v1.0.13 2008-03-09 Timo Sirainen <tss@iki.fi>

* Fixed a security hole in blocking passdbs (MySQL always. PAM, passwd
  and shadow if blocking=yes) where user could specify extra fields
  in the password. The main problem here is when specifying
  "skip_password_check" introduced in v1.0.11 for fixing master user
  logins, allowing the user to log in as anyone without a valid

- mail_privileged_group was broken in some systems (OS X, Solaris?)
- IMAP THREAD: Fixed some correctness problems

v1.0.12 2008-03-05 Timo Sirainen <tss@iki.fi>

- Using mail_privileged_group with dotlock_use_excl=no worked, but it
  logged "access denied" errors.

v1.0.11 2008-03-04 Timo Sirainen <tss@iki.fi>

* mail_extra_groups setting was commonly used insecurely. This setting
  is now deprecated. Most users should switch to using
  mail_privileged_group setting, but if you really need the old
  functionality use mail_access_groups instead.

- mbox: Dropped some of the physical size fetch optimizations added
  in v1.0.8. This makes some commands slower, but should fix the rest
- IMAP: SEARCH BEFORE/ON/SINCE didn't handle timezones correctly.
- ldap: auth_bind was doing lookups using subtree scope instead of
  the scope specified in config file.
- zlib plugin crashfixes by Richard Platel
- master passdbs: pass=yes setting was broken with blocking passdbs

v1.0.10 2007-12-29 Timo Sirainen <tss@iki.fi>

* Security hole with LDAP+auth cache: If base setting contained