All times are UTC

non port: mail/dovecot/files/patch-src_lib-master_master-service.c

Number of commits found: 4

Friday, 14 Aug 2020
00:27 ler
mail/dovecot, mail/dovecot-pigeonhole: upgrade to 2.3.11.3 and 0.5.11,
respectively.

dovecot changelog:
* CVE-2020-12100: Parsing mails with a large number of MIME parts could
  have resulted in excessive CPU usage or a crash due to running out of
  stack memory.
* CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
  message buffer size, which leads to reading past allocation which can
  lead to crash.
* CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
  address that has the empty quoted string as local-part causes the lmtp
  service to crash.
* CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
  zero-length message, which leads to assert-crash later on.
* Events: Fix inconsistency in events. See event documentation in
  https://doc.dovecot.org.
* imap_command_finished event's cmd_name field now contains "unknown"
  for unknown commands. A new "cmd_input_name" field contains the
  command name exactly as it was sent.
* lib-index: Renamed mail_cache_compress_* settings to mail_cache_purge_*.
  Note that these settings are mainly intended for testing and usually
  shouldn't be changed.
* events: Renamed "index" event category to "mail-index".
* events: service:<name> category is now using the name from
  configuration file.
* dns-client: service dns_client was renamed to dns-client.
* log: Prefixes generally use the service name from configuration file.
  For example dict-async service will now use
  "dict-async(pid): " log prefix instead of "dict(pid): "
* *-login: Changed logging done by proxying to use a consistent prefix
  containing the IP address and port.
* *-login: Changed disconnection log messages to be slightly clearer.
+ dict: Add events for dictionaries.
+ lib-index: Finish logging with events.
+ oauth2: Support local validation of JWT tokens.
+ stats: Add support for dynamic histograms and grouping. See
  https://doc.dovecot.org/configuration_manual/stats/.
+ imap: Implement RFC 8514: IMAP SAVEDATE
+ lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge
  folder) adds a lot of data to dovecot.index.cache file, commit those
  changes periodically to make them visible to other concurrent sessions
  as well.
+ stats: Add OpenMetrics exporter for statistics. See
  https://doc.dovecot.org/configuration_manual/stats/openmetrics/.
+ stats: Support disabling stats-writer socket by setting
  stats_writer_socket_path="".
- auth-worker: Process keeps slowly increasing its memory usage and
  eventually dies with "out of memory" due to reaching vsz_limit.
- auth: Prevent potential timing attacks in authentication secret
  comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, crypt() result.
- auth: Several auth-mechanisms allowed input to be truncated by NUL
  which can potentially lead to unintentional issues or even successful
  logins which should have failed.
- auth: When auth policy returned a delay, auth_request_finished event
  had policy_result=ok field instead of policy_result=delayed.
- auth: auth process crash when auth_policy_server_url is set to an
  invalid URL.
- auth: Lua passdb/userdb leaks stack elements per call, eventually
  causing the stack to become too deep and crashing the auth or
  auth-worker process.
- dict-ldap: Crash occurs if var_expand template expansion fails.
- dict: If dict client disconnected while iteration was still running,
  dict process could have started using 100% CPU, although it was still
  handling clients.
- doveadm: Running doveadm commands via proxying may hang, especially
  when doveadm is printing a lot of output.
- imap: "MOVE * destfolder" goes to a loop copying the last mail to the
  destination until the imap process dies due to running out of memory.
- imap: Running "UID MOVE 1:* Trash" on an empty folder goes to infinite
  loop.
- imap: SEARCH doesn't support $.
- lib-compress: Buffer over-read in zlib stream read.
- lib-dns: If DNS lookup times out, lib-dns can cause crash in calling
  process.
- lib-index: Fixed several bugs in dovecot.index.cache handling that
  could have caused cached data to be lost.
- lib-index: Writing to >=1 GB dovecot.index.cache files may cause
  assert-crashes:
  Panic: file mail-index-util.c: line 37 (mail_index_uint32_to_offset):
  assertion failed: (offset < 0x40000000)
- lib-mail: v2.3.11 regression: MIME parts not returned correctly by
  Dovecot MIME parser.
- lib-ssl-iostream: Fix buggy OpenSSL error handling without
  assert-crashing. If there is no error available, log it as an error
  instead of crashing:
  Panic: file iostream-openssl.c: line 599 (openssl_iostream_handle_error):
  assertion failed: (errno != 0)
- lib-ssl-iostream: ssl_key_password setting did not work.
- pop3-login: Login didn't handle commands in multiple IP packets properly.
  This mainly affected large XCLIENT commands or a large SASL initial
  response parameter in the AUTH command.
- pop3: pop3_deleted_flag setting was broken, causing:
  Panic: file seq-range-array.c: line 472 (seq_range_array_invert):
  assertion failed: (range[count-1].seq2 <= max_seq)
- pop3-login: Login would fail with "Input buffer full" if the initial
  response for SASL was too long.
- submission: A segfault crash may occur when the client or server
  disconnects while a non-transaction command like NOOP or VRFY is still
  being processed.
- virtual: Copying/moving mails with IMAP into a virtual folder
  assert-crashes:
  Panic: file cmd-copy.c: line 152 (fetch_and_copy): assertion failed:
  (copy_ctx->copy_count == seq_range_count(&copy_ctx->saved_uids))

