Bug 280866

Summary: mail/dovecot: 2.3.21.1 now available, fixes 2 CVEs
Product: Ports & Packages Reporter: doctor
Component: Individual Port(s)Assignee: Larry Rosenman <ler>
Status: Closed FIXED    
Severity: Affects Many People CC: ler, vvd
Priority: --- Flags: ler: maintainer-feedback+
ler: merge-quarterly+
Version: Latest   
Hardware: Any   
OS: Any   
URL: https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/
Attachments:
Description Flags
v1: pet portclippy vvd: maintainer-approval?

Description doctor 2024-08-16 16:34:42 UTC
Please commit.  This fixes 2 CVEs
Comment 1 Larry Rosenman freebsd_committer freebsd_triage 2024-08-16 16:59:50 UTC
Please feel free to commit as I am afk in the hospital for a bit
Comment 2 Vladimir Druzenko freebsd_committer freebsd_triage 2024-08-16 17:02:43 UTC
(In reply to Larry Rosenman from comment #1)
Ok.
I'll create patch and commit tonight.

I hope everything will be okay with you.
Comment 3 Vladimir Druzenko freebsd_committer freebsd_triage 2024-08-16 17:46:56 UTC
I see a lot of warnings from portclippy, but I won't fix them in this commit. I might make a patch later if you don't mind.
Comment 4 Larry Rosenman freebsd_committer freebsd_triage 2024-08-16 17:48:28 UTC
Feel free to update to fix the portclippy warnings
Comment 5 Vladimir Druzenko freebsd_committer freebsd_triage 2024-08-16 18:35:43 UTC
(In reply to Larry Rosenman from comment #4)
Ok.

Tested update:
- build in poudriere 14.1 amd64 and i386;
- build and work on live systems 13.3 and 14.1 amd64.
Comment 6 commit-hook freebsd_committer freebsd_triage 2024-08-16 18:36:58 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4

commit 72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-08-16 18:31:04 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-08-16 18:31:04 +0000

    mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)

    - CVE-2024-23184: A large number of address headers in email resulted
      in excessive CPU usage.
    - CVE-2024-23185: Abnormally large email headers are now truncated or
      discarded, with a limit of 10MB on a single header and 50MB for all
      the headers of all the parts of an email.
    - oauth2: Dovecot would send client_id and client_secret as POST parameters
      to introspection server. These need to be optionally in Basic auth
      instead as required by OIDC specification.
    - oauth2: JWT key type check was too strict.
    - oauth2: JWT token audience was not validated against client_id as
      required by OIDC specification.
    - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
      protocol specific error message on all errors. This broke OIDC discovery.
    - oauth2: JWT aud validation was not performed if aud was missing
      from token, but was configured on Dovecot.
    https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/

    PR:             280866
    Approved by:    ler (maintainer)
    MFH:            2024Q3

 mail/dovecot/Makefile | 4 +---
 mail/dovecot/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 6 deletions(-)
Comment 7 commit-hook freebsd_committer freebsd_triage 2024-08-16 18:38:59 UTC
A commit in branch 2024Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=39a56197775a955eccce929c856f1c7952e226ab

commit 39a56197775a955eccce929c856f1c7952e226ab
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-08-16 18:31:04 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-08-16 18:37:50 +0000

    mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)

    - CVE-2024-23184: A large number of address headers in email resulted
      in excessive CPU usage.
    - CVE-2024-23185: Abnormally large email headers are now truncated or
      discarded, with a limit of 10MB on a single header and 50MB for all
      the headers of all the parts of an email.
    - oauth2: Dovecot would send client_id and client_secret as POST parameters
      to introspection server. These need to be optionally in Basic auth
      instead as required by OIDC specification.
    - oauth2: JWT key type check was too strict.
    - oauth2: JWT token audience was not validated against client_id as
      required by OIDC specification.
    - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
      protocol specific error message on all errors. This broke OIDC discovery.
    - oauth2: JWT aud validation was not performed if aud was missing
      from token, but was configured on Dovecot.
    https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/

