From: Kirill A. Korinsky
Subject: [security update] mail/dovecot: update to v2.3.21.1
To: OpenBSD ports
Cc: Brad Smith
Date: Thu, 15 Aug 2024 16:40:37 +0200

Brad, ports@,

Here is a clean security update for mail/dovecot.

Changelog:

- CVE-2024-23184: A large number of address headers in email resulted in excessive CPU usage.
- CVE-2024-23185: Abnormally large email headers are now truncated or discarded, with a limit of 10MB on a single header and 50MB for all the headers of all the parts of an email.
- oauth2: Dovecot would send client_id and client_secret as POST parameters to introspection server. These need to be optionally in Basic auth instead as required by OIDC specification.
- oauth2: JWT key type check was too strict.
- oauth2: JWT token audience was not validated against client_id as required by OIDC specification.
- oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out protocol specific error message on all errors. This broke OIDC discovery.
- oauth2: JWT aud validation was not performed if aud was missing from token, but was configured on Dovecot.

Announcement: https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/message/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/

I suggest backporting it to 7.5 as well.

Tested on -current/amd64

The diff:

diff --git mail/dovecot/Makefile mail/dovecot/Makefile index e85558e7ad5..881b9931e9e 100644 --- mail/dovecot/Makefile +++ mail/dovecot/Makefile @@ -9,7 +9,7 @@ COMMENT-postgresql= PostgreSQL authentication / dictionary support for Dovecot # (dovecot-fts-xapian, dovecot-fts-flatcurve, dovecot-pigeonhole if # not updated anyway) V_MAJOR= 2.3 -V_DOVECOT= 2.3.21 +V_DOVECOT= 2.3.21.1 EPOCH= 0 DISTNAME= dovecot-${V_DOVECOT} diff --git mail/dovecot/distinfo mail/dovecot/distinfo index 611fc0e4a6e..4c4b8a76768 100644 --- mail/dovecot/distinfo +++ mail/dovecot/distinfo
@@ -1,2 +1,2 @@ -SHA256 (dovecot-2.3.21.tar.gz) = BbEQk6ccI3wu8wmtWHUQchzJO77mgoJRVJ/BWGw2UC0= -SIZE (dovecot-2.3.21.tar.gz) = 7837242 +SHA256 (dovecot-2.3.21.1.tar.gz) = LZCheMQpdhEIi/farlSSo7w9WrYyjDoDLrQl0sJJCX4= +SIZE (dovecot-2.3.21.1.tar.gz) = 7842044 -- wbr, Kirill
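Review bot: the Makefile hunk bumps only V_DOVECOT (2.3.21 to 2.3.21.1) while the comment directly above it names dovecot-fts-xapian, dovecot-fts-flatcurve and dovecot-pigeonhole as ports tied to updates of this one; nothing in the diff touches them, so the submission should state explicitly whether those ports need a rebuild or REVISION bump against 2.3.21.1 or are unaffected by a patch-level release. V_MAJOR and EPOCH staying unchanged looks right for a point release.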
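Review bot: the distinfo hunk replaces both the SHA256 and SIZE of the distfile, and these two values are the only integrity check the port will apply to the new tarball; since the announcement link in the mail is a list-archive page rather than a signed release artifact, the committer should fetch the 2.3.21.1 tarball independently and regenerate distinfo with `make makesum` (or confirm with `make checksum`) rather than taking the hash from the mail as-is, and the `diff --git` header carries no "a/" "b/" prefixes, so apply it with `patch -p0`.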