Re: Dovecot

From: _at_lbutlr <kremels_at_kreme.com>
Date: Fri, 2 Jul 2021 01:33:46 -0600
> On 02 Jul 2021, at 00:03, Kevin Oberman <rkoberman_at_gmail.com> wrote:
> 
> On Thu, Jul 1, 2021 at 4:00 PM _at_lbutlr <kremels_at_kreme.com> wrote:
> 
>> On 01 Jul 2021, at 16:45, The Doctor <doctor_at_doctor.nl2k.ab.ca> wrote:
>>> On Thu, Jul 01, 2021 at 04:21:31PM -0600, _at_lbutlr wrote:
>>>> The current version of dovecot is 2.3.15. The newest ports version is
>> 2.3.13_1
>>>> 
>>>> dovecot-2.3.13_1 is vulnerable:
>>>> dovecot -- multiple vulnerabilities
>>>> CVE: CVE-2021-33515
>>>> CVE: CVE-2021-29157
>>>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/d18f431d-d360-11eb-a32c-00a0989e4ec1.html
>>>> 
>>>> dovecot-pigeonhole-0.5.13 is vulnerable:
>>>> dovecot-pigeonhole -- Sieve excessive resource usage
>>>> CVE: CVE-2020-28200
>>>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/f3fc2b50-d36a-11eb-a32c-00a0989e4ec1.html
>>>> 
>>>> These CVEs were addressed in 2.3.14.1.
>>>> 
>>>> Any idea what the delay is?
>>> 
>>> Where is the person responsible for the ports?
>> 
>> No idea. Some people have emailed and received no reply.
> 
> % make -C /usr/ports/mail/dovecot maintainer
> ler_at_FreeBSD.org

Yes, but sine I know that outhers have emailed and not heard, I din't think it was worse adding more email to the pile since Larry obviously either knows, or is not in a position to do anything right now. Either way, my email will not help.

> Larry is usually quite responsive, but life happens. It is a volunteer job.
> (They all are except the few paid by the FreeBSD Project.)
> 
> If someone could update the port, any ports committer can update the port
> after a 14 day wait. Until that timeout, it's in Larry's ballpark. I
> suspect that some of the FreeBSD patches will need at least a little work.
> I really don't have time to spend right now on a port I don't use and am
> only familiar with its function.

14 days is a long time to be sitting on the CVEs "This may be used to supply attacker controlled keys to validate tokens" and "On-path attacker could inject plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client."

-- 
"Are you pondering what I'm pondering?"
"I think so, Brain, but me and Pippi Longstocking -- I mean, what
	would the children look like?"
Received on Fri Jul 02 2021 - 07:33:46 UTC

Original text of this message