Re: Dovecot
- Reply: Kevin Oberman : "Re: Dovecot"
- In reply to: Kevin Oberman : "Re: Dovecot"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 02 Jul 2021 07:33:46 UTC
> On 02 Jul 2021, at 00:03, Kevin Oberman <rkoberman@gmail.com> wrote: > > On Thu, Jul 1, 2021 at 4:00 PM @lbutlr <kremels@kreme.com> wrote: > >> On 01 Jul 2021, at 16:45, The Doctor <doctor@doctor.nl2k.ab.ca> wrote: >>> On Thu, Jul 01, 2021 at 04:21:31PM -0600, @lbutlr wrote: >>>> The current version of dovecot is 2.3.15. The newest ports version is >> 2.3.13_1 >>>> >>>> dovecot-2.3.13_1 is vulnerable: >>>> dovecot -- multiple vulnerabilities >>>> CVE: CVE-2021-33515 >>>> CVE: CVE-2021-29157 >>>> WWW: >> https://vuxml.FreeBSD.org/freebsd/d18f431d-d360-11eb-a32c-00a0989e4ec1.html >>>> >>>> dovecot-pigeonhole-0.5.13 is vulnerable: >>>> dovecot-pigeonhole -- Sieve excessive resource usage >>>> CVE: CVE-2020-28200 >>>> WWW: >> https://vuxml.FreeBSD.org/freebsd/f3fc2b50-d36a-11eb-a32c-00a0989e4ec1.html >>>> >>>> These CVEs were addressed in 2.3.14.1. >>>> >>>> Any idea what the delay is? >>> >>> Where is the person responsible for the ports? >> >> No idea. Some people have emailed and received no reply. > > % make -C /usr/ports/mail/dovecot maintainer > ler@FreeBSD.org Yes, but sine I know that outhers have emailed and not heard, I din't think it was worse adding more email to the pile since Larry obviously either knows, or is not in a position to do anything right now. Either way, my email will not help. > Larry is usually quite responsive, but life happens. It is a volunteer job. > (They all are except the few paid by the FreeBSD Project.) > > If someone could update the port, any ports committer can update the port > after a 14 day wait. Until that timeout, it's in Larry's ballpark. I > suspect that some of the FreeBSD patches will need at least a little work. > I really don't have time to spend right now on a port I don't use and am > only familiar with its function. 14 days is a long time to be sitting on the CVEs "This may be used to supply attacker controlled keys to validate tokens" and "On-path attacker could inject plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client." -- "Are you pondering what I'm pondering?" "I think so, Brain, but me and Pippi Longstocking -- I mean, what would the children look like?"