[security update] mail/dovecot: update to v2.3.21.1
Pigeonhole needs updating too, and the various other ports providing
plugins for dovecot need revision bumps. I have diffs for all.
--
Sent from a phone, apologies for poor formatting.
On 15 August 2024 16:41:04 Kirill A. Korinsky <kirill@korins.ky> wrote:
> Brad, ports@,
>
> Here is a clean security update for mail/dovecot.
>
> Changelog:
>
> - CVE-2024-23184: A large number of address headers in email resulted
> in excessive CPU usage.
> - CVE-2024-23185: Abnormally large email headers are now truncated or
> discarded, with a limit of 10MB on a single header and 50MB for all
> the headers of all the parts of an email.
> - oauth2: Dovecot would send client_id and client_secret as POST parameters
> to introspection server. These need to be optionally in Basic auth
> instead as required by OIDC specification.
> - oauth2: JWT key type check was too strict.
> - oauth2: JWT token audience was not validated against client_id as
> required by OIDC specification.
> - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
> protocol specific error message on all errors. This broke OIDC discovery.
> - oauth2: JWT aud validation was not performed if aud was missing
> from token, but was configured on Dovecot.
>
> Announcement:
> https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/message/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/
>
> I suggest backporting it to 7.5 as well.
>
> Tested on -current/amd64
>
> The diff:
>
> diff --git mail/dovecot/Makefile mail/dovecot/Makefile
> index e85558e7ad5..881b9931e9e 100644
> --- mail/dovecot/Makefile
> +++ mail/dovecot/Makefile
> @@ -9,7 +9,7 @@ COMMENT-postgresql= PostgreSQL authentication / dictionary
> support for Dovecot
> # (dovecot-fts-xapian, dovecot-fts-flatcurve, dovecot-pigeonhole if
> # not updated anyway)
> V_MAJOR= 2.3
> -V_DOVECOT= 2.3.21
> +V_DOVECOT= 2.3.21.1
> EPOCH= 0
>
> DISTNAME= dovecot-${V_DOVECOT}
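Review bot: the comment sitting directly above V_DOVECOT in this hunk ("dovecot-fts-xapian, dovecot-fts-flatcurve, dovecot-pigeonhole if not updated anyway") says those ports must be bumped whenever dovecot is updated, yet the diff touches only mail/dovecot; the plugin ports need REVISION bumps (or their own updates) in the same commit so their packages are rebuilt against 2.3.21.1, which matches the follow-up in the reply above. Also note that the hunk header's context ("COMMENT-postgresql= PostgreSQL authentication / dictionary" with "support for Dovecot" on a separate line) has been wrapped by the mail client, so apply the diff from the original attachment rather than from the quoted text.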
> diff --git mail/dovecot/distinfo mail/dovecot/distinfo
> index 611fc0e4a6e..4c4b8a76768 100644
> --- mail/dovecot/distinfo
> +++ mail/dovecot/distinfo
> @@ -1,2 +1,2 @@
> -SHA256 (dovecot-2.3.21.tar.gz) = BbEQk6ccI3wu8wmtWHUQchzJO77mgoJRVJ/BWGw2UC0=
> -SIZE (dovecot-2.3.21.tar.gz) = 7837242
> +SHA256 (dovecot-2.3.21.1.tar.gz) =
> LZCheMQpdhEIi/farlSSo7w9WrYyjDoDLrQl0sJJCX4=
> +SIZE (dovecot-2.3.21.1.tar.gz) = 7842044
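Review bot: the new SHA256 entry is wrapped in the quoted mail, with the base64 digest on the line after `SHA256 (dovecot-2.3.21.1.tar.gz) =`; distinfo needs name, `=` and digest on a single line, so whoever commits should re-join them (or apply the original attachment) and then run `make checksum` against a freshly fetched tarball so the digest is confirmed independently instead of being trusted from the pasted text. The SIZE change from 7837242 to 7842044 is the small delta one would expect from a point release and raises no concern.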
>
>
> --
> wbr, Kirill
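The oauth2 items in the changelog above describe one rule that is easy to get wrong: once a client_id is configured on the Dovecot side, a JWT whose `aud` claim is missing must be rejected, and an `aud` that is present must be, or contain, that client_id. The block below is an added illustration of that rule written for this page; it is not Dovecot's code. All function names, the constructed tokens and the `imap-client` identifier are assumptions made for the demo, and the signature segment is left empty and unchecked, so this shows only the claim check that a real validator performs after signature verification.

```python
"""Audience (aud) check for an OAuth2/OIDC JWT, following the rules the
2.3.21.1 changelog describes.  Added illustration, not Dovecot's code.
Tokens built here carry no signature and must never be trusted as-is."""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, as used in JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Constructed demo input: header.payload. with an empty signature segment."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token: str) -> dict:
    """Return the claims set of a compact JWS.  The signature is NOT verified here;
    a real validator checks it before looking at any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("claims set is not a JSON object")
    return claims


def audience_ok(claims: dict, configured_client_id) -> bool:
    """Apply the audience rule from the changelog.

    - No client_id configured: nothing to validate.
    - client_id configured but no "aud" in the token: reject.  This is the case
      the changelog says was previously skipped.
    - "aud" present: accept only if it equals, or contains, the configured
      client_id (OIDC allows either a string or an array of strings).
    """
    if configured_client_id is None:
        return True
    aud = claims.get("aud")
    if aud is None:
        return False
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not all(isinstance(a, str) for a in aud):
        return False
    return configured_client_id in aud


def check_token(token: str, configured_client_id) -> bool:
    """Parse the token and apply the audience rule against the configured client_id."""
    return audience_ok(jwt_claims(token), configured_client_id)


if __name__ == "__main__":
    # Constructed tokens; "imap-client" stands in for the configured client_id.
    good = make_unsigned_token({"sub": "alice", "aud": "imap-client"})
    no_aud = make_unsigned_token({"sub": "alice"})
    print(check_token(good, "imap-client"), check_token(no_aud, "imap-client"))
```

The interesting case is `no_aud` with a client_id configured: a validator that treats a missing claim as "nothing to compare" silently accepts tokens minted for any audience, which is the gap the changelog item describes.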
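CVE-2024-23185 in the changelog gives concrete numbers (10 MB for a single header, 50 MB for all headers across all parts of a message) and CVE-2024-23184 concerns the count of address headers, for which the page gives no threshold. The block below is an added example of how an operator might measure a message against those limits, written for this page; it is not Dovecot's parser and does not reproduce its truncate-or-discard behaviour. The function names, the constructed sample message and the deliberately tiny limits used in the demo run are all assumptions.

```python
"""Header-size accounting for a MIME message against the limits stated in the
Dovecot 2.3.21.1 changelog.  Added illustration, not Dovecot's code.  The
sample message is constructed; the address-header count is reported without a
threshold because the changelog gives none."""
import email
from email.message import Message
from typing import Iterator, Tuple

SINGLE_HEADER_LIMIT = 10 * 1024 * 1024   # 10 MB for one header (changelog)
TOTAL_HEADER_LIMIT = 50 * 1024 * 1024    # 50 MB for all headers of all parts
ADDRESS_HEADERS = {"from", "to", "cc", "bcc", "sender", "reply-to"}


def header_sizes(msg: Message) -> Iterator[Tuple[int, str, int]]:
    """Yield (part_index, header_name, size_in_bytes) for every header of every
    MIME part.  Size counts the name, ': ' and the value as stored, so folded
    continuation lines are included."""
    for idx, part in enumerate(msg.walk()):
        for name, value in part.raw_items():
            raw_value = str(value).encode("utf-8", "surrogateescape")
            yield idx, name, len(name) + 2 + len(raw_value)


def check_header_limits(raw: bytes,
                        single_limit: int = SINGLE_HEADER_LIMIT,
                        total_limit: int = TOTAL_HEADER_LIMIT) -> dict:
    """Parse a raw RFC 5322 message and report which headers exceed the
    per-header limit, the total header volume, and how many address headers
    the message carries."""
    msg = email.message_from_bytes(raw)
    total = 0
    oversized = []
    address_headers = 0
    for idx, name, size in header_sizes(msg):
        total += size
        if size > single_limit:
            oversized.append((idx, name, size))
        if name.lower() in ADDRESS_HEADERS:
            address_headers += 1
    return {
        "total": total,
        "oversized": oversized,
        "address_headers": address_headers,
        "ok": not oversized and total <= total_limit,
    }


# Constructed sample: a two-part multipart/mixed message with one long Subject
# in the top-level headers and one long X-Note header in the second part.
SAMPLE = (
    b"From: alice@example.org\r\n"
    + b"To: bob@example.org\r\n"
    + b"Cc: carol@example.org\r\n"
    + b"Subject: " + b"x" * 120 + b"\r\n"
    + b"Content-Type: multipart/mixed; boundary=\"b\"\r\n"
    + b"\r\n"
    + b"--b\r\n"
    + b"Content-Type: text/plain\r\n"
    + b"\r\n"
    + b"hi\r\n"
    + b"--b\r\n"
    + b"Content-Type: text/plain\r\n"
    + b"X-Note: " + b"y" * 200 + b"\r\n"
    + b"\r\n"
    + b"there\r\n"
    + b"--b--\r\n"
)

if __name__ == "__main__":
    # With the real limits the sample passes; with a 100-byte per-header limit
    # both long headers are reported, one in part 0 and one in part 2.
    print(check_header_limits(SAMPLE))
    print(check_header_limits(SAMPLE, single_limit=100))
```

Running the sample with the real limits passes, as it should; the per-part reporting matters because the 50 MB figure in the changelog is cumulative over every part, so a message can stay under 10 MB per header and still trip the total through many parts each carrying large headers.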