Pigeonhole needs updating too, and the various other ports providing
plugins for dovecot need revision bumps. I have diffs for all.
--
Sent from a phone, apologies for poor formatting.
On 15 August 2024 16:41:04 Kirill A. Korinsky <kir...@korins.ky> wrote:
Brad, ports@,
Here is a clean security update for mail/dovecot.
Changelog:
- CVE-2024-23184: A large number of address headers in email resulted
in excessive CPU usage.
- CVE-2024-23185: Abnormally large email headers are now truncated or
discarded, with a limit of 10MB on a single header and 50MB for all
the headers of all the parts of an email.
- oauth2: Dovecot would send client_id and client_secret as POST parameters
to introspection server. These need to be optionally in Basic auth
instead as required by OIDC specification.
- oauth2: JWT key type check was too strict.
- oauth2: JWT token audience was not validated against client_id as
required by OIDC specification.
- oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
protocol specific error message on all errors. This broke OIDC discovery.
- oauth2: JWT aud validation was not performed if aud was missing
from token, but was configured on Dovecot.
Announcement:
https://dovecot.org/mailman3/hyperkitty/list/dovecot-n...@dovecot.org/message/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/
I suggest backporting it to 7.5 as well.
Tested on -current/amd64
The diff:
diff --git mail/dovecot/Makefile mail/dovecot/Makefile
index e85558e7ad5..881b9931e9e 100644
--- mail/dovecot/Makefile
+++ mail/dovecot/Makefile
@@ -9,7 +9,7 @@ COMMENT-postgresql= PostgreSQL authentication / dictionary
support for Dovecot
# (dovecot-fts-xapian, dovecot-fts-flatcurve, dovecot-pigeonhole if
# not updated anyway)
V_MAJOR= 2.3
-V_DOVECOT= 2.3.21
+V_DOVECOT= 2.3.21.1
EPOCH= 0
DISTNAME= dovecot-${V_DOVECOT}
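Review bot: the comment just above V_DOVECOT says dovecot-fts-xapian, dovecot-fts-flatcurve and dovecot-pigeonhole need REVISION bumps when they are not updated anyway, but this hunk only changes `V_DOVECOT= 2.3.21.1`. Since the plugin ports are built against this dovecot and their packages will otherwise keep the old version dependency, the bumps (or the pigeonhole update mentioned in the reply) should land in the same commit so a package upgrade pulls consistent binaries.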
diff --git mail/dovecot/distinfo mail/dovecot/distinfo
index 611fc0e4a6e..4c4b8a76768 100644
--- mail/dovecot/distinfo
+++ mail/dovecot/distinfo
@@ -1,2 +1,2 @@
-SHA256 (dovecot-2.3.21.tar.gz) = BbEQk6ccI3wu8wmtWHUQchzJO77mgoJRVJ/BWGw2UC0=
-SIZE (dovecot-2.3.21.tar.gz) = 7837242
+SHA256 (dovecot-2.3.21.1.tar.gz) =
LZCheMQpdhEIi/farlSSo7w9WrYyjDoDLrQl0sJJCX4=
+SIZE (dovecot-2.3.21.1.tar.gz) = 7842044
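Review bot: the `+SHA256 (dovecot-2.3.21.1.tar.gz) =` line is split from its digest `LZCheMQpdhEIi/farlSSo7w9WrYyjDoDLrQl0sJJCX4=` here; confirm this is only mail wrapping and that distinfo on disk has the hash on one line, otherwise `make checksum` will fail. Also confirm the new SHA256 and SIZE were taken from a distfile checked against the upstream-published signature for 2.3.21.1, not just from a fresh fetch, so the checksum pins the release the advisory refers to.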
--
wbr, Kirill