svn commit: r439856 - in branches/2017Q2/mail: dovecot2 dovecot2-antispam-plugin dovecot2-pigeonhole dovecot2-pigeonhole/files dovecot2/files
Adam Weinberger
adamw at FreeBSD.org
Mon May 1 00:59:31 UTC 2017
Author: adamw
Date: Mon May 1 00:59:29 2017
New Revision: 439856
URL: https://svnweb.freebsd.org/changeset/ports/439856
Log:
MFH: r438222 r438323 r438365 r439618 r439854
This contains updates to both dovecot2 and dovecot2-pigeonhole that
fix bugs and, in dovecot2, a CVE.
Update dovecot to 2.2.29, and bump PORTREVISION for the plugins. Add a
warning to the pkg-message that security.bsd.see_other_uids/gids should
not be enabled if dovecot is storing mail for multiple users concurrently
(PR 218392, submitted by topical).
* passdb/userdb dict: Don't double-expand %variables in keys. If dict
was used as the authentication passdb, using specially crafted
%variables in the username could be used to cause DoS (CVE-2017-2669)
* When Dovecot encounters an internal error, it logs the real error and
usually logs another line saying what function failed. Previously the
second log line's error message was a rather uninformative "Internal
error occurred. Refer to server log for more information." Now the
real error message is duplicated in this second log line.
* lmtp: If a delivery has multiple recipients, run autoexpunging only
for the last recipient. This avoids a problem where a long
autoexpunge run causes LMTP client to timeout between the DATA
replies, resulting in duplicate mail deliveries.
* config: Don't stop the process due to idling. Otherwise the
configuration is reloaded when the process restarts.
* mail_log plugin: Differentiate autoexpunges from regular expunges
* imapc: Use LOGOUT to cleanly disconnect from server.
* lib-http: Internal status codes (>9000) are no longer visible in logs
* director: Log vhost count changes and HOST-UP/DOWN
+ quota: Add plugin { quota_max_mail_size } setting to limit the
maximum individual mail size that can be saved.
+ imapc: Add imapc_features=delay-login. If set, connecting to the
remote IMAP server isn't done until it's necessary.
+ imapc: Add imapc_connection_retry_count and
imapc_connection_retry_interval settings.
+ imap, pop3, indexer-worker: Add (deinit) to process title before
autoexpunging runs.
+ Added %{encrypt} and %{decrypt} variables
+ imap/pop3 proxy: Log proxy state in errors as human-readable string.
+ imap/pop3-login: All forward_* extra fields returned by passdb are
sent to the next hop when proxying using ID/XCLIENT commands. On the
receiving side these fields are imported and sent to auth process
where they're accessible via %{passdb:forward_*}. This is done only
if the sending IP address matches login_trusted_networks.
+ imap-login: If imap_id_retain=yes, send the IMAP ID string to
auth process. %{client_id} expands to it in auth process. The ID
string is also sent to the next hop when proxying.
+ passdb imap: Use ssl_client_ca_* settings for CA validation.
- fts-tika: Fixed crash when parsing attachment without
Content-Disposition header. Broken by 2.2.28. (fixed in FreeBSD ports)
- trash plugin was broken in 2.2.28 (fixed in FreeBSD ports)
- auth: When passdb/userdb lookups were done via auth-workers, too much
data was added to auth cache. This could have resulted in wrong
replies when using multiple passdbs/userdbs.
- auth: passdb { skip & mechanisms } were ignored for the first passdb
- oauth2: Various fixes, including fixes to crashes
- dsync: Large Sieve scripts (or other large metadata) weren't always
synced.
- Index rebuild (e.g. doveadm force-resync) set all mails as \Recent
- imap-hibernate: %{userdb:*} wasn't expanded in mail_log_prefix
- doveadm: Exit codes weren't preserved when proxying commands via
doveadm-server. Almost all errors used exit code 75 (tempfail).
- ACLs weren't applied to not-yet-existing autocreated mailboxes.
- Fixed a potential crash when parsing a broken message header.
- cassandra: Fallback consistency settings weren't working correctly.
- doveadm director status <user>: "Initial config" was always empty
- imapc: Various reconnection fixes.
Upgrade mail/dovecot2-pigeonhole to 0.4.18.
Changelog v0.4.18:
+ imapsieve plugin: Implemented the copy_source_after rule action. When
this is enabled for a mailbox rule, the specified Sieve script is
executed for the message in the source mailbox during a "COPY" event.
This happens only after the Sieve script that is executed for the
corresponding message in the destination mailbox finishes running
successfully.
+ imapsieve plugin: Added non-standard Sieve environment items for the
source and destination mailbox.
- multiscript: The execution of the discard script had an implicit
"keep", rather than an implicit "discard".
Approved by: adamw (mentor)
Differential Revision: https://reviews.freebsd.org/D10366
Update to 2.2.29.1.
- imapc reconnection fix was forgotten from 2.2.29 release, which also
made "make check" fail in a unit test
- dict-sql: Merging multiple UPDATEs to a single statement wasn't
actually working.
- Fixed building with vpopmail
Upon continuing the deferred implicit keep, the implicit side-effects
(such as imap flags) were not applied.
Obtained from: https://github.com/dovecot/pigeonhole/commit/3e1a17a286ab0e084577fc267a442cb12aed1cbc
Approved by: adamw (mentor, implicit)
Add an already-upstreamed patch to fix dovecot-auth wedging with
NTLM authentication.
PR: 218693
Submitted by: Andriy Syrovenko
Obtained from: https://github.com/dovecot/core/commit/a319c3201bff1ea7bae3e7ab1fae42e9c4759056
Approved by: ports-secteam (feld)
Added:
branches/2017Q2/mail/dovecot2-pigeonhole/files/
- copied from r439618, head/mail/dovecot2-pigeonhole/files/
branches/2017Q2/mail/dovecot2/files/patch-fix-ntlm_auth
- copied unchanged from r439854, head/mail/dovecot2/files/patch-fix-ntlm_auth
Deleted:
branches/2017Q2/mail/dovecot2/files/patch-src_plugins_fts_fts-parser-tika.c
branches/2017Q2/mail/dovecot2/files/patch-trash_plugin
Modified:
branches/2017Q2/mail/dovecot2-antispam-plugin/Makefile
branches/2017Q2/mail/dovecot2-pigeonhole/Makefile
branches/2017Q2/mail/dovecot2-pigeonhole/distinfo
branches/2017Q2/mail/dovecot2/Makefile
branches/2017Q2/mail/dovecot2/distinfo
branches/2017Q2/mail/dovecot2/files/pkg-message.in
branches/2017Q2/mail/dovecot2/pkg-plist
Directory Properties:
branches/2017Q2/ (props changed)
Modified: branches/2017Q2/mail/dovecot2-antispam-plugin/Makefile
==============================================================================
--- branches/2017Q2/mail/dovecot2-antispam-plugin/Makefile Mon May 1 00:39:18 2017 (r439855)
+++ branches/2017Q2/mail/dovecot2-antispam-plugin/Makefile Mon May 1 00:59:29 2017 (r439856)
@@ -3,7 +3,7 @@
PORTNAME= dovecot2-antispam-plugin
PORTVERSION= 20130429
-PORTREVISION= 25
+PORTREVISION= 26
CATEGORIES= mail
MASTER_SITES= http://olgeni.olgeni.com/~olgeni/distfiles/ \
LOCAL/olgeni
Modified: branches/2017Q2/mail/dovecot2-pigeonhole/Makefile
==============================================================================
--- branches/2017Q2/mail/dovecot2-pigeonhole/Makefile Mon May 1 00:39:18 2017 (r439855)
+++ branches/2017Q2/mail/dovecot2-pigeonhole/Makefile Mon May 1 00:59:29 2017 (r439856)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= dovecot-pigeonhole
-PORTVERSION= 0.4.17
+PORTVERSION= 0.4.18
PORTREVISION= 1
CATEGORIES= mail
MASTER_SITES= http://pigeonhole.dovecot.org/releases/${DOVECOTVERSION}/
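Review bot: PORTREVISION stays at 1 in the unchanged context line while PORTVERSION goes from 0.4.17 to 0.4.18, and the diff alone does not show whether it was reset and then bumped again. The log does mention a pigeonhole fix obtained from upstream after the 0.4.18 update and a copied files/ directory, which would justify a 1 here; confirm the value matches head so packages built from the branch and from head carry the same version string.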
Modified: branches/2017Q2/mail/dovecot2-pigeonhole/distinfo
==============================================================================
--- branches/2017Q2/mail/dovecot2-pigeonhole/distinfo Mon May 1 00:39:18 2017 (r439855)
+++ branches/2017Q2/mail/dovecot2-pigeonhole/distinfo Mon May 1 00:59:29 2017 (r439856)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1488163544
-SHA256 (dovecot-2.2-pigeonhole-0.4.17.tar.gz) = 74d869c7532cbf4fe41e3cc95a1aa6ce32e98f4d423f0d099da1e0fba022dae3
-SIZE (dovecot-2.2-pigeonhole-0.4.17.tar.gz) = 1787177
+TIMESTAMP = 1491958585
+SHA256 (dovecot-2.2-pigeonhole-0.4.18.tar.gz) = dd871bb57fad22795460f613f3c9484a8bf229272ac00956d837a34444f1c3a9
+SIZE (dovecot-2.2-pigeonhole-0.4.18.tar.gz) = 1742357
Modified: branches/2017Q2/mail/dovecot2/Makefile
==============================================================================
--- branches/2017Q2/mail/dovecot2/Makefile Mon May 1 00:39:18 2017 (r439855)
+++ branches/2017Q2/mail/dovecot2/Makefile Mon May 1 00:59:29 2017 (r439856)
@@ -13,10 +13,10 @@
######################################################################
PORTNAME= dovecot
-PORTVERSION= 2.2.28
-PORTREVISION= 2
+PORTVERSION= 2.2.29.1
+PORTREVISION= 1
CATEGORIES= mail ipv6
-MASTER_SITES= https://www.dovecot.org/releases/${PORTVERSION:R}/
+MASTER_SITES= https://www.dovecot.org/releases/${PORTVERSION:R:R}/
PKGNAMESUFFIX= 2
MAINTAINER= adamw at FreeBSD.org
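Review bot: `${PORTVERSION:R:R}` in MASTER_SITES is correct only while PORTVERSION has four components. For 2.2.29.1 it yields 2.2, but a later three-component version such as 2.2.30 would yield 2 and break the fetch URL. Either leave a comment next to MASTER_SITES saying the second :R has to be dropped on the next regular release, or derive the release directory from the first two components explicitly so the line does not depend on the shape of the version number.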
Modified: branches/2017Q2/mail/dovecot2/distinfo
==============================================================================
--- branches/2017Q2/mail/dovecot2/distinfo Mon May 1 00:39:18 2017 (r439855)
+++ branches/2017Q2/mail/dovecot2/distinfo Mon May 1 00:59:29 2017 (r439856)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1487948861
-SHA256 (dovecot-2.2.28.tar.gz) = e0288f59e326ab87cb3881fdabadafe542f4dc7ab9996db13863a439ebbc1f25
-SIZE (dovecot-2.2.28.tar.gz) = 5921992
+TIMESTAMP = 1492013710
+SHA256 (dovecot-2.2.29.1.tar.gz) = ccfa9ffb7eb91e9e87c21c108324b911250c9ffa838bffb64b1caafadcb0f388
+SIZE (dovecot-2.2.29.1.tar.gz) = 5972119
Copied: branches/2017Q2/mail/dovecot2/files/patch-fix-ntlm_auth (from r439854, head/mail/dovecot2/files/patch-fix-ntlm_auth)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2017Q2/mail/dovecot2/files/patch-fix-ntlm_auth Mon May 1 00:59:29 2017 (r439856, copy of r439854, head/mail/dovecot2/files/patch-fix-ntlm_auth)
@@ -0,0 +1,36 @@
+From a319c3201bff1ea7bae3e7ab1fae42e9c4759056 Mon Sep 17 00:00:00 2001
+From: Andriy Syrovenko <andriys at gmail.com>
+Date: Mon, 17 Apr 2017 01:14:02 +0300
+Subject: [PATCH] auth: Fixed dovecot/auth hanging when child ntlm_auth crashes
+ while processing an authentication request
+
+---
+ src/auth/mech-winbind.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/auth/mech-winbind.c b/src/auth/mech-winbind.c
+index 4a65696..c12fb5e 100644
+--- src/auth/mech-winbind.c
++++ src/auth/mech-winbind.c
+@@ -187,12 +187,18 @@ do_auth_continue(struct auth_request *auth_request,
+ request->continued = FALSE;
+
+ while ((answer = i_stream_read_next_line(in_pipe)) == NULL) {
+- if (in_pipe->stream_errno != 0)
++ if (in_pipe->stream_errno != 0 || in_pipe->eof)
+ break;
+ }
+ if (answer == NULL) {
+- auth_request_log_error(auth_request, AUTH_SUBSYS_MECH,
+- "read(in_pipe) failed: %m");
++ if (in_pipe->stream_errno != 0) {
++ auth_request_log_error(auth_request, AUTH_SUBSYS_MECH,
++ "read(in_pipe) failed: %m");
++ } else {
++ auth_request_log_error(auth_request, AUTH_SUBSYS_MECH,
++ "read(in_pipe) failed: "
++ "unexpected end of file");
++ }
+ return HR_RESTART;
+ }
+
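Review bot: The read loop in do_auth_continue() now ends on `in_pipe->eof`, but it still has no time bound: if the ntlm_auth child stays alive without writing a line (a stall rather than a crash), neither stream_errno nor eof is set and the loop keeps waiting, so the auth process can wedge the same way as before. A timeout on this read is worth raising upstream as a follow-up. Separately, the `%m` branch formats from errno, which is only right if nothing between the failed read and the log call has changed it; logging from in_pipe->stream_errno would tie the message to the stream that actually failed.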
Modified: branches/2017Q2/mail/dovecot2/files/pkg-message.in
==============================================================================
--- branches/2017Q2/mail/dovecot2/files/pkg-message.in Mon May 1 00:39:18 2017 (r439855)
+++ branches/2017Q2/mail/dovecot2/files/pkg-message.in Mon May 1 00:59:29 2017 (r439856)
@@ -15,6 +15,14 @@
dovecot_enable="YES"
+---------------------------------------------------------------------
+
+To avoid a risk of mailbox corruption, do not enable the
+security.bsd.see_other_uids or .see_other_guids sysctls if Dovecot
+is storing mail for multiple concurrent users (PR 218392).
+
+---------------------------------------------------------------------
+
If you want to be able to search within attachments using the
decode2text plugin, you'll need to install textproc/catdoc, and
one of graphics/xpdf or graphics/poppler-utils.
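Review bot: The added text names `.see_other_guids`, but the commit log above refers to security.bsd.see_other_uids/gids; the second name should read security.bsd.see_other_gids, spelled out in full so an admin can search for it in sysctl.conf. "Do not enable" is also ambiguous for these knobs, since their default is 1 and the restrictive setting is 0; state the exact value that must be avoided.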
Modified: branches/2017Q2/mail/dovecot2/pkg-plist
==============================================================================
--- branches/2017Q2/mail/dovecot2/pkg-plist Mon May 1 00:39:18 2017 (r439855)
+++ branches/2017Q2/mail/dovecot2/pkg-plist Mon May 1 00:59:29 2017 (r439856)
@@ -179,6 +179,7 @@ include/dovecot/hex-dec.h
include/dovecot/hmac-cram-md5.h
include/dovecot/hmac.h
include/dovecot/home-expand.h
+include/dovecot/hook-build.h
include/dovecot/hostpid.h
include/dovecot/http-auth.h
include/dovecot/http-client-private.h
@@ -567,9 +568,12 @@ include/dovecot/userdb-vpopmail.h
include/dovecot/userdb.h
include/dovecot/utc-mktime.h
include/dovecot/utc-offset.h
+include/dovecot/var-expand-private.h
include/dovecot/var-expand.h
include/dovecot/wildcard-match.h
include/dovecot/write-full.h
+lib/dovecot/auth/lib20_auth_var_expand_crypt.a
+lib/dovecot/auth/lib20_auth_var_expand_crypt.so
lib/dovecot/auth/libauthdb_imap.a
lib/dovecot/auth/libauthdb_imap.so
lib/dovecot/doveadm/lib10_doveadm_acl_plugin.a
@@ -627,6 +631,8 @@ lib/dovecot/lib20_quota_clone_plugin.a
lib/dovecot/lib20_quota_clone_plugin.so
lib/dovecot/lib20_replication_plugin.a
lib/dovecot/lib20_replication_plugin.so
+lib/dovecot/lib20_var_expand_crypt.a
+lib/dovecot/lib20_var_expand_crypt.so
lib/dovecot/lib20_virtual_plugin.a
lib/dovecot/lib20_virtual_plugin.so
lib/dovecot/lib20_zlib_plugin.a