From: Kevin Bowling <kevin.bowling@kev009.com>
Date: Fri, 16 Aug 2024 15:03:16 -0700
Subject: Re: git: 72dd8d2ee676 - main - mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)
To: Vladimir Druzenko <vvd@freebsd.org>
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
References: <202408161835.47GIZuZJ084942@gitrepo.freebsd.org> <5b4df306-2998-4f98-b5fa-8bf168cd011a@freebsd.org>
In-Reply-To: <5b4df306-2998-4f98-b5fa-8bf168cd011a@freebsd.org>

On Fri, Aug 16, 2024 at 2:57 PM Vladimir Druzenko <vvd@freebsd.org> wrote:
> 16.08.2024 22:03, Kevin Bowling writes:
> > CVEs should come with an update to security/vuxml/vuln/2024.xml
>
> I don't know how to do this correctly.
>
You should seek help or abstain from doing security updates then.  It is just an XML file that you update; the wiki https://wiki.freebsd.org/VuXML and the link inside to the PHB have all necessary instructions.

> > On Fri, Aug 16, 2024 at 11:36 AM Vladimir Druzenko <vvd@freebsd.org> wrote:
> >> The branch main has been updated by vvd:
> >>
> >> URL: https://cgit.FreeBSD.org/ports/commit/?id=72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
> >>
> >> commit 72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
> >> Author:     Vladimir Druzenko <vvd@FreeBSD.org>
> >> AuthorDate: 2024-08-16 18:31:04 +0000
> >> Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
> >> CommitDate: 2024-08-16 18:31:04 +0000
> >>
> >>     mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)
> >>
> >>     - CVE-2024-23184: A large number of address headers in email resulted
> >>       in excessive CPU usage.
> >>     - CVE-2024-23185: Abnormally large email headers are now truncated or
> >>       discarded, with a limit of 10MB on a single header and 50MB for all
> >>       the headers of all the parts of an email.
> >>     - oauth2: Dovecot would send client_id and client_secret as POST parameters
> >>       to introspection server. These need to be optionally in Basic auth
> >>       instead as required by OIDC specification.
> >>     - oauth2: JWT key type check was too strict.
> >>     - oauth2: JWT token audience was not validated against client_id as
> >>       required by OIDC specification.
> >>     - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
> >>       protocol specific error message on all errors. This broke OIDC discovery.
> >>     - oauth2: JWT aud validation was not performed if aud was missing
> >>       from token, but was configured on Dovecot.
> >>     https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/
> >>
> >>     PR:             280866
> >>     Approved by:    ler (maintainer)
> >>     MFH:            2024Q3
> >> ---
> >>  mail/dovecot/Makefile | 4 +---
> >>  mail/dovecot/distinfo | 6 +++---
> >>  2 files changed, 4 insertions(+), 6 deletions(-)
> >>
> >> diff --git a/mail/dovecot/Makefile b/mail/dovecot/Makefile
> >> index c789da0a2294..44f42b27f94f 100644
> >> --- a/mail/dovecot/Makefile
> >> +++ b/mail/dovecot/Makefile
> >> @@ -9,8 +9,7 @@
> >>  ######################################################################
> >>
> >>  PORTNAME=       dovecot
> >> -PORTVERSION=    2.3.21
> >> -PORTREVISION=   6
> >> +DISTVERSION=    2.3.21.1
> >>  CATEGORIES=     mail
> >>  MASTER_SITES=   https://dovecot.org/releases/2.3/
> >>
> >> @@ -27,7 +26,6 @@ USES=          cpe iconv libtool pkgconfig ssl
> >>  USE_RC_SUBR=    dovecot
> >>
> >>  GNU_CONFIGURE=  yes
> >> -GNU_CONFIGURE_MANPREFIX=        ${PREFIX}/share
> >>  CONFIGURE_ARGS= --localstatedir=/var \
> >>                  --with-docs \
> >>                  --with-ssl=openssl \
> >> diff --git a/mail/dovecot/distinfo b/mail/dovecot/distinfo
> >> index e9e4c683e46c..97f77b78a427 100644
> >> --- a/mail/dovecot/distinfo
> >> +++ b/mail/dovecot/distinfo
> >> @@ -1,3 +1,3 @@
> >> -TIMESTAMP = 1695133264
> >> -SHA256 (dovecot-2.3.21.tar.gz) = 05b11093a71c237c2ef309ad587510721cc93bbee6828251549fc1586c36502d
> >> -SIZE (dovecot-2.3.21.tar.gz) = 7837242
> >> +TIMESTAMP = 1723829732
> >> +SHA256 (dovecot-2.3.21.1.tar.gz) = 2d90a178c4297611088bf7daae5492a3bc3d5ab6328c3a032eb425d2c249097e
> >> +SIZE (dovecot-2.3.21.1.tar.gz) = 7842044
>
>
> --
> Best regards,
> Vladimir Druzenko
>
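Review bot: in the first Makefile hunk (`-PORTVERSION=    2.3.21` / `-PORTREVISION=   6` / `+DISTVERSION=    2.3.21.1`) the version bump is the whole security fix, yet the log entry says "(fixes 2 CVEs)" and names CVE-2024-23184 and CVE-2024-23185 while the diffstat touches only mail/dovecot/Makefile and mail/dovecot/distinfo. A security/vuxml/vuln/2024.xml entry marking dovecot earlier than 2.3.21.1 as affected should land with (or immediately after) this commit, because `pkg audit` on users' systems only learns that the installed 2.3.21 is vulnerable from VuXML, not from the port bump. Dropping PORTREVISION together with the version change is correct.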
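Review bot: the second Makefile hunk removes `-GNU_CONFIGURE_MANPREFIX=        ${PREFIX}/share` without a word about it in the log entry, which lists only the upstream 2.3.21.1 changes; a reader cannot tell whether the new tarball's configure now places man pages under ${PREFIX}/share by itself or whether this is an unrelated cleanup riding along with a security update. State the reason in the commit message and confirm the staged man page paths with `make check-plist`, or split the removal into its own commit so the security bump stays a one-line, easily merged change for the `MFH: 2024Q3` branch.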
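Review bot: the distinfo hunk replaces the trusted hash with `+SHA256 (dovecot-2.3.21.1.tar.gz) = 2d90a178c4297611088bf7daae5492a3bc3d5ab6328c3a032eb425d2c249097e`, and from now on `make checksum` trusts exactly that value; the log entry should record that the distfile was verified against upstream's signed release or the announcement linked in the message, not merely regenerated with `make makesum`, since a hash regenerated from whatever was downloaded proves nothing about the tarball. TIMESTAMP and SIZE are updated consistently with the new distfile.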
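Since the point of the thread is the missing VuXML entry, here is what such an entry looks like for this update. This is an added illustration, not part of the original mail and not taken from the FreeBSD ports tree: the package name, the fixed version, the two CVE identifiers, the announcement URL and the description text all come from the commit message quoted above; the `vid` is an all-zero placeholder that must be replaced with fresh `uuidgen` output, and the discovery date is an assumption that has to be checked against the linked dovecot-news announcement before committing.

```xml
<!-- Added example entry for security/vuxml/vuln/2024.xml (not the project's own).
     New entries go at the top of the file, newest first. -->
<!-- vid: placeholder only; generate a real one with uuidgen(1). -->
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>dovecot -- denial of service via excessive or oversized email headers</topic>
  <affects>
    <package>
      <name>dovecot</name>
      <!-- Everything before the fixed release is affected. -->
      <range><lt>2.3.21.1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Dovecot reports:</p>
      <blockquote cite="https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/">
        <p>CVE-2024-23184: A large number of address headers in email
          resulted in excessive CPU usage.</p>
        <p>CVE-2024-23185: Abnormally large email headers are now truncated
          or discarded, with a limit of 10MB on a single header and 50MB for
          all the headers of all the parts of an email.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2024-23184</cvename>
    <cvename>CVE-2024-23185</cvename>
    <url>https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/</url>
  </references>
  <dates>
    <!-- Assumption: date of the upstream announcement; verify against the linked thread. -->
    <discovery>2024-08-15</discovery>
    <!-- Date the entry is added; the commit in this thread is dated 2024-08-16. -->
    <entry>2024-08-16</entry>
  </dates>
</vuln>
```

Run `make validate` in security/vuxml after adding the entry; it checks the file against the VuXML schema and rejects a malformed `vid`, range or date. `make newentry` in the same directory produces a template with a freshly generated `vid` if you prefer to start from that instead of the placeholder above.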

