Bug 240174

Summary: mail/dovecot: Update to 2.3.7.2 (Fixes CVE-2019-11500)
Product: Ports & Packages
Component: Individual Port(s)
Status: Closed FIXED
Severity: Affects Many People
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Reporter: Christian Schwarz <me>
Assignee: Larry Rosenman <ler>
CC: delphij, joneum, ports-secteam
Keywords: security
Flags: bugzilla: maintainer-feedback? (ler); ler: merge-quarterly+
URL: https://dovecot.org/pipermail/dovecot/2019-August/116873.html

Description Christian Schwarz 2019-08-28 16:02:33 UTC
See https://dovecot.org/pipermail/dovecot/2019-August/116873.html

Should merge to quarterly
Comment 1 Larry Rosenman freebsd_committer freebsd_triage 2019-08-28 16:03:53 UTC
Already committed the fix to head, and have an MFH request in.
Comment 2 Larry Rosenman freebsd_committer freebsd_triage 2019-08-28 16:59:10 UTC
Unfortunately, MFH'ing this fix brings in a GCC change that I'd like a reading on from the SO folks.
Comment 3 Larry Rosenman freebsd_committer freebsd_triage 2019-08-28 18:04:17 UTC
Can I get a ruling from ports-secteam?
Comment 4 Jochen Neumeister freebsd_committer freebsd_triage 2019-08-29 06:56:52 UTC
Approved for MFH, see:

Xin LI 2019-08-28 16:21:08 UTC
Flags: merge-quarterly+
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2019-08-29 09:49:40 UTC
Committed to head in ports r510075

VuXML entry added in ports r510074

@Larry Could you please include this PR: reference in the MFH to quarterly so that the commit is tracked in this bug.

After merge, set merge-quarterly to + and close as necessary
Comment 6 Larry Rosenman freebsd_committer freebsd_triage 2019-08-29 14:37:07 UTC
The problem I'm having is I don't necessarily want to bring in the GCC change:

Tools/scripts/mfh 2019Q3 506460 506487 506821 506824 507181 507215 510075
which is all dovecot{,-pigeonhole}, but it gives a conflict with 507372.

On 08/28/2019 11:30 am, Larry Rosenman wrote:

Ugh.  I don't really want to mfh:

------------------------------------------------------------------------
r507372 | gerald | 2019-07-26 15:46:53 -0500 (Fri, 26 Jul 2019) | 14 lines

Bump PORTREVISION for ports depending on the canonical version of GCC
as defined in Mk/bsd.default-versions.mk which has moved from GCC 8.3
to GCC 9.1 under most circumstances now after revision 507371.

This includes ports
- with USE_GCC=yes or USE_GCC=any,
- with USES=fortran,
- using Mk/bsd.octave.mk which in turn features USES=fortran, and
- with USES=compiler specifying openmp, nestedfct, c11, c++0x, c++11-lang,
c++11-lib, c++14-lang, c++17-lang, or gcc-c++11-lib
plus, everything INDEX-11 shows with a dependency on lang/gcc9 now.

PR: 238330



Is it ok to just fix the conflict?
Comment 7 Larry Rosenman freebsd_committer freebsd_triage 2019-08-29 14:47:59 UTC
I manually fixed the conflicts, and committed it.
Comment 8 Larry Rosenman freebsd_committer freebsd_triage 2019-08-29 14:56:23 UTC
merged in r510165.