changeset 7391:c73d6224a96b HEAD 1.1.rc3
Released v1.1.rc3.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Sun, 09 Mar 2008 12:51:51 +0200 |
parents | 04297ce26b78 |
children | 88f0c016f766 |
files | NEWS TODO configure.in |
diffstat | 3 files changed, 13 insertions(+), 1 deletions(-) |
--- a/NEWS Sun Mar 09 12:51:06 2008 +0200 +++ b/NEWS Sun Mar 09 12:51:51 2008 +0200 @@ -1,3 +1,14 @@ +v1.1.rc3 2008-03-09 Timo Sirainen <tss@iki.fi> + + * Fixed a security hole in blocking passdbs (MySQL always. PAM, passwd + and shadow if blocking=yes) where user could specify extra fields + in the password. The main problem here is when specifying + "skip_password_check" introduced in v1.0.11 for fixing master user + logins, allowing the user to log in as anyone without a valid + password. + + - mail_privileged_group was broken in some systems (OS X, Solaris?) + v1.1.rc2 2008-03-08 Timo Sirainen <tss@iki.fi> * mail_extra_groups setting was commonly used insecurely. This setting
--- a/TODO Sun Mar 09 12:51:06 2008 +0200 +++ b/TODO Sun Mar 09 12:51:51 2008 +0200 @@ -12,6 +12,7 @@ - nfs support (cache flushes, how can write fail with ESTALE?) - is locking done right? it reads header without file being locked? - split after ~8 bytes? + - expunges are delayed until more mails are added - test replacement chars (SEARCH / SORT / Squat) - cache: compress when we can drop temporary fields.
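Review bot: In the NEWS hunk, the security item under v1.1.rc3 does not tell an administrator which releases are affected. It names v1.0.11 as the release that introduced "skip_password_check", but does not say whether the 1.0.x branch carries the same hole or where its fix is. Suggest adding the affected version range and the action to take (upgrade, or which passdbs to review) so the entry can be acted on without reading the code. The parenthetical "(MySQL always. PAM, passwd and shadow if blocking=yes)" also reads as two sentences; a semicolon after "always" would make it parse. In the second item, "(OS X, Solaris?)" leaves a guess in release notes; either confirm Solaris or drop it.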
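Review bot: In the TODO hunk, the added line "expunges are delayed until more mails are added" describes observed behaviour rather than a task, and nothing in it says which component or storage backend it applies to. Suggest wording it as the work to be done and naming the affected code path. It is also unrelated to the commit message "Released v1.1.rc3."; if the delay is present in this release candidate, a known-issue line in NEWS would tell testers more than a TODO entry does, and the TODO change could go in its own commit.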