From $url:

http://dovecot.org/releases/1.2/dovecot-1.2.15.tar.gz
http://dovecot.org/releases/1.2/dovecot-1.2.15.tar.gz.sig

See the "ACL handling bugs" message for more details about the ACL merging bug.

* acl: Fixed the logic of merging multiple ACL entries. Now it works as documented, while previously it could have done slightly different things depending on the order of the entries. (Note: The above is CVE-2010-3707)
* acl: Don't give admin rights to all owner mailboxes. This was originally done to make sure that mailbox owner couldn't accidentally remove their own admin rights. But this is already prevented by SETACL command, so it's not necessary. Also sysadmin may have intentionally removed some admin rights from some mailboxes (especially when using symlinked shared mailboxes). (Note: The above is CVE-2010-3706)
- Maildir: Fixed potential "Duplicate file entry" in dovecot-uidlist file errors.
- Maildir: Avoid unnecessary uidlist recreation during mail delivery.
- imap: When SELECT fails, it didn't close the previous mailbox.
- Dovecot master process could have died if it got SIGCHLD signals very rapidly while it was trying to log. This could have happened for example if a lot of imap/pop3 sessions disconnected at the exact same time.

Adding proper CC's
There is no sieve release yet for dovecot-1.2.15, i.e. we cannot bump without major loss of function. I have contacted upstream and asked for a status update regarding sieve release.
Created attachment 249608
dovecot-1.2.15.ebuild

Sieve is released in the meantime. Attached please find dovecot-1.2.15.ebuild. Please add to the tree.

Changelog: Version bump - security bug #339776
added, +*dovecot-1.2.15 (05 Oct 2010) + + 05 Oct 2010; Jeremy Olexa <darkside@gentoo.org> +dovecot-1.2.15.ebuild: + Version bump - security bug #339776 This version won't really get tested in ~arch because 2.x is in ~arch already. Should be fine to add arches for stabilization though.
Arches, please test and mark stable:
=net-mail/dovecot-1.2.15
Target keywords : "alpha amd64 ppc sparc x86"
amd64 done
x86 stable
Stable on alpha.
sparc stable
I forgot to close bug 335383 and stable arm was added to a security vulnerable version. Adding arm@g.o here with apologies.
ppc done
arm stable, all arches done.
Thanks, folks. GLSA Vote: No.
Vote: YES; remote DoS possible.
GLSA Vote: no -> Closing. Feel free to reopen if you disagree.