Message ID | 20200818165436.145310-2-bernd.kuhls@t-online.de
---|---
State | Accepted
Series | [PATCH/next,1/1] package/dovecot-pigeonhole: bump version to 0.5.11
On Tue, 18 Aug 2020 18:54:36 +0200 Bernd Kuhls <bernd.kuhls@t-online.de> wrote:

> Release notes:
> https://dovecot.org/pipermail/dovecot-news/2020-August/000440.html
>
> Fixes the following CVEs:
>
> * CVE-2020-12100: Parsing mails with a large number of MIME parts could
> have resulted in excessive CPU usage or a crash due to running out of
> stack memory.
> * CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
> message buffer size, which leads to reading past allocation which can
> lead to crash.
> * CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
> address that has the empty quoted string as local-part causes the lmtp
> service to crash.
> * CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
> zero-length message, which leads to assert-crash later on.
>
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> ---
> package/dovecot/dovecot.hash | 2 +-
> package/dovecot/dovecot.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)

Applied to master, thanks.

Thomas
>>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes:

> Release notes:
> https://dovecot.org/pipermail/dovecot-news/2020-August/000440.html
> Fixes the following CVEs:
> * CVE-2020-12100: Parsing mails with a large number of MIME parts could
> have resulted in excessive CPU usage or a crash due to running out of
> stack memory.
> * CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
> message buffer size, which leads to reading past allocation which can
> lead to crash.
> * CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
> address that has the empty quoted string as local-part causes the lmtp
> service to crash.
> * CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
> zero-length message, which leads to assert-crash later on.
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>

Committed to 2020.02.x and 2020.05.x, thanks.
On Fri, 28 Aug 2020 18:52:49 +0200, Peter Korsgaard wrote:

>>>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes:
>
> Committed to 2020.02.x and 2020.05.x, thanks.

Hi Peter,

please commit
https://git.buildroot.net/buildroot/commit/package/dovecot-pigeonhole?id=bbb4e2104606bc55ba070d53cc4d90c878ef74b3
to 2020.02.x and 2020.05.x as well because the previous version of
dovecot-pigeonhole is incompatible with dovecot-2.3.11.3.

For details see
http://patchwork.ozlabs.org/project/buildroot/patch/20200820061744.293397-1-bernd.kuhls@t-online.de/

Regards, Bernd
>>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes:

> On Fri, 28 Aug 2020 18:52:49 +0200, Peter Korsgaard wrote:
>>>>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes:
>>
>> Committed to 2020.02.x and 2020.05.x, thanks.

> Hi Peter,
> please commit
> https://git.buildroot.net/buildroot/commit/package/dovecot-pigeonhole?id=bbb4e2104606bc55ba070d53cc4d90c878ef74b3
> to 2020.02.x and 2020.05.x as well because the previous version of
> dovecot-pigeonhole is incompatible with dovecot-2.3.11.3.
> For details see
> http://patchwork.ozlabs.org/project/buildroot/patch/20200820061744.293397-1-bernd.kuhls@t-online.de/

Ok, thanks. I was hesitating about that.
diff --git a/package/dovecot/dovecot.hash b/package/dovecot/dovecot.hash index 09295816d3..e5c2ab6f40 100644 --- a/package/dovecot/dovecot.hash +++ b/package/dovecot/dovecot.hash @@ -1,5 +1,5 @@ # Locally computed after checking signature -sha256 6642e62f23b1b23cfac235007ca6e21cb67460cca834689fad450724456eb10c dovecot-2.3.10.1.tar.gz +sha256 d3d9ea9010277f57eb5b9f4166a5d2ba539b172bd6d5a2b2529a6db524baafdc dovecot-2.3.11.3.tar.gz sha256 a363b132e494f662d98c820d1481297e6ae72f194c2c91b6c39e1518b86240a8 COPYING sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LGPL sha256 52b8c95fabb19575281874b661ef7968ea47e8f5d74ba0dd40ce512e52b3fc97 COPYING.MIT diff --git a/package/dovecot/dovecot.mk b/package/dovecot/dovecot.mk index 59b52a3f84..f0508753a2 100644 --- a/package/dovecot/dovecot.mk +++ b/package/dovecot/dovecot.mk @@ -5,7 +5,7 @@ ################################################################################ DOVECOT_VERSION_MAJOR = 2.3 -DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).10.1 +DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).11.3 DOVECOT_SITE = https://dovecot.org/releases/$(DOVECOT_VERSION_MAJOR) DOVECOT_INSTALL_STAGING = YES DOVECOT_LICENSE = LGPL-2.1, MIT, Public Domain, BSD-3-Clause, Unicode-DFS-2015
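Review bot: the dovecot.hash hunk replaces only the tarball line under the unchanged comment "# Locally computed after checking signature", but the commit message does not say how the new sha256 for dovecot-2.3.11.3.tar.gz was verified; please state in the commit message that the hash was computed after checking the upstream signature of the new release, as the comment claims, so whoever backports this to 2020.02.x and 2020.05.x can reproduce the check. The three COPYING* lines stay as they are, which is fine provided the license files were confirmed unchanged in the new tarball; a sentence saying so would help the reviewer.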
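Review bot: the dovecot.mk hunk bumps DOVECOT_VERSION from $(DOVECOT_VERSION_MAJOR).10.1 to $(DOVECOT_VERSION_MAJOR).11.3 on its own, while the discussion above states that the previous dovecot-pigeonhole is incompatible with dovecot-2.3.11.3; the commit message should call out that dovecot-pigeonhole has to be bumped alongside (commit bbb4e2104606bc55ba070d53cc4d90c878ef74b3 in the thread), otherwise a stable-branch backport of this hunk alone leaves the two packages mismatched, which is exactly what had to be fixed up on 2020.02.x and 2020.05.x. DOVECOT_SITE is derived from DOVECOT_VERSION_MAJOR, which remains 2.3, so the download location stays valid for 2.3.11.3.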
Release notes:
https://dovecot.org/pipermail/dovecot-news/2020-August/000440.html

Fixes the following CVEs:

* CVE-2020-12100: Parsing mails with a large number of MIME parts could
have resulted in excessive CPU usage or a crash due to running out of
stack memory.
* CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
message buffer size, which leads to reading past allocation which can
lead to crash.
* CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
address that has the empty quoted string as local-part causes the lmtp
service to crash.
* CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
zero-length message, which leads to assert-crash later on.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
package/dovecot/dovecot.hash | 2 +-
package/dovecot/dovecot.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)