./mail/dovecot2, Secure IMAP and POP3 server


Branch: pkgsrc-2020Q1, Version: 2.3.10, Package name: dovecot-2.3.10, Maintainer: adam

Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems,
written with security primarily in mind. Dovecot is an excellent choice for both
small and large installations. It's fast, simple to set up, requires no special
administration and it uses very little memory.


Required to run:
[archivers/lz4]


Package options: kqueue, pam, ssl, tcpwrappers

Master sites:

SHA1: cf0d572b640bec519c3c771716d0b32148dc2bd4
RMD160: c4892cc02b7a414a23a03c6adb03acc115c0796b
Filesize: 7052.97 KB

CVS history:


   2020-05-20 21:15:13 by Benny Siegert | Files touched by this commit (2) | Package updated
Log message:
Pullup ticket #6203 - requested by taca
mail/dovecot2: security fix

Revisions pulled up:
- mail/dovecot2/Makefile.common                                 1.40
- mail/dovecot2/distinfo                                        1.104

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Mon May 18 14:20:47 UTC 2020

   Modified Files:
   	pkgsrc/mail/dovecot2: Makefile.common distinfo
   	pkgsrc/mail/dovecot2-sqlite: Makefile

   Log message:
   mail/dovecot2: update to 2.3.10.1

   Update dovecot2 to 2.3.10.1.

   v2.3.10.1  2020-05-18  Aki Tuomi <aki.tuomi@open-xchange.com>

   - CVE-2020-10957: lmtp/submission: A client can crash the server by
     sending a NOOP command with an invalid string parameter. This occurs
     particularly for a parameter that doesn't start with a double quote.
     This applies to all SMTP services, including submission-login, which
     makes it possible to crash the submission service without
     authentication.
   - CVE-2020-10958: lmtp/submission: Sending many invalid or unknown
     commands can cause the server to access freed memory, which can lead
     to a server crash. This happens when the server closes the connection
     with a "421 Too many invalid commands" error. The bad command limit
     depends on the service (lmtp or submission) and varies between 10 and
     20 bad commands.
   - CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
     address that has the empty quoted string as local-part causes the lmtp
     service to crash.