Subject: CVS commit: pkgsrc/mail
From: Adam Ciarcinski
Date: 2024-08-19 11:29:57
Message id: 20240819092957.2C9C0FC74@cvs.NetBSD.org

Log Message:
dovecot2: updated to 2.3.21.1

v2.3.21.1

- CVE-2024-23184: A large number of address headers in email resulted
  in excessive CPU usage.
- CVE-2024-23185: Abnormally large email headers are now truncated or
  discarded, with a limit of 10MB on a single header and 50MB for all
  the headers of all the parts of an email.
- oauth2: Dovecot would send client_id and client_secret as POST parameters
  to the introspection server. These need to optionally be sent in Basic auth
  instead, as required by the OIDC specification.
- oauth2: JWT key type check was too strict.
- oauth2: JWT token audience was not validated against client_id as
  required by the OIDC specification.
- oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out a
  protocol-specific error message on all errors. This broke OIDC discovery.
- oauth2: JWT aud validation was not performed if aud was missing
  from token, but was configured on Dovecot.

Files:
Revision  Action  File
1.112     modify  pkgsrc/mail/dovecot2/Makefile
1.53      modify  pkgsrc/mail/dovecot2/Makefile.common
1.124     modify  pkgsrc/mail/dovecot2/distinfo
1.8       modify  pkgsrc/mail/dovecot2-ldap/Makefile
1.36      modify  pkgsrc/mail/dovecot2-sqlite/Makefile
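The two oauth2 "aud" items in the log message above describe one validation rule: when an audience is configured, a JWT's aud claim must contain the client_id, and a token with no aud claim at all must be rejected rather than silently passing. The following is an added illustration of that rule, not Dovecot's code; it uses a constructed HS256 shared secret and a hypothetical client_id, and the signature check is included only so that the audience check runs on claims whose integrity has already been verified.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; neither comes from Dovecot or the commit.
SECRET = b"example-shared-secret-not-for-production"
CLIENT_ID = "mail-client-example"


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used by compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Restore the padding the JWS encoding strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Issue a compact JWS signed with HMAC-SHA256 (stands in for the OIDC provider)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Check the signature and return the claims; raise ValueError on any defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))


def audience_ok(claims: dict, expected_aud) -> bool:
    """Apply the OIDC audience rule.

    - No audience configured: nothing to check.
    - Audience configured but claim absent: reject (this is the case the
      changelog says was previously skipped).
    - aud may be a string or a list of strings; the configured value must
      appear in it.
    """
    if expected_aud is None:
        return True
    aud = claims.get("aud")
    if aud is None:
        return False
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not all(isinstance(a, str) for a in aud):
        return False
    return expected_aud in aud


def accept_token(token: str, secret: bytes, expected_aud) -> bool:
    """Signature first, then audience; an invalid signature never reaches the aud check."""
    try:
        claims = verify_hs256(token, secret)
    except ValueError:
        return False
    return audience_ok(claims, expected_aud)


if __name__ == "__main__":
    good = make_hs256_token({"sub": "alice", "aud": CLIENT_ID}, SECRET)
    no_aud = make_hs256_token({"sub": "alice"}, SECRET)
    print("matching aud   :", accept_token(good, SECRET, CLIENT_ID))
    print("missing aud    :", accept_token(no_aud, SECRET, CLIENT_ID))
    print("aud unconfigured:", accept_token(no_aud, SECRET, None))
```

The ordering in accept_token matters: a token whose payload was altered to carry the right audience fails the signature check before its claims are ever read, so the aud comparison only runs over data the issuer actually signed.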