Bug 240174 - mail/dovecot: Update to 2.3.7.2 (Fixes CVE-2019-11500)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Larry Rosenman
URL: https://dovecot.org/pipermail/dovecot...
Keywords: security
Depends on:
Blocks:
 
Reported: 2019-08-28 16:02 UTC by Christian Schwarz
Modified: 2019-08-29 14:56 UTC

See Also:
bugzilla: maintainer-feedback? (ler)
ler: merge-quarterly+


Description Christian Schwarz 2019-08-28 16:02:33 UTC
See https://dovecot.org/pipermail/dovecot/2019-August/116873.html

Should merge to quarterly
Comment 1 Larry Rosenman freebsd_committer 2019-08-28 16:03:53 UTC
Already committed the fix to head, and have an MFH request in.
Comment 2 Larry Rosenman freebsd_committer 2019-08-28 16:59:10 UTC
Unfortunately, MFH'ing this fix brings in a GCC change that I'd like a reading on from the SO folks.
Comment 3 Larry Rosenman freebsd_committer 2019-08-28 18:04:17 UTC
Can I get a ruling from ports-secteam?
Comment 4 Jochen Neumeister freebsd_committer 2019-08-29 06:56:52 UTC
Approved for MFH, see:

Xin LI 2019-08-28 16:21:08 UTC
Flags: merge-quarterly+
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2019-08-29 09:49:40 UTC
Committed to head in ports r510075

VuXML entry added in ports r510074

@Larry Could you please include this PR: reference in the MFH to quarterly so that the commit is tracked in this bug.

After merge, set merge-quarterly to + and close as necessary
Comment 6 Larry Rosenman freebsd_committer 2019-08-29 14:37:07 UTC
The problem I'm having is I don't necessarily want to bring in the GCC change:

Tools/scripts/mfh 2019Q3 506460 506487 506821 506824 507181 507215 510075
which is all dovecot{,-pigeonhole}, but it gives a conflict with 507372.





On 08/28/2019 11:30 am, Larry Rosenman wrote:

Ugh.  I don't really want to mfh:

------------------------------------------------------------------------
r507372 | gerald | 2019-07-26 15:46:53 -0500 (Fri, 26 Jul 2019) | 14 lines

Bump PORTREVISION for ports depending on the canonical version of GCC
as defined in Mk/bsd.default-versions.mk which has moved from GCC 8.3
to GCC 9.1 under most circumstances now after revision 507371.

This includes ports
- with USE_GCC=yes or USE_GCC=any,
- with USES=fortran,
- using Mk/bsd.octave.mk which in turn features USES=fortran, and
- with USES=compiler specifying openmp, nestedfct, c11, c++0x, c++11-lang,
c++11-lib, c++14-lang, c++17-lang, or gcc-c++11-lib
plus, everything INDEX-11 shows with a dependency on lang/gcc9 now.

PR: 238330



Is it ok to just fix the conflict?
Comment 7 Larry Rosenman freebsd_committer 2019-08-29 14:47:59 UTC
I manually fixed the conflicts, and committed it.
Comment 8 Larry Rosenman freebsd_committer 2019-08-29 14:56:23 UTC
merged in r510165.