Re: git: 72dd8d2ee676 - main - mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)

From: Kevin Bowling <kevin.bowling_at_kev009.com>
Date: Fri, 16 Aug 2024 22:03:16 UTC 
On Fri, Aug 16, 2024 at 2:57 PM Vladimir Druzenko <vvd@freebsd.org> wrote:

> 16.08.2024 22:03, Kevin Bowling пишет:
> > CVEs should come with an update to security/vuxml/vuln/2024.xml
>
> I don't know how to do this correctly.
>

You should seek help or abstain from doing security updates then.  It is
just an xml file that you update, the wiki https://wiki.freebsd.org/VuXML
 and the link inside to the PHB have all necessary instructions.



> > On Fri, Aug 16, 2024 at 11:36 AM Vladimir Druzenko <vvd@freebsd.org>
> wrote:
> >> The branch main has been updated by vvd:
> >>
> >> URL:
> https://cgit.FreeBSD.org/ports/commit/?id=72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
> >>
> >> commit 72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
> >> Author:     Vladimir Druzenko <vvd@FreeBSD.org>
> >> AuthorDate: 2024-08-16 18:31:04 +0000
> >> Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
> >> CommitDate: 2024-08-16 18:31:04 +0000
> >>
> >>      mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)
> >>
> >>      - CVE-2024-23184: A large number of address headers in email
> resulted
> >>        in excessive CPU usage.
> >>      - CVE-2024-23185: Abnormally large email headers are now truncated
> or
> >>        discarded, with a limit of 10MB on a single header and 50MB for
> all
> >>        the headers of all the parts of an email.
> >>      - oauth2: Dovecot would send client_id and client_secret as POST
> parameters
> >>        to introspection server. These need to be optionally in Basic
> auth
> >>        instead as required by OIDC specification.
> >>      - oauth2: JWT key type check was too strict.
> >>      - oauth2: JWT token audience was not validated against client_id as
> >>        required by OIDC specification.
> >>      - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
> >>        protocol specific error message on all errors. This broke OIDC
> discovery.
> >>      - oauth2: JWT aud validation was not performed if aud was missing
> >>        from token, but was configured on Dovecot.
> >>
> https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/
> >>
> >>      PR:             280866
> >>      Approved by:    ler (maintainer)
> >>      MFH:            2024Q3
> >> ---
> >>   mail/dovecot/Makefile | 4 +---
> >>   mail/dovecot/distinfo | 6 +++---
> >>   2 files changed, 4 insertions(+), 6 deletions(-)
> >>
> >> diff --git a/mail/dovecot/Makefile b/mail/dovecot/Makefile
> >> index c789da0a2294..44f42b27f94f 100644
> >> --- a/mail/dovecot/Makefile
> >> +++ b/mail/dovecot/Makefile
> >> @@ -9,8 +9,7 @@
> >>   ######################################################################
> >>
> >>   PORTNAME=      dovecot
> >> -PORTVERSION=   2.3.21
> >> -PORTREVISION=  6
> >> +DISTVERSION=   2.3.21.1
> >>   CATEGORIES=    mail
> >>   MASTER_SITES=  https://dovecot.org/releases/2.3/
> >>
> >> @@ -27,7 +26,6 @@ USES=         cpe iconv libtool pkgconfig ssl
> >>   USE_RC_SUBR=   dovecot
> >>
> >>   GNU_CONFIGURE= yes
> >> -GNU_CONFIGURE_MANPREFIX=       ${PREFIX}/share
> >>   CONFIGURE_ARGS=        --localstatedir=/var \
> >>                  --with-docs \
> >>                  --with-ssl=openssl \
> >> diff --git a/mail/dovecot/distinfo b/mail/dovecot/distinfo
> >> index e9e4c683e46c..97f77b78a427 100644
> >> --- a/mail/dovecot/distinfo
> >> +++ b/mail/dovecot/distinfo
> >> @@ -1,3 +1,3 @@
> >> -TIMESTAMP = 1695133264
> >> -SHA256 (dovecot-2.3.21.tar.gz) =
> 05b11093a71c237c2ef309ad587510721cc93bbee6828251549fc1586c36502d
> >> -SIZE (dovecot-2.3.21.tar.gz) = 7837242
> >> +TIMESTAMP = 1723829732
> >> +SHA256 (dovecot-2.3.21.1.tar.gz) =
> 2d90a178c4297611088bf7daae5492a3bc3d5ab6328c3a032eb425d2c249097e
> >> +SIZE (dovecot-2.3.21.1.tar.gz) = 7842044
>
>
> --
> Best regards,
> Vladimir Druzenko
>
>