14:39 ler 

mail/dovecot: remove obsolete patch.

no PORTREVISION bump, as it doesn't change the package.

Reported by:	herbert@gojira.at

 

21:33 ler 

mail/dovecot, mail/dovecot-pigeonhole: upgrade to 2.3.6, 0.5.6 respectively.

Dovecot changelog:
* CVE-2019-11494: Submission-login crashed with signal 11 due to null pointer
access when authentication was aborted by disconnecting.
* CVE-2019-11499: Submission-login crashed when authentication was started over
TLS secured channel and invalid authentication message was sent.
* auth: Support password grant with passdb oauth2.
+ Use system default CAs for outbound TLS connections.
+ Simplify array handling with new helper macros.
+ fts_solr: Enable configuring batch_size and soft_commit features.
- lmtp/submission: Fixed various bugs in XCLIENT handling, including a hang when
XCLIENT commands were sent infinitely to the remote server.
- lmtp/submission: Forwarded multi-line replies were erroneously sent as two
replies to the client.
- lib-smtp: client: Message was not guaranteed to contain CRLF consistently when
CHUNKING was used.
- fts_solr: Plugin was no longer compatible with Solr 7.
- Make it possible to disable certificate checking without setting
ssl_client_ca_* settings.
- pop3c: SSL support was broken.
- mysql: Closing connection twice lead to crash on some systems.
- auth: Multiple oauth2 passdbs crashed auth process on deinit.
- HTTP client connection errors infrequently triggered a segmentation fault when
the connection was idle and not used for a particular client instance.

Pigeonhole changelog:
+ sieve: Redirect loop prevention is sometimes ineffective. Improve existing
loop detection by also recognizing the
  X-Sieve-Redirected-From header in incoming messages and dropping redirect
actions when it points to
  the sending account. This header is already added by the redirect action, so
this improvement only adds an additional use of this header.
- sieve: Prevent execution of implicit keep upon temporary failure occurring at
runtime.

MFH:		2019Q2
Security:	CVE-2019-11494
Security:	CVE-2019-11499

 

23:34 ler 

mail/dovecot and mail/dovecot-pigeonhole upgrade to 2.3.5 and 0.5.5 respectively

dovecot changelog:
+ Lua push notification driver: mail keywords and flags are provided in
MessageNew and MessageAppend events.
+ submission: Implement support for plugins.
+ auth: When auth_policy_log_only=yes, only log what the policy server response
would do without actually doing it.
+ auth: Always log policy server decisions with auth_verbose=yes
- v2.3.[34]: doveadm log errors: Output was missing user/session
- lda: Debug log lines could have shown slightly corrupted
- login proxy: Login processes may have crashed in various ways when
login_proxy_max_disconnect_delay was set.
- imap: Fix crash with Maildir+zlib if client disconnects during APPEND
- lmtp proxy: Fix potential assert-crash
- lmtp/submission: Fix crash when SMTP client transaction times out
- submission: Split large XCLIENT commands to 512 bytes per command, so Postfix
accepts them.
- submission: Fix crash when client sends invalid BURL command
- submission: relay backend: VRFY command: Avoid forwarding 500 and 502 replies
back to client.
- lib-http: Fix potential assert-crash when DNS lookup fails
- lib-fts: Fix search query generation when one language ignores a token (e.g.
via stopwords).

pigeonhole changelog:
+ IMAPSieve: Add new plugin/imapsieve_expunge_discarded setting which causes
messages discarded by an IMAPSieve script to be expunged immediately, rather
than only being marked as "\Deleted" (which is still the default behavior).
- IMAPSieve: Fix panic crash occurring when a COPY command copies
messages from a virtual mailbox where the source messages originate from more
than a single real mailbox.
- imap4flags extension: Fix deleting all keywords. When the action
resulted in all keywords being removed, no changes were actually
applied.
- variables extension: Fix truncation of UTF-8 variable content. The maximum
size of Sieve variables was enforced by truncating the
variable string content bluntly at the limit, but this does not
consider UTF-8 code point boundaries. This resulted in broken UTF-8 strings.
This problem also surfaced for variable modifiers, such as the ":encodeurl"
modifier provided by the Sieve "enotify" extension. In that case, the resulting
URI escaping could also be truncated inappropriately.
- IMAPSieve, IMAP FILTER=SIEVE: Fix replacing a modified message. Sieve scripts
running in IMAPSIEVE or IMAP FILTER=SIEVE context that modify the message,
stored the message a second time, rather than replacing the originally stored
unmodified message.
- Fix segmentation fault occurring when both the sieve_extprograms
plugin (for the Sieve interpreter) and the imap_filter_sieve plugin (for IMAP)
are loaded at the same time. A symbol was defined by both plugins, causing a
clash when both were loaded.

 

18:22 ler 

mail/dovecot: pick up patch from upstream to quiet format warnings.

Obtained
from:	https://github.com/dovecot/core/commit/de42b54aaf165d4f62b45be864dde36bdbbc4276

 

15:12 ler 

mail/dovecot update to 2.3.4, mail/dovecot-pigeonhole to 0.5.4

dovecot change log:
* The default postmaster_address is now "postmaster@<user domain or
   server hostname>". If username contains the @domain part, that's
   used. If not, then the server's hostname is used.
* "doveadm stats dump" now returns two decimals for the "avg" field.

+ Added push notification driver that uses a Lua script
+ Added new SQL, DNS and connection events.
   See https://wiki2.dovecot.org/Events
+ Added "doveadm mailbox cache purge" command.
+ Added events API support for Lua scripts
+ doveadm force-resync -f parameter performs "index fsck" while opening
   the index. This may be useful to fix some types of broken index files.

(Only the first 15 lines of the commit message are shown above )