[ 23:12 adamw  ]

• 463271 mail/dovecot-pigeonhole/Makefile
• 463271 mail/dovecot/Makefile
• 463271 mail/dovecot/distinfo
• 463271 mail/dovecot/files/patch-src_doveadm_Makefile.am
• 463271 mail/dovecot/files/patch-src_lib-auth_auth-client-request.c
• 463271 mail/dovecot/files/patch-src_lib-auth_auth-server-connection.c
• 463271 mail/dovecot/files/patch-src_lib-auth_auth-server-connection.h
• 463271 mail/dovecot/pkg-plist

Update dovecot to 2.2.34, and bump pigeonhole.

 * CVE-2017-15130: TLS SNI config lookups may lead to excessive
   memory usage, causing imap-login/pop3-login VSZ limit to be reached
   and the process restarted. This happens only if Dovecot config has
   local_name { } or local { } configuration blocks and attacker uses
   randomly generated SNI servernames.
 * CVE-2017-14461: Parsing invalid email addresses may cause a crash or
   leak memory contents to attacker. For example, these memory contents
   might contain parts of an email from another user if the same imap
   process is reused for multiple users. First discovered by Aleksandar
   Nikolic of Cisco Talos. Independently also discovered by "flxflndy"
   via HackerOne.
 * CVE-2017-15132: Aborted SASL authentication leaks memory in login
   process.

(Only the first 15 lines of the commit message are shown above )

[ 13:23 zeising  ]

• 460590 mail/dovecot/Makefile
• 460590 mail/dovecot/files/patch-src_lib-auth_auth-client-request.c
• 460590 mail/dovecot/files/patch-src_lib-auth_auth-server-connection.c
• 460590 mail/dovecot/files/patch-src_lib-auth_auth-server-connection.h

Complete fix for CVE-2017-15132

Complete fix for CVE-2017-15132, the previous fix was not enough, and caused
the request to remain after an abort, causing a use-after-free later on.

PR:		225585
Submitted by:	Vladimir Krstulja
Approved by:	adamw (maintainer)
MFH:		2018Q1