Date: Thu, 1 Mar 2018 11:13:14 +0000
From: "Takahiro Kambe"
Subject: CVS commit: pkgsrc/mail/dovecot2
To: pkgsrc-changes@NetBSD.org
Reply-To: taca@netbsd.org
Message-Id: <20180301111314.C89EBFB40@cvs.NetBSD.org>

Module Name: pkgsrc
Committed By: taca
Date: Thu Mar 1 11:13:14 UTC 2018

Modified Files:
  pkgsrc/mail/dovecot2: Makefile.common PLIST distinfo

Log Message:
mail/dovecot2: update to 2.3.0.1

Small patch release to fix the worst bugs in v2.3.0. v2.3.1 is coming in about a month with a lot more changes.

* CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage, causing imap-login/pop3-login VSZ limit to be reached and the process restarted. This happens only if Dovecot config has local_name { } or local { } configuration blocks and attacker uses randomly generated SNI servernames.
* CVE-2017-14461: Parsing invalid email addresses may cause a crash or leak memory contents to attacker. For example, these memory contents might contain parts of an email from another user if the same imap process is reused for multiple users. First discovered by Aleksandar Nikolic of Cisco Talos. Independently also discovered by "flxflndy" via HackerOne.
* CVE-2017-15132: Aborted SASL authentication leaks memory in login process.
* Linux: Core dumping is no longer enabled by default via PR_SET_DUMPABLE, because this may allow attackers to bypass chroot/group restrictions. Found by cPanel Security Team. Nowadays core dumps can be safely enabled by using "sysctl -w fs.suid_dumpable=2".
  If the old behaviour is wanted, it can still be enabled by setting:
  import_environment=$import_environment PR_SET_DUMPABLE=1
- imap-login with SSL/TLS connections may end up in infinite loop

To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 pkgsrc/mail/dovecot2/Makefile.common
cvs rdiff -u -r1.58 -r1.59 pkgsrc/mail/dovecot2/PLIST
cvs rdiff -u -r1.81 -r1.82 pkgsrc/mail/dovecot2/distinfo

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.

Modified files:

Index: pkgsrc/mail/dovecot2/Makefile.common diff -u pkgsrc/mail/dovecot2/Makefile.common:1.17 pkgsrc/mail/dovecot2/Makefile.common:1.18 --- pkgsrc/mail/dovecot2/Makefile.common:1.17 Wed Jan 24 15:16:49 2018 +++ pkgsrc/mail/dovecot2/Makefile.common Thu Mar 1 11:13:14 2018 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile.common,v 1.17 2018/01/24 15:16:49 jperkin Exp $ +# $NetBSD: Makefile.common,v 1.18 2018/03/01 11:13:14 taca Exp $ # # when updating to a new release, update ABI depends in # the buildlink3.mk file as well, since the plugins' version @@ -7,9 +7,9 @@ # used by mail/dovecot2/Makefile # used by mail/dovecot2/Makefile.plugin -DISTNAME= dovecot-2.3.0 +DISTNAME= dovecot-2.3.0.1 CATEGORIES= mail -MASTER_SITES= https://www.dovecot.org/releases/${PKGVERSION_NOREV:R}/ +MASTER_SITES= https://www.dovecot.org/releases/${PKGVERSION_NOREV:R:R}/ MAINTAINER= adam@NetBSD.org HOMEPAGE= http://www.dovecot.org/
@@ -18,7 +18,6 @@ LICENSE= mit AND gnu-lgpl-v2.1 AND modif DISTINFO_FILE= ${.CURDIR}/../../mail/dovecot2/distinfo PATCHDIR= ${.CURDIR}/../../mail/dovecot2/patches -WRKSRC= ${WRKDIR}/${DISTNAME:S/dovecot/dovecot-ce/} USE_LIBTOOL= yes USE_TOOLS+= gmake pkg-config rpcgen Index: pkgsrc/mail/dovecot2/PLIST diff -u pkgsrc/mail/dovecot2/PLIST:1.58 pkgsrc/mail/dovecot2/PLIST:1.59 --- pkgsrc/mail/dovecot2/PLIST:1.58 Tue Jan 2 15:52:44 2018 +++ pkgsrc/mail/dovecot2/PLIST Thu Mar 1 11:13:14 2018 @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.58 2018/01/02 15:52:44 fhajny Exp $ +@comment $NetBSD: PLIST,v 1.59 2018/03/01 11:13:14 taca Exp $ bin/doveadm bin/doveconf bin/dsync @@ -765,6 +765,7 @@ share/doc/dovecot/wiki/Design.Dcrypt.txt share/doc/dovecot/wiki/Design.DoveadmProtocol.HTTP.txt share/doc/dovecot/wiki/Design.DoveadmProtocol.txt share/doc/dovecot/wiki/Design.Dsync.txt +share/doc/dovecot/wiki/Design.Events.txt share/doc/dovecot/wiki/Design.Indexes.Cache.txt share/doc/dovecot/wiki/Design.Indexes.MailIndexApi.txt share/doc/dovecot/wiki/Design.Indexes.MainIndex.txt @@ -904,6 +905,7 @@ share/doc/dovecot/wiki/Pigeonhole.Sieve. share/doc/dovecot/wiki/Pigeonhole.txt share/doc/dovecot/wiki/Plugins.Apparmor.txt share/doc/dovecot/wiki/Plugins.Autocreate.txt +share/doc/dovecot/wiki/Plugins.CharsetAlias.txt share/doc/dovecot/wiki/Plugins.Compress.txt share/doc/dovecot/wiki/Plugins.Expire.txt share/doc/dovecot/wiki/Plugins.FTS.Lucene.txt Index: pkgsrc/mail/dovecot2/distinfo diff -u pkgsrc/mail/dovecot2/distinfo:1.81 pkgsrc/mail/dovecot2/distinfo:1.82 --- pkgsrc/mail/dovecot2/distinfo:1.81 Thu Jan 4 00:22:02 2018 +++ pkgsrc/mail/dovecot2/distinfo Thu Mar 1 11:13:14 2018 
@@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.81 2018/01/04 00:22:02 maya Exp $ +$NetBSD: distinfo,v 1.82 2018/03/01 11:13:14 taca Exp $ -SHA1 (dovecot-2.3.0.tar.gz) = e5772a317f2df99329cd9c1289adfbc552fa6b84 -RMD160 (dovecot-2.3.0.tar.gz) = f78c06acc7e729fd1d80d7128df8a44a67bdf391 -SHA512 (dovecot-2.3.0.tar.gz) = 8d8591e371ba2ebf8d3c1561af49b970d8351c4acdde8a97ff0ab403bf4cad6e4d96e9556c9be747a85085552449cab4c52bb41bda36e1a822594ec87661ce7f -Size (dovecot-2.3.0.tar.gz) = 6635541 bytes +SHA1 (dovecot-2.3.0.1.tar.gz) = 911440fa278c7204b1257f4d861e7de123bf5305 +RMD160 (dovecot-2.3.0.1.tar.gz) = 6745d03a4b8d860476e2e7aacf91dd757b906037 +SHA512 (dovecot-2.3.0.1.tar.gz) = 2b30c46c1660f425f6303a15cf638388439fd7a8065c91d28caf41d9a6403a4fccb530df3f69037a634bc3b0b9e498037da6b0b93c176f5e3b5808907d3f759d +Size (dovecot-2.3.0.1.tar.gz) = 6499984 bytes SHA1 (patch-aa) = ea185011f0c1ee3aa1ff528e61f6f356fe385666 SHA1 (patch-ab) = 9db15fd853ba47ef4bf04f2adc9ab24f71ee4d1e SHA1 (patch-ae) = c795585df9f415ceabb28eec1ff691ee26168d3b --_----------=_1519902794136370--
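Review bot: In the first Makefile.common hunk (@@ -1,4 +1,4 @@), the context comment says to update the ABI depends in buildlink3.mk when moving to a new release, yet the Modified Files list for this commit is only Makefile.common, PLIST and distinfo. If the plugin ABI is unchanged between 2.3.0 and 2.3.0.1, say so in the log message; otherwise buildlink3.mk needs the matching bump so that plugin packages are rebuilt against the fixed release.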
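Review bot: In the Makefile.common hunk at @@ -7,9 +7,9 @@, `${PKGVERSION_NOREV:R:R}` gives the right MASTER_SITES directory only for a four-component version. Each `:R` strips one dot suffix, so 2.3.0.1 yields 2.3, but the v2.3.1 release that the log message announces would yield 2 rather than 2.3 and the fetch would fail. Add a comment beside MASTER_SITES saying the second `:R` has to be dropped at the next three-component update.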
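Review bot: The Makefile.common hunk at @@ -18,7 +18,6 @@ removes the WRKSRC override that substituted dovecot-ce for dovecot in DISTNAME, and the log message does not mention it. If the reason is that the 2.3.0.1 tarball no longer unpacks into a dovecot-ce directory, state that in the log; since the header comment in the previous hunk says this file is also used by Makefile.plugin, confirm the plugin builds did not depend on the override.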
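Review bot: In the distinfo hunk, the replaced SHA1, RMD160 and SHA512 lines are what every later build trusts for dovecot-2.3.0.1.tar.gz, and the log message does not say the tarball was checked against a signature or checksum published by upstream before the digests were recorded. For an update carrying three CVE fixes, note that verification in the log. The recorded Size also drops from 6635541 to 6499984 bytes, so a quick look at the tarball contents to confirm the reduction is expected would be worthwhile.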