Re: git: 72dd8d2ee676 - main - mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)

From: Vladimir Druzenko <vvd_at_freebsd.org>
Date: Sat, 17 Aug 2024 00:07:57 UTC
On 17.08.2024 01:03, Kevin Bowling wrote:
> On Fri, Aug 16, 2024 at 2:57 PM Vladimir Druzenko <vvd@freebsd.org> wrote:
>
>     On 16.08.2024 22:03, Kevin Bowling wrote:
>     > CVEs should come with an update to security/vuxml/vuln/2024.xml
>
>     I don't know how to do this correctly.
>
>
> You should seek help or abstain from doing security updates then.  It 
> is just an xml file that you update, the wiki 
> https://wiki.freebsd.org/VuXML
>  and the link inside to the PHB have all necessary instructions.
>
I wouldn't do that, but ler@ (maintainer) is in hospital and asked to 
update his port.
Also, I use dovecot so I can test it in real work before committing, 
which I did.

If you can and are willing to help, then just help. Just like we all 
help with updating ports from maintainers without commit bits or fixing 
broken ports builds.

Peace.

>
>     > On Fri, Aug 16, 2024 at 11:36 AM Vladimir Druzenko <vvd@freebsd.org> wrote:
>     >> The branch main has been updated by vvd:
>     >>
>     >> URL: https://cgit.FreeBSD.org/ports/commit/?id=72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
>     >>
>     >> commit 72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
>     >> Author:     Vladimir Druzenko <vvd@FreeBSD.org>
>     >> AuthorDate: 2024-08-16 18:31:04 +0000
>     >> Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
>     >> CommitDate: 2024-08-16 18:31:04 +0000
>     >>
>     >>      mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)
>     >>
>     >>      - CVE-2024-23184: A large number of address headers in email resulted
>     >>        in excessive CPU usage.
>     >>      - CVE-2024-23185: Abnormally large email headers are now truncated or
>     >>        discarded, with a limit of 10MB on a single header and 50MB for all
>     >>        the headers of all the parts of an email.
>     >>      - oauth2: Dovecot would send client_id and client_secret as POST parameters
>     >>        to introspection server. These need to be optionally in Basic auth
>     >>        instead as required by OIDC specification.
>     >>      - oauth2: JWT key type check was too strict.
>     >>      - oauth2: JWT token audience was not validated against client_id as
>     >>        required by OIDC specification.
>     >>      - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
>     >>        protocol specific error message on all errors. This broke OIDC discovery.
>     >>      - oauth2: JWT aud validation was not performed if aud was missing
>     >>        from token, but was configured on Dovecot.
>     >>
>     >>      https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/
>     >>
>     >>      PR:             280866
>     >>      Approved by:    ler (maintainer)
>     >>      MFH:            2024Q3
>     >> ---
>     >>   mail/dovecot/Makefile | 4 +---
>     >>   mail/dovecot/distinfo | 6 +++---
>     >>   2 files changed, 4 insertions(+), 6 deletions(-)
>     >>
>     >> diff --git a/mail/dovecot/Makefile b/mail/dovecot/Makefile
>     >> index c789da0a2294..44f42b27f94f 100644
>     >> --- a/mail/dovecot/Makefile
>     >> +++ b/mail/dovecot/Makefile
>     >> @@ -9,8 +9,7 @@
>     >>
>      ######################################################################
>     >>
>     >>   PORTNAME=      dovecot
>     >> -PORTVERSION=   2.3.21
>     >> -PORTREVISION=  6
>     >> +DISTVERSION=   2.3.21.1
>     >>   CATEGORIES=    mail
>     >>   MASTER_SITES= https://dovecot.org/releases/2.3/
>     >>
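Review bot: this hunk swaps the versioning variable as well as the version (PORTVERSION=2.3.21 plus PORTREVISION=6 become DISTVERSION=2.3.21.1), and the commit message says nothing about the switch; a plain `PORTVERSION=   2.3.21.1` with the PORTREVISION line dropped expresses the bump without the unexplained style change, and if DISTVERSION is intended, the reason belongs in the log. Dropping PORTREVISION on a version bump is correct.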
>     >> @@ -27,7 +26,6 @@ USES=         cpe iconv libtool pkgconfig ssl
>     >>   USE_RC_SUBR=   dovecot
>     >>
>     >>   GNU_CONFIGURE= yes
>     >> -GNU_CONFIGURE_MANPREFIX=       ${PREFIX}/share
>     >>   CONFIGURE_ARGS=        --localstatedir=/var \
>     >>                  --with-docs \
>     >>                  --with-ssl=openssl \
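Review bot: the removal of `GNU_CONFIGURE_MANPREFIX=       ${PREFIX}/share` is not explained anywhere in the commit message, which lists only upstream fixes; if the 2.3.21.1 configure script now places the man pages under ${PREFIX}/share by itself, say so in the log, otherwise confirm that the package list still matches where the man pages are installed after this change.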
>     >> diff --git a/mail/dovecot/distinfo b/mail/dovecot/distinfo
>     >> index e9e4c683e46c..97f77b78a427 100644
>     >> --- a/mail/dovecot/distinfo
>     >> +++ b/mail/dovecot/distinfo
>     >> @@ -1,3 +1,3 @@
>     >> -TIMESTAMP = 1695133264
>     >> -SHA256 (dovecot-2.3.21.tar.gz) =
>     05b11093a71c237c2ef309ad587510721cc93bbee6828251549fc1586c36502d
>     >> -SIZE (dovecot-2.3.21.tar.gz) = 7837242
>     >> +TIMESTAMP = 1723829732
>     >> +SHA256 (dovecot-2.3.21.1.tar.gz) =
>     2d90a178c4297611088bf7daae5492a3bc3d5ab6328c3a032eb425d2c249097e
>     >> +SIZE (dovecot-2.3.21.1.tar.gz) = 7842044
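Review bot: the log names CVE-2024-23184 and CVE-2024-23185, yet nothing in this commit records them for `pkg audit`; the matching entry in security/vuxml/vuln/2024.xml (as raised earlier in this thread) should accompany a security bump. The distinfo change itself is consistent with a fresh `make makesum` run, since TIMESTAMP, SHA256 and SIZE all move together for the new tarball.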
>
>
>     -- 
>     Best regards,
>     Vladimir Druzenko
>

-- 
Best regards,
Vladimir Druzenko