Bug 252415

Summary: mail/dovecot: Update to 2.3.13 (security)
Product: Ports & Packages
Reporter: Evilham <contact>
Component: Individual Port(s)
Assignee: Kurt Jaeger <pi>
Status: Closed FIXED
Severity: Affects Only Me
CC: contact, fluffy, i.dani, pi, ports-secteam
Priority: ---
Keywords: patch, security
Version: Latest
Flags: pi: maintainer-feedback+, pi: maintainer-feedback+, fluffy: merge-quarterly+
Hardware: Any
OS: Any
URL: https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252435
Attachments (description, flags):
vuxml: add entry for dovecot 2.3.13 (flags: none)
dovecot: update to 2.3.13 (flags: none)
dovecot: update to 2.3.13 remove VPOPMAIL OPTION (flags: none)

Description Evilham 2021-01-04 17:26:19 UTC
This version publishes some security patches for the 2.3 line.

Testing build on poudriere before adding a patch here.
Comment 1 Evilham 2021-01-04 17:30:10 UTC
Created attachment 221272
vuxml: add entry for dovecot 2.3.13
Comment 2 Evilham 2021-01-04 17:55:06 UTC
Created attachment 221273
dovecot: update to 2.3.13

I tested this port by building it with poudriere.

Only build test: DOCS LIBWRAP VPOPMAIL LDAP
Build + runtime test: DOCS LIBWRAP LDAP.

It looks like some headers related to VPOPMAIL have disappeared, but I wouldn't know how to test whether that affects the port negatively when using that OPTION. I did test that it still builds, and compared the current pkg-plist with the output of make makeplist.
Comment 3 Dima Panov freebsd_committer 2021-01-05 11:28:37 UTC
VPOPMAIL support was dropped upstream so feel free to remove the option.

LGTM, Dima on behalf of the ports-secteam@
Comment 4 Evilham 2021-01-05 13:20:18 UTC
Created #252435 to track removal of the VPOPMAIL OPTION.
Comment 5 Dima Panov freebsd_committer 2021-01-05 15:28:07 UTC
(In reply to Evilham from comment #4)
Why? It is part of the update and should be applied in one diff.
Comment 6 Evilham 2021-01-05 16:10:04 UTC
Created attachment 221292
dovecot: update to 2.3.13 remove VPOPMAIL OPTION

Because I was in a rush and had missed the removal in the 2.3.13 release notes; thank you for pointing that out.

Taking a fresh look at this again, I noticed the note about bumping revision for mail/dovecot-fts-xapian and mail/dovecot-pigeonhole (it links to PR 146029).

Since there was also a dovecot-pigeonhole release, I added that to the PR.
Release notes: https://dovecot.org/pipermail/dovecot-news/2021-January/000449.html
Comment 7 commit-hook freebsd_committer 2021-01-06 14:11:48 UTC
A commit references this bug:

Author: pi
Date: Wed Jan  6 14:11:36 UTC 2021
New revision: 560521
URL: https://svnweb.freebsd.org/changeset/ports/560521

Log:
  security/vuxml: add dovecot CVE-2020-24386

  PR:		252415
  Submitted by:	Evilham <contact@evilham.com>
  Relnotes:	https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html

Changes:
  head/security/vuxml/vuln.xml
Comment 8 Kurt Jaeger freebsd_committer 2021-01-06 14:20:44 UTC
maintainer approval received by mail
Comment 9 commit-hook freebsd_committer 2021-01-06 14:59:00 UTC
A commit references this bug:

Author: pi
Date: Wed Jan  6 14:58:37 UTC 2021
New revision: 560527
URL: https://svnweb.freebsd.org/changeset/ports/560527

Log:
  mail/dovecot: update 2.3.11.3 -> 2.3.13, fix CVE in non-default config
  mail/dovecot-pigeonhole: update 0.5.11 -> 0.5.13

  - please note: option VPOPMAIL was removed from upstream

  PR:		252415
  Submitted by:	Evilham <contact@evilham.com>
  Reviewed by:	fluffy
  Approved by:	ler (maintainer)
  MFH:		2021Q1
  Relnotes:	https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
  		https://dovecot.org/pipermail/dovecot-news/2021-January/000449.html
  Security:	CVE-2020-24386, CVE-2020-25275

Changes:
  head/UPDATING
  head/mail/dovecot/Makefile
  head/mail/dovecot/distinfo
  head/mail/dovecot/pkg-plist
  head/mail/dovecot-fts-xapian/Makefile
  head/mail/dovecot-pigeonhole/Makefile
  head/mail/dovecot-pigeonhole/distinfo
Comment 10 commit-hook freebsd_committer 2021-01-06 15:03:02 UTC
A commit references this bug:

Author: pi
Date: Wed Jan  6 15:02:17 UTC 2021
New revision: 560528
URL: https://svnweb.freebsd.org/changeset/ports/560528

Log:
  MFH: r560527

  mail/dovecot: update 2.3.11.3 -> 2.3.13, fix CVE in non-default config
  mail/dovecot-pigeonhole: update 0.5.11 -> 0.5.13

  - please note: option VPOPMAIL was removed from upstream

  PR:		252415
  Submitted by:	Evilham <contact@evilham.com>
  Reviewed by:	fluffy
  Approved by:	ler (maintainer)
  Relnotes:	https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
  		https://dovecot.org/pipermail/dovecot-news/2021-January/000449.html
  Security:	CVE-2020-24386, CVE-2020-25275
  Approved by:	ports-secteam (fluffy)

Changes:
_U  branches/2021Q1/
  branches/2021Q1/UPDATING
  branches/2021Q1/mail/dovecot/Makefile
  branches/2021Q1/mail/dovecot/distinfo
  branches/2021Q1/mail/dovecot/pkg-plist
  branches/2021Q1/mail/dovecot-fts-xapian/Makefile
  branches/2021Q1/mail/dovecot-pigeonhole/Makefile
  branches/2021Q1/mail/dovecot-pigeonhole/distinfo
Comment 11 Kurt Jaeger freebsd_committer 2021-01-06 15:10:25 UTC
Committed, thanks!