Re: Dovecot

From: Kevin Oberman <rkoberman_at_gmail.com>
Date: Thu, 1 Jul 2021 23:03:38 -0700
On Thu, Jul 1, 2021 at 4:00 PM _at_lbutlr <kremels_at_kreme.com> wrote:

> On 01 Jul 2021, at 16:45, The Doctor <doctor_at_doctor.nl2k.ab.ca> wrote:
> > On Thu, Jul 01, 2021 at 04:21:31PM -0600, _at_lbutlr wrote:
> >> The current version of dovecot is 2.3.15. The newest ports version is
> 2.3.13_1
> >>
> >> dovecot-2.3.13_1 is vulnerable:
> >>  dovecot -- multiple vulnerabilities
> >>  CVE: CVE-2021-33515
> >>  CVE: CVE-2021-29157
> >>  WWW:
> https://vuxml.FreeBSD.org/freebsd/d18f431d-d360-11eb-a32c-00a0989e4ec1.html
> >>
> >> dovecot-pigeonhole-0.5.13 is vulnerable:
> >>  dovecot-pigeonhole -- Sieve excessive resource usage
> >>  CVE: CVE-2020-28200
> >>  WWW:
> https://vuxml.FreeBSD.org/freebsd/f3fc2b50-d36a-11eb-a32c-00a0989e4ec1.html
> >>
> >> These CVEs were addressed in 2.3.14.1.
> >>
> >> Any idea what the delay is?
> >
> > Where is the person responsible for the ports?
>
> No idea. Some people have emailed and received no reply.

% make -C /usr/ports/mail/dovecot maintainer
ler_at_FreeBSD.org

Larry is usually quite responsive, but life happens. It is a volunteer job.
(They all are except the few paid by the FreeBSD Project.)

If someone could update the port, any ports committer can update the port
after a 14 day wait. Until that timeout, it's in Larry's ballpark. I
suspect that some of the FreeBSD patches will need at least a little work.
I really don't have time to spend right now on a port I don't use and am
only familiar with its function.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman_at_gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
Received on Fri Jul 02 2021 - 06:03:38 UTC

Original text of this message