Re: Dovecot
- In reply to: @lbutlr: "Re: Dovecot"
Date: Fri, 02 Jul 2021 15:31:01 UTC
On Fri, Jul 2, 2021 at 12:33 AM @lbutlr <kremels@kreme.com> wrote:
> On 02 Jul 2021, at 00:03, Kevin Oberman <rkoberman@gmail.com> wrote:
> > On Thu, Jul 1, 2021 at 4:00 PM @lbutlr <kremels@kreme.com> wrote:
> > > On 01 Jul 2021, at 16:45, The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
> > > > On Thu, Jul 01, 2021 at 04:21:31PM -0600, @lbutlr wrote:
> > > > > The current version of dovecot is 2.3.15. The newest ports version is 2.3.13_1
> > > > >
> > > > > dovecot-2.3.13_1 is vulnerable:
> > > > > dovecot -- multiple vulnerabilities
> > > > > CVE: CVE-2021-33515
> > > > > CVE: CVE-2021-29157
> > > > > WWW: https://vuxml.FreeBSD.org/freebsd/d18f431d-d360-11eb-a32c-00a0989e4ec1.html
> > > > >
> > > > > dovecot-pigeonhole-0.5.13 is vulnerable:
> > > > > dovecot-pigeonhole -- Sieve excessive resource usage
> > > > > CVE: CVE-2020-28200
> > > > > WWW: https://vuxml.FreeBSD.org/freebsd/f3fc2b50-d36a-11eb-a32c-00a0989e4ec1.html
> > > > >
> > > > > These CVEs were addressed in 2.3.14.1.
> > > > >
> > > > > Any idea what the delay is?
> > > >
> > > > Where is the person responsible for the ports?
> > >
> > > No idea. Some people have emailed and received no reply.
> >
> > % make -C /usr/ports/mail/dovecot maintainer
> > ler@FreeBSD.org
>
> Yes, but since I know that others have emailed and not heard, I didn't
> think it was worth adding more email to the pile since Larry obviously
> either knows, or is not in a position to do anything right now. Either way,
> my email will not help.
>
> > Larry is usually quite responsive, but life happens. It is a volunteer job.
> > (They all are except the few paid by the FreeBSD Project.)
> >
> > If someone could update the port, any ports committer can update the port
> > after a 14 day wait. Until that timeout, it's in Larry's ballpark. I
> > suspect that some of the FreeBSD patches will need at least a little work.
> > I really don't have time to spend right now on a port I don't use and am
> > only familiar with its function.
>
> 14 days is a long time to be sitting on the CVEs "This may be used to
> supply attacker controlled keys to validate tokens" and "On-path attacker
> could inject plaintext commands before STARTTLS negotiation that would be
> executed after STARTTLS finished with the client."

It is a long time. It's already been a long time. I should have noted this
last night, but I was just shutting down for the night and just looked at
who was responsible for the port. Sorry.

This is best dealt with by notifying ports-secteam@. Let them know of the
CVE(s) involved.

--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
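The practical question in the thread is whether the port's 2.3.13_1 predates the fix in 2.3.14.1. As an added example (not from the thread and not FreeBSD's own pkg code, which does this with `pkg version -t`), here is a POSIX sh comparison of FreeBSD-style versions of the form VERSION[_PORTREVISION][,PORTEPOCH], with epoch outranking the dotted version and the dotted version outranking the port revision, applied to the versions named above; only numeric fields are handled.

```shell
#!/bin/sh
# Added example: decide whether an installed FreeBSD package version is older
# than the version that carries a fix. Not part of the mailing-list thread.

# Normalise a version into six integers: epoch, four dotted fields, revision.
# Constructed example: 2.3.13_1 -> "0 2 3 13 0 1"
version_key() {
  v=$1 epoch=0 rev=0
  case $v in *,*) epoch=${v##*,}; v=${v%,*} ;; esac   # ,PORTEPOCH suffix
  case $v in *_*) rev=${v##*_};   v=${v%_*} ;; esac   # _PORTREVISION suffix
  # Split the dotted part on '.' and pad with zeros to four fields.
  set -- $(printf '%s\n' "$v" | tr '.' ' ') 0 0 0 0
  printf '%s %s %s %s %s %s\n' "$epoch" "$1" "$2" "$3" "$4" "$rev"
}

# Succeed (exit 0) when version $1 sorts strictly before version $2.
version_lt() {
  b=$(version_key "$2")
  set -- $(version_key "$1")
  for x in $b; do
    [ "$1" -lt "$x" ] && return 0
    [ "$1" -gt "$x" ] && return 1
    shift
  done
  return 1   # versions are equal
}

# Print a one-line verdict: "vulnerable" when the installed version predates
# the version carrying the fix, "fixed" otherwise.
check_fixed() {   # check_fixed PKGNAME INSTALLED FIXED_IN
  if version_lt "$2" "$3"; then
    echo "$1-$2 vulnerable: fix is in $3"
  else
    echo "$1-$2 fixed: $3 or later"
  fi
}

# Versions from the thread: the port ships 2.3.13_1, the CVEs were addressed
# in 2.3.14.1, upstream is at 2.3.15.
check_fixed dovecot 2.3.13_1 2.3.14.1
check_fixed dovecot 2.3.15   2.3.14.1
```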