Pullup ticket #6303 - requested by taca

mail/dovecot2: security fix

Revisions pulled up:
- mail/dovecot2-sqlite/Makefile                                 1.23
- mail/dovecot2/Makefile.common                                 1.41
- mail/dovecot2/PLIST                                           1.70
- mail/dovecot2/buildlink3.mk                                   1.34
- mail/dovecot2/distinfo                                        1.105

---
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Wed Aug 12 15:54:38 UTC 2020

   Modified Files:
           pkgsrc/mail/dovecot2: Makefile.common PLIST buildlink3.mk distinfo
           pkgsrc/mail/dovecot2-sqlite: Makefile

   Log Message:
   mail/dovocot2: update to 2.3.11.3

   Update dovecot2 and related packages to 2.3.11.3.

   v2.3.11.3 2020-07-29    Aki Tuomi <aki.tuomi@open-xchange.com>

           - pop3-login: Login didn't handle commands in multiple IP packets properly.
             This mainly affected large XCLIENT commands or a large SASL initial
             response parameter in the AUTH command.
           - pop3: pop3_deleted_flag setting was broken, causing:
             Panic: file seq-range-array.c: line 472 (seq_range_array_invert):
             assertion failed: (range[count-1].seq2 <= max_seq)

   v2.3.11.2 2020-07-13    Aki Tuomi <aki.tuomi@open-xchange.com>

           - auth: Lua passdb/userdb leaks stack elements per call, eventually
             causing the stack to become too deep and crashing the auth or
             auth-worker process.
           - lib-mail: v2.3.11 regression: MIME parts not returned correctly by
             Dovecot MIME parser.
           - pop3-login: Login would fail with "Input buffer full" if the initial
             response for SASL was too long.

   v2.3.11 2020-06-17  Aki Tuomi <aki.tuomi@open-xchange.com>

           * CVE-2020-12100: Parsing mails with a large number of MIME parts could
             have resulted in excessive CPU usage or a crash due to running out of
             stack memory.
           * CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
             message buffer size, which leads to reading past allocation which can
             lead to crash.
           * CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
             zero-length message, which leads to assert-crash later on.
           * Events: Fix inconsistency in events. See event documentation in
             https://doc.dovecot.org.
           * imap_command_finished event's cmd_name field now contains "unknown"
             for unknown commands. A new "cmd_input_name" field contains the
             command name exactly as it was sent.
           * lib-index: Renamed mail_cache_compress_* settings to mail_cache_purge_*.
             Note that these settings are mainly intended for testing and usually
             shouldn't be changed.
           * events: Renamed "index" event category to "mail-index".
           * events: service:<name> category is now using the name from
             configuration file.
           * dns-client: service dns_client was renamed to dns-client.
           * log: Prefixes generally use the service name from configuration file.
             For example dict-async service will now use
             "dict-async(pid): " log prefix instead of "dict(pid): "
           * *-login: Changed logging done by proxying to use a consistent prefix
             containing the IP address and port.
           * *-login: Changed disconnection log messages to be slightly clearer.
           + dict: Add events for dictionaries.
           + lib-index: Finish logging with events.
           + oauth2: Support local validation of JWT tokens.
           + stats: Add support for dynamic histograms and grouping. See
             https://doc.dovecot.org/configuration_manual/stats/.
           + imap: Implement RFC 8514: IMAP SAVEDATE
           + lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge
             folder) adds a lot of data to dovecot.index.cache file, commit those
             changes periodically to make them visible to other concurrent sessions
             as well.
           + stats: Add OpenMetrics exporter for statistics. See
             https://doc.dovecot.org/configuration_manual/stats/openmetrics/.
           + stats: Support disabling stats-writer socket by setting
             stats_writer_socket_path="".
           - auth-worker: Process keeps slowly increasing its memory usage and
             eventually dies with "out of memory" due to reaching vsz_limit.
           - auth: Prevent potential timing attacks in authentication secret
             comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, crypt() result.
           - auth: Several auth-mechanisms allowed input to be truncated by NUL
             which can potentially lead to unintentional issues or even successful
             logins which should have failed.
           - auth: When auth policy returned a delay, auth_request_finished event
             had policy_result=ok field instead of policy_result=delayed.
           - auth: auth process crash when auth_policy_server_url is set to an
             invalid URL.
           - dict-ldap: Crash occurs if var_expand template expansion fails.
           - dict: If dict client disconnected while iteration was still running,
             dict process could have started using 100% CPU, although it was still
             handling clients.
           - doveadm: Running doveadm commands via proxying may hang, especially
             when doveadm is printing a lot of output.
           - imap: "MOVE * destfolder" goes to a loop copying the last mail to the
             destination until the imap process dies due to running out of memory.
           - imap: Running "UID MOVE 1:* Trash" on an empty folder goes to infinite
             loop.
           - imap: SEARCH doesn't support $.
           - lib-compress: Buffer over-read in zlib stream read.
           - lib-dns: If DNS lookup times out, lib-dns can cause crash in calling
             process.
           - lib-index: Fixed several bugs in dovecot.index.cache handling that
             could have caused cached data to be lost.
           - lib-index: Writing to >=1 GB dovecot.index.cache files may cause
             assert-crashes:
             Panic: file mail-index-util.c: line 37 (mail_index_uint32_to_offset):
             assertion failed: (offset < 0x40000000)
           - lib-ssl-iostream: Fix buggy OpenSSL error handling without
             assert-crashing. If there is no error available, log it as an error
             instead of crashing:
             Panic: file iostream-openssl.c: line 599 (openssl_iostream_handle_error):
             assertion failed: (errno != 0)
           - lib-ssl-iostream: ssl_key_password setting did not work.
           - submission: A segfault crash may occur when the client or server
             disconnects while a non-transaction command like NOOP or VRFY is still
             being processed.
           - virtual: Copying/moving mails with IMAP into a virtual folder assert-crashes:
             Panic: file cmd-copy.c: line 152 (fetch_and_copy): assertion failed:
             (copy_ctx->copy_count == seq_range_count(&copy_ctx->saved_uids))

