Re: git: 72dd8d2ee676 - main - mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)

From: Kevin Bowling <kevin.bowling_at_kev009.com>
Date: Sat, 17 Aug 2024 04:40:57 UTC
On Fri, Aug 16, 2024 at 5:08 PM Vladimir Druzenko <vvd@freebsd.org> wrote:

> 17.08.2024 01:03, Kevin Bowling wrote:
>
> On Fri, Aug 16, 2024 at 2:57 PM Vladimir Druzenko <vvd@freebsd.org> wrote:
>
>> 16.08.2024 22:03, Kevin Bowling wrote:
>> > CVEs should come with an update to security/vuxml/vuln/2024.xml
>>
>> I don't know how to do this correctly.
>>
>
> You should seek help or abstain from doing security updates then.  It is
> just an xml file that you update, the wiki https://wiki.freebsd.org/VuXML
>  and the link inside to the PHB have all necessary instructions.
>
> I wouldn't do that, but ler@ (maintainer) is in hospital and asked to
> update his port.
> Also, I use dovecot so I can test it in real work before committing, which
> I did.
>
> If you can and are willing to help, then just help. Just like we all help
> with updating ports from maintainers without commit bits or fixing broken
> ports builds.
>
I have given you the information you need.  It is editing a declarative
text file, which is simpler in both concept and execution than the port
update in question.  The wiki linked covers the obstinate behavior already,
so read what was given before replying.

Peace.
>
>
>> > On Fri, Aug 16, 2024 at 11:36 AM Vladimir Druzenko <vvd@freebsd.org> wrote:
>> >> The branch main has been updated by vvd:
>> >>
>> >> URL: https://cgit.FreeBSD.org/ports/commit/?id=72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
>> >>
>> >> commit 72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
>> >> Author:     Vladimir Druzenko <vvd@FreeBSD.org> <vvd@FreeBSD.org>
>> >> AuthorDate: 2024-08-16 18:31:04 +0000
>> >> Commit:     Vladimir Druzenko <vvd@FreeBSD.org> <vvd@FreeBSD.org>
>> >> CommitDate: 2024-08-16 18:31:04 +0000
>> >>
>> >>      mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)
>> >>
>> >>      - CVE-2024-23184: A large number of address headers in email resulted
>> >>        in excessive CPU usage.
>> >>      - CVE-2024-23185: Abnormally large email headers are now truncated or
>> >>        discarded, with a limit of 10MB on a single header and 50MB for all
>> >>        the headers of all the parts of an email.
>> >>      - oauth2: Dovecot would send client_id and client_secret as POST parameters
>> >>        to introspection server. These need to be optionally in Basic auth
>> >>        instead as required by OIDC specification.
>> >>      - oauth2: JWT key type check was too strict.
>> >>      - oauth2: JWT token audience was not validated against client_id as
>> >>        required by OIDC specification.
>> >>      - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
>> >>        protocol specific error message on all errors. This broke OIDC discovery.
>> >>      - oauth2: JWT aud validation was not performed if aud was missing
>> >>        from token, but was configured on Dovecot.
>> >>
>> >>      https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/
>> >>
>> >>      PR:             280866
>> >>      Approved by:    ler (maintainer)
>> >>      MFH:            2024Q3
>> >> ---
>> >>   mail/dovecot/Makefile | 4 +---
>> >>   mail/dovecot/distinfo | 6 +++---
>> >>   2 files changed, 4 insertions(+), 6 deletions(-)
>> >>
>> >> diff --git a/mail/dovecot/Makefile b/mail/dovecot/Makefile
>> >> index c789da0a2294..44f42b27f94f 100644
>> >> --- a/mail/dovecot/Makefile
>> >> +++ b/mail/dovecot/Makefile
>> >> @@ -9,8 +9,7 @@
>> >>
>>  ######################################################################
>> >>
>> >>   PORTNAME=      dovecot
>> >> -PORTVERSION=   2.3.21
>> >> -PORTREVISION=  6
>> >> +DISTVERSION=   2.3.21.1
>> >>   CATEGORIES=    mail
>> >>   MASTER_SITES=  https://dovecot.org/releases/2.3/
>> >>
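Review bot: the diffstat above lists only mail/dovecot/Makefile and mail/dovecot/distinfo, so a commit titled "fixes 2 CVEs" lands with no matching entry in security/vuxml/vuln/2024.xml, which is exactly what the thread asks for; the VuXML entry for dovecot < 2.3.21.1 naming CVE-2024-23184 and CVE-2024-23185 should go in the same commit, or land first, so the fixed range is published together with the fix. Minor: `PORTVERSION=	2.3.21.1` would have been the smaller change than switching the variable to DISTVERSION, although both work here because the version carries no suffix; dropping PORTREVISION on a version bump is correct.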
>> >> @@ -27,7 +26,6 @@ USES=         cpe iconv libtool pkgconfig ssl
>> >>   USE_RC_SUBR=   dovecot
>> >>
>> >>   GNU_CONFIGURE= yes
>> >> -GNU_CONFIGURE_MANPREFIX=       ${PREFIX}/share
>> >>   CONFIGURE_ARGS=        --localstatedir=/var \
>> >>                  --with-docs \
>> >>                  --with-ssl=openssl \
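Review bot: the removal of `GNU_CONFIGURE_MANPREFIX=	${PREFIX}/share` is not mentioned in the commit message, and nothing in the patch shows why it is no longer needed. If 2.3.21.1's configure now installs man pages under ${PREFIX}/share/man without the override, say so in the log; if it does not, the pages move and pkg-plist/stage-qa will complain, so either keep the line or state that the plist was re-checked against the staged install.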
>> >> diff --git a/mail/dovecot/distinfo b/mail/dovecot/distinfo
>> >> index e9e4c683e46c..97f77b78a427 100644
>> >> --- a/mail/dovecot/distinfo
>> >> +++ b/mail/dovecot/distinfo
>> >> @@ -1,3 +1,3 @@
>> >> -TIMESTAMP = 1695133264
>> >> -SHA256 (dovecot-2.3.21.tar.gz) =
>> 05b11093a71c237c2ef309ad587510721cc93bbee6828251549fc1586c36502d
>> >> -SIZE (dovecot-2.3.21.tar.gz) = 7837242
>> >> +TIMESTAMP = 1723829732
>> >> +SHA256 (dovecot-2.3.21.1.tar.gz) =
>> 2d90a178c4297611088bf7daae5492a3bc3d5ab6328c3a032eb425d2c249097e
>> >> +SIZE (dovecot-2.3.21.1.tar.gz) = 7842044
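Review bot: nothing in the log says how the new SHA256 was obtained. For a security update, state that distinfo was regenerated with `make makesum` from a tarball fetched from the MASTER_SITES listed in the Makefile and checked against the upstream release announcement linked in the commit message, rather than copied from elsewhere; the TIMESTAMP and SIZE changes are consistent with a fresh makesum, but the log should say it.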
>>
>>
>> --
>> Best regards,
>> Vladimir Druzenko
>>
>>
> --
> Best regards,
> Vladimir Druzenko
>
>
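Added worked example, not part of this thread or of the FreeBSD ports tree: the VuXML entry a CVE-fixing port update like this one is expected to carry, rendered in the layout of security/vuxml/vuln/2024.xml from the CVE lines of the quoted commit message, together with the cross-check a committer (or a pre-commit hook) can run to confirm that every CVE named in a commit message is referenced by an entry for that package whose <lt> bound is the fixed version. The package name, fixed version, the two CVE ids, the entry date and the announcement URL come from the commit above; the vid, the discovery date and the "reporter" wording are assumptions and are marked as such in the code.

```python
import re
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

VUXML_NS = "http://www.vuxml.org/apps/vuxml-1"
NS = {"v": VUXML_NS}
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
ATTR = {'"': "&quot;"}  # extra escaping for values placed in attributes

# Commit message as quoted in the thread (only the two CVE items matter here).
COMMIT_MESSAGE = """\
mail/dovecot: update 2.3.21 -> 2.3.21.1 (fixes 2 CVEs)

- CVE-2024-23184: A large number of address headers in email resulted
  in excessive CPU usage.
- CVE-2024-23185: Abnormally large email headers are now truncated or
  discarded, with a limit of 10MB on a single header and 50MB for all
  the headers of all the parts of an email.
"""
ANNOUNCEMENT = ("https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/"
                "thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/")


def cves_in_text(text):
    """All distinct CVE ids mentioned in a commit message, sorted."""
    return sorted(set(CVE_RE.findall(text)))


def vuln_entry(vid, pkg, fixed_in, topic, reporter, summary, cite, cves, discovery, entry):
    """Render one <vuln> element in the layout used by security/vuxml/vuln/*.xml.
    Every value is XML-escaped so an ampersand or quote in the summary cannot
    break the document."""
    refs = "".join(f"      <cvename>{escape(c)}</cvename>\n" for c in cves)
    return f"""  <vuln vid="{escape(vid, ATTR)}">
    <topic>{escape(pkg)} -- {escape(topic)}</topic>
    <affects>
      <package>
        <name>{escape(pkg)}</name>
        <range><lt>{escape(fixed_in)}</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>{escape(reporter)} reports:</p>
        <blockquote cite="{escape(cite, ATTR)}">
          <p>{escape(summary)}</p>
        </blockquote>
      </body>
    </description>
    <references>
{refs}      <url>{escape(cite)}</url>
    </references>
    <dates>
      <discovery>{escape(discovery)}</discovery>
      <entry>{escape(entry)}</entry>
    </dates>
  </vuln>
"""


def wrap_document(entries):
    """Wrap rendered <vuln> entries in the vuxml root element."""
    body = "".join(entries)
    return f'<?xml version="1.0" encoding="utf-8"?>\n<vuxml xmlns="{VUXML_NS}">\n{body}</vuxml>\n'


def missing_cves(vuxml_text, pkg, fixed_in, cves):
    """CVE ids from `cves` that no <vuln> for pkg with <lt>fixed_in</lt> references.
    An empty list means every CVE the commit claims to fix is backed by an entry."""
    root = ET.fromstring(vuxml_text.encode("utf-8"))
    covered = set()
    for vuln in root.findall("v:vuln", NS):
        for package in vuln.findall("v:affects/v:package", NS):
            name = package.findtext("v:name", namespaces=NS)
            upper_bounds = [lt.text for lt in package.findall("v:range/v:lt", NS)]
            if name == pkg and fixed_in in upper_bounds:
                covered.update(c.text for c in vuln.findall("v:references/v:cvename", NS))
    return sorted(set(cves) - covered)


def example_document():
    """The entry this commit would have needed, built from the quoted commit message."""
    entry = vuln_entry(
        vid=str(uuid.uuid4()),   # illustration only: a real entry needs one fresh, stable id
        pkg="dovecot",
        fixed_in="2.3.21.1",
        topic="multiple vulnerabilities",   # ASSUMPTION: usual wording for a two-CVE entry
        reporter="The Dovecot project",     # ASSUMPTION: attribution wording
        summary=("A large number of address headers in email resulted in excessive CPU usage. "
                 "Abnormally large email headers are now truncated or discarded, with a limit "
                 "of 10MB on a single header and 50MB for all the headers of all the parts of an email."),
        cite=ANNOUNCEMENT,
        cves=cves_in_text(COMMIT_MESSAGE),
        discovery="2024-08-13",  # ASSUMPTION: not stated in the thread; take it from the advisory
        entry="2024-08-16",      # the commit's AuthorDate
    )
    return wrap_document([entry])


if __name__ == "__main__":
    doc = example_document()
    print(doc)
    print("missing:", missing_cves(doc, "dovecot", "2.3.21.1", cves_in_text(COMMIT_MESSAGE)))
```

The rendered entry still has to be pasted into the year file and checked with `make validate` in security/vuxml before committing; this script only establishes that the commit message and the entry agree on the package, the fixed version and the CVE set, which is the gap the thread is about.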