* [Buildroot] [PATCH] package/dovecot: security bump to version 2.3.5.1
@ 2019-03-30 19:53 Peter Korsgaard
2019-03-31 10:08 ` Thomas Petazzoni
2019-04-05 15:29 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-03-30 19:53 UTC
To: buildroot
Fixes the following security issue:
* CVE-2019-7524: Missing input buffer size validation leads into
arbitrary buffer overflow when reading fts or pop3 uidl header
from Dovecot index. Exploiting this requires direct write access to
the index files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/dovecot/dovecot.hash | 2 +-
package/dovecot/dovecot.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/dovecot/dovecot.hash b/package/dovecot/dovecot.hash
index a37cc68cf6..a1c2c8ff84 100644
--- a/package/dovecot/dovecot.hash
+++ b/package/dovecot/dovecot.hash
@@ -1,5 +1,5 @@
# Locally computed after checking signature
-sha256 bfe112ec6d11f7d6c6f7f0440e3b6e2c840c15cec1e99466b5495765d54aaaff dovecot-2.3.5.tar.gz
+sha256 d78f9d479e3b2caa808160f86bfec1c9c7b46344d8b14b88f5fa9bbbf8c7c33f dovecot-2.3.5.1.tar.gz
sha256 a363b132e494f662d98c820d1481297e6ae72f194c2c91b6c39e1518b86240a8 COPYING
sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LGPL
sha256 52b8c95fabb19575281874b661ef7968ea47e8f5d74ba0dd40ce512e52b3fc97 COPYING.MIT
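Review bot: the comment at the top of dovecot.hash ("Locally computed after checking signature") does not say which signature file or signing key was checked for dovecot-2.3.5.1.tar.gz. Naming the signature URL and the key fingerprint in that comment would let the next person who bumps the package repeat the same verification instead of relying on the sha256 line alone.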
diff --git a/package/dovecot/dovecot.mk b/package/dovecot/dovecot.mk
index 0960d20da7..e56517b0a2 100644
--- a/package/dovecot/dovecot.mk
+++ b/package/dovecot/dovecot.mk
@@ -5,7 +5,7 @@
################################################################################
DOVECOT_VERSION_MAJOR = 2.3
-DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).5
+DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).5.1
DOVECOT_SITE = https://www.dovecot.org/releases/$(DOVECOT_VERSION_MAJOR)
DOVECOT_INSTALL_STAGING = YES
DOVECOT_LICENSE = LGPL-2.1, MIT, Public Domain, BSD-3-Clause, Unicode-DFS-2015
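Review bot: DOVECOT_VERSION gains a fourth component (.5.1) while DOVECOT_SITE is still derived from DOVECOT_VERSION_MAJOR only, so please confirm that dovecot-2.3.5.1.tar.gz downloads cleanly from the releases/2.3 directory and matches the new hash before this is merged. The patch also touches only dovecot.hash and dovecot.mk; if any other package in the tree has to track the dovecot release it builds against, the commit message should say whether a matching bump is needed or is being sent separately.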
--
2.11.0
* [Buildroot] [PATCH] package/dovecot: security bump to version 2.3.5.1
From: Thomas Petazzoni @ 2019-03-31 10:08 UTC
To: buildroot
On Sat, 30 Mar 2019 20:53:52 +0100
Peter Korsgaard <peter@korsgaard.com> wrote:
> Fixes the following security issue:
>
> * CVE-2019-7524: Missing input buffer size validation leads into
> arbitrary buffer overflow when reading fts or pop3 uidl header
> from Dovecot index. Exploiting this requires direct write access to
> the index files.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> package/dovecot/dovecot.hash | 2 +-
> package/dovecot/dovecot.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH] package/dovecot: security bump to version 2.3.5.1
From: Peter Korsgaard @ 2019-04-05 15:29 UTC
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issue:
> * CVE-2019-7524: Missing input buffer size validation leads into
> arbitrary buffer overflow when reading fts or pop3 uidl header
> from Dovecot index. Exploiting this requires direct write access to
> the index files.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2019.02.x (and the corresponding dovecot-pigeonhole bump), thanks.
--
Bye, Peter Korsgaard