5 files changed, 14 insertions, 12 deletions

diff --git a/mail/dovecot2-sqlite/Makefile b/mail/dovecot2-sqlite/Makefile
index 8ce16f8df68..3aa21b4d9b2 100644
--- a/mail/dovecot2-sqlite/Makefile
+++ b/mail/dovecot2-sqlite/Makefile
@@ -1,6 +1,5 @@
-# $NetBSD: Makefile,v 1.22 2020/06/02 08:24:14 adam Exp $
+# $NetBSD: Makefile,v 1.22.2.1 2020/08/24 19:03:13 bsiegert Exp $
 
-PKGREVISION= 1
 .include "../../mail/dovecot2/Makefile.common"
 
 PKGNAME=	${DISTNAME:S/dovecot/dovecot-sqlite/}
diff --git a/mail/dovecot2/Makefile.common b/mail/dovecot2/Makefile.common
index 4923adea8ea..05d0459a49d 100644
--- a/mail/dovecot2/Makefile.common
+++ b/mail/dovecot2/Makefile.common
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.40 2020/05/18 14:20:46 taca Exp $
+# $NetBSD: Makefile.common,v 1.40.2.1 2020/08/24 19:03:13 bsiegert Exp $
 #
 # when updating to a new release, update ABI depends in
 # the buildlink3.mk file as well, since the plugins' version
@@ -11,7 +11,7 @@
 # used by mail/dovecot2-pgsql/Makefile
 # used by mail/dovecot2-sqlite/Makefile
 
-DISTNAME=	dovecot-2.3.10.1
+DISTNAME=	dovecot-2.3.11.3
 CATEGORIES=	mail
 MASTER_SITES=	https://dovecot.org/releases/${PKGVERSION_NOREV:R:R}/
 
