Path to this page:
Subject: CVS commit: pkgsrc/mail
From: Adam Ciarcinski
Date: 2024-08-19 11:29:57
Message id: 20240819092957.2C9C0FC74@cvs.NetBSD.org
Log Message:
dovecot2: updated to 2.3.21.1
v2.3.21.1
- CVE-2024-23184: A large number of address headers in email resulted
in excessive CPU usage.
- CVE-2024-23185: Abnormally large email headers are now truncated or
discarded, with a limit of 10MB on a single header and 50MB for all
the headers of all the parts of an email.
- oauth2: Dovecot would send client_id and client_secret as POST parameters
to introspection server. These need to be optionally in Basic auth
instead as required by OIDC specification.
- oauth2: JWT key type check was too strict.
- oauth2: JWT token audience was not validated against client_id as
required by OIDC specification.
- oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
protocol specific error message on all errors. This broke OIDC discovery.
- oauth2: JWT aud validation was not performed if aud was missing
from token, but was configured on Dovecot.
Files: