Date: Fri, 16 Aug 2024 12:03:31 -0700 From: Kevin Bowling <kevin.bowling@kev009.com> To: Vladimir Druzenko <vvd@freebsd.org> Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org Subject: =?UTF-8?B?UmU6IGdpdDogNzJkZDhkMmVlNjc2IC0gbWFpbiAtIG1haWwvZG92ZWNvdDogdXBkYXRlIA==?= =?UTF-8?B?Mi4zLjIxIOKGkiAyLjMuMjEuMSAoZml4ZXMgMiBDVkVzKQ==?= Message-ID: <CAK7dMtD6gZ0dHhu8edEs%2BH1wEdKbeE4%2B6L%2BRDCbBRuHj5WJ5fA@mail.gmail.com> In-Reply-To: <202408161835.47GIZuZJ084942@gitrepo.freebsd.org> References: <202408161835.47GIZuZJ084942@gitrepo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
CVEs should come with an update to security/vuxml/vuln/2024.xml On Fri, Aug 16, 2024 at 11:36=E2=80=AFAM Vladimir Druzenko <vvd@freebsd.org= > wrote: > > The branch main has been updated by vvd: > > URL: https://cgit.FreeBSD.org/ports/commit/?id=3D72dd8d2ee6760ed9a0f22fb2= c2e750d5875518d4 > > commit 72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4 > Author: Vladimir Druzenko <vvd@FreeBSD.org> > AuthorDate: 2024-08-16 18:31:04 +0000 > Commit: Vladimir Druzenko <vvd@FreeBSD.org> > CommitDate: 2024-08-16 18:31:04 +0000 > > mail/dovecot: update 2.3.21 =E2=86=92 2.3.21.1 (fixes 2 CVEs) > > - CVE-2024-23184: A large number of address headers in email resulted > in excessive CPU usage. > - CVE-2024-23185: Abnormally large email headers are now truncated or > discarded, with a limit of 10MB on a single header and 50MB for all > the headers of all the parts of an email. > - oauth2: Dovecot would send client_id and client_secret as POST para= meters > to introspection server. These need to be optionally in Basic auth > instead as required by OIDC specification. > - oauth2: JWT key type check was too strict. > - oauth2: JWT token audience was not validated against client_id as > required by OIDC specification. > - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out > protocol specific error message on all errors. This broke OIDC disc= overy. > - oauth2: JWT aud validation was not performed if aud was missing > from token, but was configured on Dovecot. > https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org= /thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/ > > PR: 280866 > Approved by: ler (maintainer) > MFH: 2024Q3 > --- > mail/dovecot/Makefile | 4 +--- > mail/dovecot/distinfo | 6 +++--- > 2 files changed, 4 insertions(+), 6 deletions(-) > > diff --git a/mail/dovecot/Makefile b/mail/dovecot/Makefile > index c789da0a2294..44f42b27f94f 100644 > --- a/mail/dovecot/Makefile > +++ b/mail/dovecot/Makefile > @@ -9,8 +9,7 @@ > ###################################################################### > > PORTNAME=3D dovecot > -PORTVERSION=3D 2.3.21 > -PORTREVISION=3D 6 > +DISTVERSION=3D 2.3.21.1 > CATEGORIES=3D mail > MASTER_SITES=3D https://dovecot.org/releases/2.3/ > > @@ -27,7 +26,6 @@ USES=3D cpe iconv libtool pkgconfig ssl > USE_RC_SUBR=3D dovecot > > GNU_CONFIGURE=3D yes > -GNU_CONFIGURE_MANPREFIX=3D ${PREFIX}/share > CONFIGURE_ARGS=3D --localstatedir=3D/var \ > --with-docs \ > --with-ssl=3Dopenssl \ > diff --git a/mail/dovecot/distinfo b/mail/dovecot/distinfo > index e9e4c683e46c..97f77b78a427 100644 > --- a/mail/dovecot/distinfo > +++ b/mail/dovecot/distinfo > @@ -1,3 +1,3 @@ > -TIMESTAMP =3D 1695133264 > -SHA256 (dovecot-2.3.21.tar.gz) =3D 05b11093a71c237c2ef309ad587510721cc93= bbee6828251549fc1586c36502d > -SIZE (dovecot-2.3.21.tar.gz) =3D 7837242 > +TIMESTAMP =3D 1723829732 > +SHA256 (dovecot-2.3.21.1.tar.gz) =3D 2d90a178c4297611088bf7daae5492a3bc3= d5ab6328c3a032eb425d2c249097e > +SIZE (dovecot-2.3.21.1.tar.gz) =3D 7842044
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAK7dMtD6gZ0dHhu8edEs%2BH1wEdKbeE4%2B6L%2BRDCbBRuHj5WJ5fA>