pigeonhole changelog:
* managesieve: managesieve_max_line_length setting is now a "size" type
  instead of just number of bytes. This allows using e.g. "64k" as the
  value.
- lib-sieve: When folding white space is used in the Message-ID header,
  it is not stripped away correctly before the message ID value is used,
  causing e.g. garbled log lines at delivery.

PR:		248640
PR:		248644
Submitted by:	juraj@lutter.sk
Reported by:	juraj@lutter.sk
MFH:		2020Q3
Security:	87a07de1-e55e-4d51-bb64-8d117829a26a
Security:	CVE-2020-12100
Security:	CVE-2020-12673
Security:	CVE-2020-10967
Security:	CVE-2020-12674
Original commit Revision: 544857

Wednesday, 4 Dec 2019
17:59 ler
mail/dovecot, mail/dovecot-pigeonhole: upgrade to 2.3.9, 0.5.9 respectively.

Bump PORTREVISION of mail/dovecot-fts-xapian for version change of dovecot.

Changelog:
Dovecot:
* Changed several event field names for consistency and to avoid
  conflicts in parent-child event relationships:
   * SMTP server command events: Renamed "name" to "cmd_name"
   * Events inheriting from a mailbox: Renamed "name" to "mailbox"
   * Server connection events have only "remote_ip", "remote_port",
     "local_ip" and "local_port".
   * Removed duplicate "client_ip", "ip" and "port".
   * Mail storage events: Removed "service" field.
     Use "service:<name>" category instead.
   * HTTP client connection events: Renamed "host" to "dest_host" and
     "port" to "dest_port"
* auth: Drop Postfix socketmap support. It hasn't been working
  with recent Postfix versions for a while now.
* push-notification-lua: The "subject" field is now decoded to UTF8
  instead of kept as MIME-encoded.
+ push-notification-lua: Added new "from_address", "from_display_name",
  "to_address" and "to_display_name" fields. The display names are
  decoded to UTF8.
+ Added various new fields to existing events.
  See http://doc.dovecot.net/admin_manual/list_of_events.html
+ Add lmtp_add_received_header setting. It can be used to prevent LMTP
  from adding "Received:" headers.
+ doveadm: Support SSL/STARTTLS for proxied doveadm connections based on
  doveadm_ssl setting and proxy ssl/tls settings.
+ Log filters support now "service:<name>", which matches all events for
  the given service. It can also be used as a category.
+ lib: Use libunwind to get abort backtraces with function names
  where available.
+ lmtp: When the LMTP proxy changes the username (from passdb lookup)
  add an appropriate ORCPT parameter.
- lmtp: Add lmtp_client_workarounds setting to implement workarounds for
  clients that send MAIL and RCPT commands with additional spaces before
  the path and for clients that omit <> brackets around the path.
  See example-config/conf.d/20-lmtp.conf.
- lda/lmtp: Invalid MAIL FROM addresses were rejected too aggressively.
  Now mails from addresses with unicode characters are delivered, but
  their Return-Path header will be <> instead of the given MAIL FROM
  address.
- lmtp: The lmtp_hdr_delivery_address setting is ignored.
- imap: imap_command_finished event's "args" and "human_args" parameters
  were always empty.
- mbox: Seeking in zlib and bzip2 compressed input streams didn't work
  correctly.
- imap-hibernate: Process crashed when client got destroyed while it was
  attempted to be unhibernated, and the unhibernation fails.
- *-login: Proxying may have crashed if SSL handshake to the backend
  failed immediately. This was unlikely to happen in normal operation.
