Comments on: JWRD Dovecot initial release, aka version 2.4.0

By: Regrinding Busybox archive extraction, fixing directory timestamps, symlink attacks, a buffer overflow and more « Fixpoint

Sat, 04 May 2024 03:34:31 +0000

[...] the sake of showing and explaining the work, I've again formatted my git commits as patch files.(ii) They are given as I made them, with mistakes and later [...]

By: Jacob Welsh

Jacob Welsh — Thu, 28 Sep 2023 15:49:11 +0000

A second patch fixes parallel 'make' when invoked from the top-level project directory.

By: Jacob Welsh

Jacob Welsh — Sat, 09 Sep 2023 21:54:03 +0000

For a first of those necessary refinements, here's a patch I'm currently running which improves user experience by removing spurious slowdowns on first and/or failed login, and by the same stroke removes what might assist an unauthenticated attacker to tie up server resources at minimal cost to himself.

auth, anvil: remove ill-conceived and ill-functioning feature for penalizing failed logins with delayed responses. It's an open invitation to denial-of-service attack, especially when used behind a webmail or similar gateway, and the workarounds suggested for supporting that use case are variously broken and ridiculous. Some related pieces are not fully removed, search on "penalty" for details, but everything builds.

As reported in the #jwrd logs. I plan to include this or something like it in a 2.4.1 release.

By: That frog prince story as seen from the home castle « Fixpoint

That frog prince story as seen from the home castle « Fixpoint — Fri, 21 Jul 2023 21:31:55 +0000

[...] things? Or I dunno, maybe it's not even a secret strictly speaking, but could just as well be since nobody reads code anyway and there's no way to verify it's built from the advertised sources. Which nobody can do anymore [...]