Date: Fri, 16 Aug 2024 15:03:16 -0700 From: Kevin Bowling <kevin.bowling@kev009.com> To: Vladimir Druzenko <vvd@freebsd.org> Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org Subject: =?UTF-8?B?UmU6IGdpdDogNzJkZDhkMmVlNjc2IC0gbWFpbiAtIG1haWwvZG92ZWNvdDogdXBkYXRlIA==?= =?UTF-8?B?Mi4zLjIxIOKGkiAyLjMuMjEuMSAoZml4ZXMgMiBDVkVzKQ==?= Message-ID: <CAK7dMtDpKJjLYheA77QY_5TKG2uEsLWtcGwSz%2Bqp4%2BNYuwDqNg@mail.gmail.com> In-Reply-To: <5b4df306-2998-4f98-b5fa-8bf168cd011a@freebsd.org> References: <202408161835.47GIZuZJ084942@gitrepo.freebsd.org> <CAK7dMtD6gZ0dHhu8edEs%2BH1wEdKbeE4%2B6L%2BRDCbBRuHj5WJ5fA@mail.gmail.com> <5b4df306-2998-4f98-b5fa-8bf168cd011a@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--0000000000002c876f061fd42145 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Fri, Aug 16, 2024 at 2:57=E2=80=AFPM Vladimir Druzenko <vvd@freebsd.org>= wrote: > 16.08.2024 22:03, Kevin Bowling =D0=BF=D0=B8=D1=88=D0=B5=D1=82: > > CVEs should come with an update to security/vuxml/vuln/2024.xml > > I don't know how to do this correctly. > You should seek help or abstain from doing security updates then. It is just an xml file that you update, the wiki https://wiki.freebsd.org/VuXML and the link inside to the PHB have all necessary instructions. > > On Fri, Aug 16, 2024 at 11:36=E2=80=AFAM Vladimir Druzenko <vvd@freebsd= .org> > wrote: > >> The branch main has been updated by vvd: > >> > >> URL: > https://cgit.FreeBSD.org/ports/commit/?id=3D72dd8d2ee6760ed9a0f22fb2c2e75= 0d5875518d4 > >> > >> commit 72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4 > >> Author: Vladimir Druzenko <vvd@FreeBSD.org> > >> AuthorDate: 2024-08-16 18:31:04 +0000 > >> Commit: Vladimir Druzenko <vvd@FreeBSD.org> > >> CommitDate: 2024-08-16 18:31:04 +0000 > >> > >> mail/dovecot: update 2.3.21 =E2=86=92 2.3.21.1 (fixes 2 CVEs) > >> > >> - CVE-2024-23184: A large number of address headers in email > resulted > >> in excessive CPU usage. > >> - CVE-2024-23185: Abnormally large email headers are now truncate= d > or > >> discarded, with a limit of 10MB on a single header and 50MB for > all > >> the headers of all the parts of an email. > >> - oauth2: Dovecot would send client_id and client_secret as POST > parameters > >> to introspection server. These need to be optionally in Basic > auth > >> instead as required by OIDC specification. > >> - oauth2: JWT key type check was too strict. > >> - oauth2: JWT token audience was not validated against client_id = as > >> required by OIDC specification. > >> - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out > >> protocol specific error message on all errors. This broke OIDC > discovery. > >> - oauth2: JWT aud validation was not performed if aud was missing > >> from token, but was configured on Dovecot. > >> > https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thr= ead/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/ > >> > >> PR: 280866 > >> Approved by: ler (maintainer) > >> MFH: 2024Q3 > >> --- > >> mail/dovecot/Makefile | 4 +--- > >> mail/dovecot/distinfo | 6 +++--- > >> 2 files changed, 4 insertions(+), 6 deletions(-) > >> > >> diff --git a/mail/dovecot/Makefile b/mail/dovecot/Makefile > >> index c789da0a2294..44f42b27f94f 100644 > >> --- a/mail/dovecot/Makefile > >> +++ b/mail/dovecot/Makefile > >> @@ -9,8 +9,7 @@ > >> ####################################################################= ## > >> > >> PORTNAME=3D dovecot > >> -PORTVERSION=3D 2.3.21 > >> -PORTREVISION=3D 6 > >> +DISTVERSION=3D 2.3.21.1 > >> CATEGORIES=3D mail > >> MASTER_SITES=3D