List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
From: Kevin Bowling
Date: Fri, 16 Aug 2024 12:03:31 -0700
Subject: Re: git: 72dd8d2ee676 - main - mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)
To: Vladimir Druzenko
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org

CVEs should come with an update to security/vuxml/vuln/2024.xml

On Fri, Aug 16, 2024 at 11:36 AM Vladimir Druzenko wrote:
>
> The branch main has been updated by vvd:
>
> URL: https://cgit.FreeBSD.org/ports/commit/?id=72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
>
> commit 72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
> Author:     Vladimir Druzenko
> AuthorDate: 2024-08-16 18:31:04 +0000
> Commit:     Vladimir Druzenko
> CommitDate: 2024-08-16 18:31:04 +0000
>
>     mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)
>
>     - CVE-2024-23184: A large number of address headers in email resulted
>       in excessive CPU usage.
>     - CVE-2024-23185: Abnormally large email headers are now truncated or
>       discarded, with a limit of 10MB on a single header and 50MB for all
>       the headers of all the parts of an email.
>     - oauth2: Dovecot would send client_id and client_secret as POST parameters
>       to introspection server. These need to be optionally in Basic auth
>       instead as required by OIDC specification.
>     - oauth2: JWT key type check was too strict.
>     - oauth2: JWT token audience was not validated against client_id as
>       required by OIDC specification.
>     - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
>       protocol specific error message on all errors.
>       This broke OIDC discovery.
>     - oauth2: JWT aud validation was not performed if aud was missing
>       from token, but was configured on Dovecot.
>     https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/
>
>     PR:             280866
>     Approved by:    ler (maintainer)
>     MFH:            2024Q3
> --- > mail/dovecot/Makefile | 4 +--- > mail/dovecot/distinfo | 6 +++--- > 2 files changed, 4 insertions(+), 6 deletions(-) > > diff --git a/mail/dovecot/Makefile b/mail/dovecot/Makefile > index c789da0a2294..44f42b27f94f 100644 > --- a/mail/dovecot/Makefile > +++ b/mail/dovecot/Makefile > @@ -9,8 +9,7 @@ > ###################################################################### > > PORTNAME=3D dovecot > -PORTVERSION=3D 2.3.21 > -PORTREVISION=3D 6 > +DISTVERSION=3D 2.3.21.1 > CATEGORIES=3D mail > MASTER_SITES=3D https://dovecot.org/releases/2.3/ > > @@ -27,7 +26,6 @@ USES=3D cpe iconv libtool pkgconfig ssl > USE_RC_SUBR=3D dovecot > > GNU_CONFIGURE=3D yes > -GNU_CONFIGURE_MANPREFIX=3D ${PREFIX}/share > CONFIGURE_ARGS=3D --localstatedir=3D/var \ > --with-docs \ > --with-ssl=3Dopenssl \ > diff --git a/mail/dovecot/distinfo b/mail/dovecot/distinfo > index e9e4c683e46c..97f77b78a427 100644 > --- a/mail/dovecot/distinfo > +++ b/mail/dovecot/distinfo > @@ -1,3 +1,3 @@ > -TIMESTAMP =3D 1695133264 > -SHA256 (dovecot-2.3.21.tar.gz) =3D 05b11093a71c237c2ef309ad587510721cc93= bbee6828251549fc1586c36502d > -SIZE (dovecot-2.3.21.tar.gz) =3D 7837242 > +TIMESTAMP =3D 1723829732 > +SHA256 (dovecot-2.3.21.1.tar.gz) =3D 2d90a178c4297611088bf7daae5492a3bc3= d5ab6328c3a032eb425d2c249097e > +SIZE (dovecot-2.3.21.1.tar.gz) =3D 7842044
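
Review bot: The switch from PORTVERSION to DISTVERSION in the first mail/dovecot/Makefile hunk (@@ -9,8 +9,7 @@) is not mentioned in the commit message, which lists only the upstream changes. Dropping PORTREVISION alongside it is fine, since 2.3.21.1 sorts above 2.3.21 with revision 6, but a line in the log noting the variable change would make the intent clear to anyone reading the merge to 2024Q3.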
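
Review bot: The removal of GNU_CONFIGURE_MANPREFIX in the second mail/dovecot/Makefile hunk (@@ -27,7 +26,6 @@) is unrelated to the 2.3.21.1 update and the commit message gives no reason for it. Either state in the log why the line goes away, or move it to its own commit so that the change marked MFH: 2024Q3 carries only the security update.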