- *-login: If TLS handshake to upstream server failed during proxying,
  login process could crash due to invalid memory access.
- *-login: v2.3 regression: Using SASL authentication without initial
  response may have caused SSL connections to hang. This happened often
  at least with PHP's IMAP library.
- *-login: When login processes are flooded with authentication attempts
  it starts logging errors about "Authentication server sent unknown id".
  This is still expected. However, it also caused the login process to
  disconnect from auth server and potentially log some user's password
  in the error message.
- dict-sql: SQL prepared statements were not shared between sessions.
  This resulted in creating a lot of prepared statements, which was
  especially inefficient when using Cassandra backend with a lot of
  Cassandra nodes.
- auth: auth_request_finished event didn't have success=yes parameter
  set for successful authentications.
- auth: userdb dict - Trying to list users crashed.
- submission: Service could be configured to allow anonymous
  authentication mechanism and anonymous user access.
- LAYOUT=index: Corrupted dovecot.list.index caused folder creation to
  panic.
- doveadm: HTTP server crashes if request target starts with double "/".
- dsync: Remote dsync started hanging if the initial doveadm
  "dsync-server" command was sent in the same TCP packet as the
  following dsync handshake. v2.3.8 regression.
- lib: Several "input streams" had a bug that in some rare situations
  might cause it to access freed memory. This could lead to crashes or
  corruption.
  The only currently known effect of this is that using zlib plugin with
  external mail attachments (mail_attachment_dir) could cause fetching
  the mail to return a few bytes of garbage data at the beginning of the
  header. Note that the mail wasn't saved corrupted, but fetching it
  caused corrupted mail to be sent to the client.
- lib-storage: If a mail only has quoted content, use the quoted text
  for generating message snippet (IMAP PREVIEW) instead of returning
  empty snippet.
- lib-storage: When vsize header was rebuilt, newly calculated message
  sizes were added to dovecot.index.cache instead of being directly
  saved into vsize records in dovecot.index.
- lib: JSON generator was escaping UTF-8 characters unnecessarily.

Pigeonhole:
+ Added events for Sieve and ManageSieve, see
  https://doc.dovecot.org/admin_manual/list_of_events/#pigeonhole
+ Pigeonhole: Implement the Sieve "special-use" extension described in
  RFC 8579.
- duplicate: Test only compared the handles which would cause
  different values to be cached as the same duplicate test. Fix to also
  compare the actual hashes.
- imap_sieve_filter: IMAP FILTER Command had various bugs in error
  handling. Errors may have been duplicated for each email, errors
  may have been missing entirely, command tag and ERRORS/WARNINGS
  parameters were swapped.
Original commit Revision: 519037

Sunday, 6 Jan 2019
17:55 ler
mail/dovecot: Fix previous commit.

I missed a character typing the patch.

Pointy Hat: ler
Original commit Revision: 489516

17:46 ler
mail/dovecot: Pick up mailing list patch for imap-preauth vs. stats-writer.

see the dovecot mailing list thread on imap-preauth and stats-writer between
Stephan Bosch and a FreeBSD user

Obtained from:	upstream mailing list.
Original commit Revision: 489515