https://dovecot.org/releases/2.3/ > >> > >> @@ -27,7 +26,6 @@ USES=3D cpe iconv libtool pkgconfig ssl > >> USE_RC_SUBR=3D dovecot > >> > >> GNU_CONFIGURE=3D yes > >> -GNU_CONFIGURE_MANPREFIX=3D ${PREFIX}/share > >> CONFIGURE_ARGS=3D --localstatedir=3D/var \ > >> --with-docs \ > >> --with-ssl=3Dopenssl \ > >> diff --git a/mail/dovecot/distinfo b/mail/dovecot/distinfo > >> index e9e4c683e46c..97f77b78a427 100644 > >> --- a/mail/dovecot/distinfo > >> +++ b/mail/dovecot/distinfo > >> @@ -1,3 +1,3 @@ > >> -TIMESTAMP =3D 1695133264 > >> -SHA256 (dovecot-2.3.21.tar.gz) =3D > 05b11093a71c237c2ef309ad587510721cc93bbee6828251549fc1586c36502d > >> -SIZE (dovecot-2.3.21.tar.gz) =3D 7837242 > >> +TIMESTAMP =3D 1723829732 > >> +SHA256 (dovecot-2.3.21.1.tar.gz) =3D > 2d90a178c4297611088bf7daae5492a3bc3d5ab6328c3a032eb425d2c249097e > >> +SIZE (dovecot-2.3.21.1.tar.gz) =3D 7842044 > > > -- > Best regards, > Vladimir Druzenko > > --0000000000002c876f061fd42145 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div><br></div><div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class= =3D"gmail_attr">On Fri, Aug 16, 2024 at 2:57=E2=80=AFPM Vladimir Druzenko &= lt;<a href=3D"mailto:vvd@freebsd.org">vvd@freebsd.org</a>> wrote:<br></d= iv><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bord= er-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-colo= r:rgb(204,204,204)">16.08.2024 22:03, Kevin Bowling =D0=BF=D0=B8=D1=88=D0= =B5=D1=82:<br> > CVEs should come with an update to security/vuxml/vuln/2024.xml<br> <br> I don't know how to do this correctly.<br> </blockquote><div dir=3D"auto"><br></div><div dir=3D"auto">You should seek = help or abstain from doing security updates then.=C2=A0 It is just an xml f= ile that you update, the wiki=C2=A0<a href=3D"https://wiki.freebsd.org/VuXM= L">https://wiki.freebsd.org/VuXML</a><br>=C2=A0and the link inside to the P= HB have all necessary instructions.</div><div dir=3D"auto"><br></div><div d= ir=3D"auto"><br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px= 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1= ex;border-left-color:rgb(204,204,204)"><br> > On Fri, Aug 16, 2024 at 11:36=E2=80=AFAM Vladimir Druzenko <<a href= =3D"mailto:vvd@freebsd.org" target=3D"_blank">vvd@freebsd.org</a>> wrote= :<br> >> The branch main has been updated by vvd:<br> >><br> >> URL: <a href=3D"https://cgit.FreeBSD.org/ports/commit/?id=3D72dd8d= 2ee6760ed9a0f22fb2c2e750d5875518d4" rel=3D"noreferrer" target=3D"_blank">ht= tps://cgit.FreeBSD.org/ports/commit/?id=3D72dd8d2ee6760ed9a0f22fb2c2e750d58= 75518d4</a><br> >><br> >> commit 72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4<br> >> Author:=C2=A0 =C2=A0 =C2=A0Vladimir Druzenko <vvd@FreeBSD.org&g= t;<br> >> AuthorDate: 2024-08-16 18:31:04 +0000<br> >> Commit:=C2=A0 =C2=A0 =C2=A0Vladimir Druzenko <vvd@FreeBSD.org&g= t;<br> >> CommitDate: 2024-08-16 18:31:04 +0000<br> >><br> >>=C2=A0 =C2=A0 =C2=A0 mail/dovecot: update 2.3.21 =E2=86=92 2.3.21.1= (fixes 2 CVEs)<br> >><br> >>=C2=A0 =C2=A0 =C2=A0 - CVE-2024-23184: A large number of address he= aders in email resulted<br> >>=C2=A0 =C2=A0 =C2=A0 =C2=A0 in excessive CPU usage.<br> >>=C2=A0 =C2=A0 =C2=A0 - CVE-2024-23185: Abnormally large email heade= rs are now truncated or<br> >>=C2=A0 =C2=A0 =C2=A0 =C2=A0 discarded, with a limit of 10MB on a si= ngle header and 50MB for all<br> >>=C2=A0 =C2=A0 =C2=A0 =C2=A0 the headers of all the parts of an emai= l.<br> >>=C2=A0 =C2=A0 =C2=A0 - oauth2: Dovecot would send client_id and cli= ent_secret as POST parameters<br> >>=C2=A0 =C2=A0 =C2=A0 =C2=A0 to introspection server. These need to = be optionally in Basic auth<br> >>=C2=A0 =C2=A0 =C2=A0 =C2=A0 instead as required by OIDC specificati= on.