From: Kirill A. Korinsky
Subject: Re: [security update] mail/dovecot: update to v2.3.21.1
To: OpenBSD ports
Cc: Brad Smith
Date: Thu, 15 Aug 2024 18:00:05 +0200

On Thu, 15 Aug 2024 16:40:37 +0200, Kirill A. Korinsky wrote:
>
> Brad, ports@,
>
> Here is a clean security update for mail/dovecot.
>
> Changelog:
>
> - CVE-2024-23184: A large number of address headers in email resulted
>   in excessive CPU usage.
> - CVE-2024-23185: Abnormally large email headers are now truncated or
>   discarded, with a limit of 10MB on a single header and 50MB for all
>   the headers of all the parts of an email.
> - oauth2: Dovecot would send client_id and client_secret as POST parameters
>   to introspection server. These need to be optionally in Basic auth
>   instead as required by OIDC specification.
> - oauth2: JWT key type check was too strict.
> - oauth2: JWT token audience was not validated against client_id as
>   required by OIDC specification.
> - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
>   protocol specific error message on all errors. This broke OIDC discovery.
> - oauth2: JWT aud validation was not performed if aud was missing
>   from token, but was configured on Dovecot.
>
> Announcement:
> https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/message/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/
>
> I suggest backporting it to 7.5 as well.
>
> Tested on -current/amd64
>
> The diff:
>

Oops, that was the wrong diff, without the minor update to the existing patches. Here is the right one:

diff --git mail/dovecot/Makefile mail/dovecot/Makefile index e85558e7ad5..881b9931e9e 100644 --- mail/dovecot/Makefile +++ mail/dovecot/Makefile @@ -9,7 +9,7 @@ COMMENT-postgresql= PostgreSQL authentication / dictionary support for Dovecot # (dovecot-fts-xapian, dovecot-fts-flatcurve, dovecot-pigeonhole if # not updated anyway) V_MAJOR= 2.3 -V_DOVECOT= 2.3.21 +V_DOVECOT= 2.3.21.1 EPOCH= 0 DISTNAME= dovecot-${V_DOVECOT}
diff --git mail/dovecot/distinfo mail/dovecot/distinfo index 611fc0e4a6e..4c4b8a76768 100644 --- mail/dovecot/distinfo +++ mail/dovecot/distinfo @@ -1,2 +1,2 @@ -SHA256 (dovecot-2.3.21.tar.gz) = BbEQk6ccI3wu8wmtWHUQchzJO77mgoJRVJ/BWGw2UC0= -SIZE (dovecot-2.3.21.tar.gz) = 7837242 +SHA256 (dovecot-2.3.21.1.tar.gz) = LZCheMQpdhEIi/farlSSo7w9WrYyjDoDLrQl0sJJCX4= +SIZE (dovecot-2.3.21.1.tar.gz) = 7842044 diff --git mail/dovecot/patches/patch-src_auth_auth-request_c mail/dovecot/patches/patch-src_auth_auth-request_c index 70de6e4187f..dc238fde381 100644 --- mail/dovecot/patches/patch-src_auth_auth-request_c +++ mail/dovecot/patches/patch-src_auth_auth-request_c @@ -5,7 +5,7 @@ mechanisms/username_filter Index: src/auth/auth-request.c --- src/auth/auth-request.c.orig +++ src/auth/auth-request.c -@@ -553,8 +553,8 @@ auth_request_want_skip_passdb(struct auth_request *req +@@ -560,8 +560,8 @@ auth_request_want_skip_passdb(struct auth_request *req struct auth_passdb *passdb) { /* if mechanism is not supported, skip */ @@ -16,7 +16,7 @@ Index: src/auth/auth-request.c const char *username; username = request->fields.user; -@@ -567,7 +567,7 @@ auth_request_want_skip_passdb(struct auth_request *req +@@ -574,7 +574,7 @@ auth_request_want_skip_passdb(struct auth_request *req return TRUE; } -- wbr, Kirill
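Review bot: the Makefile hunk only bumps V_DOVECOT from 2.3.21 to 2.3.21.1, while the comment directly above it names dovecot-fts-xapian, dovecot-fts-flatcurve and dovecot-pigeonhole as ports tied to the dovecot version ("... if not updated anyway"), and none of them is touched by this diff. State in the update mail whether those ports need a REVISION bump or rebuild against 2.3.21.1 so the committer does not have to work it out; leaving V_MAJOR at 2.3 and EPOCH at 0 is correct for a point release, since the package version still increases through DISTNAME.

Review bot: the distinfo hunk replaces both the SHA256 and SIZE lines, and that base64 SHA256 is the only integrity anchor for what `make fetch` downloads; say in the mail that the digest was compared against upstream's published checksum or release signature rather than only regenerated with `make makesum` from whatever mirror served the tarball (an upstream hex digest has to be base64-encoded before comparing with distinfo). The size change, 7837242 to 7842044 bytes, is consistent with a small point release.

Review bot: in patch-src_auth_auth-request_c only the two `@@` hunk headers move (553 to 560 and 567 to 574, a uniform shift of seven lines) and the `-`/`+` bodies in the auth_request_want_skip_passdb() hunks are unchanged, which is what `make update-patches` produces when upstream inserted lines earlier in auth-request.c. That is fine as long as the patch applied without fuzz; mention in the mail that it was regenerated rather than hand-edited, so a reviewer knows the offsets came from a clean apply. The header's "mechanisms/username_filter" description still documents what the patch is for, so no further comment is needed there.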
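The two header-related fixes in the quoted changelog (CVE-2024-23184, many address headers burning CPU; CVE-2024-23185, a 10 MB cap per header and 50 MB for the whole header section) describe a class of parser limit that is easiest to see in code. The following is an added example written for this page, not Dovecot's implementation or anything from the OpenBSD port: a small RFC 5322 header parser that checks every bound as lines arrive and rejects the message before buffering more. The 10 MB and 50 MB defaults are the announcement's figures; the address-header cap of 1000, the `HeaderLimits` and `parse_headers` names, and the sample messages are assumptions made up for the demonstration.

```python
"""Bounded RFC 5322 header parsing (added example, not Dovecot code).

Every limit is checked as lines are consumed, so a hostile message is
rejected as soon as a bound is crossed rather than after being buffered.
Defaults: 10 MB per header and 50 MB per header section are the figures
from the 2.3.21.1 announcement; the address-header cap is an assumed value.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Header names that carry address lists (RFC 5322 sections 3.6.2 and 3.6.3).
ADDRESS_HEADERS = frozenset({"from", "sender", "reply-to", "to", "cc", "bcc"})


class HeaderLimitExceeded(ValueError):
    """Raised the moment a bound is crossed, before the rest is read."""


@dataclass(frozen=True)
class HeaderLimits:
    max_header_bytes: int = 10 * 1024 * 1024   # one header value, folding included
    max_total_bytes: int = 50 * 1024 * 1024    # whole header section
    max_address_headers: int = 1000            # assumed cap, not from the page


def parse_headers(raw: bytes, limits: HeaderLimits = HeaderLimits()
                  ) -> Tuple[List[Tuple[str, bytes]], int]:
    """Return (headers, body_offset) or raise HeaderLimitExceeded.

    Folded continuation lines (leading SP/HTAB) are joined to the preceding
    header; the section ends at the first empty line.
    """
    headers: List[Tuple[str, bytes]] = []
    total = 0
    address_count = 0
    name: Optional[str] = None
    value = bytearray()

    def flush() -> None:
        # Commit the header being assembled and count it if it is an address header.
        nonlocal address_count
        if name is None:
            return
        headers.append((name, bytes(value)))
        if name.lower() in ADDRESS_HEADERS:
            address_count += 1
            if address_count > limits.max_address_headers:
                raise HeaderLimitExceeded(
                    f"more than {limits.max_address_headers} address headers")

    pos, end = 0, len(raw)
    while pos < end:
        nl = raw.find(b"\n", pos)
        line = raw[pos:] if nl < 0 else raw[pos:nl]
        pos = end if nl < 0 else nl + 1
        line = line.rstrip(b"\r")
        if line == b"":
            break                                   # end of header section
        total += len(line) + 1
        if total > limits.max_total_bytes:
            raise HeaderLimitExceeded(
                f"header section exceeds {limits.max_total_bytes} bytes")
        if line[:1] in (b" ", b"\t"):               # folded continuation line
            if name is None:
                raise ValueError("continuation line before any header")
            value += b"\n" + line
        else:
            flush()
            colon = line.find(b":")
            if colon <= 0:
                raise ValueError("malformed header line")
            name = line[:colon].decode("ascii", "replace").strip()
            value = bytearray(line[colon + 1:].strip())
        if len(value) > limits.max_header_bytes:
            raise HeaderLimitExceeded(
                f"header {name!r} exceeds {limits.max_header_bytes} bytes")
    flush()
    return headers, pos


def accepts(raw: bytes, limits: HeaderLimits = HeaderLimits()) -> bool:
    """True if the header section parses within limits, False if a bound trips."""
    try:
        parse_headers(raw, limits)
        return True
    except HeaderLimitExceeded:
        return False


# Constructed sample inputs for the demonstration (not real mail traffic).
NORMAL = (b"From: a@example.test\r\n"
          b"To: b@example.test,\r\n"
          b"\tc@example.test\r\n"
          b"Subject: hi\r\n"
          b"\r\n"
          b"body\r\n")
HUGE_HEADER = b"X-Pad: " + b"a" * 100 + b"\r\n\r\n"
MANY_HEADERS = b"".join(b"X-%d: y\r\n" % i for i in range(100)) + b"\r\n"
ADDRESS_FLOOD = b"Cc: u@example.test\r\n" * 11 + b"\r\n"

if __name__ == "__main__":
    hdrs, body_at = parse_headers(NORMAL)
    print(hdrs, NORMAL[body_at:])
    print("huge  ", accepts(HUGE_HEADER, HeaderLimits(max_header_bytes=64)))
    print("many  ", accepts(MANY_HEADERS, HeaderLimits(max_total_bytes=200)))
    print("flood ", accepts(ADDRESS_FLOOD, HeaderLimits(max_address_headers=10)))
```

The point of checking after each line rather than after the whole section is that memory and CPU stay bounded by the limit itself; a production parser fed from a socket would go one step further and count bytes per chunk before even completing a line, since `raw.find(b"\n")` on a single enormous unterminated header still scans everything it has been handed.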