10:09 Kurt Jaeger (pi)  Author: Juraj Lutter

mail/dovecot-*: update 2.3.13 -> 2.3.15 and related ports

PR:			256860
Approved by:		fluffy (ports-secteam)
Submitted by:		otis
Relnotes:		https://dovecot.org/pipermail/dovecot-news/2021-June/000457.html
			https://dovecot.org/pipermail/dovecot-news/2021-March/000455.html
			https://dovecot.org/pipermail/dovecot-news/2021-March/000456.html
			https://dovecot.org/pipermail/dovecot-news/2021-June/000458.html
Security:		CVE-2021-29157, CVE-2021-33515, CVE-2020-28200
Differential Revision:	https://reviews.freebsd.org/D30866
MFH:			2021Q3

    21a797e

00:27 ler 

mail/dovecot, mail/dovecot-pigeonhole: upgrade to 2.3.11.3 and 0.5.11,
repectively.

dovecot changelog:
* CVE-2020-12100: Parsing mails with a large number of MIME parts could
  have resulted in excessive CPU usage or a crash due to running out of
  stack memory.
* CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
  message buffer size, which leads to reading past allocation which can
  lead to crash.
* CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
  address that has the empty quoted string as local-part causes the lmtp
  service to crash.
* CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
  zero-length message, which leads to assert-crash later on.
* Events: Fix inconsistency in events. See event documentation in
  https://doc.dovecot.org.
* imap_command_finished event's cmd_name field now contains "unknown"
  for unknown commands. A new "cmd_input_name" field contains the
  command name exactly as it was sent.
* lib-index: Renamed mail_cache_compress_* settings to mail_cache_purge_*.
  Note that these settings are mainly intended for testing and usually
  shouldn't be changed.
* events: Renamed "index" event category to "mail-index".
* events: service:<name> category is now using the name from
  configuration file.
* dns-client: service dns_client was renamed to dns-client.
* log: Prefixes generally use the service name from configuration file.
  For example dict-async service will now use
  "dict-async(pid): " log prefix instead of "dict(pid): "
* *-login: Changed logging done by proxying to use a consistent prefix
  containing the IP address and port.
* *-login: Changed disconnection log messages to be slightly clearer.
+ dict: Add events for dictionaries.
+ lib-index: Finish logging with events.
+ oauth2: Support local validation of JWT tokens.
+ stats: Add support for dynamic histograms and grouping. See
  https://doc.dovecot.org/configuration_manual/stats/.
+ imap: Implement RFC 8514: IMAP SAVEDATE
+ lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge
  folder) adds a lot of data to dovecot.index.cache file, commit those
  changes periodically to make them visible to other concurrent sessions
  as well.
+ stats: Add OpenMetrics exporter for statistics. See
  https://doc.dovecot.org/configuration_manual/stats/openmetrics/.
+ stats: Support disabling stats-writer socket by setting
  stats_writer_socket_path="".
- auth-worker: Process keeps slowly increasing its memory usage and
  eventually dies with "out of memory" due to reaching vsz_limit.
- auth: Prevent potential timing attacks in authentication secret
  comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, crypt() result.
- auth: Several auth-mechanisms allowed input to be truncated by NUL
  which can potentially lead to unintentional issues or even successful
  logins which should have failed.
- auth: When auth policy returned a delay, auth_request_finished event
  had policy_result=ok field instead of policy_result=delayed.
- auth: auth process crash when auth_policy_server_url is set to an
  invalid URL.
- auth: Lua passdb/userdb leaks stack elements per call, eventually
  causing the stack to become too deep and crashing the auth or
  auth-worker process.
- dict-ldap: Crash occurs if var_expand template expansion fails.
- dict: If dict client disconnected while iteration was still running,
  dict process could have started using 100% CPU, although it was still
  handling clients.
- doveadm: Running doveadm commands via proxying may hang, especially
  when doveadm is printing a lot of output.
- imap: "MOVE * destfolder" goes to a loop copying the last mail to the
  destination until the imap process dies due to running out of memory.
- imap: Running "UID MOVE 1:* Trash" on an empty folder goes to infinite
  loop.
- imap: SEARCH doesn't support $.
- lib-compress: Buffer over-read in zlib stream read.
- lib-dns: If DNS lookup times out, lib-dns can cause crash in calling
  process.
- lib-index: Fixed several bugs in dovecot.index.cache handling that
  could have caused cached data to be lost.
- lib-index: Writing to >=1 GB dovecot.index.cache files may cause
  assert-crashes:
  Panic: file mail-index-util.c: line 37 (mail_index_uint32_to_offset):
  assertion failed: (offset < 0x40000000)
- lib-mail: v2.3.11 regression: MIME parts not returned correctly by
  Dovecot MIME parser.
- lib-ssl-iostream: Fix buggy OpenSSL error handling without
  assert-crashing. If there is no error available, log it as an error
  instead of crashing:
  Panic: file iostream-openssl.c: line 599 (openssl_iostream_handle_error):
  assertion failed: (errno != 0)
- lib-ssl-iostream: ssl_key_password setting did not work.
- pop3-login: Login didn't handle commands in multiple IP packets properly.
  This mainly affected large XCLIENT commands or a large SASL initial
  response parameter in the AUTH command.
- pop3: pop3_deleted_flag setting was broken, causing:
  Panic: file seq-range-array.c: line 472 (seq_range_array_invert):
  assertion failed: (range[count-1].seq2 <= max_seq)
- pop3-login: Login would fail with "Input buffer full" if the initial
  response for SASL was too long.
- submission: A segfault crash may occur when the client or server
  disconnects while a non-transaction command like NOOP or VRFY is still
  being processed.
- virtual: Copying/moving mails with IMAP into a virtual folder
assert-crashes:
  Panic: file cmd-copy.c: line 152 (fetch_and_copy): assertion failed:
  (copy_ctx->copy_count == seq_range_count(&copy_ctx->saved_uids))

