NEWS: Add news for 2.3.21.1
cmouse committed Nov 29, 2024
1 parent 5d096d1 commit 28ca71c
Showing 1 changed file with 18 additions and 0 deletions.
18 changes: 18 additions & 0 deletions NEWS
@@ -1,3 +1,21 @@
v2.3.21.1 2024-08-14 Aki Tuomi< [email protected]>

- CVE-2024-23184: A large number of address headers in email resulted
in excessive CPU usage.
- CVE-2024-23185: Abnormally large email headers are now truncated or
discarded, with a limit of 10MB on a single header and 50MB for all
the headers of all the parts of an email.
- oauth2: Dovecot would send client_id and client_secret as POST parameters
to introspection server. These need to be optionally in Basic auth
instead as required by OIDC specification.
- oauth2: JWT key type check was too strict.
- oauth2: JWT token audience was not validated against client_id as
required by OIDC specification.
- oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
protocol specific error message on all errors. This broke OIDC discovery.
- oauth2: JWT aud validation was not performed if aud was missing
from token, but was configured on Dovecot.

v2.3.21 2023-09-15 Aki Tuomi <[email protected]>

* lib-oauth2: Allow JWT tokens to be validated with missing typ field.
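Review bot: the oauth2 introspection item ("Dovecot would send client_id and client_secret as POST parameters ... These need to be optionally in Basic auth instead") does not tell an upgrading admin how the Basic-auth option is selected or whether the default behaviour changes, which is exactly what a NEWS entry for a security-relevant fix needs to state; suggest rewording to something like "client_id and client_secret can now be sent in an HTTP Basic Authorization header instead of as POST parameters, as the OIDC specification requires" and naming the setting that controls it. Also, the new entry header "Aki Tuomi< [email protected]>" has the angle bracket spacing inverted compared with the v2.3.21 header below ("Aki Tuomi <...>"); make them consistent.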