Re: Dovecot

From: @lbutlr <>
Date: Fri, 02 Jul 2021 07:33:46 UTC

> On 02 Jul 2021, at 00:03, Kevin Oberman <> wrote:
> On Thu, Jul 1, 2021 at 4:00 PM @lbutlr <> wrote:
>> On 01 Jul 2021, at 16:45, The Doctor <> wrote:
>>> On Thu, Jul 01, 2021 at 04:21:31PM -0600, @lbutlr wrote:
>>>> The current version of dovecot is 2.3.15. The newest ports version is 2.3.13_1
>>>> dovecot-2.3.13_1 is vulnerable:
>>>> dovecot -- multiple vulnerabilities
>>>> CVE: CVE-2021-33515
>>>> CVE: CVE-2021-29157
>>>> WWW:
>>>> dovecot-pigeonhole-0.5.13 is vulnerable:
>>>> dovecot-pigeonhole -- Sieve excessive resource usage
>>>> CVE: CVE-2020-28200
>>>> WWW:
>>>> These CVEs were addressed in
>>>> Any idea what the delay is?
>>> Where is the person responsible for the ports?
>> No idea. Some people have emailed and received no reply.
> % make -C /usr/ports/mail/dovecot maintainer

Yes, but since I know that others have emailed and not heard back, I didn't think it was worth adding more email to the pile, since Larry obviously either knows or is not in a position to do anything right now. Either way, my email will not help.

> Larry is usually quite responsive, but life happens. It is a volunteer job.
> (They all are except the few paid by the FreeBSD Project.)
> If someone could update the port, any ports committer can update the port
> after a 14 day wait. Until that timeout, it's in Larry's ballpark. I
> suspect that some of the FreeBSD patches will need at least a little work.
> I really don't have time to spend right now on a port I don't use and am
> only familiar with its function.

14 days is a long time to be sitting on the CVEs "This may be used to supply attacker controlled keys to validate tokens" and "On-path attacker could inject plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client."

"Are you pondering what I'm pondering?"
"I think so, Brain, but me and Pippi Longstocking -- I mean, what
	would the children look like?"
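Added illustration, not part of the thread and not Dovecot's code: a toy line-oriented server that models the bug class behind the second CVE description quoted above (plaintext commands injected before STARTTLS being executed after the upgrade). The attacker-appended command, the `reject_pipelined` switch and the "close the connection if bytes follow the STARTTLS line" countermeasure are assumptions for this example; they show the general pattern, not the specific Dovecot patch.

```python
"""Toy model of STARTTLS command injection (illustrative, not Dovecot's code).

An on-path attacker appends a plaintext command to the client's STARTTLS
request in the same TCP segment. A server that keeps its already-buffered
bytes across the TLS upgrade later parses that leftover as if it had
arrived over the encrypted channel.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ToyServer:
    # Hardening switch (assumed for this example): refuse any bytes that are
    # pipelined after the STARTTLS line instead of replaying them post-handshake.
    reject_pipelined: bool
    buf: bytes = b""
    tls: bool = False
    closed: bool = False
    executed: List[Tuple[bytes, bool]] = field(default_factory=list)  # (cmd, over_tls)
    responses: List[bytes] = field(default_factory=list)

    def feed(self, data: bytes) -> None:
        """Bytes from the socket (plaintext) or, after the upgrade, from the TLS layer."""
        if self.closed:
            return
        self.buf += data
        self._process()

    def _process(self) -> None:
        while not self.closed and b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            tag, _, cmd = line.partition(b" ")
            if cmd.upper() == b"STARTTLS":
                self._starttls(tag)
                return  # the handshake must finish before more input is parsed
            self.executed.append((cmd, self.tls))
            self.responses.append(tag + b" OK")

    def _starttls(self, tag: bytes) -> None:
        if self.tls:
            self.responses.append(tag + b" BAD TLS already active")
            return
        if self.buf and self.reject_pipelined:
            # Hardened path: plaintext after STARTTLS is a protocol violation; drop the session.
            self.responses.append(tag + b" BAD data after STARTTLS")
            self.closed = True
            return
        self.responses.append(tag + b" OK begin TLS")
        self.tls = True
        # Vulnerable path: self.buf still holds whatever followed the STARTTLS line.

    def tls_established(self) -> None:
        """Called once the handshake completes. The vulnerable server resumes
        parsing its stale plaintext buffer here, now flagged as TLS traffic."""
        self._process()


def run_scenario(harden: bool) -> ToyServer:
    srv = ToyServer(reject_pipelined=harden)
    # Constructed traffic: the client's STARTTLS line with an attacker-appended
    # plaintext command in the same segment (the on-path injection).
    srv.feed(b"a1 STARTTLS\r\na2 INJECTED\r\n")
    if srv.closed:
        return srv
    srv.tls_established()
    # Constructed real client traffic, now arriving through TLS.
    srv.feed(b"a3 LOGIN alice secret\r\n")
    return srv


def injected_executed_over_tls(srv: ToyServer) -> bool:
    """True if the injected plaintext command ran with the session marked as TLS."""
    return any(cmd == b"INJECTED" and over_tls for cmd, over_tls in srv.executed)


if __name__ == "__main__":
    for harden in (False, True):
        s = run_scenario(harden)
        print("hardened" if harden else "vulnerable", s.responses, s.executed)
```

Running it shows the vulnerable server answering `a2 OK` to a command that never travelled inside TLS, while the hardened server refuses the session at the STARTTLS line. The same check (is the input buffer empty when STARTTLS is accepted?) is what to look for when reviewing any STARTTLS implementation, whatever the protocol.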