<br> >>=C2=A0 =C2=A0 =C2=A0 - oauth2: JWT key type check was too strict.<b= r> >>=C2=A0 =C2=A0 =C2=A0 - oauth2: JWT token audience was not validated= against client_id as<br> >>=C2=A0 =C2=A0 =C2=A0 =C2=A0 required by OIDC specification.<br> >>=C2=A0 =C2=A0 =C2=A0 - oauth2: XOAUTH2 and OAUTHBEARER mechanisms w= ere not giving out<br> >>=C2=A0 =C2=A0 =C2=A0 =C2=A0 protocol specific error message on all = errors. This broke OIDC discovery.<br> >>=C2=A0 =C2=A0 =C2=A0 - oauth2: JWT aud validation was not performed= if aud was missing<br> >>=C2=A0 =C2=A0 =C2=A0 =C2=A0 from token, but was configured on Dovec= ot.<br> >>=C2=A0 =C2=A0 =C2=A0 <a href=3D"https://dovecot.org/mailman3/hyperk= itty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/= " rel=3D"noreferrer" target=3D"_blank">https://dovecot.org/mailman3/hyperki= tty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/<= /a><br> >><br> >>=C2=A0 =C2=A0 =C2=A0 PR:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0280866<br> >>=C2=A0 =C2=A0 =C2=A0 Approved by:=C2=A0 =C2=A0 ler (maintainer)<br> >>=C2=A0 =C2=A0 =C2=A0 MFH:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = 2024Q3<br> >> ---<br> >>=C2=A0 =C2=A0mail/dovecot/Makefile | 4 +---<br> >>=C2=A0 =C2=A0mail/dovecot/distinfo | 6 +++---<br> >>=C2=A0 =C2=A02 files changed, 4 insertions(+), 6 deletions(-)<br> >><br> >> diff --git a/mail/dovecot/Makefile b/mail/dovecot/Makefile<br> >> index c789da0a2294..44f42b27f94f 100644<br> >> --- a/mail/dovecot/Makefile<br> >> +++ b/mail/dovecot/Makefile<br> >> @@ -9,8 +9,7 @@<br> >>=C2=A0 =C2=A0######################################################= ################<br> >><br> >>=C2=A0 =C2=A0PORTNAME=3D=C2=A0 =C2=A0 =C2=A0 dovecot<br> >> -PORTVERSION=3D=C2=A0 =C2=A02.3.21<br> >> -PORTREVISION=3D=C2=A0 6<br> >> +DISTVERSION=3D=C2=A0 =C2=A02.3.21.1<br> >>=C2=A0 =C2=A0CATEGORIES=3D=C2=A0 =C2=A0 mail<br> >>=C2=A0 =C2=A0MASTER_SITES=3D=C2=A0 <a href=3D"https://dovecot.org/r= eleases/2.3/" rel=3D"noreferrer" target=3D"_blank">https://dovecot.org/rele= ases/2.3/</a><br> >><br> >> @@ -27,7 +26,6 @@ USES=3D=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0cpe ico= nv libtool pkgconfig ssl<br> >>=C2=A0 =C2=A0USE_RC_SUBR=3D=C2=A0 =C2=A0dovecot<br> >><br> >>=C2=A0 =C2=A0GNU_CONFIGURE=3D yes<br> >> -GNU_CONFIGURE_MANPREFIX=3D=C2=A0 =C2=A0 =C2=A0 =C2=A0${PREFIX}/sh= are<br> >>=C2=A0 =C2=A0CONFIGURE_ARGS=3D=C2=A0 =C2=A0 =C2=A0 =C2=A0 --localst= atedir=3D/var \<br> >>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 --wi= th-docs \<br> >>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 --wi= th-ssl=3Dopenssl \<br> >> diff --git a/mail/dovecot/distinfo b/mail/dovecot/distinfo<br> >> index e9e4c683e46c..97f77b78a427 100644<br> >> --- a/mail/dovecot/distinfo<br> >> +++ b/mail/dovecot/distinfo<br> >> @@ -1,3 +1,3 @@<br> >> -TIMESTAMP =3D 1695133264<br> >> -SHA256 (dovecot-2.3.21.tar.gz) =3D 05b11093a71c237c2ef309ad587510= 721cc93bbee6828251549fc1586c36502d<br> >> -SIZE (dovecot-2.3.21.tar.gz) =3D 7837242<br> >> +TIMESTAMP =3D 1723829732<br> >> +SHA256 (dovecot-2.3.21.1.tar.gz) =3D 2d90a178c4297611088bf7daae54= 92a3bc3d5ab6328c3a032eb425d2c249097e<br> >> +SIZE (dovecot-2.3.21.1.tar.gz) =3D 7842044<br> <br> <br> -- <br> Best regards,<br> Vladimir Druzenko<br> <br> </blockquote></div></div> --0000000000002c876f061fd42145--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAK7dMtDpKJjLYheA77QY_5TKG2uEsLWtcGwSz%2Bqp4%2BNYuwDqNg>