From: Bernd Kuhls
To: buildroot@buildroot.org
Date: Tue, 18 Aug 2020 18:54:36 +0200
Message-Id: <20200818165436.145310-2-bernd.kuhls@t-online.de>
Subject: [Buildroot] [PATCH 1/1] package/dovecot: security bump version to 2.3.11.3

Release notes:
https://dovecot.org/pipermail/dovecot-news/2020-August/000440.html

Fixes the following CVEs:

* CVE-2020-12100: Parsing mails with a large number of MIME parts could
  have resulted in excessive CPU usage or a crash due to running out of
  stack memory.
* CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
  message buffer size, which leads to reading past allocation which can
  lead to crash.
* CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
  address that has the empty quoted string as local-part causes the lmtp
  service to crash.
* CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
  zero-length message, which leads to assert-crash later on.

Signed-off-by: Bernd Kuhls
---
 package/dovecot/dovecot.hash | 2 +-
 package/dovecot/dovecot.mk | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/dovecot/dovecot.hash b/package/dovecot/dovecot.hash index 09295816d3..e5c2ab6f40 100644 --- a/package/dovecot/dovecot.hash +++ b/package/dovecot/dovecot.hash 
@@ -1,5 +1,5 @@ # Locally computed after checking signature -sha256 6642e62f23b1b23cfac235007ca6e21cb67460cca834689fad450724456eb10c dovecot-2.3.10.1.tar.gz +sha256 d3d9ea9010277f57eb5b9f4166a5d2ba539b172bd6d5a2b2529a6db524baafdc dovecot-2.3.11.3.tar.gz sha256 a363b132e494f662d98c820d1481297e6ae72f194c2c91b6c39e1518b86240a8 COPYING sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LGPL sha256 52b8c95fabb19575281874b661ef7968ea47e8f5d74ba0dd40ce512e52b3fc97 COPYING.MIT diff --git a/package/dovecot/dovecot.mk b/package/dovecot/dovecot.mk index 59b52a3f84..f0508753a2 100644 --- a/package/dovecot/dovecot.mk +++ b/package/dovecot/dovecot.mk @@ -5,7 +5,7 @@ ################################################################################ DOVECOT_VERSION_MAJOR = 2.3 -DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).10.1 +DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).11.3 DOVECOT_SITE = https://dovecot.org/releases/$(DOVECOT_VERSION_MAJOR) DOVECOT_INSTALL_STAGING = YES DOVECOT_LICENSE = LGPL-2.1, MIT, Public Domain, BSD-3-Clause, Unicode-DFS-2015
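
Review bot: In package/dovecot/dovecot.hash, the comment "# Locally computed after checking signature" above the new dovecot-2.3.11.3.tar.gz hash does not say which signature or key was checked, so the sha256 cannot be re-verified from this file alone. Please put the URL of the detached signature that was verified into that comment line, next to the hash it vouches for. The three COPYING hashes are unchanged context, which is consistent with the untouched DOVECOT_LICENSE line.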
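
Review bot: In package/dovecot/dovecot.mk, the DOVECOT_VERSION change from .10.1 to .11.3 moves the package from the 2.3.10 series to the 2.3.11 series, yet the commit message covers only the four CVE fixes and links a single release-notes post. Please add a sentence to the commit message saying whether the 2.3.11 series needs any change to this package's configure options or dependencies, or that none is needed, so reviewers can confirm that a version and hash bump is sufficient.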