pigeonhole changelog:
* managesieve: managesieve_max_line_length setting is now a "size" type
  instead of just number of bytes. This allows using e.g. "64k" as the
  value.
- lib-sieve: When folding white space is used in the Message-ID header,
  it is not stripped away correctly before the message ID value is used,
  causing e.g. garbled log lines at delivery.

PR:		248640
PR:		248644
Submitted by:	juraj@lutter.sk
Reported by:	juraj@lutter.sk
MFH:		2020Q3
Security:	87a07de1-e55e-4d51-bb64-8d117829a26a
Security:	CVE-2020-12100
Security:	CVE-2020-12673
Security:	CVE-2020-10967
Security:	CVE-2020-12674

 

21:33 ler 

mail/dovecot, mail/dovecot-pigeonhole: upgrade to 2.3.6, 0.5.6 respectively.

Dovecot changelog:
* CVE-2019-11494: Submission-login crashed with signal 11 due to null pointer
access when authentication was aborted by disconnecting.
* CVE-2019-11499: Submission-login crashed when authentication was started over
TLS secured channel and invalid authentication message was sent.
* auth: Support password grant with passdb oauth2.
+ Use system default CAs for outbound TLS connections.
+ Simplify array handling with new helper macros.
+ fts_solr: Enable configuring batch_size and soft_commit features.
- lmtp/submission: Fixed various bugs in XCLIENT handling, including a hang when
XCLIENT commands were sent infinitely to the remote server.
- lmtp/submission: Forwarded multi-line replies were erroneously sent as two
replies to the client.
- lib-smtp: client: Message was not guaranteed to contain CRLF consistently when
CHUNKING was used.
- fts_solr: Plugin was no longer compatible with Solr 7.
- Make it possible to disable certificate checking without setting
ssl_client_ca_* settings.
- pop3c: SSL support was broken.
- mysql: Closing connection twice lead to crash on some systems.
- auth: Multiple oauth2 passdbs crashed auth process on deinit.
- HTTP client connection errors infrequently triggered a segmentation fault when
the connection was idle and not used for a particular client instance.

Pigeonhole changelog:
+ sieve: Redirect loop prevention is sometimes ineffective. Improve existing
loop detection by also recognizing the
  X-Sieve-Redirected-From header in incoming messages and dropping redirect
actions when it points to
  the sending account. This header is already added by the redirect action, so
this improvement only adds an additional use of this header.
- sieve: Prevent execution of implicit keep upon temporary failure occurring at
runtime.

MFH:		2019Q2
Security:	CVE-2019-11494
Security:	CVE-2019-11499

 

22:30 ler 

mail/dovecot: Pick up a mailinglist patch for solr/tika separation.

solr and tika currently use the same http client connection.  Upstream
made the attached patches in response to my (ler@) bug report.

Obtained from:	upstream mailing list.