CVSROOT: /cvs
Module name: ports
Changes by: [email protected] 2018/03/10 14:54:30
Modified files:
	mail/dovecot : Makefile distinfo
	mail/dovecot/pkg: PLIST-server
Added files:
	mail/dovecot/patches:
		patch-src_lib-master_master-service-ssl-settings_c
		patch-src_plugins_fts-solr_fts-backend-solr_c
Log message:
security update to Dovecot 2.2.34. while there, also fix the default TLS
protocol string to avoid using !SSLv2 which is not supported.

ok juanfra@ Brad

* CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage,
causing imap-login/pop3-login VSZ limit to be reached and the process
restarted. This happens only if Dovecot config has local_name { } or local
{ } configuration blocks and attacker uses randomly generated SNI servernames.
* CVE-2017-14461: Parsing invalid email addresses may cause a crash or leak
memory contents to attacker. For example, these memory contents might contain
parts of an email from another user if the same imap process is reused for
multiple users.
* CVE-2017-15132: Aborted SASL authentication leaks memory in login process.
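
An added example, not part of the commit or of the Dovecot/OpenBSD code: a small config audit that reports the conditions the log message names, namely local_name { } / local { } blocks on a version older than 2.2.34 (the CVE-2017-15130 precondition) and a protocol string that still carries !SSLv2. It assumes the string lives in the ssl_protocols setting; the sample config and the audit() helper are constructed for illustration.

```python
import re

# Constructed sample config (not from the commit); syntax follows Dovecot 2.2.
SAMPLE_CONF = """\
ssl = required
ssl_protocols = !SSLv2 !SSLv3
local_name imap.example.org {
  ssl_cert = </etc/ssl/imap.example.org.crt
}
protocol imap {
  local 192.0.2.0/24 {
    ssl = yes   # a local { } nested in another block still counts
  }
}
# local_name commented.example.org {
"""

FIXED_IN = (2, 2, 34)  # version the commit updates to
BLOCK_OPEN = re.compile(r"^(local_name|local)\s+(\S.*?)\s*\{\s*$")
SETTING = re.compile(r"^(\w+)\s*=\s*(.*)$")


def strip_comment(line):
    """Drop a '#' comment; a simplification that ignores quoted '#'."""
    return line.split("#", 1)[0].strip()


def audit(conf_text, version):
    """Return (line number, finding) tuples in file order.

    version is a tuple such as (2, 2, 33); audit() is a hypothetical helper.
    """
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = strip_comment(raw)
        block = BLOCK_OPEN.match(line)
        if block and version < FIXED_IN:
            findings.append(
                (lineno, "CVE-2017-15130 precondition: %s %s { }" % block.groups()))
        setting = SETTING.match(line)
        if (setting and setting.group(1) == "ssl_protocols"
                and "!SSLv2" in setting.group(2).split()):
            findings.append((lineno, "ssl_protocols names !SSLv2"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_CONF, (2, 2, 33)):
        print("line %d: %s" % (lineno, finding))
```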