    PR:             280866
    Approved by:    ler (maintainer)
    MFH:            2024Q3

    (cherry picked from commit 72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4)

 mail/dovecot/Makefile | 4 +---
 mail/dovecot/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 6 deletions(-)
Comment 8 commit-hook freebsd_committer freebsd_triage 2024-08-16 23:04:34 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6dcc035f8311c4be6ecc61a1d139b78b603b3aab

commit 6dcc035f8311c4be6ecc61a1d139b78b603b3aab
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-08-16 23:03:13 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-08-16 23:03:13 +0000

    mail/dovecot-*: bump after update mail/dovecot as described in Makefile

    mail/dovecot updated in 72dd8d2ee676.

    While here:
     - remove GNU_CONFIGURE_MANPREFIX;
     - replace PORTVERSION on DISTVERSION.

    PR:             280866
    Approved by:    ler (maintainer)
    MFH:            2024Q3

 mail/dovecot-coi/Makefile           | 4 ++--
 mail/dovecot-fts-elastic/Makefile   | 4 ++--
 mail/dovecot-fts-flatcurve/Makefile | 1 +
 mail/dovecot-fts-xapian/Makefile    | 2 +-
 mail/dovecot-pigeonhole/Makefile    | 5 ++---
 mail/dovecot-xaps/Makefile          | 2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)
Comment 9 commit-hook freebsd_committer freebsd_triage 2024-08-16 23:06:35 UTC
A commit in branch 2024Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5079405681b82008b9f49d939f6d79fbc04f022b

commit 5079405681b82008b9f49d939f6d79fbc04f022b
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-08-16 23:03:13 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-08-16 23:06:03 +0000

    mail/dovecot-*: bump after update mail/dovecot as described in Makefile

    mail/dovecot updated in 72dd8d2ee676.

    While here:
     - remove GNU_CONFIGURE_MANPREFIX;
     - replace PORTVERSION on DISTVERSION.

    PR:             280866
    Approved by:    ler (maintainer)
    MFH:            2024Q3

    (cherry picked from commit 6dcc035f8311c4be6ecc61a1d139b78b603b3aab)

 mail/dovecot-coi/Makefile           | 4 ++--
 mail/dovecot-fts-elastic/Makefile   | 4 ++--
 mail/dovecot-fts-flatcurve/Makefile | 1 +
 mail/dovecot-fts-xapian/Makefile    | 2 +-
 mail/dovecot-pigeonhole/Makefile    | 5 ++---
 mail/dovecot-xaps/Makefile          | 2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)
Comment 10 Vladimir Druzenko freebsd_committer freebsd_triage 2024-08-17 00:11:00 UTC
Created attachment 252836 [details]
v1: pet portclippy

There are a lot of changes - it's better to have someone else look at them.
Comment 11 Vladimir Druzenko freebsd_committer freebsd_triage 2024-08-22 16:13:55 UTC
(In reply to Vladimir Druzenko from comment #10)
Larry, what do you think about this patch?
Comment 12 Larry Rosenman freebsd_committer freebsd_triage 2024-08-22 16:27:51 UTC
LGTM --- Tests in progress
Comment 13 commit-hook freebsd_committer freebsd_triage 2024-08-22 16:40:18 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3df350526aed62de7bc91d3cb291a05b3a096d87

commit 3df350526aed62de7bc91d3cb291a05b3a096d87
Author:     Larry Rosenman <ler@FreeBSD.org>
AuthorDate: 2024-08-22 16:38:37 +0000
Commit:     Larry Rosenman <ler@FreeBSD.org>
CommitDate: 2024-08-22 16:40:12 +0000

    mail/dovecot: pet portclippy

    PR:     280866
    Reported by:    vvd

 mail/dovecot/Makefile | 139 ++++++++++++++++++++++++--------------------------
 1 file changed, 66 insertions(+), 73 deletions(-)
Comment 14 Larry Rosenman freebsd_committer freebsd_triage 2024-08-22 16:40:58 UTC
committed -- thanks