
From: Kirill A. Korinsky <kirill@korins.ky>
Subject: [security update] mail/dovecot: update to v2.3.21.1
To: OpenBSD ports <ports@openbsd.org>
Cc: Brad Smith <brad@comstyle.com>
Date: Thu, 15 Aug 2024 16:40:37 +0200

Brad, ports@,

Here is a clean security update for mail/dovecot.

Changelog:

- CVE-2024-23184: A large number of address headers in email resulted
  in excessive CPU usage.
- CVE-2024-23185: Abnormally large email headers are now truncated or
  discarded, with a limit of 10MB on a single header and 50MB for all
  the headers of all the parts of an email.
- oauth2: Dovecot would send client_id and client_secret as POST parameters
  to the introspection server. These need to be sent optionally in Basic auth
  instead, as required by the OIDC specification.
- oauth2: JWT key type check was too strict.
- oauth2: JWT token audience was not validated against client_id as
  required by the OIDC specification.
- oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out a
  protocol-specific error message on all errors. This broke OIDC discovery.
- oauth2: JWT aud validation was not performed if aud was missing
  from token, but was configured on Dovecot.

Announcement:
https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/message/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/

I suggest backporting it to 7.5 as well.

Tested on -current/amd64

The diff:

diff --git mail/dovecot/Makefile mail/dovecot/Makefile
index e85558e7ad5..881b9931e9e 100644
--- mail/dovecot/Makefile
+++ mail/dovecot/Makefile
@@ -9,7 +9,7 @@ COMMENT-postgresql= PostgreSQL authentication / dictionary support for Dovecot
 # (dovecot-fts-xapian, dovecot-fts-flatcurve, dovecot-pigeonhole if
 # not updated anyway)
 V_MAJOR=	2.3
-V_DOVECOT=	2.3.21
+V_DOVECOT=	2.3.21.1
 EPOCH=		0
 
 DISTNAME=	dovecot-${V_DOVECOT}
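Review bot: the bump of V_DOVECOT from 2.3.21 to 2.3.21.1 correctly leaves EPOCH at 0, since 2.3.21.1 sorts after 2.3.21 in package version comparison; if the Makefile carries a REVISION from an earlier fix (not visible in this hunk), it should be dropped in the same commit, and the partially visible comment above naming dovecot-fts-xapian, dovecot-fts-flatcurve and dovecot-pigeonhole is a reminder to confirm whether those dependent ports need a REVISION bump against the new release.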
diff --git mail/dovecot/distinfo mail/dovecot/distinfo
index 611fc0e4a6e..4c4b8a76768 100644
--- mail/dovecot/distinfo
+++ mail/dovecot/distinfo
@@ -1,2 +1,2 @@
-SHA256 (dovecot-2.3.21.tar.gz) = BbEQk6ccI3wu8wmtWHUQchzJO77mgoJRVJ/BWGw2UC0=
-SIZE (dovecot-2.3.21.tar.gz) = 7837242
+SHA256 (dovecot-2.3.21.1.tar.gz) = LZCheMQpdhEIi/farlSSo7w9WrYyjDoDLrQl0sJJCX4=
+SIZE (dovecot-2.3.21.1.tar.gz) = 7842044
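Review bot: the new SHA256 and SIZE for dovecot-2.3.21.1.tar.gz should be checked against upstream's published checksum or release signature rather than only regenerated with make makesum, since makesum records whatever tarball was fetched; the 4802-byte growth over 2.3.21 (7837242 to 7842044) is consistent with a small point release.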


-- 
wbr, Kirill
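The two oauth2 `aud` items in the changelog above (audience not checked against client_id, and the check skipped when `aud` was absent) describe a claim-validation logic error; the following is an added illustration of the lenient versus strict check, not Dovecot's own code, with constructed token payloads and hypothetical function names.

```python
"""Audience ('aud') validation for an already signature-verified JWT
payload, modelled on the two oauth2 'aud' fixes listed in the Dovecot
2.3.21.1 changelog. Added example, not Dovecot code; the function names
and the sample payloads below are constructed for illustration."""

# Constructed sample payloads (decoded JWT bodies, signatures assumed valid).
TOKEN_OK = {"iss": "https://idp.example", "sub": "alice", "aud": "imap-client"}
TOKEN_LIST = {"iss": "https://idp.example", "sub": "bob", "aud": ["web", "imap-client"]}
TOKEN_OTHER = {"iss": "https://idp.example", "sub": "eve", "aud": "some-other-app"}
TOKEN_NO_AUD = {"iss": "https://idp.example", "sub": "mallory"}


def _aud_contains(aud, client_id):
    """RFC 7519 4.1.3 allows 'aud' to be one string or an array of strings;
    anything else is malformed and must not pass."""
    if isinstance(aud, str):
        return aud == client_id
    if isinstance(aud, list):
        return all(isinstance(a, str) for a in aud) and client_id in aud
    return False


def aud_valid_lenient(payload, client_id):
    """Pre-fix behaviour described in the changelog: when the token carries
    no 'aud' claim the check is skipped, so a token minted for no audience
    in particular is accepted as if it were minted for this client."""
    if "aud" not in payload:
        return True
    return _aud_contains(payload["aud"], client_id)


def aud_valid_strict(payload, client_id):
    """OIDC-style check: if an audience (our client_id) is configured, the
    token MUST carry 'aud' and it MUST contain that client_id. A missing
    claim is a rejection, not a reason to skip the check."""
    if client_id is None:
        return True          # no audience configured: nothing to enforce
    aud = payload.get("aud")
    if aud is None:
        return False         # configured but absent: reject
    return _aud_contains(aud, client_id)
```

In a real relying party this check runs after signature, `iss` and `exp` validation; with multiple audiences OIDC additionally expects an `azp` claim, which this example does not cover.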