From owner-svn-ports-branches@freebsd.org Mon May 1 00:59:31 2017
Return-Path:
Delivered-To: svn-ports-branches@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D4F00D45F77; Mon, 1 May 2017 00:59:31 +0000 (UTC) (envelope-from adamw@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9F5E3F3B; Mon, 1 May 2017 00:59:31 +0000 (UTC) (envelope-from adamw@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v410xUug062392; Mon, 1 May 2017 00:59:30 GMT (envelope-from adamw@FreeBSD.org)
Received: (from adamw@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v410xT8k062384; Mon, 1 May 2017 00:59:29 GMT (envelope-from adamw@FreeBSD.org)
Message-Id: <201705010059.v410xT8k062384@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: adamw set sender to adamw@FreeBSD.org using -f
From: Adam Weinberger
Date: Mon, 1 May 2017 00:59:29 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r439856 - in branches/2017Q2/mail: dovecot2 dovecot2-antispam-plugin dovecot2-pigeonhole dovecot2-pigeonhole/files dovecot2/files
X-SVN-Group: ports-branches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-branches@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for all the branches of the ports tree
X-List-Received-Date: Mon, 01 May 2017 00:59:31 -0000

Author: adamw
Date: Mon May 1 00:59:29 2017
New Revision: 439856
URL: https://svnweb.freebsd.org/changeset/ports/439856

Log:
  MFH: r438222 r438323 r438365 r439618 r439854

  This contains updates to both dovecot2 and dovecot2-pigeonhole that fix
  bugs and, in dovecot2, a CVE.

  Update dovecot to 2.2.29, and bump PORTREVISION for the plugins.

  Add a warning to the pkg-message that security.bsd.see_other_uids/gids
  should not be enabled if dovecot is storing mail for multiple users
  concurrently (PR 218392, submitted by topical).

  * passdb/userdb dict: Don't double-expand %variables in keys. If dict was
    used as the authentication passdb, using specially crafted %variables in
    the username could be used to cause DoS (CVE-2017-2669)
  * When Dovecot encounters an internal error, it logs the real error and
    usually logs another line saying what function failed. Previously the
    second log line's error message was a rather uninformative "Internal
    error occurred. Refer to server log for more information." Now the real
    error message is duplicated in this second log line.
  * lmtp: If a delivery has multiple recipients, run autoexpunging only for
    the last recipient. This avoids a problem where a long autoexpunge run
    causes LMTP client to timeout between the DATA replies, resulting in
    duplicate mail deliveries.
  * config: Don't stop the process due to idling. Otherwise the
    configuration is reloaded when the process restarts.
  * mail_log plugin: Differentiate autoexpunges from regular expunges
  * imapc: Use LOGOUT to cleanly disconnect from server.
  * lib-http: Internal status codes (>9000) are no longer visible in logs
  * director: Log vhost count changes and HOST-UP/DOWN
  + quota: Add plugin { quota_max_mail_size } setting to limit the maximum
    individual mail size that can be saved.
  + imapc: Add imapc_features=delay-login. If set, connecting to the remote
    IMAP server isn't done until it's necessary.
  + imapc: Add imapc_connection_retry_count and
    imapc_connection_retry_interval settings.
  + imap, pop3, indexer-worker: Add (deinit) to process title before
    autoexpunging runs.
  + Added %{encrypt} and %{decrypt} variables
  + imap/pop3 proxy: Log proxy state in errors as human-readable string.
  + imap/pop3-login: All forward_* extra fields returned by passdb are sent
    to the next hop when proxying using ID/XCLIENT commands. On the
    receiving side these fields are imported and sent to auth process where
    they're accessible via %{passdb:forward_*}. This is done only if the
    sending IP address matches login_trusted_networks.
  + imap-login: If imap_id_retain=yes, send the IMAP ID string to auth
    process. %{client_id} expands to it in auth process. The ID string is
    also sent to the next hop when proxying.
  + passdb imap: Use ssl_client_ca_* settings for CA validation.
  - fts-tika: Fixed crash when parsing attachment without
    Content-Disposition header. Broken by 2.2.28. (fixed in FreeBSD ports)
  - trash plugin was broken in 2.2.28 (fixed in FreeBSD ports)
  - auth: When passdb/userdb lookups were done via auth-workers, too much
    data was added to auth cache. This could have resulted in wrong replies
    when using multiple passdbs/userdbs.
  - auth: passdb { skip & mechanisms } were ignored for the first passdb
  - oauth2: Various fixes, including fixes to crashes
  - dsync: Large Sieve scripts (or other large metadata) weren't always
    synced.
  - Index rebuild (e.g. doveadm force-resync) set all mails as \Recent
  - imap-hibernate: %{userdb:*} wasn't expanded in mail_log_prefix
  - doveadm: Exit codes weren't preserved when proxying commands via
    doveadm-server. Almost all errors used exit code 75 (tempfail).
  - ACLs weren't applied to not-yet-existing autocreated mailboxes.
  - Fixed a potential crash when parsing a broken message header.
  - cassandra: Fallback consistency settings weren't working correctly.
  - doveadm director status : "Initial config" was always empty
  - imapc: Various reconnection fixes.

  Upgrade mail/dovecot2-pigeonhole to 0.4.18.

  Changelog v0.4.18:
  + imapsieve plugin: Implemented the copy_source_after rule action. When
    this is enabled for a mailbox rule, the specified Sieve script is
    executed for the message in the source mailbox during a "COPY" event.
    This happens only after the Sieve script that is executed for the
    corresponding message in the destination mailbox finishes running
    successfully.
  + imapsieve plugin: Added non-standard Sieve environment items for the
    source and destination mailbox.
  - multiscript: The execution of the discard script had an implicit
    "keep", rather than an implicit "discard".

  Approved by:	adamw (mentor)
  Differential Revision:	https://reviews.freebsd.org/D10366

  Update to 2.2.29.1.

  - imapc reconnection fix was forgotten from 2.2.29 release, which also
    made "make check" fail in a unit test
  - dict-sql: Merging multiple UPDATEs to a single statement wasn't
    actually working.
  - Fixed building with vpopmail

  Upon continuing the deferred implicit keep, the implicit side-effects
  (such as imap flags) were not applied.
  Obtained from:	https://github.com/dovecot/pigeonhole/commit/3e1a17a286ab0e084577fc267a442cb12aed1cbc
  Approved by:	adamw (mentor, implicit)

  Add an already-upstreamed patch to fix dovecot-auth wedging with NTLM
  authentication.

  PR:		218693
  Submitted by:	Andriy Syrovenko
  Obtained from:	https://github.com/dovecot/core/commit/a319c3201bff1ea7bae3e7ab1fae42e9c4759056

  Approved by:	ports-secteam (feld)

Added:
  branches/2017Q2/mail/dovecot2-pigeonhole/files/
     - copied from r439618, head/mail/dovecot2-pigeonhole/files/
  branches/2017Q2/mail/dovecot2/files/patch-fix-ntlm_auth
     - copied unchanged from r439854, head/mail/dovecot2/files/patch-fix-ntlm_auth
Deleted:
  branches/2017Q2/mail/dovecot2/files/patch-src_plugins_fts_fts-parser-tika.c
  branches/2017Q2/mail/dovecot2/files/patch-trash_plugin
Modified:
  branches/2017Q2/mail/dovecot2-antispam-plugin/Makefile
  branches/2017Q2/mail/dovecot2-pigeonhole/Makefile
  branches/2017Q2/mail/dovecot2-pigeonhole/distinfo
  branches/2017Q2/mail/dovecot2/Makefile
  branches/2017Q2/mail/dovecot2/distinfo
  branches/2017Q2/mail/dovecot2/files/pkg-message.in
  branches/2017Q2/mail/dovecot2/pkg-plist
Directory Properties:
  branches/2017Q2/   (props changed)

Modified: branches/2017Q2/mail/dovecot2-antispam-plugin/Makefile
==============================================================================
--- branches/2017Q2/mail/dovecot2-antispam-plugin/Makefile	Mon May 1 00:39:18 2017	(r439855)
+++ branches/2017Q2/mail/dovecot2-antispam-plugin/Makefile	Mon May 1 00:59:29 2017	(r439856)
@@ -3,7 +3,7 @@ PORTNAME= dovecot2-antispam-plugin PORTVERSION= 20130429 -PORTREVISION= 25 +PORTREVISION= 26 CATEGORIES= mail MASTER_SITES= http://olgeni.olgeni.com/~olgeni/distfiles/ \ LOCAL/olgeni Modified: branches/2017Q2/mail/dovecot2-pigeonhole/Makefile ============================================================================== --- branches/2017Q2/mail/dovecot2-pigeonhole/Makefile Mon May 1 00:39:18 2017 (r439855) +++ branches/2017Q2/mail/dovecot2-pigeonhole/Makefile Mon May 1 00:59:29 2017 (r439856) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= dovecot-pigeonhole -PORTVERSION= 0.4.17 +PORTVERSION= 0.4.18 PORTREVISION= 1 CATEGORIES= mail MASTER_SITES= http://pigeonhole.dovecot.org/releases/${DOVECOTVERSION}/ Modified: branches/2017Q2/mail/dovecot2-pigeonhole/distinfo ============================================================================== --- branches/2017Q2/mail/dovecot2-pigeonhole/distinfo Mon May 1 00:39:18 2017 (r439855) +++ branches/2017Q2/mail/dovecot2-pigeonhole/distinfo Mon May 1 00:59:29 2017 (r439856) @@ -1,3 +1,3 @@ -TIMESTAMP = 1488163544 -SHA256 (dovecot-2.2-pigeonhole-0.4.17.tar.gz) = 74d869c7532cbf4fe41e3cc95a1aa6ce32e98f4d423f0d099da1e0fba022dae3 -SIZE (dovecot-2.2-pigeonhole-0.4.17.tar.gz) = 1787177 +TIMESTAMP = 1491958585 +SHA256 (dovecot-2.2-pigeonhole-0.4.18.tar.gz) = dd871bb57fad22795460f613f3c9484a8bf229272ac00956d837a34444f1c3a9 +SIZE (dovecot-2.2-pigeonhole-0.4.18.tar.gz) = 1742357 Modified: branches/2017Q2/mail/dovecot2/Makefile ============================================================================== --- branches/2017Q2/mail/dovecot2/Makefile Mon May 1 00:39:18 2017 (r439855) +++ branches/2017Q2/mail/dovecot2/Makefile Mon May 1 00:59:29 2017 (r439856) 
@@ -13,10 +13,10 @@ ###################################################################### PORTNAME= dovecot -PORTVERSION= 2.2.28 -PORTREVISION= 2 +PORTVERSION= 2.2.29.1 +PORTREVISION= 1 CATEGORIES= mail ipv6 -MASTER_SITES= https://www.dovecot.org/releases/${PORTVERSION:R}/ +MASTER_SITES= https://www.dovecot.org/releases/${PORTVERSION:R:R}/ PKGNAMESUFFIX= 2 MAINTAINER= adamw@FreeBSD.org Modified: branches/2017Q2/mail/dovecot2/distinfo ============================================================================== --- branches/2017Q2/mail/dovecot2/distinfo Mon May 1 00:39:18 2017 (r439855) +++ branches/2017Q2/mail/dovecot2/distinfo Mon May 1 00:59:29 2017 (r439856) @@ -1,3 +1,3 @@ -TIMESTAMP = 1487948861 -SHA256 (dovecot-2.2.28.tar.gz) = e0288f59e326ab87cb3881fdabadafe542f4dc7ab9996db13863a439ebbc1f25 -SIZE (dovecot-2.2.28.tar.gz) = 5921992 +TIMESTAMP = 1492013710 +SHA256 (dovecot-2.2.29.1.tar.gz) = ccfa9ffb7eb91e9e87c21c108324b911250c9ffa838bffb64b1caafadcb0f388 +SIZE (dovecot-2.2.29.1.tar.gz) = 5972119 Copied: branches/2017Q2/mail/dovecot2/files/patch-fix-ntlm_auth (from r439854, head/mail/dovecot2/files/patch-fix-ntlm_auth) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/mail/dovecot2/files/patch-fix-ntlm_auth Mon May 1 00:59:29 2017 (r439856, copy of r439854, head/mail/dovecot2/files/patch-fix-ntlm_auth) 
@@ -0,0 +1,36 @@ +From a319c3201bff1ea7bae3e7ab1fae42e9c4759056 Mon Sep 17 00:00:00 2001 +From: Andriy Syrovenko +Date: Mon, 17 Apr 2017 01:14:02 +0300 +Subject: [PATCH] auth: Fixed dovecot/auth hanging when child ntlm_auth crashes + while processing an authentication request + +--- + src/auth/mech-winbind.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/auth/mech-winbind.c b/src/auth/mech-winbind.c +index 4a65696..c12fb5e 100644 +--- src/auth/mech-winbind.c ++++ src/auth/mech-winbind.c +@@ -187,12 +187,18 @@ do_auth_continue(struct auth_request *auth_request, + request->continued = FALSE; + + while ((answer = i_stream_read_next_line(in_pipe)) == NULL) { +- if (in_pipe->stream_errno != 0) ++ if (in_pipe->stream_errno != 0 || in_pipe->eof) + break; + } + if (answer == NULL) { +- auth_request_log_error(auth_request, AUTH_SUBSYS_MECH, +- "read(in_pipe) failed: %m"); ++ if (in_pipe->stream_errno != 0) { ++ auth_request_log_error(auth_request, AUTH_SUBSYS_MECH, ++ "read(in_pipe) failed: %m"); ++ } else { ++ auth_request_log_error(auth_request, AUTH_SUBSYS_MECH, ++ "read(in_pipe) failed: " ++ "unexpected end of file"); ++ } + return HR_RESTART; + } + Modified: branches/2017Q2/mail/dovecot2/files/pkg-message.in ============================================================================== --- branches/2017Q2/mail/dovecot2/files/pkg-message.in Mon May 1 00:39:18 2017 (r439855) +++ branches/2017Q2/mail/dovecot2/files/pkg-message.in Mon May 1 00:59:29 2017 (r439856) 
@@ -15,6 +15,14 @@ dovecot_enable="YES" +--------------------------------------------------------------------- + +To avoid a risk of mailbox corruption, do not enable the +security.bsd.see_other_uids or .see_other_guids sysctls if Dovecot +is storing mail for multiple concurrent users (PR 218392). + +--------------------------------------------------------------------- + If you want to be able to search within attachments using the decode2text plugin, you'll need to install textproc/catdoc, and one of graphics/xpdf or graphics/poppler-utils. Modified: branches/2017Q2/mail/dovecot2/pkg-plist ============================================================================== --- branches/2017Q2/mail/dovecot2/pkg-plist Mon May 1 00:39:18 2017 (r439855) +++ branches/2017Q2/mail/dovecot2/pkg-plist Mon May 1 00:59:29 2017 (r439856) @@ -179,6 +179,7 @@ include/dovecot/hex-dec.h include/dovecot/hmac-cram-md5.h include/dovecot/hmac.h include/dovecot/home-expand.h +include/dovecot/hook-build.h include/dovecot/hostpid.h include/dovecot/http-auth.h include/dovecot/http-client-private.h @@ -567,9 +568,12 @@ include/dovecot/userdb-vpopmail.h include/dovecot/userdb.h include/dovecot/utc-mktime.h include/dovecot/utc-offset.h +include/dovecot/var-expand-private.h include/dovecot/var-expand.h include/dovecot/wildcard-match.h include/dovecot/write-full.h +lib/dovecot/auth/lib20_auth_var_expand_crypt.a +lib/dovecot/auth/lib20_auth_var_expand_crypt.so lib/dovecot/auth/libauthdb_imap.a lib/dovecot/auth/libauthdb_imap.so lib/dovecot/doveadm/lib10_doveadm_acl_plugin.a @@ -627,6 +631,8 @@ lib/dovecot/lib20_quota_clone_plugin.a lib/dovecot/lib20_quota_clone_plugin.so lib/dovecot/lib20_replication_plugin.a lib/dovecot/lib20_replication_plugin.so +lib/dovecot/lib20_var_expand_crypt.a +lib/dovecot/lib20_var_expand_crypt.so lib/dovecot/lib20_virtual_plugin.a lib/dovecot/lib20_virtual_plugin.so lib/dovecot/lib20_zlib_plugin.a
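Review bot: in the mail/dovecot2-pigeonhole/Makefile hunk, PORTVERSION moves from 0.4.17 to 0.4.18 while the context line `PORTREVISION= 1` stays as it is. A version bump normally resets PORTREVISION; keeping it at 1 is only right because this merge also brings in files/ (copied from r439618, the deferred-implicit-keep fix from the log), so the revision was re-bumped after the update. A sentence in the log saying so would help, since the squashed diff reads as a carried-over PORTREVISION.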
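Review bot: in the mail/dovecot2/Makefile hunk, MASTER_SITES changes from `${PORTVERSION:R}` to `${PORTVERSION:R:R}` so that 2.2.29.1 maps to the 2.2 release directory. That hard-codes a four-component version: on the next three-component release (2.2.30 or similar) `:R:R` strips down to `2` and the fetch URL breaks silently until someone notices. Consider holding the major.minor release directory in its own make variable rather than stripping components off PORTVERSION, so MASTER_SITES does not need touching on every update.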
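Review bot: in the patch-fix-ntlm_auth hunk, the new `else` branch that logs "read(in_pipe) failed: unexpected end of file" correctly avoids `%m`, because `stream_errno` is 0 on a clean EOF and that is exactly the case the Subject describes (the ntlm_auth child died and closed the pipe, which previously left the `while` loop spinning). A one-line comment on that branch, e.g. `/* eof without errno: ntlm_auth child exited */`, would explain why `auth_request_log_error` is called twice with near-identical text. Both branches return HR_RESTART, so a helper that dies again on the same request is restarted again; worth confirming the caller bounds that.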
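Review bot: in the pkg-message.in hunk, `.see_other_guids` is a typo; the sysctl is security.bsd.see_other_gids, and the commit log itself says security.bsd.see_other_uids/gids. This is the text every installing admin sees, so fix it to `security.bsd.see_other_uids or .see_other_gids sysctls` with the next PORTREVISION bump.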