---
layout: post
title: "Apache James Server 3.6.1"
date: 2021-12-02 01:16:30 +0200
categories: james update
---
The Apache James developers are pleased to announce the release of James server 3.6.1.
Early adopters can [download it][download]; any issue can be reported on our issue [tracker][tracker].
## Announcements
This release fixes the following vulnerabilities, which affect all versions prior to 3.6.1:
- *CVE-2021-38542*: Apache James vulnerable to STARTTLS command injection (IMAP and POP3)
- *CVE-2021-40110*: Apache James IMAP vulnerable to a ReDoS
- *CVE-2021-40111*: Apache James IMAP parsing Denial Of Service
- *CVE-2021-40525*: Apache James: Sieve file storage vulnerable to path traversal attacks
We recommend that users upgrade to this version.
## Release changelog
Here are some points we worked on:
### Fixed
- JAMES-3676 Avoid S3 connection leaks
- JAMES-3477 Mail::duplicate did lead to file leak in various places
- JAMES-3646 Sanitize some File based components
- Prevent directory traversal on top of maildir mailbox (#659)
- FileMailRepository should reject URLs outside of the James root
- SieveFileRepository should validate underlying files belong to its root
- JAMES-1862 Generalize STARTTLS sanitizing fix
- JAMES-1862 Prevent Session fixation via STARTTLS
- JAMES-3634 + JAMES-3635 Apply fuzzing to Apache James
- Upgrade PrefixedRegex to RE2J
- Fuzzed input throws String out of bound exception for FETCH
- Prevent String OutOfBoundException for IMAP APPEND
- Prevent infinite loop for IMAP STATUS command parser
- Prevent infinite loop for IMAP APPEND command parser
- JAMES-3571 MimeMessageWrapper getSize was incorrect for empty messages
- JAMES-3525 verifyIdentity should not fail on null sender
- JAMES-3556 Fix JMAP eventUrl s/closeAfter/closeafter/
- JAMES-3432 JMAP Uploads could alter the underlying byte source
- JAMES-3537 Email/set create should allow attaching mails
- JAMES-3558 JMAP Email/changes: When created + updated return both
- JAMES-3558 JMAP Email/changes: moves should be considered as updates
- JAMES-3557 Changes collectors should be ordered
- JAMES-3277 Distinct uids before calling toRanges
- JAMES-3434 Refactoring: EmailSubmissionSetMethod should not rely on nested classes
- JAMES-3557 JMAP */changes: Increase default maxChanges 5 -> 256
- JAMES-3557 */changes: Fail explicitly when there are too many entries in a single change
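As an added illustration (not code from the Apache James project), the following Java class shows the kind of root-containment check that the FileMailRepository and SieveFileRepository entries above describe: a caller-supplied name is resolved against the repository root and rejected if the result escapes it via `..`, an absolute path, or a symlink. The class name and the temporary sandbox directory are assumptions made for this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not James code: a file-backed repository must only ever
// touch files that live under its configured root directory.
public final class RootContainment {

    private final Path root;

    public RootContainment(Path root) throws IOException {
        // Canonicalize the root once (follows symlinks, drops "." and "..").
        this.root = root.toRealPath();
    }

    /** Returns the canonical path of {@code name} inside the root, or throws. */
    public Path resolveInsideRoot(String name) throws IOException {
        // resolve() replaces the root entirely when name is absolute, so the
        // lexical check below also rejects "/etc/passwd"-style inputs.
        Path candidate = root.resolve(name).normalize();
        // startsWith compares whole path elements, so "/srv/rootx" does not
        // pass as a child of "/srv/root".
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path escapes repository root: " + name);
        }
        // A symlink placed inside the root can still point outside it, so
        // re-check against the real location when the file already exists.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(root)) {
                throw new SecurityException("symlink escapes repository root: " + name);
            }
            return real;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("sieve-root"); // constructed sandbox root
        RootContainment rc = new RootContainment(dir);
        System.out.println("accepted: " + rc.resolveInsideRoot("user@example.com/script.sieve"));
        for (String bad : new String[] {"../etc/passwd", "/etc/passwd", "a/../../b"}) {
            try {
                rc.resolveInsideRoot(bad);
                System.out.println("ACCEPTED (unexpected): " + bad);
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```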
### Improvements
- JAMES-3261 ZIP packaging for Guice Apps
[tracker]: https://issues.apache.org/jira/browse/JAMES
[download]: http://james.apache.org/download.cgi#Apache_James_Serverc