List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
References: <202408161835.47GIZuZJ084942@gitrepo.freebsd.org> <5b4df306-2998-4f98-b5fa-8bf168cd011a@freebsd.org> <46cd3411-017c-4efa-8f75-e1e3acecce09@freebsd.org>
In-Reply-To: <46cd3411-017c-4efa-8f75-e1e3acecce09@freebsd.org>
From: Kevin Bowling <kevin.bowling@kev009.com>
Date: Fri, 16 Aug 2024 21:40:57 -0700
Subject: Re: git: 72dd8d2ee676 - main - mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)
To: Vladimir Druzenko <vvd@freebsd.org>
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org

On Fri, Aug 16, 2024 at 5:08 PM Vladimir Druzenko <vvd@freebsd.org> wrote:
> 17.08.2024 01:03, Kevin Bowling writes:
>
> On Fri, Aug 16, 2024 at 2:57 PM Vladimir Druzenko <vvd@freebsd.org> wrote:
>> 16.08.2024 22:03, Kevin Bowling writes:
>> > CVEs should come with an update to security/vuxml/vuln/2024.xml
>>
>> I don't know how to do this correctly.
>
> You should seek help or abstain from doing security updates then. It is
> just an xml file that you update, the wiki https://wiki.freebsd.org/VuXML
> and the link inside to the PHB have all necessary instructions.
>
> I wouldn't do that, but ler@ (maintainer) is in hospital and asked to
> update his port.
> Also, I use dovecot so I can test it in real work before committing, which
> I did.
>
> If you can and are willing to help, then just help. Just like we all help
> with updating ports from maintainers without commit bits or fixing broken
> ports builds.
>

I have given you the information you need. It is editing a declarative text
file which is simpler in both concept and execution than the port update in
question. The wiki linked covers the obstinate behavior already, so read
what was given before replying.

Peace.

>
>
>> > On Fri, Aug 16, 2024 at 11:36 AM Vladimir Druzenko <vvd@freebsd.org> wrote:
>> >> The branch main has been updated by vvd:
>> >>
>> >> URL: https://cgit.FreeBSD.org/ports/commit/?id=72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
>> >>
>> >> commit 72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
>> >> Author:     Vladimir Druzenko <vvd@FreeBSD.org>
>> >> AuthorDate: 2024-08-16 18:31:04 +0000
>> >> Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
>> >> CommitDate: 2024-08-16 18:31:04 +0000
>> >>
>> >>     mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)
>> >>
>> >>     - CVE-2024-23184: A large number of address headers in email resulted
>> >>       in excessive CPU usage.
>> >>     - CVE-2024-23185: Abnormally large email headers are now truncated or
>> >>       discarded, with a limit of 10MB on a single header and 50MB for all
>> >>       the headers of all the parts of an email.
>> >>     - oauth2: Dovecot would send client_id and client_secret as POST parameters
>> >>       to introspection server. These need to be optionally in Basic auth
>> >>       instead as required by OIDC specification.
>> >>     - oauth2: JWT key type check was too strict.
>> >>     - oauth2: JWT token audience was not validated against client_id as
>> >>       required by OIDC specification.
>> >>     - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
>> >>       protocol specific error message on all errors. This broke OIDC discovery.
>> >>     - oauth2: JWT aud validation was not performed if aud was missing
>> >>       from token, but was configured on Dovecot.
>> >>     https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/
>> >>
>> >>     PR:             280866
>> >>     Approved by:    ler (maintainer)
>> >>     MFH:            2024Q3
>> >> ---
>> >>  mail/dovecot/Makefile | 4 +---
>> >>  mail/dovecot/distinfo | 6 +++---
>> >>  2 files changed, 4 insertions(+), 6 deletions(-)
>> >>
>> >> diff --git a/mail/dovecot/Makefile b/mail/dovecot/Makefile
>> >> index c789da0a2294..44f42b27f94f 100644
>> >> --- a/mail/dovecot/Makefile
>> >> +++ b/mail/dovecot/Makefile
>> >> @@ -9,8 +9,7 @@
>> >>  ######################################################################
>> >>
>> >>  PORTNAME=	dovecot
>> >> -PORTVERSION=	2.3.21
>> >> -PORTREVISION=	6
>> >> +DISTVERSION=	2.3.21.1
>> >>  CATEGORIES=	mail
>> >>  MASTER_SITES=	https://dovecot.org/releases/2.3/
>> >>
>> >> @@ -27,7 +26,6 @@ USES=		cpe iconv libtool pkgconfig ssl
>> >>  USE_RC_SUBR=	dovecot
>> >>
>> >>  GNU_CONFIGURE=	yes
>> >> -GNU_CONFIGURE_MANPREFIX=	${PREFIX}/share
>> >>  CONFIGURE_ARGS=	--localstatedir=/var \
>> >> 		--with-docs \
>> >> 		--with-ssl=openssl \
>> >> diff --git a/mail/dovecot/distinfo b/mail/dovecot/distinfo
>> >> index e9e4c683e46c..97f77b78a427 100644
>> >> --- a/mail/dovecot/distinfo
>> >> +++ b/mail/dovecot/distinfo
>> >> @@ -1,3 +1,3 @@
>> >> -TIMESTAMP = 1695133264
>> >> -SHA256 (dovecot-2.3.21.tar.gz) = 05b11093a71c237c2ef309ad587510721cc93bbee6828251549fc1586c36502d
>> >> -SIZE (dovecot-2.3.21.tar.gz) = 7837242
>> >> +TIMESTAMP = 1723829732
>> >> +SHA256 (dovecot-2.3.21.1.tar.gz) = 2d90a178c4297611088bf7daae5492a3bc3d5ab6328c3a032eb425d2c249097e
>> >> +SIZE (dovecot-2.3.21.1.tar.gz) = 7842044
>> >>
>>
>> --
>> Best regards,
>> Vladimir Druzenko
>>
>>
> --
> Best regards,
> Vladimir Druzenko
>
>
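Review bot: In the first Makefile hunk, `-PORTVERSION= 2.3.21` / `+DISTVERSION= 2.3.21.1` renames the variable as well as bumping the version, which has nothing to do with the two CVE fixes and is not explained in the commit log of a change slated for MFH to 2024Q3. For a plain dotted version `PORTVERSION= 2.3.21.1` carries exactly the same meaning, so either keep PORTVERSION or state in the log why DISTVERSION is now preferred; dropping `PORTREVISION= 6` on a version bump is correct.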
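Review bot: In the second Makefile hunk the removal of `GNU_CONFIGURE_MANPREFIX= ${PREFIX}/share` is a packaging change unrelated to the security fix and is not mentioned in the log. It is only correct if the framework default resolves to the same value; before the merge, check `make -V GNU_CONFIGURE_MANPREFIX` in mail/dovecot on both main and the 2024Q3 branch and confirm the man pages still land where pkg-plist lists them, otherwise the quarterly build will fail plist checks for a reason the log does not warn about.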
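Review bot: In the distinfo hunk the new `SHA256 (dovecot-2.3.21.1.tar.gz)` and `SIZE` lines record whatever `make makesum` downloaded; distinfo pins that download for everyone else but cannot by itself detect a tampered mirror. For a security update the log should say the tarball was checked against upstream's published checksum or signature before the hash was recorded. The size change (7837242 to 7842044 bytes) is consistent with a point release.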