diff --git a/mail/dovecot2/PLIST b/mail/dovecot2/PLIST
index 94c2e054228..bbc2c8224ca 100644
--- a/mail/dovecot2/PLIST
+++ b/mail/dovecot2/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.69 2020/03/15 22:52:04 adam Exp $
+@comment $NetBSD: PLIST,v 1.69.4.1 2020/08/24 19:03:13 bsiegert Exp $
 bin/doveadm
 bin/doveconf
 bin/dovecot-sysreport
@@ -27,6 +27,7 @@ include/dovecot/auth-master-connection.h
 include/dovecot/auth-master.h
 include/dovecot/auth-penalty.h
 include/dovecot/auth-policy.h
+include/dovecot/auth-request-handler-private.h
 include/dovecot/auth-request-handler.h
 include/dovecot/auth-request-stats.h
 include/dovecot/auth-request-var-expand.h
@@ -403,6 +404,7 @@ include/dovecot/mdbox-settings.h
 include/dovecot/mdbox-storage-rebuild.h
 include/dovecot/mdbox-storage.h
 include/dovecot/mdbox-sync.h
+include/dovecot/mech-digest-md5-private.h
 include/dovecot/mech-otp-skey-common.h
 include/dovecot/mech-plain-common.h
 include/dovecot/mech-scram.h
@@ -449,6 +451,7 @@ include/dovecot/ostream-null.h
 include/dovecot/ostream-private.h
 include/dovecot/ostream-rawlog.h
 include/dovecot/ostream-unix.h
+include/dovecot/ostream-wrapper.h
 include/dovecot/ostream-zlib.h
 include/dovecot/ostream.h
 include/dovecot/passdb-blocking.h
diff --git a/mail/dovecot2/buildlink3.mk b/mail/dovecot2/buildlink3.mk
index faffb1770f4..981e4df35d7 100644
--- a/mail/dovecot2/buildlink3.mk
+++ b/mail/dovecot2/buildlink3.mk
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.33 2020/01/18 21:48:14 jperkin Exp $
+# $NetBSD: buildlink3.mk,v 1.33.4.1 2020/08/24 19:03:13 bsiegert Exp $
 
 BUILDLINK_TREE+=	dovecot
 
@@ -7,7 +7,7 @@ DOVECOT_BUILDLINK3_MK:=
 
 BUILDLINK_API_DEPENDS.dovecot+=		dovecot>=2.2.0
 # must match current package version for plugins to load
-BUILDLINK_ABI_DEPENDS.dovecot+=		dovecot>=2.3.9.2nb1
+BUILDLINK_ABI_DEPENDS.dovecot+=		dovecot>=2.3.11.3
 BUILDLINK_PKGSRCDIR.dovecot?=		../../mail/dovecot2
 
 pkgbase:=	dovecot
diff --git a/mail/dovecot2/distinfo b/mail/dovecot2/distinfo
index 84cb68cb534..bae8d9c2729 100644
--- a/mail/dovecot2/distinfo
+++ b/mail/dovecot2/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.104 2020/05/18 14:20:46 taca Exp $
+$NetBSD: distinfo,v 1.104.2.1 2020/08/24 19:03:13 bsiegert Exp $
 
-SHA1 (dovecot-2.3.10.1.tar.gz) = d8afa71f3a7a2c2e406745ff43057ae94ed23871
-RMD160 (dovecot-2.3.10.1.tar.gz) = f68993644d14c4bae321e2525fb6c885724d8ebd
-SHA512 (dovecot-2.3.10.1.tar.gz) = 5c07436a3e861993f241caa2c60f035c533c5fceb5c8540c1717d31bedd54b82299f7ea11bfee12c72d4d33985d93a7130c4f56877864a7ad21cf7373a29cc06
-Size (dovecot-2.3.10.1.tar.gz) = 7226958 bytes
+SHA1 (dovecot-2.3.11.3.tar.gz) = 4a094ae503ded8ccea97cc06680fbb2e0f9c3171
+RMD160 (dovecot-2.3.11.3.tar.gz) = c44a9686a24127c95bd7c439e0548bd66481ab4e
+SHA512 (dovecot-2.3.11.3.tar.gz) = d83e52a7faab918a8e6f6257acc5936b81733c10489affd042c3a043cb842db060286cba9978be378e4958e9ac2e60b55ce289d7f3a88df08e7637e4785e23bb
+Size (dovecot-2.3.11.3.tar.gz) = 7353412 bytes
 SHA1 (patch-aa) = 3af01aa4a8cea1a3fb840b6243a744de77069611
 SHA1 (patch-ab) = 9db15fd853ba47ef4bf04f2adc9ab24f71ee4d1e
 SHA1 (patch-ae) = c795585df9f415ceabb28eec1ff691ee26168d3b