From 7d252eda5456e305fdb9215901481fa5f2b22c3d Mon Sep 17 00:00:00 2001 From: ellie timoney Date: Wed, 8 May 2024 10:19:57 +1000 Subject: [PATCH] docs: release notes for 3.10.0-rc1 --- .../release-notes/3.10/x/3.10.0-rc1.rst | 157 ++++++++++++++++++ 1 file changed, 157 insertions(+) create mode 100644 docsrc/imap/download/release-notes/3.10/x/3.10.0-rc1.rst diff --git a/docsrc/imap/download/release-notes/3.10/x/3.10.0-rc1.rst b/docsrc/imap/download/release-notes/3.10/x/3.10.0-rc1.rst new file mode 100644 index 0000000000..0c5e4b04f6 --- /dev/null +++ b/docsrc/imap/download/release-notes/3.10/x/3.10.0-rc1.rst @@ -0,0 +1,157 @@ +:tocdepth: 3 + +===================================== +Cyrus IMAP 3.10.0-rc1 Release Notes +===================================== + +Download from GitHub: + +* https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.10.0-rc1/cyrus-imapd-3.10.0-rc1.tar.gz +* https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.10.0-rc1/cyrus-imapd-3.10.0-rc1.tar.gz.sig + +.. _relnotes-3.10.0-rc1_changes: + +Major changes since the 3.8 series +================================== + +* URLs found in HTML ````, ```` and ```` tags, as well as "alt" + text in ```` tags, are now indexed for search and snippets +* :cyrusman:`cyr_expire(8)` now supports non-day durations in the + archive/delete/expire annotations +* :cyrusman:`cyr_expire(8)` no longer supports fractional durations in command + line arguments. Installations that passed fractional durations such as + "1.5d" to any of the ``-E``, ``-X``, ``-D``, or ``-A`` arguments must adapt + these to only use integer durations such as "1d12h" +* :cyrusman:`cyr_expire(8)` now supports the 'noexpire_until' annotation to + disable cyr_expire per user +* JMAP calendar default alarms are now stored in a non-DAV mailbox annotation. + See :ref:`upgrade_jmap_default_alarms` for upgrading instructions if you are + already using the experimental JMAP Calendars API +* Removes support for parsing and generating bytecode for the deprecated + denotify action and notify actions using the legacy (pre-:rfc:`5435`) syntax. + Existing bytecode containing these actions will still be executed. Scripts + that contain the deprecated denotify action should be rewritten to remove + them. Scripts that contain notify actions using the legacy syntax should be + rewritten to use the syntax in :rfc:`5435` +* Adds support for the "exp" and "nbf" JSON Web Token claims. Thanks Bruno + Thomas +* Adds support for IMAP Version 4rev2 (:rfc:`9051`) +* Adds support for IMAP NOTIFY (:rfc:`5465`). Only available if ``idled`` is + running +* Refresh interval for APNS subscriptions to DAV resources is now configurable. + See the ``aps_expiry`` :cyrusman:`imapd.conf(5)` option +* Upgrade IMAP Quota support to :rfc:`9208`. Sites running a Murder will be + unable to set ANNOTATION-STORAGE or MAILBOX quotas (formerly known as + X-ANNOTATION-STORAGE and X-NUM_FOLDERS) in a mixed-version environment until + frontends are upgraded. Upgraded frontends know how to negotiate with older + backends. +* Adds support for IMAP REPLACE (:rfc:`8508`) +* Adds support for IMAP UIDONLY extension (:draft:`draft-ietf-extra-imap-uidonly`) +* Adds experimental support for JMAP Contacts per upcoming IETF standards. + Requires the not-yet-released + `libicalvcard `_ +* :cyrusman:`squatter(8)` now supports the "wait=y" :cyrusman:`cyrus.conf(5)` + option when started in rolling mode from the ``DAEMON`` section +* :cyrusman:`master(8)` now touches a ready file to indicate it is "ready for + work". See :ref:`upgrade_master_pid_ready_files` +* :cyrusman:`master(8)` now gets its pidfile name from the ``master_pid_file`` + :cyrusman:`imapd.conf(5)` option. See :ref:`upgrade_master_pid_ready_files` +* Adds pcre2 support. Prefers pcre2 over pcre if both are available. See + :ref:`upgrade_pcre2_support` +* The ``proc`` :cyrusman:`cyr_info(8)` subcommand now also reports DAEMON and + EVENTS processes +* JMAP CalendarEventNotification objects are now automatically pruned. + The ``jmap_max_calendareventnotifs`` :cyrusman:`imapd.conf(5)` option can be + used to tune this behaviour +* Cyrus now requires libical >= 3.0.10 for HTTP support +* Sieve [current]date ``:zone`` parameter now accepts either a UTC offset or an + IANA time zone ID +* Adds an ``implicit_keep_target`` Sieve action to change the target mailbox + for an implicit keep +* :cyrusman:`squatter(8)` no longer holds a mailbox lock while extracting text + from attachments +* IMAP ``RENAME`` command no longer emits non-standard per-folder updates. Use + the new ``XRENAME`` command if you need this behaviour + +.. _relnotes_3.10.0-beta2_storage_changes: + +Storage changes +=============== + +* None in 3.10. But if your upgrade is skipping over 3.6 and 3.8, please do + not miss :ref:`3.6.0 Storage changes ` + and :ref:`3.8.0 Storage changes ` + +Updates to default configuration +================================ + +The :cyrusman:`cyr_info(8)` `conf`, `conf-all` and `conf-default` subcommands +accept an `-s ` argument to highlight :cyrusman:`imapd.conf(5)` +options that are new or whose behaviour has changed since the specified +version. We recommend using this when evaluating a new Cyrus version to +check which configuration options you will need to examine and maybe set or +change during the process. + +* The master pidfile name is now read from imapd.conf, and defaults + to ``{configdirectory}/master.pid``. If you have something that + looks for this file, you should either update it to look in the new + default location, or set ``master_pid_file`` in :cyrusman:`imapd.conf(5)` + to override the default. The ``-p`` option to :cyrusman:`master(8)` + can still be used to override it + +Security fixes +============== + +* Fixed CVE-2024-34055_: + Cyrus-IMAP through 3.8.2 and 3.10.0-beta2 allow authenticated attackers + to cause unbounded memory allocation by sending many LITERALs in a + single command. + + The IMAP protocol allows for command arguments to be LITERALs of + negotiated length, and for these the server allocates memory to + receive the content before instructing the client to proceed. The + allocated memory is released when the whole command has been received + and processed. + + The IMAP protocol has a number commands that specify an unlimited + number of arguments, for example SEARCH. Each of these arguments can + be a LITERAL, for which memory will be allocated and not released + until the entire command has been received and processed. This can run + a server out of memory, with varying consequences depending on the + server's OOM policy. + + Discovered by Damian Poddebniak. + + Two limits, with corresponding :cyrusman:`imapd.conf(5)` options, have + been added to address this: + + * ``maxargssize`` (default: unlimited): limits the overall length of a + single IMAP command. Deployments should configure this to a size that + suits their system resources and client usage patterns + * ``maxliteral`` (default: 128K): limits the length of individual IMAP + LITERALs + + Connections sending commands that would exceed these limits will see the + command fail, or the connection closed, depending on the specific context. + The error message will contain the ``[TOOBIG]`` response code. + + These limits may be set small without affecting message uploads, as the + APPEND command's message literal is limited by ``maxmessagesize``, not by + these new options. + +.. _CVE-2024-34055: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34055 + +Significant bugfixes +==================== + +* Fixed: squat db reindexes are no longer always incremental +* Fixed: squat db corruption from unintentional indexing of fields + intended to be skipped +* Fixed: squat db out of bounds access in incremental reindex docID map +* Fixed :issue:`4692`: squat db searches now handle unindexed messages + correctly again (thanks Gabriele Bulfon) +* Restored functionality of the sync_client ``-o``/``--connect-once`` option +* Fixed :issue:`4654`: copying/moving messages from split conversations is now + correct +* Fixed :issue:`4758`: fix renaming mailbox between users +* Fixed :issue:`4804`: mailbox_maxmessages limits now applied correctly