
[1/1] package/dovecot: security bump version to 2.3.11.3

Message ID 20200818165436.145310-2-bernd.kuhls@t-online.de
State Accepted
Series [PATCH/next,1/1] package/dovecot-pigeonhole: bump version to 0.5.11

Commit Message

Bernd Kuhls Aug. 18, 2020, 4:54 p.m. UTC
Release notes:
https://dovecot.org/pipermail/dovecot-news/2020-August/000440.html

Fixes the following CVEs:

* CVE-2020-12100: Parsing mails with a large number of MIME parts could
  have resulted in excessive CPU usage or a crash due to running out of
  stack memory.
* CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
  message buffer size, which leads to reading past allocation which can
  lead to crash.
* CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
  address that has the empty quoted string as local-part causes the lmtp
  service to crash.
* CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
  zero-length message, which leads to assert-crash later on.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
 package/dovecot/dovecot.hash | 2 +-
 package/dovecot/dovecot.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
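An added example, not part of this patch or of Buildroot, that checks downloaded files against a .hash file in the format this patch edits (`<algo>  <digest>  <filename>`, with `#` comment lines); the sample tarball, COPYING file and digests are constructed here, and it assumes sha256sum or shasum is installed:

```shell
#!/bin/sh
# Added example, not part of the Buildroot patch: check files against a
# Buildroot-style .hash file. Each line is "<algo>  <hex digest>  <filename>";
# lines starting with '#' are comments. Only sha256 is handled here.

# Print the sha256 hex digest of a file (assumes sha256sum or shasum exists).
hexdigest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_hash_file <hashfile> <dir>: returns 0 only when every entry matches.
# Unsupported algorithms, missing files and mismatches all count as failures,
# so a stale or incomplete .hash cannot pass silently.
verify_hash_file() {
    hashfile=$1; dir=$2; failed=0
    while read -r algo expected name; do
        case "$algo" in ''|'#'*) continue ;; esac
        if [ "$algo" != sha256 ]; then
            echo "UNSUPPORTED $algo  $name"; failed=1; continue
        fi
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING     $name"; failed=1; continue
        fi
        actual=$(hexdigest "$dir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK          $name"
        else
            echo "MISMATCH    $name (expected $expected, got $actual)"; failed=1
        fi
    done < "$hashfile"
    return $failed
}

# Constructed sample files and hash lists (digests computed here, not upstream's).
demo_dir=$(mktemp -d)
printf 'not a real tarball\n' > "$demo_dir/dovecot-2.3.11.3.tar.gz"
printf 'license text\n' > "$demo_dir/COPYING"
good=$(hexdigest "$demo_dir/dovecot-2.3.11.3.tar.gz")
zeros=$(printf '%064d' 0)   # a wrong digest: 64 zero nibbles
printf '# Locally computed after checking signature\nsha256  %s  dovecot-2.3.11.3.tar.gz\n' \
    "$good" > "$demo_dir/good.hash"
printf 'sha256  %s  dovecot-2.3.11.3.tar.gz\nsha256  %s  COPYING\nsha256  %s  missing.sig\n' \
    "$good" "$zeros" "$good" > "$demo_dir/bad.hash"

verify_hash_file "$demo_dir/good.hash" "$demo_dir"
verify_hash_file "$demo_dir/bad.hash" "$demo_dir" || echo "bad.hash rejected, as expected"
```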

Comments

Thomas Petazzoni Aug. 18, 2020, 9:44 p.m. UTC | #1
On Tue, 18 Aug 2020 18:54:36 +0200
Bernd Kuhls <bernd.kuhls@t-online.de> wrote:

> Release notes:
> https://dovecot.org/pipermail/dovecot-news/2020-August/000440.html
> 
> Fixes the following CVEs:
> 
> * CVE-2020-12100: Parsing mails with a large number of MIME parts could
>   have resulted in excessive CPU usage or a crash due to running out of
>   stack memory.
> * CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
>   message buffer size, which leads to reading past allocation which can
>   lead to crash.
> * CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
>   address that has the empty quoted string as local-part causes the lmtp
>   service to crash.
> * CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
>   zero-length message, which leads to assert-crash later on.
> 
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> ---
>  package/dovecot/dovecot.hash | 2 +-
>  package/dovecot/dovecot.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Applied to master, thanks.

Thomas
Peter Korsgaard Aug. 28, 2020, 4:52 p.m. UTC | #2
>>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes:

 > Release notes:
 > https://dovecot.org/pipermail/dovecot-news/2020-August/000440.html

 > Fixes the following CVEs:

 > * CVE-2020-12100: Parsing mails with a large number of MIME parts could
 >   have resulted in excessive CPU usage or a crash due to running out of
 >   stack memory.
 > * CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
 >   message buffer size, which leads to reading past allocation which can
 >   lead to crash.
 > * CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
 >   address that has the empty quoted string as local-part causes the lmtp
 >   service to crash.
 > * CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
 >   zero-length message, which leads to assert-crash later on.

 > Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>

Committed to 2020.02.x and 2020.05.x, thanks.
Bernd Kuhls Aug. 28, 2020, 5:07 p.m. UTC | #3
On Fri, 28 Aug 2020 18:52:49 +0200, Peter Korsgaard wrote:

>>>>>> "Bernd" == Bernd Kuhls
>>>>>> <bernd.kuhls@t-online.de> writes:
> 
> Committed to 2020.02.x and 2020.05.x, thanks.

Hi Peter,

please commit
https://git.buildroot.net/buildroot/commit/package/dovecot-pigeonhole?
id=bbb4e2104606bc55ba070d53cc4d90c878ef74b3
to 2020.02.x and 2020.05.x as well because the previous version of 
dovecot-pigeonhole is incompatible with dovecot-2.3.11.3.

For details see http://patchwork.ozlabs.org/project/buildroot/patch/
20200820061744.293397-1-bernd.kuhls@t-online.de/

Regards, Bernd
Peter Korsgaard Aug. 28, 2020, 5:54 p.m. UTC | #4
>>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes:

 > On Fri, 28 Aug 2020 18:52:49 +0200, Peter Korsgaard wrote:
 >>>>>>> "Bernd" == Bernd Kuhls
 >>>>>>> <bernd.kuhls@t-online.de> writes:
 >> 
 >> Committed to 2020.02.x and 2020.05.x, thanks.

 > Hi Peter,

 > please commit
 > https://git.buildroot.net/buildroot/commit/package/dovecot-pigeonhole?
 > id=bbb4e2104606bc55ba070d53cc4d90c878ef74b3
 > to 2020.02.x and 2020.05.x as well because the previous version of 
 > dovecot-pigeonhole is incompatible with dovecot-2.3.11.3.

 > For details see http://patchwork.ozlabs.org/project/buildroot/patch/
 > 20200820061744.293397-1-bernd.kuhls@t-online.de/

Ok, thanks. I was hesitating about that.

Patch

diff --git a/package/dovecot/dovecot.hash b/package/dovecot/dovecot.hash
index 09295816d3..e5c2ab6f40 100644
--- a/package/dovecot/dovecot.hash
+++ b/package/dovecot/dovecot.hash
@@ -1,5 +1,5 @@ 
 # Locally computed after checking signature
-sha256  6642e62f23b1b23cfac235007ca6e21cb67460cca834689fad450724456eb10c  dovecot-2.3.10.1.tar.gz
+sha256  d3d9ea9010277f57eb5b9f4166a5d2ba539b172bd6d5a2b2529a6db524baafdc  dovecot-2.3.11.3.tar.gz
 sha256  a363b132e494f662d98c820d1481297e6ae72f194c2c91b6c39e1518b86240a8  COPYING
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LGPL
 sha256  52b8c95fabb19575281874b661ef7968ea47e8f5d74ba0dd40ce512e52b3fc97  COPYING.MIT
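Review bot: the replaced sha256 line for dovecot-2.3.11.3.tar.gz is, per the header comment, locally computed after checking the signature, but neither the hunk nor the commit message records which key the signature was checked against; add the key fingerprint (or a pointer to the upstream signature) to the commit message so the digest can be re-verified independently instead of being trusted from this one line.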
diff --git a/package/dovecot/dovecot.mk b/package/dovecot/dovecot.mk
index 59b52a3f84..f0508753a2 100644
--- a/package/dovecot/dovecot.mk
+++ b/package/dovecot/dovecot.mk
@@ -5,7 +5,7 @@ 
 ################################################################################
 
 DOVECOT_VERSION_MAJOR = 2.3
-DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).10.1
+DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).11.3
 DOVECOT_SITE = https://dovecot.org/releases/$(DOVECOT_VERSION_MAJOR)
 DOVECOT_INSTALL_STAGING = YES
 DOVECOT_LICENSE = LGPL-2.1, MIT, Public Domain, BSD-3-Clause, Unicode-DFS-2015
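Review bot: DOVECOT_VERSION moves to $(DOVECOT_VERSION_MAJOR).11.3 but nothing in the .mk expresses a matching requirement on dovecot-pigeonhole, and the thread states that the previous dovecot-pigeonhole is incompatible with dovecot-2.3.11.3; when this hunk is backported to a stable branch, commit it together with the dovecot-pigeonhole bump and mention the pairing in the commit message, otherwise the branch carries a dovecot/pigeonhole combination that no longer fits together.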