Date:      Fri, 16 Aug 2024 21:40:57 -0700
From:      Kevin Bowling <kevin.bowling@kev009.com>
To:        Vladimir Druzenko <vvd@freebsd.org>
Cc:        ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
Subject:   Re: git: 72dd8d2ee676 - main - mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)
Message-ID:  <CAK7dMtCxxTsJW5h+hVjvzZZWs-3sQWCHZ+O72BaCQte2iLnPuw@mail.gmail.com>
In-Reply-To: <46cd3411-017c-4efa-8f75-e1e3acecce09@freebsd.org>
References:  <202408161835.47GIZuZJ084942@gitrepo.freebsd.org> <CAK7dMtD6gZ0dHhu8edEs+H1wEdKbeE4+6L+RDCbBRuHj5WJ5fA@mail.gmail.com> <5b4df306-2998-4f98-b5fa-8bf168cd011a@freebsd.org> <CAK7dMtDpKJjLYheA77QY_5TKG2uEsLWtcGwSz+qp4+NYuwDqNg@mail.gmail.com> <46cd3411-017c-4efa-8f75-e1e3acecce09@freebsd.org>


On Fri, Aug 16, 2024 at 5:08 PM Vladimir Druzenko <vvd@freebsd.org> wrote:

> 17.08.2024 01:03, Kevin Bowling writes:
>
> On Fri, Aug 16, 2024 at 2:57 PM Vladimir Druzenko <vvd@freebsd.org> wrote:
>
>> 16.08.2024 22:03, Kevin Bowling writes:
>> > CVEs should come with an update to security/vuxml/vuln/2024.xml
>>
>> I don't know how to do this correctly.
>>
>
> You should seek help or abstain from doing security updates then.  It is
> just an xml file that you update, the wiki https://wiki.freebsd.org/VuXML
> and the link inside to the PHB have all necessary instructions.
>
> I wouldn't do that, but ler@ (maintainer) is in hospital and asked to
> update his port.
> Also, I use dovecot so I can test it in real work before committing, which
> I did.
>
> If you can and are willing to help, then just help. Just like we all help
> with updating ports from maintainers without commit bits or fixing broken
> ports builds.
>
I have given you the information you need.  It is editing a declarative
text file, which is simpler in both concept and execution than the port update
in question.  The wiki linked covers the obstinate behavior already, so read
what was given before replying.

Peace.
>
>
>> > On Fri, Aug 16, 2024 at 11:36 AM Vladimir Druzenko <vvd@freebsd.org> wrote:
>> >> The branch main has been updated by vvd:
>> >>
>> >> URL: https://cgit.FreeBSD.org/ports/commit/?id=72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
>> >>
>> >> commit 72dd8d2ee6760ed9a0f22fb2c2e750d5875518d4
>> >> Author:     Vladimir Druzenko <vvd@FreeBSD.org>
>> >> AuthorDate: 2024-08-16 18:31:04 +0000
>> >> Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
>> >> CommitDate: 2024-08-16 18:31:04 +0000
>> >>
>> >>      mail/dovecot: update 2.3.21 → 2.3.21.1 (fixes 2 CVEs)
>> >>
>> >>      - CVE-2024-23184: A large number of address headers in email resulted
>> >>        in excessive CPU usage.
>> >>      - CVE-2024-23185: Abnormally large email headers are now truncated or
>> >>        discarded, with a limit of 10MB on a single header and 50MB for all
>> >>        the headers of all the parts of an email.
>> >>      - oauth2: Dovecot would send client_id and client_secret as POST parameters
>> >>        to introspection server. These need to be optionally in Basic auth
>> >>        instead as required by OIDC specification.
>> >>      - oauth2: JWT key type check was too strict.
>> >>      - oauth2: JWT token audience was not validated against client_id as
>> >>        required by OIDC specification.
>> >>      - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
>> >>        protocol specific error message on all errors. This broke OIDC discovery.
>> >>      - oauth2: JWT aud validation was not performed if aud was missing
>> >>        from token, but was configured on Dovecot.
>> >>
>> >>      https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/
>> >>
>> >>      PR:             280866
>> >>      Approved by:    ler (maintainer)
>> >>      MFH:            2024Q3
>> >> ---
>> >>   mail/dovecot/Makefile | 4 +---
>> >>   mail/dovecot/distinfo | 6 +++---
>> >>   2 files changed, 4 insertions(+), 6 deletions(-)
>> >>
>> >> diff --git a/mail/dovecot/Makefile b/mail/dovecot/Makefile
>> >> index c789da0a2294..44f42b27f94f 100644
>> >> --- a/mail/dovecot/Makefile
>> >> +++ b/mail/dovecot/Makefile
>> >> @@ -9,8 +9,7 @@
>> >>  ######################################################################
>> >>
>> >>   PORTNAME=      dovecot
>> >> -PORTVERSION=   2.3.21
>> >> -PORTREVISION=  6
>> >> +DISTVERSION=   2.3.21.1
>> >>   CATEGORIES=    mail
>> >>   MASTER_SITES=  https://dovecot.org/releases/2.3/
>> >>
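Review bot: the swap of PORTVERSION=2.3.21 plus PORTREVISION=6 for DISTVERSION=2.3.21.1 changes the package version string from 2.3.21_6 to 2.3.21.1, and the commit message does not mention it; worth one sentence there, and a `pkg version -t 2.3.21_6 2.3.21.1` to confirm the new version sorts after the old one so that no PORTEPOCH is needed for upgrades.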
>> >> @@ -27,7 +26,6 @@ USES=         cpe iconv libtool pkgconfig ssl
>> >>   USE_RC_SUBR=   dovecot
>> >>
>> >>   GNU_CONFIGURE= yes
>> >> -GNU_CONFIGURE_MANPREFIX=       ${PREFIX}/share
>> >>   CONFIGURE_ARGS=        --localstatedir=/var \
>> >>                  --with-docs \
>> >>                  --with-ssl=openssl \
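Review bot: the removal of `GNU_CONFIGURE_MANPREFIX=       ${PREFIX}/share` is not explained in the commit message, which lists only the CVE fixes and oauth2 changes; if the 2.3.21.1 configure script now installs man pages under ${PREFIX}/share on its own, say so, and since the diffstat shows pkg-plist untouched, a `make check-plist` run before the MFH to 2024Q3 would confirm the installed man page paths still match.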
>> >> diff --git a/mail/dovecot/distinfo b/mail/dovecot/distinfo
>> >> index e9e4c683e46c..97f77b78a427 100644
>> >> --- a/mail/dovecot/distinfo
>> >> +++ b/mail/dovecot/distinfo
>> >> @@ -1,3 +1,3 @@
>> >> -TIMESTAMP = 1695133264
>> >> -SHA256 (dovecot-2.3.21.tar.gz) = 05b11093a71c237c2ef309ad587510721cc93bbee6828251549fc1586c36502d
>> >> -SIZE (dovecot-2.3.21.tar.gz) = 7837242
>> >> +TIMESTAMP = 1723829732
>> >> +SHA256 (dovecot-2.3.21.1.tar.gz) = 2d90a178c4297611088bf7daae5492a3bc3d5ab6328c3a032eb425d2c249097e
>> >> +SIZE (dovecot-2.3.21.1.tar.gz) = 7842044
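Review bot: the new SHA256 and SIZE lines for dovecot-2.3.21.1.tar.gz are the only integrity anchor for what `make fetch` accepts, and `make makesum` records whatever MASTER_SITES served; since the commit message already links the dovecot-news announcement, it should state that the checksum was compared against the hash or signature upstream published there rather than only regenerated, so the security update does not inherit a tarball swapped on the mirror.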
>>
>>
>> --
>> Best regards,
>> Vladimir Druzenko
>>
>>
> --
> Best regards,
> Vladimir Druzenko
>
>



