUL termination in our code-generation tool had led to some
incorrect Diffie-Hellman constants in the Exim source.
Reported by kylon94, code-gen tool fix by Simon Arlott.
PP/03 Impose security length checks on various command-line options.
Fixes CVE-2020-SPRSS reported by Qualys.
PP/04 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX
better. Reported by Qualys.
PP/05 Fix security issue CVE-2020-PFPSN and guard against cmdline invoker
providing a particularly obnoxious sender full name.
Reported by Qualys.
PP/06 Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()
PP/07 Refuse to allocate too little memory, block negative/zero allocations.
Security guard.
PP/08 Change default for recipients_max from unlimited to 50,000.
PP/09 Fix security issue with too many recipients on a message (to remove a
known security problem if someone does set recipients_max to unlimited,
or if local additions add to the recipient list).
Fixes CVE-2020-RCPTL reported by Qualys.
PP/10 Fix security issue in SMTP verb option parsing
Fixes CVE-2020-EXOPT reported by Qualys.
PP/11 Fix security issue in BDAT state confusion.
Ensure we reset known-good where we know we need to not be reading BDAT
data, as a general case fix, and move the places where we switch to BDAT
mode until after various protocol state checks.
Fixes CVE-2020-BDATA reported by Qualys.
HS/03 Die on "/../" in msglog file names
QS/01 Creation of (database) files in $spool_dir: only uid=0 or the uid of
the Exim runtime user are allowed to create files.
QS/02 PID file creation/deletion: only possible if uid=0 or uid is the Exim
runtime user.
QS/03 When reading the output from interpreted forward files we do not
pass the pipe between the parent and the interpreting process to
executed child processes (if any).
QS/04 Always die if requested from internal logging, even if logging is
disabled.
Changelog:
Notmuch 0.32 (2021-05-02)
=========================
General
-------
This release includes a significant overhaul of the configuration
management facilities for notmuch. The previous distinction between
configuration items that can be modified via plain text configuration
files and those that must be set in the database via the "notmuch
config" subcommand is gone, and all configuration items can be set in
both ways. The external configuration file overrides configuration
items in the database. The location of database, hooks, and
configuration files is now more flexible, with several new
configuration variables. In particular XDG locations are now supported
as fallbacks for database, configuration and hooks. For more
information see `notmuch-config(1)`.
Library
-------
To support the new configuration facilities, several functions and
constants have been added to the notmuch API. Most notably:
- `notmuch_database_create_with_config`
- `notmuch_database_open_with_config`
- `notmuch_database_load_config`
- `notmuch_config_get`
A previously requested API change is that `notmuch_database_reopen` is
now exposed (and generalized).
The previously severe slowdowns from large numbers of calls to
notmuch_database_remove_message or notmuch_message_delete in one
session have been fixed.
As always, the canonical source of API documentation is
`lib/notmuch.h`, or the doxygen formatted documentation in `notmuch(3)`
CLI
---
The `notmuch config set` subcommand gained a `--database` argument to
specify that the database should be updated, rather than a config file.
The speed of `notmuch new` and `notmuch reindex` in dealing with large
numbers of mail file deletions is significantly improved.
Emacs
-----
Completion related updates include: de-duplicating tags offered for
completion, use the actual initial input in address completion, allow
users to opt out of notmuch address completion, and do not force Ido
when prompting for senders.
Some keymaps used to contain bindings for unnamed commands. These
lambda expressions have been replaced by named commands (symbols), to
ease customization.
Lexical binding is now used in all notmuch-emacs libraries.
Fix bug in calling `notmuch-mua-mail` with a non-nil RETURN-ACTION.
Removed, inlined or renamed functions and variables:
`notmuch-address-locate-command`,
`notmuch-documentation-first-line`, `notmuch-folder`,
`notmuch-hello-trim`, `notmuch-hello-versions` => `notmuch-version`,
`notmuch-remove-if-not`, `notmuch-search-disjunctive-regexp`,
`notmuch-sexp-eof`, `notmuch-split-content-type`, and
`notmuch-tree-button-activate`.
Now it should be more obvious when a package needs it as a dependency,
as it will fail loudly if it isn't declared as a tool.
While here, some duplicate dependencies on itstool were removed from the
MATE packages.
upstream changes:
-----------------
Fixed in 3.5.10:
o Missing null pointer checks (introduced in Postfix 3.4) after an internal I/O error during the smtp(8) to tlsproxy(8) handshake. Found by Coverity, reported by Jaroslav Skarvada. Based on a fix by Viktor Dukhovni.
o Null pointer bug (introduced in Postfix 3.0) and memory leak (introduced in Postfix 3.4) after an inline: table syntax error in main.cf or master.cf. Found by Coverity, reported by Jaroslav Skarvada. Based on a fix by Viktor Dukhovni.
o Incomplete null pointer check (introduced: Postfix 2.10) after truncated HaProxy version 1 handshake message. Found by Coverity, reported by Jaroslav Skarvada. Fix by Viktor Dukhovni.
o Missing null pointer check (introduced: Postfix alpha) after null argv[0] value.
* Sync with mail/thunderbird-78.10.0.
Changelog:
Fixes:
Usability & theme improvements on Windows
Various security fixes
Security fixes:
#CVE-2021-23994: Out of bound write due to lazy initialization
#CVE-2021-23995: Use-after-free in Responsive Design Mode
#CVE-2021-23998: Secure Lock icon could have been spoofed
#CVE-2021-23961: More internal network hosts could have been probed by a
malicious webpage
#CVE-2021-23999: Blob URLs may have been granted additional privileges
#CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an
encoded URL
#CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to
null-reads
#CVE-2021-29948: Race condition when reading from disk while verifying
signatures