Showing 1 changed file with 18 additions and 0 deletions.
@@ -1,3 +1,21 @@ | ||
v2.3.21.1 2024-08-14 Aki Tuomi< [email protected]> | ||
|
||
- CVE-2024-23184: A large number of address headers in email resulted | ||
in excessive CPU usage. | ||
- CVE-2024-23185: Abnormally large email headers are now truncated or | ||
discarded, with a limit of 10MB on a single header and 50MB for all | ||
the headers of all the parts of an email. | ||
- oauth2: Dovecot would send client_id and client_secret as POST parameters | ||
to introspection server. These need to be optionally in Basic auth | ||
instead as required by OIDC specification. | ||
- oauth2: JWT key type check was too strict. | ||
- oauth2: JWT token audience was not validated against client_id as | ||
required by OIDC specification. | ||
- oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out | ||
protocol specific error message on all errors. This broke OIDC discovery. | ||
- oauth2: JWT aud validation was not performed if aud was missing | ||
from token, but was configured on Dovecot. | ||
|
||
v2.3.21 2023-09-15 Aki Tuomi <[email protected]> | ||
|
||
* lib-oauth2: Allow JWT tokens to be validated with missing typ field. | ||
|
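Review bot: the author line of the new v2.3.21.1 header puts the space on the wrong side of the angle bracket, `Aki Tuomi< [email protected]>`, while the unchanged v2.3.21 header below the added block writes `Aki Tuomi <[email protected]>`; match the existing form. The new section also switches from the `*` bullet used by the v2.3.21 entries to `-`, so the two sections read as different formats. On content, the CVE-2024-23184 entry states the symptom (excessive CPU usage from a large number of address headers) but, unlike the CVE-2024-23185 entry with its 10MB and 50MB limits, not what the fix does, and the first oauth2 entry says client_id and client_secret "need to be optionally in Basic auth" without naming the setting that selects Basic auth over POST parameters; stating the mitigation and the option name would make the NEWS entry actionable for administrators upgrading to 2.3.21.1.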