Date: Mon, 24 Aug 2020 19:03:13 +0000
From: "Benny Siegert"
Subject: CVS commit: [pkgsrc-2020Q2] pkgsrc/mail
To: pkgsrc-changes@NetBSD.org
Reply-To: bsiegert@netbsd.org
Message-Id: <20200824190313.59DC3FB28@cvs.NetBSD.org>

Module Name: pkgsrc
Committed By: bsiegert
Date: Mon Aug 24 19:03:13 UTC 2020

Modified Files:
    pkgsrc/mail/dovecot2 [pkgsrc-2020Q2]: Makefile.common PLIST buildlink3.mk distinfo
    pkgsrc/mail/dovecot2-sqlite [pkgsrc-2020Q2]: Makefile

Log Message:
Pullup ticket #6303 - requested by taca
mail/dovecot2: security fix

Revisions pulled up:
- mail/dovecot2-sqlite/Makefile 1.23
- mail/dovecot2/Makefile.common 1.41
- mail/dovecot2/PLIST 1.70
- mail/dovecot2/buildlink3.mk 1.34
- mail/dovecot2/distinfo 1.105

---
Module Name: pkgsrc
Committed By: taca
Date: Wed Aug 12 15:54:38 UTC 2020

Modified Files:
    pkgsrc/mail/dovecot2: Makefile.common PLIST buildlink3.mk distinfo
    pkgsrc/mail/dovecot2-sqlite: Makefile

Log Message:
mail/dovecot2: update to 2.3.11.3

Update dovecot2 and related packages to 2.3.11.3.

v2.3.11.3 2020-07-29 Aki Tuomi

- pop3-login: Login didn't handle commands in multiple IP packets properly. This mainly affected large XCLIENT commands or a large SASL initial response parameter in the AUTH command.
- pop3: pop3_deleted_flag setting was broken, causing:
  Panic: file seq-range-array.c: line 472 (seq_range_array_invert): assertion failed: (range[count-1].seq2 <= max_seq)

v2.3.11.2 2020-07-13 Aki Tuomi

- auth: Lua passdb/userdb leaks stack elements per call, eventually causing the stack to become too deep and crashing the auth or auth-worker process.
- lib-mail: v2.3.11 regression: MIME parts not returned correctly by Dovecot MIME parser.
- pop3-login: Login would fail with "Input buffer full" if the initial response for SASL was too long.

v2.3.11 2020-06-17 Aki Tuomi

* CVE-2020-12100: Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory.
* CVE-2020-12673: Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash.
* CVE-2020-12674: Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on.
* Events: Fix inconsistency in events. See event documentation in https://doc.dovecot.org.
* imap_command_finished event's cmd_name field now contains "unknown" for unknown commands. A new "cmd_input_name" field contains the command name exactly as it was sent.
* lib-index: Renamed mail_cache_compress_* settings to mail_cache_purge_*. Note that these settings are mainly intended for testing and usually shouldn't be changed.
* events: Renamed "index" event category to "mail-index".
* events: service: category is now using the name from configuration file.
* dns-client: service dns_client was renamed to dns-client.
* log: Prefixes generally use the service name from configuration file. For example dict-async service will now use "dict-async(pid): " log prefix instead of "dict(pid): "
* *-login: Changed logging done by proxying to use a consistent prefix containing the IP address and port.
* *-login: Changed disconnection log messages to be slightly clearer.
+ dict: Add events for dictionaries.
+ lib-index: Finish logging with events.
+ oauth2: Support local validation of JWT tokens.
+ stats: Add support for dynamic histograms and grouping. See https://doc.dovecot.org/configuration_manual/stats/.
+ imap: Implement RFC 8514: IMAP SAVEDATE
+ lib-index: If a long-running transaction (e.g.
  SORT/FETCH on a huge folder) adds a lot of data to dovecot.index.cache file, commit those changes periodically to make them visible to other concurrent sessions as well.
+ stats: Add OpenMetrics exporter for statistics. See https://doc.dovecot.org/configuration_manual/stats/openmetrics/.
+ stats: Support disabling stats-writer socket by setting stats_writer_socket_path="".
- auth-worker: Process keeps slowly increasing its memory usage and eventually dies with "out of memory" due to reaching vsz_limit.
- auth: Prevent potential timing attacks in authentication secret comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, crypt() result.
- auth: Several auth-mechanisms allowed input to be truncated by NUL which can potentially lead to unintentional issues or even successful logins which should have failed.
- auth: When auth policy returned a delay, auth_request_finished event had policy_result=ok field instead of policy_result=delayed.
- auth: auth process crash when auth_policy_server_url is set to an invalid URL.
- dict-ldap: Crash occurs if var_expand template expansion fails.
- dict: If dict client disconnected while iteration was still running, dict process could have started using 100% CPU, although it was still handling clients.
- doveadm: Running doveadm commands via proxying may hang, especially when doveadm is printing a lot of output.
- imap: "MOVE * destfolder" goes to a loop copying the last mail to the destination until the imap process dies due to running out of memory.
- imap: Running "UID MOVE 1:* Trash" on an empty folder goes to infinite loop.
- imap: SEARCH doesn't support $.
- lib-compress: Buffer over-read in zlib stream read.
- lib-dns: If DNS lookup times out, lib-dns can cause crash in calling process.
- lib-index: Fixed several bugs in dovecot.index.cache handling that could have caused cached data to be lost.
- lib-index: Writing to >=1 GB dovecot.index.cache files may cause assert-crashes:
  Panic: file mail-index-util.c: line 37 (mail_index_uint32_to_offset): assertion failed: (offset < 0x40000000)
- lib-ssl-iostream: Fix buggy OpenSSL error handling without assert-crashing. If there is no error available, log it as an error instead of crashing:
  Panic: file iostream-openssl.c: line 599 (openssl_iostream_handle_error): assertion failed: (errno != 0)
- lib-ssl-iostream: ssl_key_password setting did not work.
- submission: A segfault crash may occur when the client or server disconnects while a non-transaction command like NOOP or VRFY is still being processed.
- virtual: Copying/moving mails with IMAP into a virtual folder assert-crashes:
  Panic: file cmd-copy.c: line 152 (fetch_and_copy): assertion failed: (copy_ctx->copy_count == seq_range_count(&copy_ctx->saved_uids))

To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.40.2.1 pkgsrc/mail/dovecot2/Makefile.common
cvs rdiff -u -r1.69 -r1.69.4.1 pkgsrc/mail/dovecot2/PLIST
cvs rdiff -u -r1.33 -r1.33.4.1 pkgsrc/mail/dovecot2/buildlink3.mk
cvs rdiff -u -r1.104 -r1.104.2.1 pkgsrc/mail/dovecot2/distinfo
cvs rdiff -u -r1.22 -r1.22.2.1 pkgsrc/mail/dovecot2-sqlite/Makefile

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.

Modified files:

Index: pkgsrc/mail/dovecot2/Makefile.common diff -u pkgsrc/mail/dovecot2/Makefile.common:1.40 pkgsrc/mail/dovecot2/Makefile.common:1.40.2.1 --- pkgsrc/mail/dovecot2/Makefile.common:1.40 Mon May 18 14:20:46 2020 +++ pkgsrc/mail/dovecot2/Makefile.common Mon Aug 24 19:03:13 2020 
@@ -1,4 +1,4 @@ -# $NetBSD: Makefile.common,v 1.40 2020/05/18 14:20:46 taca Exp $ +# $NetBSD: Makefile.common,v 1.40.2.1 2020/08/24 19:03:13 bsiegert Exp $ # # when updating to a new release, update ABI depends in # the buildlink3.mk file as well, since the plugins' version @@ -11,7 +11,7 @@ # used by mail/dovecot2-pgsql/Makefile # used by mail/dovecot2-sqlite/Makefile -DISTNAME= dovecot-2.3.10.1 +DISTNAME= dovecot-2.3.11.3 CATEGORIES= mail MASTER_SITES= https://dovecot.org/releases/${PKGVERSION_NOREV:R:R}/ Index: pkgsrc/mail/dovecot2/PLIST diff -u pkgsrc/mail/dovecot2/PLIST:1.69 pkgsrc/mail/dovecot2/PLIST:1.69.4.1 --- pkgsrc/mail/dovecot2/PLIST:1.69 Sun Mar 15 22:52:04 2020 +++ pkgsrc/mail/dovecot2/PLIST Mon Aug 24 19:03:13 2020 @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.69 2020/03/15 22:52:04 adam Exp $ +@comment $NetBSD: PLIST,v 1.69.4.1 2020/08/24 19:03:13 bsiegert Exp $ bin/doveadm bin/doveconf bin/dovecot-sysreport @@ -27,6 +27,7 @@ include/dovecot/auth-master-connection.h include/dovecot/auth-master.h include/dovecot/auth-penalty.h include/dovecot/auth-policy.h +include/dovecot/auth-request-handler-private.h include/dovecot/auth-request-handler.h include/dovecot/auth-request-stats.h include/dovecot/auth-request-var-expand.h @@ -403,6 +404,7 @@ include/dovecot/mdbox-settings.h include/dovecot/mdbox-storage-rebuild.h include/dovecot/mdbox-storage.h include/dovecot/mdbox-sync.h +include/dovecot/mech-digest-md5-private.h include/dovecot/mech-otp-skey-common.h include/dovecot/mech-plain-common.h include/dovecot/mech-scram.h 
@@ -449,6 +451,7 @@ include/dovecot/ostream-null.h include/dovecot/ostream-private.h include/dovecot/ostream-rawlog.h include/dovecot/ostream-unix.h +include/dovecot/ostream-wrapper.h include/dovecot/ostream-zlib.h include/dovecot/ostream.h include/dovecot/passdb-blocking.h Index: pkgsrc/mail/dovecot2/buildlink3.mk diff -u pkgsrc/mail/dovecot2/buildlink3.mk:1.33 pkgsrc/mail/dovecot2/buildlink3.mk:1.33.4.1 --- pkgsrc/mail/dovecot2/buildlink3.mk:1.33 Sat Jan 18 21:48:14 2020 +++ pkgsrc/mail/dovecot2/buildlink3.mk Mon Aug 24 19:03:13 2020 @@ -1,4 +1,4 @@ -# $NetBSD: buildlink3.mk,v 1.33 2020/01/18 21:48:14 jperkin Exp $ +# $NetBSD: buildlink3.mk,v 1.33.4.1 2020/08/24 19:03:13 bsiegert Exp $ BUILDLINK_TREE+= dovecot @@ -7,7 +7,7 @@ DOVECOT_BUILDLINK3_MK:= BUILDLINK_API_DEPENDS.dovecot+= dovecot>=2.2.0 # must match current package version for plugins to load -BUILDLINK_ABI_DEPENDS.dovecot+= dovecot>=2.3.9.2nb1 +BUILDLINK_ABI_DEPENDS.dovecot+= dovecot>=2.3.11.3 BUILDLINK_PKGSRCDIR.dovecot?= ../../mail/dovecot2 pkgbase:= dovecot Index: pkgsrc/mail/dovecot2/distinfo diff -u pkgsrc/mail/dovecot2/distinfo:1.104 pkgsrc/mail/dovecot2/distinfo:1.104.2.1 --- pkgsrc/mail/dovecot2/distinfo:1.104 Mon May 18 14:20:46 2020 +++ pkgsrc/mail/dovecot2/distinfo Mon Aug 24 19:03:13 2020 
@@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.104 2020/05/18 14:20:46 taca Exp $ +$NetBSD: distinfo,v 1.104.2.1 2020/08/24 19:03:13 bsiegert Exp $ -SHA1 (dovecot-2.3.10.1.tar.gz) = d8afa71f3a7a2c2e406745ff43057ae94ed23871 -RMD160 (dovecot-2.3.10.1.tar.gz) = f68993644d14c4bae321e2525fb6c885724d8ebd -SHA512 (dovecot-2.3.10.1.tar.gz) = 5c07436a3e861993f241caa2c60f035c533c5fceb5c8540c1717d31bedd54b82299f7ea11bfee12c72d4d33985d93a7130c4f56877864a7ad21cf7373a29cc06 -Size (dovecot-2.3.10.1.tar.gz) = 7226958 bytes +SHA1 (dovecot-2.3.11.3.tar.gz) = 4a094ae503ded8ccea97cc06680fbb2e0f9c3171 +RMD160 (dovecot-2.3.11.3.tar.gz) = c44a9686a24127c95bd7c439e0548bd66481ab4e +SHA512 (dovecot-2.3.11.3.tar.gz) = d83e52a7faab918a8e6f6257acc5936b81733c10489affd042c3a043cb842db060286cba9978be378e4958e9ac2e60b55ce289d7f3a88df08e7637e4785e23bb +Size (dovecot-2.3.11.3.tar.gz) = 7353412 bytes SHA1 (patch-aa) = 3af01aa4a8cea1a3fb840b6243a744de77069611 SHA1 (patch-ab) = 9db15fd853ba47ef4bf04f2adc9ab24f71ee4d1e SHA1 (patch-ae) = c795585df9f415ceabb28eec1ff691ee26168d3b Index: pkgsrc/mail/dovecot2-sqlite/Makefile diff -u pkgsrc/mail/dovecot2-sqlite/Makefile:1.22 pkgsrc/mail/dovecot2-sqlite/Makefile:1.22.2.1 --- pkgsrc/mail/dovecot2-sqlite/Makefile:1.22 Tue Jun 2 08:24:14 2020 +++ pkgsrc/mail/dovecot2-sqlite/Makefile Mon Aug 24 19:03:13 2020 @@ -1,6 +1,5 @@ -# $NetBSD: Makefile,v 1.22 2020/06/02 08:24:14 adam Exp $ +# $NetBSD: Makefile,v 1.22.2.1 2020/08/24 19:03:13 bsiegert Exp $ -PKGREVISION= 1 .include "../../mail/dovecot2/Makefile.common" PKGNAME= ${DISTNAME:S/dovecot/dovecot-sqlite/} --_----------=_1598295793235350--
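
Review bot: The DISTNAME change in Makefile.common (dovecot-2.3.10.1 to dovecot-2.3.11.3) brings more than the three CVE fixes onto pkgsrc-2020Q2, yet the pullup log says only "security fix". The quoted release notes list operator-visible changes, including the mail_cache_compress_* to mail_cache_purge_* rename, the dns_client to dns-client service rename and new log prefixes. I would name those in the pullup message so stable-branch users know to review their configuration and any log matching after upgrading.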
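
Review bot: All three PLIST hunks only add headers (auth-request-handler-private.h, mech-digest-md5-private.h, ostream-wrapper.h) and none removes or renames an entry, which deserves a check across two minor releases whose notes mention a new OpenMetrics exporter and renamed services. Please confirm the list was regenerated from a staged install of 2.3.11.3 (for example with make print-PLIST) rather than edited by hand, and say so in the log.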
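
Review bot: In buildlink3.mk, raising BUILDLINK_ABI_DEPENDS.dovecot to >=2.3.11.3 follows the "must match current package version for plugins to load" comment, but it also means every package that includes this file has to be rebuilt against the new version on the branch. Nothing in this pullup shows those dependents being revisited; I would either list them in the ticket or state that a rebuild is required. Note also that the old value was >=2.3.9.2nb1 while DISTNAME was 2.3.10.1, so this line had already drifted from the package version once.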
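
Review bot: The distinfo hunk replaces the SHA1, RMD160, SHA512 and Size entries for the tarball, but the commit does not record that dovecot-2.3.11.3.tar.gz was checked against upstream's release signature before these digests were generated; distinfo only pins whatever the committer downloaded. For a security pullup I would note that verification in the log. The SHA1 lines for patch-aa, patch-ab and patch-ae are unchanged context, so also confirm those local patches still apply cleanly to 2.3.11.3.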
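
Review bot: Removing "PKGREVISION= 1" from dovecot2-sqlite/Makefile is the right reset for a version bump, but the Makefile.common context lines say it is also "used by mail/dovecot2-pgsql/Makefile", and that file is not touched here. Please check that no sibling package including Makefile.common still carries a PKGREVISION left over from 2.3.10.1, since it would produce a misleading package name for the first build of 2.3.11.3.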