Bug 97193

Summary: mail/dovecot - Update to 1.0.b8 (fixes security hole)
Product: Ports & Packages
Reporter: Jeremy Chadwick <freebsd>
Component: Individual Port(s)
Assignee: Ion-Mihai "IOnut" Tetcu <itetcu>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Attachments:
file.diff (Flags: none)

Description Jeremy Chadwick 2006-05-13 08:30:16 UTC
Update the mail/dovecot to 1.0.b8, which addresses numerous problems
(including proper kqueue support -- that means us, BSD folks! ;) ),
the most important of which is a security hole (individuals are
allowed to list other users' mailboxes).

I've labelled this as serious/medium because of the security hole.

Official changelog between b7 and b8 is as follows:

* Fixed a security hole with mbox: "1 LIST .. *" command could
  list all directories and files under the mbox root directory, so
  if your mails were stored in e.g. /var/mail/%u/ directory, the
  command would list everything under /var/mail.

+ Unless nfs_check=no or mmap_disable=yes, check for the first login
  if the user's index directory exists in NFS mount. If so, refuse to
  run. This is done only on first login to avoid constant extra
  overhead.
+ If we have plugins set and imap_capability unset, figure out the
  IMAP capabilities automatically by running imap binary at startup.
  The generated capability list isn't updated until Dovecot is
  restarted completely, so if you add or remove IMAP plugins you
  should restart. If you have problems related to this, set
  imap_capabilities setting manually to work around it.
+ Added auth_username_format setting
- pop3_lock_session setting wasn't really working
- Lots of fixes related to quota handling. It's still not working
  perfectly though.
- Lots of index handling fixes, especially with mmap_disable=yes
- Maildir: saving mails could have sometimes caused "Append with UID
  n, but next_uid = m" errors
- flock() locking never timed out because ignoring SIGALRM caused the
  system call just to be restarted when SIGALRM occurred (probably not
  with all OSes though?)
- kqueue: Fixed "Unrecognized event". Patch by Vaclav Haisman

Fix: Apply below patch.

How-To-Repeat: n/a
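The first changelog entry above is a path-containment failure: an IMAP LIST reference of ".." combined with the pattern "*" was mapped onto the filesystem and walked past the per-user mbox root into /var/mail. As an added illustration (not Dovecot's code and not the attached patch), the following Python sketch shows the kind of check a mailbox-name-to-path mapping needs so that a LIST can never be confined to anything but the user's own root. The root "/var/mail/alice", the in-memory file set and every function name are constructed for this example; IMAP's "*" (matches across the hierarchy separator) and "%" (does not) are handled as the protocol defines them.

```python
import posixpath
import re

# Constructed sample layout, as in the changelog's example of mails stored in
# /var/mail/%u/: the root and the file set below are made up for this example.
MBOX_ROOT = "/var/mail/alice"
SAMPLE_FILES = {
    "/var/mail/alice/INBOX",
    "/var/mail/alice/work/2006",
    "/var/mail/alice/work/archive",
    "/var/mail/bob/INBOX",
    "/var/mail/bob/private",
    "/var/mail/carol/INBOX",
}


class MailboxNameError(ValueError):
    """An IMAP reference/pattern that must not be mapped onto the filesystem."""


def validate_components(name):
    """Reject '.' and '..' path components, including ones padded with wildcards
    (so a reference of '..' followed by a pattern of '*' is caught as '..*')."""
    if "\0" in name:
        raise MailboxNameError("NUL byte in mailbox name")
    for comp in name.split("/"):
        if comp.replace("*", "").replace("%", "") in (".", ".."):
            raise MailboxNameError(f"refusing traversal component {comp!r}")


def safe_join(root, relative):
    """Map a mailbox-relative path onto root and prove it is still inside root."""
    if relative.startswith("/"):
        raise MailboxNameError("absolute mailbox path")
    validate_components(relative)
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Belt and braces: even after the component check, the normalised result
    # must still have root as its common prefix.
    if posixpath.commonpath([root, candidate]) != root:
        raise MailboxNameError(f"{candidate} escapes {root}")
    return candidate


def list_base_dir(root, reference, pattern):
    """Directory a LIST may walk: the literal part of reference+pattern before
    the first wildcard, resolved under root (or root itself)."""
    full = reference + pattern
    validate_components(full)
    wild = [i for i in (full.find("*"), full.find("%")) if i >= 0]
    literal = full[: min(wild)] if wild else full
    dir_part = literal.rsplit("/", 1)[0] if "/" in literal else ""
    return safe_join(root, dir_part)


def pattern_to_regex(full):
    """IMAP wildcards: '*' matches anything, '%' does not cross the '/' separator."""
    out = []
    for ch in full:
        if ch == "*":
            out.append(".*")
        elif ch == "%":
            out.append("[^/]*")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def list_mailboxes(root, reference, pattern, files):
    """Return mailbox names under root matching reference+pattern; raise on any
    reference/pattern that would leave root."""
    base = list_base_dir(root, reference, pattern)
    root = posixpath.normpath(root)
    regex = pattern_to_regex(reference + pattern)
    names = []
    for path in sorted(files):
        if posixpath.commonpath([base, path]) != base:
            continue  # outside the directory this LIST is confined to
        name = posixpath.relpath(path, root)
        if regex.match(name):
            names.append(name)
    return names


def rejects(root, reference, pattern):
    """True if the reference/pattern is refused before any directory is walked."""
    try:
        list_base_dir(root, reference, pattern)
    except MailboxNameError:
        return True
    return False


if __name__ == "__main__":
    print(list_mailboxes(MBOX_ROOT, "", "*", SAMPLE_FILES))
    print(list_mailboxes(MBOX_ROOT, "work/", "%", SAMPLE_FILES))
    print(rejects(MBOX_ROOT, "..", "*"))  # the pre-b8 case, now refused
```

The two checks are deliberately redundant: the component test catches ".." before any path is built, and the `commonpath` test after normalisation catches anything the component test did not anticipate. The listing loop also filters every candidate file against the confined base directory rather than trusting the pattern alone, so other users' directories under the shared parent are never considered even if the pattern would match their names.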
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2006-05-13 08:32:09 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback
Comment 2 Robin Breathe 2006-05-13 10:41:46 UTC
This patch looks fine, please commit.
Comment 3 Ion-Mihai "IOnut" Tetcu freebsd_committer freebsd_triage 2006-05-14 12:07:30 UTC
Responsible Changed
From-To: freebsd-ports-bugs->itetcu

I'll take it.
Comment 4 Ion-Mihai "IOnut" Tetcu freebsd_committer freebsd_triage 2006-05-14 16:32:09 UTC
State Changed
From-To: feedback->open

Maintainer approved
Comment 5 Ion-Mihai "IOnut" Tetcu freebsd_committer freebsd_triage 2006-05-14 17:44:02 UTC
State Changed
From-To: open->closed

Committed, with minor changes. Thanks!