| Summary | mail/dovecot: 2.3.21.1 now available, fixes 2 CVEs |
|---|---|
| Product | Ports & Packages |
| Reporter | doctor |
| Component | Individual Port(s) |
| Assignee | Larry Rosenman <ler> |
| Status | Closed FIXED |
| Severity | Affects Many People |
| CC | ler, vvd |
| Priority | --- |
| Flags | ler: maintainer-feedback+, ler: merge-quarterly+ |
| Version | Latest |
| Hardware | Any |
| OS | Any |
| URL | https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/ |
Description
doctor
2024-08-16 16:34:42 UTC

Please feel free to commit as I am afk in the hospital for a bit

(In reply to Larry Rosenman from comment #1)
Ok. I'll create patch and commit tonight.
I hope everything will be okay with you.
I see a lot of warnings from portclippy, but I won't fix them in this commit. I might make a patch later if you don't mind.

Feel free to update to fix the portclippy warnings

(In reply to Larry Rosenman from comment #4)
Ok.

Tested update:
- build in poudriere 14.1 amd64 and i386;
- build and work on live systems 13.3 and 14.1 amd64.

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4

commit 72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
Author: Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-08-16 18:31:04 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-08-16 18:31:04 +0000

mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)

- CVE-2024-23184: A large number of address headers in email resulted in excessive CPU usage.
- CVE-2024-23185: Abnormally large email headers are now truncated or discarded, with a limit of 10MB on a single header and 50MB for all the headers of all the parts of an email.
- oauth2: Dovecot would send client_id and client_secret as POST parameters to introspection server. These need to be optionally in Basic auth instead as required by OIDC specification.
- oauth2: JWT key type check was too strict.
- oauth2: JWT token audience was not validated against client_id as required by OIDC specification.
- oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out protocol specific error message on all errors. This broke OIDC discovery.
- oauth2: JWT aud validation was not performed if aud was missing from token, but was configured on Dovecot.

https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/

PR: 280866
Approved by: ler (maintainer)
MFH: 2024Q3

mail/dovecot/Makefile | 4 +---
mail/dovecot/distinfo | 6 +++---
2 files changed, 4 insertions(+), 6 deletions(-)

A commit in branch 2024Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=39a56197775a955eccce929c856f1c7952e226ab

commit 39a56197775a955eccce929c856f1c7952e226ab
Author: Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-08-16 18:31:04 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-08-16 18:37:50 +0000

mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)

- CVE-2024-23184: A large number of address headers in email resulted in excessive CPU usage.
- CVE-2024-23185: Abnormally large email headers are now truncated or discarded, with a limit of 10MB on a single header and 50MB for all the headers of all the parts of an email.
- oauth2: Dovecot would send client_id and client_secret as POST parameters to introspection server. These need to be optionally in Basic auth instead as required by OIDC specification.
- oauth2: JWT key type check was too strict.
- oauth2: JWT token audience was not validated against client_id as required by OIDC specification.
- oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out protocol specific error message on all errors. This broke OIDC discovery.
- oauth2: JWT aud validation was not performed if aud was missing from token, but was configured on Dovecot.

https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/

PR: 280866
Approved by: ler (maintainer)
MFH: 2024Q3
(cherry picked from commit 72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4)

mail/dovecot/Makefile | 4 +---
mail/dovecot/distinfo | 6 +++---
2 files changed, 4 insertions(+), 6 deletions(-)

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6dcc035f8311c4be6ecc61a1d139b78b603b3aab

commit 6dcc035f8311c4be6ecc61a1d139b78b603b3aab
Author: Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-08-16 23:03:13 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-08-16 23:03:13 +0000

mail/dovecot-*: bump after update mail/dovecot as described in Makefile

mail/dovecot updated in 72dd8d2ee676.

While here:
- remove GNU_CONFIGURE_MANPREFIX;
- replace PORTVERSION on DISTVERSION.

PR: 280866
Approved by: ler (maintainer)
MFH: 2024Q3

mail/dovecot-coi/Makefile | 4 ++--
mail/dovecot-fts-elastic/Makefile | 4 ++--
mail/dovecot-fts-flatcurve/Makefile | 1 +
mail/dovecot-fts-xapian/Makefile | 2 +-
mail/dovecot-pigeonhole/Makefile | 5 ++---
mail/dovecot-xaps/Makefile | 2 +-
6 files changed, 9 insertions(+), 9 deletions(-)

A commit in branch 2024Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5079405681b82008b9f49d939f6d79fbc04f022b

commit 5079405681b82008b9f49d939f6d79fbc04f022b
Author: Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-08-16 23:03:13 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-08-16 23:06:03 +0000

mail/dovecot-*: bump after update mail/dovecot as described in Makefile

mail/dovecot updated in 72dd8d2ee676.

While here:
- remove GNU_CONFIGURE_MANPREFIX;
- replace PORTVERSION on DISTVERSION.

PR: 280866
Approved by: ler (maintainer)
MFH: 2024Q3
(cherry picked from commit 6dcc035f8311c4be6ecc61a1d139b78b603b3aab)

mail/dovecot-coi/Makefile | 4 ++--
mail/dovecot-fts-elastic/Makefile | 4 ++--
mail/dovecot-fts-flatcurve/Makefile | 1 +
mail/dovecot-fts-xapian/Makefile | 2 +-
mail/dovecot-pigeonhole/Makefile | 5 ++---
mail/dovecot-xaps/Makefile | 2 +-
6 files changed, 9 insertions(+), 9 deletions(-)

Created attachment 252836
v1: pet portclippy

There are a lot of changes - it's better to have someone else look at them.

(In reply to Vladimir Druzenko from comment #10)
Larry, what do you think about this patch?

LGTM --- Tests in progress

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3df350526aed62de7bc91d3cb291a05b3a096d87

commit 3df350526aed62de7bc91d3cb291a05b3a096d87
Author: Larry Rosenman <ler@FreeBSD.org>
AuthorDate: 2024-08-22 16:38:37 +0000
Commit: Larry Rosenman <ler@FreeBSD.org>
CommitDate: 2024-08-22 16:40:12 +0000

mail/dovecot: pet portclippy

PR: 280866
Reported by: vvd

mail/dovecot/Makefile | 139 ++++++++++++++++++++++++--------------------------
1 file changed, 66 insertions(+), 73 deletions(-)

committed -- thanks
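As an added example, not code from the port, this PR or Dovecot itself: a Python check that measures a message's headers against the budgets quoted in the commit message for CVE-2024-23185 (10MB per header, 50MB across all headers of all parts) and counts the address headers behind CVE-2024-23184, useful for triaging a mail spool or a milter sample before an upgrade. The 10MB/50MB figures come from the page; the address-header ceiling, the header-name set and the sample message are assumptions, and the code mirrors the limits rather than reproducing Dovecot's own implementation.

```python
import email
from email import policy

# Limits quoted in the 2.3.21.1 commit message for CVE-2024-23185.
MAX_SINGLE_HEADER = 10 * 1024 * 1024   # 10MB on a single header
MAX_ALL_HEADERS = 50 * 1024 * 1024     # 50MB for all headers of all parts
# Assumed ceiling for the CVE-2024-23184 case; the page gives no number.
MAX_ADDRESS_HEADERS = 1000
ADDRESS_HEADERS = {"from", "to", "cc", "bcc", "reply-to", "sender", "resent-from",
                   "resent-to", "resent-cc", "resent-bcc", "resent-sender"}


def header_budget(raw, max_single=MAX_SINGLE_HEADER, max_all=MAX_ALL_HEADERS,
                  max_address=MAX_ADDRESS_HEADERS):
    """Walk every MIME part of a raw message and total up its header usage."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    largest = total = addr_count = 0
    for part in msg.walk():                   # top-level message plus every subpart
        for name, value in part.items():      # compat32 keeps folded values verbatim
            size = len(name) + 2 + len(value)  # approximate size of "Name: value"
            largest = max(largest, size)
            total += size
            if name.lower() in ADDRESS_HEADERS:
                addr_count += 1
    return {
        "largest_header": largest,
        "total_headers": total,
        "address_headers": addr_count,
        "over_limit": largest > max_single or total > max_all
                      or addr_count > max_address,
    }


# Constructed sample: a small multipart message carrying three address headers.
SAMPLE = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Cc: carol@example.test\r\n"
    b"Subject: budget check\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n--b1--\r\n"
)

if __name__ == "__main__":
    print(header_budget(SAMPLE))  # the sample stays well inside every budget
```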