Subject: CVS commit: pkgsrc/mail
From: Takahiro Kambe
Date: 2020-05-18 16:20:47
Message id: 20200518142047.2AA19FB27@cvs.NetBSD.org

Log Message:
mail/dovecot2: update to 2.3.10.1

Update dovecot2 to 2.3.10.1.

v2.3.10.1  2020-05-18  Aki Tuomi <aki.tuomi@open-xchange.com>

- CVE-2020-10957: lmtp/submission: A client can crash the server by
  sending a NOOP command with an invalid string parameter. This occurs
  particularly for a parameter that doesn't start with a double quote.
  This applies to all SMTP services, including submission-login, which
  makes it possible to crash the submission service without
  authentication.
- CVE-2020-10958: lmtp/submission: Sending many invalid or unknown
  commands can cause the server to access freed memory, which can lead
  to a server crash. This happens when the server closes the connection
  with a "421 Too many invalid commands" error. The bad command limit
  depends on the service (lmtp or submission) and varies between 10 to
  20 bad commands.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
  address that has the empty quoted string as local-part causes the lmtp
  service to crash.

Files:
RevisionActionfile
1.40modifypkgsrc/mail/dovecot2/Makefile.common
1.104modifypkgsrc/mail/dovecot2/distinfo
1.21modifypkgsrc/mail/dovecot2-sqlite/Makefile