ports/97193: mail/dovecot - Update to 1.0.b8 (fixes security hole)

Jeremy Chadwick freebsd at jdc.parodius.com
Sat May 13 07:30:18 UTC 2006

>Number:         97193
>Category:       ports
>Synopsis:       mail/dovecot - Update to 1.0.b8 (fixes security hole)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 13 07:30:16 GMT 2006
>Originator:     Jeremy Chadwick
>Release:        FreeBSD 4.11-STABLE i386
Parodius Networking
System: FreeBSD pentarou.parodius.com 4.11-STABLE FreeBSD 4.11-STABLE #0: Thu Jan 12 01:50:11 PST 2006 root at pentarou.parodius.com:/usr/obj/usr/src/sys/PENTAROU i386
	Update the mail/dovecot to 1.0.b8, which addresses numerous problems
	(including proper kqueue support -- that means us, BSD folks! ;) ),
	the most important of which is a security hole (individuals are
	allowed to list other users' mailboxes).

	I've labelled this as serious/medium because of the security hole.

	Official changelog between b7 and b8 is as follows:

	* Fixed a security hole with mbox: "1 LIST .. *" command could
	  list all directories and files under the mbox root directory, so
	  if your mails were stored in e.g. /var/mail/%u/ directory, the
	  command would list everything under /var/mail.

	+ Unless nfs_check=no or mmap_disable=yes, check for the first login
	  if the user's index directory exists in NFS mount. If so, refuse to
	  run. This is done only on first login to avoid constant extra
	+ If we have plugins set and imap_capability unset, figure out the
	  IMAP capabilities automatically by running imap binary at startup.
	  The generated capability list isn't updated until Dovecot is
	  restarted completely, so if you add or remove IMAP plugins you
	  should restart. If you have problems related to this, set
	  imap_capabilities setting manually to work around it.
	+ Added auth_username_format setting
	- pop3_lock_session setting wasn't really working
	- Lots of fixes related to quota handling. It's still not working
	  perfectly though.
	- Lots of index handling fixes, especially with mmap_disable=yes
	- Maildir: saving mails could have sometimes caused "Append with UID
	  n, but next_uid = m" errors
	- flock() locking never timed out because ignoring SIGALRM caused the
	  system call just to be restarted when SIGALRM occurred (probably not
	  with all OSes though?)
	- kqueue: Fixed "Unrecognized event". Patch by Vaclav Haisman
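The first changelog item above describes a path-traversal failure mode: a mailbox name of ".." sent in a LIST command is joined onto the per-user mbox root and resolves to the root's parent, so everything under /var/mail becomes visible. The Python below is added here as an illustration and is not Dovecot's code; the function names, the /var/mail/alice root and the sample mailbox names are constructed. It puts the naive resolution next to the containment check a defender would want on any client-supplied mailbox name: refuse ".." components outright, refuse absolute names, and refuse any name whose normalized path does not stay at or beneath the root.

```python
import posixpath

# Constructed per-user mbox root in the layout the changelog describes
# (mails stored under /var/mail/%u/, here with %u = "alice").
MBOX_ROOT = "/var/mail/alice"


def naive_mailbox_path(root, name):
    """The pattern behind the fixed bug: join the client-supplied mailbox
    name onto the per-user root without checking where the result lands.
    A name of ".." (as sent by "1 LIST .. *") resolves to the parent of
    the mbox root, i.e. /var/mail itself."""
    return posixpath.normpath(posixpath.join(root, name))


def safe_mailbox_path(root, name):
    """Resolve a client-supplied mailbox name against the per-user root.

    Returns the resolved path, or None when the name is rejected because
    it is empty, contains a NUL byte, is absolute, contains a ".."
    component, or would otherwise leave the root after normalization."""
    if not name or "\0" in name:
        return None
    if name.startswith("/"):
        return None
    # Refuse any ".." component explicitly, including one buried in an
    # otherwise valid hierarchy such as "Lists/../../bob".
    if ".." in name.split("/"):
        return None
    root_n = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root_n, name))
    # Containment check as a second line of defence: the result must be
    # the root itself or live strictly beneath it. Comparing against
    # root_n + "/" stops a sibling such as "/var/mail/alice-other" from
    # passing a plain prefix test.
    if full != root_n and not full.startswith(root_n + "/"):
        return None
    return full


if __name__ == "__main__":
    # Constructed sample names, including the traversal case from the
    # changelog; the naive resolver happily returns /var/mail for "..".
    for name in ["INBOX", "Lists/freebsd-ports", "..", "Lists/../../bob"]:
        print("%-20s naive=%-28s safe=%s" % (
            repr(name),
            naive_mailbox_path(MBOX_ROOT, name),
            safe_mailbox_path(MBOX_ROOT, name)))
```

Run stand-alone the script shows ".." and "Lists/../../bob" resolving outside the root under the naive join while the checked version returns None for both; normal hierarchical names resolve identically under either.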

	Apply below patch.

diff -ruN dovecot.orig/Makefile dovecot/Makefile
--- dovecot.orig/Makefile	Tue May  9 06:19:06 2006
+++ dovecot/Makefile	Sat May 13 00:08:29 2006
@@ -7,8 +7,7 @@
 PORTNAME=	dovecot
-DISTVERSION=	1.0.beta7
+DISTVERSION=	1.0.beta8
 CATEGORIES=	mail ipv6
 MASTER_SITES=	http://www.dovecot.org/releases/
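Review bot: the hunk header `@@ -7,8 +7,7 @@` declares eight old and seven new lines, but only five are visible (two context lines, the DISTVERSION pair, two context lines), so the net removal of one line that the header promises cannot be reviewed. If the dropped line is a PORTREVISION, resetting it is correct alongside the DISTVERSION bump, but it has to be present in the diff to confirm; please resend the complete Makefile hunk.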
diff -ruN dovecot.orig/distinfo dovecot/distinfo
--- dovecot.orig/distinfo	Mon May  8 02:02:59 2006
+++ dovecot/distinfo	Sat May 13 00:19:54 2006
@@ -1,3 +1,3 @@
-MD5 (dovecot-1.0.beta7.tar.gz) = bfbc4c3705f6e6e891934168cd26e9dd
-SHA256 (dovecot-1.0.beta7.tar.gz) = 0044595968396d094d6e67e9112b3af16bef1bd1d63ec4934cc9ca889864e580
-SIZE (dovecot-1.0.beta7.tar.gz) = 1406322
+MD5 (dovecot-1.0.beta8.tar.gz) = 6a87718a86ee1ae2334c75843dd9a7df
+SHA256 (dovecot-1.0.beta8.tar.gz) = b43bb6ea5426b0d78ae260b53be035d1b5371b76a342870b2d56a6aba1ad82d2
+SIZE (dovecot-1.0.beta8.tar.gz) = 1392106
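Review bot: the replacement MD5, SHA256 and SIZE values cannot be verified from the PR itself, and distinfo is what protects `make fetch` from a mis-mirrored or tampered tarball, so the committer should regenerate this file with `make makesum` against the 1.0.beta8 archive fetched from MASTER_SITES and compare the result with these three lines rather than applying them as submitted. The beta7 lines are removed cleanly and the hunk itself is complete.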
diff -ruN dovecot.orig/pkg-plist dovecot/pkg-plist
--- dovecot.orig/pkg-plist	Mon May  8 02:02:59 2006
+++ dovecot/pkg-plist	Sat May 13 00:12:20 2006
@@ -12,6 +12,7 @@
 @dirrm lib/dovecot/imap
 @dirrm lib/dovecot/pop3
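Review bot: the hunk header `@@ -12,6 +12,7 @@` declares one added line, but no `+` line follows the two `@dirrm` context lines, so the actual pkg-plist change for beta8 is missing and the patch as posted will not apply cleanly; please attach the full pkg-plist diff so the new plist entry can be checked against what the beta8 tarball installs.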

