---
- branch: MAIN
  date: Thu Mar 1 11:13:14 UTC 2018
  files:
  - new: '1.18'
    old: '1.17'
    path: pkgsrc/mail/dovecot2/Makefile.common
    pathrev: pkgsrc/mail/dovecot2/Makefile.common@1.18
    type: modified
  - new: '1.59'
    old: '1.58'
    path: pkgsrc/mail/dovecot2/PLIST
    pathrev: pkgsrc/mail/dovecot2/PLIST@1.59
    type: modified
  - new: '1.82'
    old: '1.81'
    path: pkgsrc/mail/dovecot2/distinfo
    pathrev: pkgsrc/mail/dovecot2/distinfo@1.82
    type: modified
  id: 20180301T111314Z.d69f5b0bb02e9328de03ccc94af7589eec5304a5
  log: |
    mail/dovecot2: update to 2.3.0.1

    Small patch release to fix the worst bugs in v2.3.0. v2.3.1 is coming in
    about a month with a lot more changes.

    * CVE-2017-15130: TLS SNI config lookups may lead to excessive
      memory usage, causing imap-login/pop3-login VSZ limit to be reached
      and the process restarted. This happens only if Dovecot config has
      local_name { } or local { } configuration blocks and attacker uses
      randomly generated SNI servernames.
    * CVE-2017-14461: Parsing invalid email addresses may cause a crash or
      leak memory contents to attacker. For example, these memory contents
      might contain parts of an email from another user if the same imap
      process is reused for multiple users. First discovered by Aleksandar
      Nikolic of Cisco Talos. Independently also discovered by "flxflndy"
      via HackerOne.
    * CVE-2017-15132: Aborted SASL authentication leaks memory in login
      process.
    * Linux: Core dumping is no longer enabled by default via
      PR_SET_DUMPABLE, because this may allow attackers to bypass
      chroot/group restrictions. Found by cPanel Security Team. Nowadays
      core dumps can be safely enabled by using
      "sysctl -w fs.suid_dumpable=2". If the old behaviour is wanted, it
      can still be enabled by setting:
      import_environment=$import_environment PR_SET_DUMPABLE=1

    - imap-login with SSL/TLS connections may end up in infinite loop
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/mail/dovecot2'
  unixtime: '1519902794'
  user: taca