Date:      Fri, 14 Aug 2020 00:27:43 +0000 (UTC)
From:      Larry Rosenman <ler@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r544857 - in head/mail: dovecot dovecot-pigeonhole dovecot/files
Message-ID:  <202008140027.07E0Rhep007464@repo.freebsd.org>

Author: ler
Date: Fri Aug 14 00:27:43 2020
New Revision: 544857
URL: https://svnweb.freebsd.org/changeset/ports/544857

Log:
  mail/dovecot, mail/dovecot-pigeonhole: upgrade to 2.3.11.3 and 0.5.11, respectively.
  
  dovecot changelog:
  * CVE-2020-12100: Parsing mails with a large number of MIME parts could
    have resulted in excessive CPU usage or a crash due to running out of
    stack memory.
  * CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
    message buffer size, which leads to reading past allocation which can
    lead to crash.
  * CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
    address that has the empty quoted string as local-part causes the lmtp
    service to crash.
  * CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
    zero-length message, which leads to assert-crash later on.
  * Events: Fix inconsistency in events. See event documentation in
    https://doc.dovecot.org.
  * imap_command_finished event's cmd_name field now contains "unknown"
    for unknown commands. A new "cmd_input_name" field contains the
    command name exactly as it was sent.
  * lib-index: Renamed mail_cache_compress_* settings to mail_cache_purge_*.
    Note that these settings are mainly intended for testing and usually
    shouldn't be changed.
  * events: Renamed "index" event category to "mail-index".
  * events: service:<name> category is now using the name from
    configuration file.
  * dns-client: service dns_client was renamed to dns-client.
  * log: Prefixes generally use the service name from configuration file.
    For example dict-async service will now use
    "dict-async(pid): " log prefix instead of "dict(pid): "
  * *-login: Changed logging done by proxying to use a consistent prefix
    containing the IP address and port.
  * *-login: Changed disconnection log messages to be slightly clearer.
  + dict: Add events for dictionaries.
  + lib-index: Finish logging with events.
  + oauth2: Support local validation of JWT tokens.
  + stats: Add support for dynamic histograms and grouping. See
    https://doc.dovecot.org/configuration_manual/stats/.
  + imap: Implement RFC 8514: IMAP SAVEDATE
  + lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge
    folder) adds a lot of data to dovecot.index.cache file, commit those
    changes periodically to make them visible to other concurrent sessions
    as well.
  + stats: Add OpenMetrics exporter for statistics. See
    https://doc.dovecot.org/configuration_manual/stats/openmetrics/.
  + stats: Support disabling stats-writer socket by setting
    stats_writer_socket_path="".
  - auth-worker: Process keeps slowly increasing its memory usage and
    eventually dies with "out of memory" due to reaching vsz_limit.
  - auth: Prevent potential timing attacks in authentication secret
    comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, crypt() result.
  - auth: Several auth-mechanisms allowed input to be truncated by NUL
    which can potentially lead to unintentional issues or even successful
    logins which should have failed.
  - auth: When auth policy returned a delay, auth_request_finished event
    had policy_result=ok field instead of policy_result=delayed.
  - auth: auth process crash when auth_policy_server_url is set to an
    invalid URL.
  - auth: Lua passdb/userdb leaks stack elements per call, eventually
    causing the stack to become too deep and crashing the auth or
    auth-worker process.
  - dict-ldap: Crash occurs if var_expand template expansion fails.
  - dict: If dict client disconnected while iteration was still running,
    dict process could have started using 100% CPU, although it was still
    handling clients.
  - doveadm: Running doveadm commands via proxying may hang, especially
    when doveadm is printing a lot of output.
  - imap: "MOVE * destfolder" goes to a loop copying the last mail to the
    destination until the imap process dies due to running out of memory.
  - imap: Running "UID MOVE 1:* Trash" on an empty folder goes to infinite
    loop.
  - imap: SEARCH doesn't support $.
  - lib-compress: Buffer over-read in zlib stream read.
  - lib-dns: If DNS lookup times out, lib-dns can cause crash in calling
    process.
  - lib-index: Fixed several bugs in dovecot.index.cache handling that
    could have caused cached data to be lost.
  - lib-index: Writing to >=1 GB dovecot.index.cache files may cause
    assert-crashes:
    Panic: file mail-index-util.c: line 37 (mail_index_uint32_to_offset):
    assertion failed: (offset < 0x40000000)
  - lib-mail: v2.3.11 regression: MIME parts not returned correctly by
    Dovecot MIME parser.
  - lib-ssl-iostream: Fix buggy OpenSSL error handling without
    assert-crashing. If there is no error available, log it as an error
    instead of crashing:
    Panic: file iostream-openssl.c: line 599 (openssl_iostream_handle_error):
    assertion failed: (errno != 0)
  - lib-ssl-iostream: ssl_key_password setting did not work.
  - pop3-login: Login didn't handle commands in multiple IP packets properly.
    This mainly affected large XCLIENT commands or a large SASL initial
    response parameter in the AUTH command.
  - pop3: pop3_deleted_flag setting was broken, causing:
    Panic: file seq-range-array.c: line 472 (seq_range_array_invert):
    assertion failed: (range[count-1].seq2 <= max_seq)
  - pop3-login: Login would fail with "Input buffer full" if the initial
    response for SASL was too long.
  - submission: A segfault crash may occur when the client or server
    disconnects while a non-transaction command like NOOP or VRFY is still
    being processed.
  - virtual: Copying/moving mails with IMAP into a virtual folder
    assert-crashes:
    Panic: file cmd-copy.c: line 152 (fetch_and_copy): assertion failed:
    (copy_ctx->copy_count == seq_range_count(&copy_ctx->saved_uids))
  
  pigeonhole changelog:
  * managesieve: managesieve_max_line_length setting is now a "size" type
    instead of just number of bytes. This allows using e.g. "64k" as the
    value.
  - lib-sieve: When folding white space is used in the Message-ID header,
    it is not stripped away correctly before the message ID value is used,
    causing e.g. garbled log lines at delivery.
  
  PR:		248640
  PR:		248644
  Submitted by:	juraj@lutter.sk
  Reported by:	juraj@lutter.sk
  MFH:		2020Q3
  Security:	87a07de1-e55e-4d51-bb64-8d117829a26a
  Security:	CVE-2020-12100
  Security:	CVE-2020-12673
  Security:	CVE-2020-10967
  Security:	CVE-2020-12674

Deleted:
  head/mail/dovecot/files/patch-src_lib-master_master-service.c
Modified:
  head/mail/dovecot-pigeonhole/Makefile
  head/mail/dovecot-pigeonhole/distinfo
  head/mail/dovecot/Makefile
  head/mail/dovecot/distinfo
  head/mail/dovecot/files/patch-configure
  head/mail/dovecot/files/patch-src_lib-fts_fts-filter-stemmer-snowball.c
  head/mail/dovecot/files/patch-src_plugins_fts-lucene_SnowballFilter.h
  head/mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c
  head/mail/dovecot/pkg-plist

Modified: head/mail/dovecot-pigeonhole/Makefile
==============================================================================
--- head/mail/dovecot-pigeonhole/Makefile	Fri Aug 14 00:14:16 2020	(r544856)
+++ head/mail/dovecot-pigeonhole/Makefile	Fri Aug 14 00:27:43 2020	(r544857)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	dovecot-pigeonhole
-PORTVERSION=	0.5.10
+PORTVERSION=	0.5.11
 CATEGORIES=	mail
 MASTER_SITES=	http://pigeonhole.dovecot.org/releases/${DOVECOTVERSION}/
 DISTNAME=	${PORTNAME:C/-/-${DOVECOTVERSION}-/}-${PORTVERSION}
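
Review bot: MASTER_SITES in the context of this hunk still fetches over plain http (`http://pigeonhole.dovecot.org/releases/${DOVECOTVERSION}/`), while the mail/dovecot Makefile in the same commit uses `https://dovecot.org/releases/2.3/`. The distinfo SHA256 guards the tarball at build time, but whoever regenerates distinfo on a version bump like this one downloads over an unauthenticated channel. Switch the URL to https if the site serves it.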

Modified: head/mail/dovecot-pigeonhole/distinfo
==============================================================================
--- head/mail/dovecot-pigeonhole/distinfo	Fri Aug 14 00:14:16 2020	(r544856)
+++ head/mail/dovecot-pigeonhole/distinfo	Fri Aug 14 00:27:43 2020	(r544857)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1583764476
-SHA256 (dovecot-2.3-pigeonhole-0.5.10.tar.gz) = 48c89cc9f3caa9c5f2454f9dcca74fe251a99749a38062bfab7e5017d329605e
-SIZE (dovecot-2.3-pigeonhole-0.5.10.tar.gz) = 1899237
+TIMESTAMP = 1597360057
+SHA256 (dovecot-2.3-pigeonhole-0.5.11.tar.gz) = 0b972a441f680545ddfacd2f41fb2a705fb03249d46ed5ce7e01fe68b6cfb5f0
+SIZE (dovecot-2.3-pigeonhole-0.5.11.tar.gz) = 1912411

Modified: head/mail/dovecot/Makefile
==============================================================================
--- head/mail/dovecot/Makefile	Fri Aug 14 00:14:16 2020	(r544856)
+++ head/mail/dovecot/Makefile	Fri Aug 14 00:27:43 2020	(r544857)
@@ -8,8 +8,7 @@
 ######################################################################
 
 PORTNAME=	dovecot
-PORTVERSION=	2.3.10.1
-PORTREVISION=	2
+PORTVERSION=	2.3.11.3
 CATEGORIES=	mail
 MASTER_SITES=	https://dovecot.org/releases/2.3/
 
@@ -18,6 +17,8 @@ COMMENT=	Secure, fast and powerful IMAP and POP3 serve
 
 LICENSE=	LGPL21 MIT
 LICENSE_COMB=	dual
+
+LIB_DEPENDS=	libzstd.so:archivers/zstd
 
 USES=		cpe iconv libtool pkgconfig ssl
 USE_RC_SUBR=	dovecot
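
Review bot: `LIB_DEPENDS= libzstd.so:archivers/zstd` is added unconditionally, and neither the dovecot changelog quoted in the log nor the log itself says why 2.3.11.3 needs it. Say in the commit message what the dependency is for, and consider gating it behind a port option so that installations that do not use zstd are not forced to link an extra compression library into a network-facing mail server.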

Modified: head/mail/dovecot/distinfo
==============================================================================
--- head/mail/dovecot/distinfo	Fri Aug 14 00:14:16 2020	(r544856)
+++ head/mail/dovecot/distinfo	Fri Aug 14 00:27:43 2020	(r544857)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1589829060
-SHA256 (dovecot-2.3.10.1.tar.gz) = 6642e62f23b1b23cfac235007ca6e21cb67460cca834689fad450724456eb10c
-SIZE (dovecot-2.3.10.1.tar.gz) = 7226958
+TIMESTAMP = 1597259906
+SHA256 (dovecot-2.3.11.3.tar.gz) = d3d9ea9010277f57eb5b9f4166a5d2ba539b172bd6d5a2b2529a6db524baafdc
+SIZE (dovecot-2.3.11.3.tar.gz) = 7353412
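
Review bot: the new SHA256 and SIZE lines for dovecot-2.3.11.3.tar.gz are the only integrity anchor for a release that fixes four CVEs, and nothing in the hunk or the log records how the tarball was authenticated before the checksum was taken. If upstream publishes a release signature, note in the commit message that the distfile was verified against it, so the hash is known to describe the upstream artifact and not merely whatever was downloaded at the time.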

Modified: head/mail/dovecot/files/patch-configure
==============================================================================
--- head/mail/dovecot/files/patch-configure	Fri Aug 14 00:14:16 2020	(r544856)
+++ head/mail/dovecot/files/patch-configure	Fri Aug 14 00:27:43 2020	(r544857)
@@ -1,6 +1,6 @@
---- configure.orig	2020-03-05 17:36:02.000000000 +0300
-+++ configure	2020-03-23 13:27:59.882228000 +0300
-@@ -28652,13 +28652,13 @@
+--- configure.orig	2020-08-12 12:20:51 UTC
++++ configure
+@@ -28901,13 +28901,13 @@ fi
  
  
    if test $want_stemmer != no; then

Modified: head/mail/dovecot/files/patch-src_lib-fts_fts-filter-stemmer-snowball.c
==============================================================================
--- head/mail/dovecot/files/patch-src_lib-fts_fts-filter-stemmer-snowball.c	Fri Aug 14 00:14:16 2020	(r544856)
+++ head/mail/dovecot/files/patch-src_lib-fts_fts-filter-stemmer-snowball.c	Fri Aug 14 00:27:43 2020	(r544857)
@@ -1,4 +1,4 @@
---- src/lib-fts/fts-filter-stemmer-snowball.c.orig
+--- src/lib-fts/fts-filter-stemmer-snowball.c.orig	2020-08-12 12:20:41 UTC
 +++ src/lib-fts/fts-filter-stemmer-snowball.c
 @@ -6,7 +6,7 @@
  

Modified: head/mail/dovecot/files/patch-src_plugins_fts-lucene_SnowballFilter.h
==============================================================================
--- head/mail/dovecot/files/patch-src_plugins_fts-lucene_SnowballFilter.h	Fri Aug 14 00:14:16 2020	(r544856)
+++ head/mail/dovecot/files/patch-src_plugins_fts-lucene_SnowballFilter.h	Fri Aug 14 00:27:43 2020	(r544857)
@@ -1,4 +1,4 @@
---- src/plugins/fts-lucene/SnowballFilter.h.orig
+--- src/plugins/fts-lucene/SnowballFilter.h.orig	2020-08-12 12:20:41 UTC
 +++ src/plugins/fts-lucene/SnowballFilter.h
 @@ -8,7 +8,7 @@
  #define _lucene_analysis_snowball_filter_
@@ -8,3 +8,4 @@
 +#include "CLucene/snowball/libstemmer.h"
  
  CL_NS_DEF2(analysis,snowball)
+ 

Modified: head/mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c
==============================================================================
--- head/mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c	Fri Aug 14 00:14:16 2020	(r544856)
+++ head/mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c	Fri Aug 14 00:27:43 2020	(r544857)
@@ -1,6 +1,6 @@
---- src/plugins/fts-solr/solr-connection.c.orig	2019-04-30 12:25:06 UTC
+--- src/plugins/fts-solr/solr-connection.c.orig	2020-08-12 12:20:41 UTC
 +++ src/plugins/fts-solr/solr-connection.c
-@@ -156,7 +156,7 @@ int solr_connection_init(const struct fts_solr_setting
+@@ -103,7 +103,7 @@ int solr_connection_init(const struct fts_solr_setting
  		http_set.ssl = ssl_client_set;
  		http_set.debug = solr_set->debug;
  		http_set.rawlog_dir = solr_set->rawlog_dir;
@@ -8,4 +8,4 @@
 +		solr_http_client = http_client_init_private(&http_set);
  	}
  
- 	conn->xml_parser = XML_ParserCreate("UTF-8");
+ 	*conn_r = conn;
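
Review bot: the rebased hunk header moves from line 156 to line 103 and the trailing context changes from `conn->xml_parser = XML_ParserCreate("UTF-8");` to `*conn_r = conn;`, so upstream has reworked solr_connection_init(), yet the patch file still carries no explanation of why the port adds `solr_http_client = http_client_init_private(&http_set);`. Put a short description or a PR reference at the top of the patch file so the next update can tell whether this local change is still required.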

Modified: head/mail/dovecot/pkg-plist
==============================================================================
--- head/mail/dovecot/pkg-plist	Fri Aug 14 00:14:16 2020	(r544856)
+++ head/mail/dovecot/pkg-plist	Fri Aug 14 00:27:43 2020	(r544857)
@@ -93,6 +93,7 @@ include/dovecot/auth-master.h
 include/dovecot/auth-penalty.h
 include/dovecot/auth-policy.h
 include/dovecot/auth-request-handler.h
+include/dovecot/auth-request-handler-private.h
 include/dovecot/auth-request-stats.h
 include/dovecot/auth-request-var-expand.h
 include/dovecot/auth-request.h
@@ -468,6 +469,7 @@ include/dovecot/mdbox-settings.h
 include/dovecot/mdbox-storage-rebuild.h
 include/dovecot/mdbox-storage.h
 include/dovecot/mdbox-sync.h
+include/dovecot/mech-digest-md5-private.h
 include/dovecot/mech-otp-skey-common.h
 include/dovecot/mech-plain-common.h
 include/dovecot/mech-scram.h
@@ -514,6 +516,7 @@ include/dovecot/ostream-null.h
 include/dovecot/ostream-private.h
 include/dovecot/ostream-rawlog.h
 include/dovecot/ostream-unix.h
+include/dovecot/ostream-wrapper.h
 include/dovecot/ostream-zlib.h
 include/dovecot/ostream.h
 include/dovecot/passdb-blocking.h


