DavMail 6.6.0 Fixes Regex Vulnerability, Enhances Microsoft Graph Integration
Organizations Using DavMail to Bridge Standard Mail Clients to Microsoft Exchange or Office 365 Receive Update
DavMail, a popular tool for bridging standard mail clients to Microsoft Exchange or Office 365, has been updated to address a critical security vulnerability and advance its Microsoft Graph backend.
- Version 6.6.0 includes several significant changes aimed at improving stability, performance, and security.
- The update patches a regex flaw identified through code scanning, replacing a regular expression in the replaceIcal4Principal method with simple substring calls and thereby removing the backtracking risk that regex-based parsing carries.
- This change resolves a security alert raised by GitHub's code-scanning system, which flagged the expression as susceptible to ReDoS (Regular Expression Denial of Service) when applied to attacker-controlled input.
- The update also adjusts OAuth redirect handling to conform to a recent Microsoft change, defaulting to a custom redirect URI (https://localhost/common/oauth2/nativeclient) to restore the authentication flow affected by Microsoft’s OIDC redirect endpoint modification.
- This change ensures seamless integration with the modified Microsoft authentication process.
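The substitution described above (a backtracking-prone regular expression replaced by plain substring operations) is the standard mitigation for ReDoS, and the following added example shows why it works. This is illustrative code written for this article, not DavMail's code: the principal form "/principals/__uuids__/<user>__AT__<domain>/", the regex, and both rewrite functions are assumptions chosen for the demonstration, and the pattern shown is not the one that was in replaceIcal4Principal.

```python
import re
import time

# Hypothetical principal form used only for this example (NOT DavMail's actual format):
#   ".../principals/__uuids__/<user>__AT__<domain>/"  ->  "mailto:<user>@<domain>"
MARKER = "/principals/__uuids__/"
AT_TOKEN = "__AT__"

# Illustrative regex with a nested quantifier: (?:[a-z0-9]+\.?)+ can partition a run of
# n label characters in 2^(n-1) ways, and every partition is retried when the mandatory
# "__AT__" never appears, so a crafted URL costs exponential time to reject.
UNSAFE_PATTERN = re.compile(
    r"/principals/__uuids__/((?:[a-z0-9]+\.?)+)__AT__((?:[a-z0-9]+\.?)+)/"
)


def rewrite_with_regex(value: str) -> str:
    """Regex-based rewrite: correct on well-formed input, but backtracking-prone."""
    return UNSAFE_PATTERN.sub(r"mailto:\1@\2", value)


def rewrite_with_substrings(value: str) -> str:
    """Same rewrite using only find() and slicing.

    Every step advances `pos`, and each find() scans forward once, so the cost is
    linear in the input length regardless of how the input is shaped.
    """
    out = []
    pos = 0
    while True:
        start = value.find(MARKER, pos)
        if start == -1:
            out.append(value[pos:])
            return "".join(out)
        body = start + len(MARKER)
        end = value.find("/", body)        # closing slash of the principal segment
        at = value.find(AT_TOKEN, body)    # separator between user and domain
        if end == -1 or at == -1 or at > end:
            # Malformed principal: emit the marker unchanged and keep scanning after it.
            out.append(value[pos:body])
            pos = body
            continue
        user = value[body:at]
        domain = value[at + len(AT_TOKEN):end]
        if not user or not domain:
            out.append(value[pos:body])
            pos = body
            continue
        out.append(value[pos:start])
        out.append(f"mailto:{user}@{domain}")
        pos = end + 1                      # skip the closing slash, as the regex did


def _timed(fn, value: str) -> float:
    t0 = time.perf_counter()
    fn(value)
    return time.perf_counter() - t0


if __name__ == "__main__":
    benign = "ATTENDEE:/principals/__uuids__/alice__AT__example.com/"
    print(rewrite_with_regex(benign))
    print(rewrite_with_substrings(benign))
    # Constructed hostile input: a long run of label characters with no "__AT__".
    # Each extra character roughly doubles the regex time; 20 keeps the demo short.
    hostile = MARKER + "a" * 20 + "/"
    print(f"regex:     {_timed(rewrite_with_regex, hostile):.3f}s")
    print(f"substring: {_timed(rewrite_with_substrings, hostile):.6f}s")
```

Both functions agree on well-formed input; the difference is that the substring version's worst case is set by the input length alone, which is the property a code-scanning ReDoS rule is asking for. The substring version is also slightly more permissive about which characters a user or domain may contain, so when making such a swap in real code, compare the two on the inputs the old pattern was meant to reject.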
Protocol-Specific Fixes
- Two IMAP RFC 3501 compliance issues have been resolved:
  - One related to complex search queries using a NOT condition.
  - Another ensuring envelope header values are consistently encoded for compatibility with specific mail clients.
- DavMail now allows sending multiple messages with the same message ID when addressed to different recipient lists.
- The smtpAllowDuplicateSend flag logic has been refined.
Additional Changes
- CardDAV improvements:
  - Support for the VCARD4 birthday format (yyyyMMdd).
  - Switching contact photo encoding to RFC 2397 data URL format.
- The CalDAV getCalendarEmail method now correctly resolves shared calendar addresses from the calendar mailbox instead of the connected user’s mailbox.
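The two CardDAV items above describe output formats rather than code, so the following added example shows what they look like on the wire: a vCard 4 BDAY in yyyyMMdd form and a PHOTO property carrying an RFC 2397 data URL, folded to the 75-octet line limit of RFC 6350. This is example code written for this article, not DavMail's implementation; the function names, the media-type sniffing and the constructed sample bytes are all assumptions made here.

```python
import base64

# RFC 2397 data URL carrying an inline photo, as used for the vCard PHOTO property:
#   data:<media type>;base64,<payload>


def detect_media_type(image: bytes) -> str:
    """Pick the media type from the image's magic bytes rather than trusting a
    client-supplied label; unknown data is rejected instead of guessed."""
    if image.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if image.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    raise ValueError("unsupported or malformed image data")


def photo_data_url(image: bytes) -> str:
    payload = base64.b64encode(image).decode("ascii")
    return f"data:{detect_media_type(image)};base64,{payload}"


def decode_photo_data_url(url: str) -> tuple[str, bytes]:
    """Inverse of photo_data_url; validate=True makes b64decode reject stray characters."""
    if not url.startswith("data:"):
        raise ValueError("not a data URL")
    header, sep, payload = url[len("data:"):].partition(",")
    if not sep or not header.endswith(";base64"):
        raise ValueError("only base64 data URLs are handled here")
    media_type = header[: -len(";base64")]
    return media_type, base64.b64decode(payload, validate=True)


def fold_line(line: str, limit: int = 75) -> str:
    """RFC 6350 line folding: at most 75 octets per physical line, continuation
    lines start with a single space. Assumes ASCII content (true for base64)."""
    if len(line) <= limit:
        return line
    parts = [line[:limit]]
    rest = line[limit:]
    while rest:
        parts.append(" " + rest[: limit - 1])
        rest = rest[limit - 1:]
    return "\r\n".join(parts)


def unfold(text: str) -> str:
    """Undo fold_line: a CRLF followed by one space is removed."""
    return text.replace("\r\n ", "")


def vcard4_bday(year: int, month: int, day: int) -> str:
    """VCARD4 BDAY in the basic ISO 8601 form yyyyMMdd (no separators)."""
    return f"BDAY:{year:04d}{month:02d}{day:02d}"


def vcard4_photo_line(image: bytes) -> str:
    """Complete, folded PHOTO content line for a vCard 4 export."""
    return fold_line("PHOTO:" + photo_data_url(image))


if __name__ == "__main__":
    # Constructed sample: JPEG SOI marker followed by filler bytes, not a real image.
    sample = b"\xff\xd8\xff\xe0" + bytes(range(96))
    print(vcard4_bday(1985, 4, 12))
    print(vcard4_photo_line(sample))
```

Deriving the media type from the bytes rather than from whatever label the server or client sent means a mislabelled or non-image payload fails closed instead of being exported as a photo, and the decode path uses strict base64 validation so a malformed data URL is reported rather than silently truncated.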
According to the DavMail team, “This release represents a significant step forward in the development of DavMail, providing enhanced security, improved stability, and increased performance.”
Linux Compliance
- The update complies with the XDG Base Directory Specification, affecting the default configuration file location.
Debian Package Updates
- The update enables JDK 21.
- Moves the SWT dependency from Suggests to Depends in the package control file.
- Upgrades SWT to version 4.37 for Windows packages.
- Introduces a new davmail swt command to retrieve the latest SWT jar in the platform-independent package.
Tray Icon Behavior
- The davmail.enableTray setting now controls tray icon behavior, with the tray disabled by default on Linux.
- Users can override this setting using the -notray and -tray command-line flags.
