Subject: Re: Dovecot
From: "@lbutlr"
Date: Fri, 2 Jul 2021 01:33:46 -0600
To: Kevin Oberman
Cc: The Doctor, "ports@FreeBSD.org"
Message-Id: <8FF5363D-039B-4BAA-97B4-A31AF379084E@kreme.com>
References: <7C77BA02-A26E-42CA-869E-804BD6C63B07@kreme.com>
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

> On 02 Jul 2021, at 00:03, Kevin Oberman wrote:
> 
> On Thu, Jul 1, 2021 at 4:00 PM @lbutlr wrote:
> 
>> On 01 Jul 2021, at 16:45, The Doctor wrote:
>>> On Thu, Jul 01, 2021 at 04:21:31PM -0600, @lbutlr wrote:
>>>> The current version of dovecot is 2.3.15. The newest ports version is 2.3.13_1
>>>> 
>>>> dovecot-2.3.13_1 is vulnerable:
>>>> dovecot -- multiple vulnerabilities
>>>> CVE: CVE-2021-33515
>>>> CVE: CVE-2021-29157
>>>> WWW: https://vuxml.FreeBSD.org/freebsd/d18f431d-d360-11eb-a32c-00a0989e4ec1.html
>>>> 
>>>> dovecot-pigeonhole-0.5.13 is vulnerable:
>>>> dovecot-pigeonhole -- Sieve excessive resource usage
>>>> CVE: CVE-2020-28200
>>>> WWW: https://vuxml.FreeBSD.org/freebsd/f3fc2b50-d36a-11eb-a32c-00a0989e4ec1.html
>>>> 
>>>> These CVEs were addressed in 2.3.14.1.
>>>> 
>>>> Any idea what the delay is?
>>> 
>>> Where is the person responsible for the ports?
>> 
>> No idea. Some people have emailed and received no reply.
> 
> % make -C /usr/ports/mail/dovecot maintainer
> ler@FreeBSD.org

Yes, but since I know that others have emailed and not heard, I didn't think it was worth adding more email to the pile since Larry obviously either knows, or is not in a position to do anything right now. Either way, my email will not help.

> Larry is usually quite responsive, but life happens. It is a volunteer job.
> (They all are except the few paid by the FreeBSD Project.)
> 
> If someone could update the port, any ports committer can update the port
> after a 14 day wait. Until that timeout, it's in Larry's ballpark. I
> suspect that some of the FreeBSD patches will need at least a little work.
> I really don't have time to spend right now on a port I don't use and am
> only familiar with its function.

14 days is a long time to be sitting on the CVEs "This may be used to supply attacker controlled keys to validate tokens" and "On-path attacker could inject plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client."

-- 
"Are you pondering what I'm pondering?"
"I think so, Brain, but me and Pippi Longstocking -- I mean, what would the children look like?"
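The second CVE description quoted above names a general defect class: a line-oriented server reads a network chunk containing `STARTTLS` plus further bytes, upgrades to TLS, and then keeps handling the leftover plaintext as though it had arrived over the encrypted channel. The toy model below is an added illustration written for this page; it is not Dovecot's code, it makes no claim about how Dovecot's own fix is implemented, and the `Session` class, `handle_chunk` and `run_scenario` functions and the sample chunk are all constructed here. It places the defective behaviour (leftover kept) next to the usual mitigation (leftover refused and the connection closed), with the TLS handshake modelled as an instantaneous flag flip.

```python
"""Toy model of the 'plaintext buffered before STARTTLS' defect class.
Added illustration for this thread, not Dovecot code.  Assumes a
line-oriented IMAP-style server that reads network data in chunks and
a TLS handshake modelled as an instantaneous flag flip."""

from dataclasses import dataclass, field


@dataclass
class Session:
    tls: bool = False            # True once STARTTLS has completed
    closed: bool = False         # True once the server has hung up
    buffer: bytes = b""          # bytes received but not yet parsed
    executed: list = field(default_factory=list)  # (command, ran_over_tls)


def handle_chunk(session: Session, chunk: bytes, *, flush_on_starttls: bool) -> list:
    """Feed one chunk of received bytes to the session and return the
    responses the server would write.  With flush_on_starttls=False the
    server keeps whatever plaintext arrived in the same chunk as STARTTLS
    and later treats it as if it had come over the encrypted channel (the
    defect).  With flush_on_starttls=True any such leftover is rejected
    and the connection closed (the mitigation)."""
    if session.closed:
        return []
    session.buffer += chunk
    responses = []
    while b"\r\n" in session.buffer and not session.closed:
        line, _, session.buffer = session.buffer.partition(b"\r\n")
        tag, _, command = line.partition(b" ")
        if command.upper() == b"STARTTLS":
            if session.tls:
                responses.append(tag + b" BAD TLS already active")
                continue
            responses.append(tag + b" OK Begin TLS negotiation now")
            session.tls = True  # the real handshake would run here
            if flush_on_starttls and session.buffer:
                # Bytes that followed STARTTLS in plaintext were never
                # protected by the handshake: refuse them and hang up.
                responses.append(b"* BYE plaintext data received after STARTTLS")
                session.buffer = b""
                session.closed = True
            continue
        session.executed.append((command, session.tls))
        responses.append(tag + b" OK " + command + b" completed")
    return responses


# Constructed sample input: STARTTLS and a second command in the same
# chunk, i.e. before any handshake could have taken place.  NOOP stands
# in for whatever command an on-path party might have appended.
SAMPLE_CHUNK = b"a1 STARTTLS\r\na2 NOOP\r\n"


def run_scenario(flush_on_starttls: bool) -> Session:
    """Run SAMPLE_CHUNK through a fresh session and return its final state."""
    session = Session()
    handle_chunk(session, SAMPLE_CHUNK, flush_on_starttls=flush_on_starttls)
    return session


if __name__ == "__main__":
    vulnerable = run_scenario(flush_on_starttls=False)
    fixed = run_scenario(flush_on_starttls=True)
    print("leftover kept:   executed", vulnerable.executed, "closed", vulnerable.closed)
    print("leftover refused: executed", fixed.executed, "closed", fixed.closed)
```

Running it shows the difference the flush makes: without it the `NOOP` that arrived in cleartext is recorded as having run over TLS, with it nothing after `STARTTLS` runs and the session is closed. A well-behaved client that waits for the handshake before sending its next command is unaffected, since its second command arrives in a later chunk with an empty buffer.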