From owner-freebsd-ports-bugs@FreeBSD.ORG Sat May 13 07:30:18 2006
Return-Path:
X-Original-To: freebsd-ports-bugs@hub.freebsd.org
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C35316A40F for ; Sat, 13 May 2006 07:30:18 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B28F443D49 for ; Sat, 13 May 2006 07:30:17 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k4D7UHmK061144 for ; Sat, 13 May 2006 07:30:17 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k4D7UHuZ061143; Sat, 13 May 2006 07:30:17 GMT (envelope-from gnats)
Resent-Date: Sat, 13 May 2006 07:30:17 GMT
Resent-Message-Id: <200605130730.k4D7UHuZ061143@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Jeremy Chadwick
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C0B0216A411 for ; Sat, 13 May 2006 07:21:22 +0000 (UTC) (envelope-from jdc@parodius.com)
Received: from mx1.parodius.com (mx1.parodius.com [64.62.145.229]) by mx1.FreeBSD.org (Postfix) with ESMTP id C605E43D46 for ; Sat, 13 May 2006 07:21:21 +0000 (GMT) (envelope-from jdc@parodius.com)
Received: by mx1.parodius.com (Postfix, from userid 500) id ABFFB6006; Sat, 13 May 2006 00:21:21 -0700 (PDT)
Message-Id: <20060513072121.ABFFB6006@mx1.parodius.com>
Date: Sat, 13 May 2006 00:21:21 -0700 (PDT)
From: Jeremy Chadwick
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc:
Subject: ports/97193: mail/dovecot - Update to 1.0.b8 (fixes security hole)
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Jeremy Chadwick
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 13 May 2006 07:30:18 -0000

>Number:         97193
>Category:       ports
>Synopsis:       mail/dovecot - Update to 1.0.b8 (fixes security hole)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 13 07:30:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Jeremy Chadwick
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
Parodius Networking
>Environment:
System: FreeBSD pentarou.parodius.com 4.11-STABLE FreeBSD 4.11-STABLE #0: Thu Jan 12 01:50:11 PST 2006 root@pentarou.parodius.com:/usr/obj/usr/src/sys/PENTAROU i386
>Description:
Update the mail/dovecot port to 1.0.b8, which addresses numerous problems
(including proper kqueue support -- that means us, BSD folks! ;) ), the
most important of which is a security hole (individuals are allowed to
list other users' mailboxes).

I've labelled this as serious/medium because of the security hole.

Official changelog between b7 and b8 is as follows:

* Fixed a security hole with mbox: "1 LIST .. *" command could list all
  directories and files under the mbox root directory, so if your mails
  were stored in e.g. /var/mail/%u/ directory, the command would list
  everything under /var/mail.
+ Unless nfs_check=no or mmap_disable=yes, check for the first login if
  the user's index directory exists in NFS mount. If so, refuse to run.
  This is done only on first login to avoid constant extra overhead.
+ If we have plugins set and imap_capability unset, figure out the IMAP
  capabilities automatically by running imap binary at startup. The
  generated capability list isn't updated until Dovecot is restarted
  completely, so if you add or remove IMAP plugins you should restart.
  If you have problems related to this, set imap_capabilities setting
  manually to work around it.
+ Added auth_username_format setting
- pop3_lock_session setting wasn't really working
- Lots of fixes related to quota handling. It's still not working
  perfectly though.
- Lots of index handling fixes, especially with mmap_disable=yes
- Maildir: saving mails could have sometimes caused "Append with UID n,
  but next_uid = m" errors
- flock() locking never timed out because ignoring SIGALRM caused the
  system call just to be restarted when SIGALRM occurred (probably not
  with all OSes though?)
- kqueue: Fixed "Unrecognized event". Patch by Vaclav Haisman
>How-To-Repeat:
n/a
>Fix:
Apply below patch.

diff -ruN dovecot.orig/Makefile dovecot/Makefile --- dovecot.orig/Makefile Tue May 9 06:19:06 2006 +++ dovecot/Makefile Sat May 13 00:08:29 2006 @@ -7,8 +7,7 @@ # PORTNAME= dovecot -DISTVERSION= 1.0.beta7 -PORTREVISION= 1 +DISTVERSION= 1.0.beta8 CATEGORIES= mail ipv6 MASTER_SITES= http://www.dovecot.org/releases/ diff -ruN dovecot.orig/distinfo dovecot/distinfo --- dovecot.orig/distinfo Mon May 8 02:02:59 2006 +++ dovecot/distinfo Sat May 13 00:19:54 2006
@@ -1,3 +1,3 @@ -MD5 (dovecot-1.0.beta7.tar.gz) = bfbc4c3705f6e6e891934168cd26e9dd -SHA256 (dovecot-1.0.beta7.tar.gz) = 0044595968396d094d6e67e9112b3af16bef1bd1d63ec4934cc9ca889864e580 -SIZE (dovecot-1.0.beta7.tar.gz) = 1406322 +MD5 (dovecot-1.0.beta8.tar.gz) = 6a87718a86ee1ae2334c75843dd9a7df +SHA256 (dovecot-1.0.beta8.tar.gz) = b43bb6ea5426b0d78ae260b53be035d1b5371b76a342870b2d56a6aba1ad82d2 +SIZE (dovecot-1.0.beta8.tar.gz) = 1392106 diff -ruN dovecot.orig/pkg-plist dovecot/pkg-plist --- dovecot.orig/pkg-plist Mon May 8 02:02:59 2006 +++ dovecot/pkg-plist Sat May 13 00:12:20 2006 @@ -12,6 +12,7 @@ lib/dovecot/imap/lib02_trash_plugin.so @dirrm lib/dovecot/imap lib/dovecot/pop3/lib01_convert_plugin.so +lib/dovecot/pop3/lib01_quota_plugin.so @dirrm lib/dovecot/pop3 lib/dovecot/lda/lib01_acl_plugin.so lib/dovecot/lda/lib01_convert_plugin.so >Release-Note: >Audit-Trail: >Unformatted:
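Review bot: In the Makefile hunk, dropping `PORTREVISION= 1` while bumping `DISTVERSION= 1.0.beta7` to `1.0.beta8` follows ports convention (PORTREVISION resets on a new upstream version), but since the description presents this as a fix for a security hole and the patch touches only Makefile, distinfo and pkg-plist, the commit should be paired with a security/vuxml entry covering the affected dovecot versions so pkg-audit style tooling can flag installations still on beta7 or earlier.

Review bot: In the distinfo hunk, MD5, SHA256 and SIZE for dovecot-1.0.beta7.tar.gz are all replaced together with values for dovecot-1.0.beta8.tar.gz, which is internally consistent; because these three lines are the only integrity check on the distfile, the committer should regenerate them with `make makesum` against a tarball freshly fetched from MASTER_SITES and confirm `make checksum` passes rather than trusting pasted digests.

Review bot: In the pkg-plist hunk, the only change is the new `lib/dovecot/pop3/lib01_quota_plugin.so` line before `@dirrm lib/dovecot/pop3`; the changelog's "Lots of fixes related to quota handling" makes a new pop3 quota plugin plausible, but the plist should be checked against a real beta8 install (install into a scratch PREFIX and diff the file list against pkg-plist) so that any other plugins added or removed between beta7 and beta8 are caught, not just the one file noticed here.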
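The changelog entry above describes the security hole operationally (the `1 LIST .. *` command walks out of the mbox root), but the PR carries no way to check a server for it or to show what a guard against it looks like. The following is an added example, not code from the PR or from Dovecot: a small client-side probe that issues the same `LIST .. *` and flags any returned mailbox name that steps outside the mail root, together with a server-side path check of the kind needed when mailbox names are mapped onto directories under a per-user root such as /var/mail/%u. The helper names (`probe_server`, `escaping_names`, `mbox_path_within_root`) are this example's own, and the LIST responses it parses are constructed samples, not captured from a real server.

```python
"""Probe and guard for the mbox "LIST .. *" traversal described in the PR.

Added example; not code from Dovecot or the PR. Assumes mailbox names map
directly onto directories under a per-user root like /var/mail/%u.
"""
import imaplib
import os
import re
from typing import Any, Dict, List, Optional

# One LIST response line, with or without the "* LIST " prefix
# (imaplib.IMAP4.list() returns lines with that prefix already stripped).
LIST_RE = re.compile(
    rb'^(?:\* LIST )?\((?P<flags>[^)]*)\) '
    rb'(?P<delim>NIL|"[^"]*") '
    rb'(?P<name>"(?:\\.|[^"\\])*"|[^\s"]+)\s*$'
)


def _unquote(token: bytes) -> str:
    """Decode an IMAP quoted string (or bare atom) to text."""
    if len(token) >= 2 and token[:1] == b'"' and token[-1:] == b'"':
        token = token[1:-1].replace(b'\\"', b'"').replace(b'\\\\', b'\\')
    return token.decode("utf-8", "replace")


def parse_list_line(line: bytes) -> Optional[Dict[str, Any]]:
    """Parse one LIST response into flags, hierarchy delimiter and mailbox name."""
    m = LIST_RE.match(line.strip())
    if m is None:
        return None
    delim = m.group("delim")
    return {
        "flags": m.group("flags").decode("ascii", "replace").split(),
        "delim": None if delim == b"NIL" else _unquote(delim),
        "name": _unquote(m.group("name")),
    }


def escaping_names(list_lines: List[bytes]) -> List[str]:
    """Mailbox names pointing outside the mail root: a '..' component or an
    absolute path. A server mapping names onto directories must never return
    these, whatever reference argument the client supplied ('..' included)."""
    found = []
    for line in list_lines:
        entry = parse_list_line(line)
        if entry is None:
            continue
        name, delim = entry["name"], entry["delim"] or "/"
        if name.startswith("/") or ".." in name.split(delim):
            found.append(name)
    return found


def mbox_path_within_root(root: str, name: str, delim: str = "/") -> bool:
    """Server-side guard: does mailbox `name` resolve to a path under `root`?

    Rejects '..' components and NUL bytes outright, then confirms the
    normalized path still has `root` as a prefix; the second check matters
    because os.path.join(root, "/etc") silently discards root."""
    if "\0" in name or ".." in name.split(delim):
        return False
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, name.replace(delim, os.sep)))
    try:
        return os.path.commonpath([root, candidate]) == root
    except ValueError:  # absolute/relative mix can never be under root
        return False


def probe_server(host: str, user: str, password: str, port: int = 993,
                 reference: str = "..") -> List[str]:
    """Hypothetical helper: log in over IMAPS, send `LIST <reference> *` and
    return any escaping names. Only for servers you are authorized to test."""
    with imaplib.IMAP4_SSL(host, port) as conn:
        conn.login(user, password)
        typ, data = conn.list(reference, "*")
        if typ != "OK":
            return []
        return escaping_names([d for d in data if isinstance(d, bytes)])


# Constructed sample responses (not captured from a real server): what a
# vulnerable mbox server might answer to `a1 LIST .. *`, and a clean answer.
SAMPLE_VULNERABLE = [
    b'* LIST (\\HasNoChildren) "/" "../bob"',
    b'* LIST (\\Noselect) "/" "../bob/Maildir"',
    b'* LIST (\\HasNoChildren) "/" INBOX',
]
SAMPLE_FIXED = [
    b'* LIST (\\HasNoChildren) "/" INBOX',
    b'(\\HasNoChildren) "/" "Sent Items"',  # imaplib style, prefix stripped
]

if __name__ == "__main__":
    print("vulnerable sample escapes:", escaping_names(SAMPLE_VULNERABLE))
    print("fixed sample escapes:", escaping_names(SAMPLE_FIXED))
    for name in ("Sent", "../bob", "/etc/passwd", "a/../Sent"):
        print(f"{name!r} under /var/mail/alice:",
              mbox_path_within_root("/var/mail/alice", name))
```

Against a live server, `probe_server("imap.example.test", "alice", "secret")` returning a non-empty list means the reference argument is still being joined onto the mail root without validation. The guard deliberately rejects `a/../Sent` even though it normalizes back inside the root: an mbox name carrying `..` has no legitimate meaning, and refusing it is cheaper and safer than reasoning about where it lands.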