Bug 97193 - mail/dovecot - Update to 1.0.b8 (fixes security hole)
Summary: mail/dovecot - Update to 1.0.b8 (fixes security hole)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Ion-Mihai "IOnut" Tetcu
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-05-13 08:30 UTC by Jeremy Chadwick
Modified: 2006-05-14 17:44 UTC (History)
0 users

See Also:


Attachments
file.diff (1.30 KB, patch)
2006-05-13 08:30 UTC, Jeremy Chadwick
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Chadwick 2006-05-13 08:30:16 UTC
	Update the mail/dovecot to 1.0.b8, which addresses numerous problems
	(including proper kqueue support -- that means us, BSD folks! ;) ),
	the most important of which is a security hole (individuals are
	allowed to list other users' mailboxes).

	I've labelled this as serious/medium because of the security hole.

	Official changelog between b7 and b8 is as follows:

	* Fixed a security hole with mbox: "1 LIST .. *" command could
	  list all directories and files under the mbox root directory, so
	  if your mails were stored in eg. /var/mail/%u/ directory, the
	  command would list everything under /var/mail.

	+ Unless nfs_check=no or mmap_disable=yes, check for the first login
	  if the user's index directory exists in NFS mount. If so, refuse to
	  run. This is done only on first login to avoid constant extra
	  overhead.
	+ If we have plugins set and imap_capability unset, figure out the
	  IMAP capabilities automatically by running imap binary at startup.
	  The generated capability list isn't updated until Dovecot is
	  restarted completely, so if you add or remove IMAP plugins you
	  should restart. If you have problems related to this, set
	  imap_capabilities setting manually to work around it.
	+ Added auth_username_format setting
	- pop3_lock_session setting wasn't really working
	- Lots of fixes related to quota handling. It's still not working
	  perfectly though.
	- Lots of index handling fixes, especially with mmap_disable=yes
	- Maildir: saving mails could have sometimes caused "Append with UID
	  n, but next_uid = m" errors
	- flock() locking never timeouted because ignoring SIGALRM caused the
	  system call just to be restarted when SIGALRM occurred (probably not
	  with all OSes though?)
	- kqueue: Fixed "Unrecognized event". Patch by Vaclav Haisman

Fix: Apply below patch.

How-To-Repeat: 	n/a
Comment 1 Edwin Groothuis freebsd_committer 2006-05-13 08:32:09 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback
Comment 2 Robin Breathe 2006-05-13 10:41:46 UTC
This patch looks fine, please commit.
Comment 3 Ion-Mihai "IOnut" Tetcu freebsd_committer 2006-05-14 12:07:30 UTC
Responsible Changed
From-To: freebsd-ports-bugs->itetcu

I'll take it.
Comment 4 Ion-Mihai "IOnut" Tetcu freebsd_committer 2006-05-14 16:32:09 UTC
State Changed
From-To: feedback->open

Maintainer approved
Comment 5 Ion-Mihai "IOnut" Tetcu freebsd_committer 2006-05-14 17:44:02 UTC
State Changed
From-To: open->closed

Committed, with minor changes. Thanks!