Subject: CVS commit: [pkgsrc-2019Q1] pkgsrc/mail/dovecot2
From: S.P.Zeidler
Date: 2019-05-12 22:29:57
Message id: 20190512202957.59AF6FB16@cvs.NetBSD.org

Log Message:
Pullup ticket #5956 - requested by taca
mail/dovecot2: security update

Revisions pulled up:
- mail/dovecot2/Makefile.common                                 1.27-1.28
- mail/dovecot2/PLIST                                           1.65
- mail/dovecot2/distinfo                                        1.91-1.92

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Fri Apr 19 05:35:04 UTC 2019

   Modified Files:
   	pkgsrc/mail/dovecot2: Makefile.common distinfo
   	pkgsrc/mail/dovecot2-sqlite: Makefile

   Log Message:
   dovecot2: updated to 2.3.5.2

   v2.3.5.2
   * CVE-2019-10691: Trying to login with 8bit username containing
     invalid UTF8 input causes auth process to crash if auth policy is
     enabled. This could be used rather easily to cause a DoS. Similar
     crash also happens during mail delivery when using invalid UTF8 in
     From or Subject header when OX push notification driver is used.

   To generate a diff of this commit:
   cvs rdiff -u -r1.26 -r1.27 pkgsrc/mail/dovecot2/Makefile.common
   cvs rdiff -u -r1.90 -r1.91 pkgsrc/mail/dovecot2/distinfo

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Tue Apr 30 15:21:06 UTC 2019

   Modified Files:
   	pkgsrc/mail/dovecot2: Makefile.common PLIST distinfo

   Log Message:
   mail/dovecot2: update to 2.3.6

   Update dovecot2 and dovecot-{gssapi,ldap,mysql,pgsql,sqlite} to 2.3.6.

   v2.3.6 2019-04-30  Aki Tuomi <aki.tuomi@open-xchange.com>

   	* CVE-2019-11494: Submission-login crashed with signal 11 due to null
   	  pointer access when authentication was aborted by disconnecting.
   	* CVE-2019-11499: Submission-login crashed when authentication was
   	  started over TLS secured channel and invalid authentication message
   	  was sent.
   	* auth: Support password grant with passdb oauth2.
   	+ Use system default CAs for outbound TLS connections.
   	+ Simplify array handling with new helper macros.
   	+ fts_solr: Enable configuring batch_size and soft_commit features.
   	- lmtp/submission: Fixed various bugs in XCLIENT handling, including a
   	  hang when XCLIENT commands were sent infinitely to the remote server.
   	- lmtp/submission: Forwarded multi-line replies were erroneously sent
   	  as two replies to the client.
   	- lib-smtp: client: Message was not guaranteed to contain CRLF
   	  consistently when CHUNKING was used.
   	- fts_solr: Plugin was no longer compatible with Solr 7.
   	- Make it possible to disable certificate checking without
   	  setting ssl_client_ca_* settings.
   	- pop3c: SSL support was broken.
   	- mysql: Closing connection twice led to crash on some systems.
   	- auth: Multiple oauth2 passdbs crashed auth process on deinit.
   	- HTTP client connection errors infrequently triggered a segmentation
   	  fault when the connection was idle and not used for a particular
   	  client instance.

   To generate a diff of this commit:
   cvs rdiff -u -r1.27 -r1.28 pkgsrc/mail/dovecot2/Makefile.common
   cvs rdiff -u -r1.64 -r1.65 pkgsrc/mail/dovecot2/PLIST
   cvs rdiff -u -r1.91 -r1.92 pkgsrc/mail/dovecot2/distinfo

Files:
Revision    Action    file
1.26.2.1    modify    pkgsrc/mail/dovecot2/Makefile.common
1.64.2.1    modify    pkgsrc/mail/dovecot2/PLIST
1.90.2.1    modify    pkgsrc/mail/dovecot2/distinfo