use OpenSSL's implementation of HMAC
Remove autocreate, expire, snarf and mail-filter plugins.
Remove cydir storage driver.
Remove XZ/LZMA write support. Read support will be removed in future release.
CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
allow logged in user to access other people's emails and filesystem
information.
Metric filter and global event filter variable syntax changed to a
SQL-like format.
auth: Added new aliases for %{variables}. Usage of the old ones is
possible, but discouraged.
auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth
mechanism and related password schemes.
auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
auth: Removed postfix postmap socket
CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
allow logged in user to access other people's emails and filesystem
information.
Metric filter and global event filter variable syntax changed to a
SQL-like format.
auth: Added new aliases for %{variables}. Usage of the old ones is
possible, but discouraged.
auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth
mechanism and related password schemes.
auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
auth: Removed postfix postmap socket
have resulted in excessive CPU usage or a crash due to running out of
stack memory.
CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
message buffer size, which leads to reading past allocation which can
lead to crash.
CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
address that has the empty quoted string as local-part causes the lmtp
service to crash.
CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
zero-length message, which leads to assert-crash later on.
fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS
submission-login and lmtp processes.
fixes CVE-2020-7957: Specially crafted mail can crash snippet generation.
fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
when scanning data in quoted strings, leading to out of bounds heap
memory writes
doveconf hides more secrets now in the default output
NUL bytes in mail headers can cause truncated replies when fetched.
virtual plugin: Some searches used 100% CPU for many seconds
dsync assert-crashed with acl plugin in some situations.
imapc: Fixed various assert-crashes when reconnecting to server.