From: Stuart Henderson
Subject: Re: [security update] mail/dovecot: update to v2.3.21.1
To: "Kirill A. Korinsky", OpenBSD ports
Cc: Brad Smith
Date: Thu, 15 Aug 2024 18:34:07 +0100

Pigeonhole needs updating too, and the various other ports providing plugins for dovecot need revision bumps. I have diffs for all.

--
Sent from a phone, apologies for poor formatting.

On 15 August 2024 16:41:04 Kirill A. Korinsky wrote:
> Brad, ports@,
>
> Here is a clean security update for mail/dovecot.
>
> Changelog:
>
> - CVE-2024-23184: A large number of address headers in email resulted
>   in excessive CPU usage.
> - CVE-2024-23185: Abnormally large email headers are now truncated or
>   discarded, with a limit of 10MB on a single header and 50MB for all
>   the headers of all the parts of an email.
> - oauth2: Dovecot would send client_id and client_secret as POST parameters
>   to introspection server. These need to be optionally in Basic auth
>   instead as required by OIDC specification.
> - oauth2: JWT key type check was too strict.
> - oauth2: JWT token audience was not validated against client_id as
>   required by OIDC specification.
> - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
>   protocol specific error message on all errors. This broke OIDC discovery.
> - oauth2: JWT aud validation was not performed if aud was missing
>   from token, but was configured on Dovecot.
>
> Announcement:
> https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/message/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/
>
> I suggest backporting it to 7.5 as well.
>
> Tested on -current/amd64
>
> The diff:
>
> diff --git mail/dovecot/Makefile mail/dovecot/Makefile
> index e85558e7ad5..881b9931e9e 100644
> --- mail/dovecot/Makefile
> +++ mail/dovecot/Makefile
> @@ -9,7 +9,7 @@ COMMENT-postgresql= PostgreSQL authentication / dictionary > support for Dovecot > # (dovecot-fts-xapian, dovecot-fts-flatcurve, dovecot-pigeonhole if > # not updated anyway) > V_MAJOR= 2.3 > -V_DOVECOT= 2.3.21 > +V_DOVECOT= 2.3.21.1 > EPOCH= 0 > > DISTNAME= dovecot-${V_DOVECOT} > diff --git mail/dovecot/distinfo mail/dovecot/distinfo > index 611fc0e4a6e..4c4b8a76768 100644 > --- mail/dovecot/distinfo > +++ mail/dovecot/distinfo > @@ -1,2 +1,2 @@ > -SHA256 (dovecot-2.3.21.tar.gz) = BbEQk6ccI3wu8wmtWHUQchzJO77mgoJRVJ/BWGw2UC0= > -SIZE (dovecot-2.3.21.tar.gz) = 7837242 > +SHA256 (dovecot-2.3.21.1.tar.gz) = > LZCheMQpdhEIi/farlSSo7w9WrYyjDoDLrQl0sJJCX4= > +SIZE (dovecot-2.3.21.1.tar.gz) = 7842044 > > > -- > wbr, Kirill
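Review bot: REVISION bumps for the dependent plugin ports are missing from the Makefile hunk's diff. The comment shown in that hunk's own context names them ("dovecot-fts-xapian, dovecot-fts-flatcurve, dovecot-pigeonhole if not updated anyway"), and Stuart's reply confirms they need bumping; the `V_DOVECOT= 2.3.21.1` change should be committed together with those bumps (and the Pigeonhole update) so the plugin packages are rebuilt against the new dovecot rather than left paired with the old one.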
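Review bot: the new checksum line in the distinfo hunk has been wrapped by the mail client (`+SHA256 (dovecot-2.3.21.1.tar.gz) =` on one line, `LZCheMQpdhEIi/farlSSo7w9WrYyjDoDLrQl0sJJCX4=` on the next), so the diff as quoted will not apply with patch(1); resend it unwrapped or as an attachment. Since distinfo is what pins the fetched tarball, it is also worth stating in the commit message that the SHA256 was checked against the upstream release (the announcement linked above); the SIZE change from 7837242 to 7842044 is consistent with a small point release.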
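As an added illustration (not Dovecot's code and not part of this thread), the following Python shows the kind of limits the CVE-2024-23184 and CVE-2024-23185 changelog entries describe: a size cap on any single header field, a cap on the whole header section, a count of address headers, and a "discard" pass that drops oversized fields before further processing. The 10MB/50MB figures are taken from the changelog and interpreted here as MiB; the address-header threshold (1000), the helper names and the sample messages are all constructed for this example, and it checks only the top-level header section rather than every MIME part.

```python
import re

# Limits from the Dovecot 2.3.21.1 changelog ("10MB on a single header and
# 50MB for all the headers"); reading them as MiB is an assumption.
MAX_SINGLE_HEADER = 10 * 1024 * 1024
MAX_TOTAL_HEADERS = 50 * 1024 * 1024
# The changelog gives no number for "a large number of address headers"
# (CVE-2024-23184); this threshold is an assumption for the demo.
MAX_ADDRESS_HEADERS = 1000

# RFC 5322 address fields (lower-cased for comparison).
ADDRESS_HEADERS = {
    b"from", b"sender", b"reply-to", b"to", b"cc", b"bcc",
    b"resent-from", b"resent-sender", b"resent-to", b"resent-cc", b"resent-bcc",
}

_HEADER_END = re.compile(rb"\r?\n\r?\n")


def split_message(raw: bytes):
    """Split a message into (header section, body) at the first blank line."""
    m = _HEADER_END.search(raw)
    if m is None:
        return raw, b""
    return raw[:m.start()], raw[m.end():]


def parse_headers(header_section: bytes):
    """Return a list of (name, value) byte pairs. Folded continuation lines
    (RFC 5322 section 2.2.3) stay attached to their field so that size checks
    see the whole field, not just its first line."""
    headers = []
    for line in header_section.splitlines():
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1][1] += b"\r\n" + line
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line[:40])
        headers.append([name.strip(), value.strip()])
    return [(n, v) for n, v in headers]


def check_header_limits(raw: bytes, max_single=MAX_SINGLE_HEADER,
                        max_total=MAX_TOTAL_HEADERS, max_address=MAX_ADDRESS_HEADERS):
    """Return a list of findings; an empty list means the message is within limits."""
    findings = []
    header_section, _body = split_message(raw)
    total = 0
    address_count = 0
    for name, value in parse_headers(header_section):
        size = len(name) + len(value)
        total += size
        if size > max_single:
            findings.append("oversized header %s: %d bytes"
                            % (name.decode("ascii", "replace").lower(), size))
        if name.lower() in ADDRESS_HEADERS:
            address_count += 1
    if total > max_total:
        findings.append("header section too large: %d bytes" % total)
    if address_count > max_address:
        findings.append("too many address headers: %d" % address_count)
    return findings


def drop_oversized_headers(raw: bytes, max_single=MAX_SINGLE_HEADER) -> bytes:
    """Rebuild the message with every field larger than max_single discarded
    (the 'discarded' variant of the changelog's 'truncated or discarded')."""
    header_section, body = split_message(raw)
    kept = [n + b": " + v for n, v in parse_headers(header_section)
            if len(n) + len(v) <= max_single]
    return b"\r\n".join(kept) + b"\r\n\r\n" + body


# Constructed sample messages for the demo.
SAMPLE_OK = (b"From: alice@example.com\r\n"
             b"To: bob@example.com\r\n"
             b"Subject: a normal\r\n  folded subject\r\n"
             b"\r\n"
             b"Hello\r\n")
SAMPLE_OVERSIZED = (b"Subject: " + b"A" * (MAX_SINGLE_HEADER + 1)
                    + b"\r\nFrom: alice@example.com\r\n\r\nbody\r\n")
SAMPLE_MANY_ADDRESS = (b"To: bob@example.com\r\n" * (MAX_ADDRESS_HEADERS + 1)
                       + b"\r\nbody\r\n")

if __name__ == "__main__":
    for label, msg in (("ok", SAMPLE_OK), ("oversized", SAMPLE_OVERSIZED),
                       ("many-address", SAMPLE_MANY_ADDRESS)):
        print(label, check_header_limits(msg) or "within limits")
    print("after discard:", check_header_limits(drop_oversized_headers(SAMPLE_OVERSIZED)))
```

The per-field check counts the whole folded field, which matters because a header can be folded across any number of continuation lines; a check that only looks at the first physical line would miss exactly the abnormally large fields the fix targets.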