* [Buildroot] [PATCH] package/dovecot: security bump to version 2.3.5.1
@ 2019-03-30 19:53 Peter Korsgaard
  2019-03-31 10:08 ` Thomas Petazzoni
  2019-04-05 15:29 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-03-30 19:53 UTC (permalink / raw)
  To: buildroot

Fixes the following security issue:

 * CVE-2019-7524: Missing input buffer size validation leads into
   arbitrary buffer overflow when reading fts or pop3 uidl header
   from Dovecot index. Exploiting this requires direct write access to
   the index files.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/dovecot/dovecot.hash | 2 +-
 package/dovecot/dovecot.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/dovecot/dovecot.hash b/package/dovecot/dovecot.hash
index a37cc68cf6..a1c2c8ff84 100644
--- a/package/dovecot/dovecot.hash
+++ b/package/dovecot/dovecot.hash
@@ -1,5 +1,5 @@
 # Locally computed after checking signature
-sha256 bfe112ec6d11f7d6c6f7f0440e3b6e2c840c15cec1e99466b5495765d54aaaff  dovecot-2.3.5.tar.gz
+sha256 d78f9d479e3b2caa808160f86bfec1c9c7b46344d8b14b88f5fa9bbbf8c7c33f  dovecot-2.3.5.1.tar.gz
 sha256 a363b132e494f662d98c820d1481297e6ae72f194c2c91b6c39e1518b86240a8  COPYING
 sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LGPL
 sha256 52b8c95fabb19575281874b661ef7968ea47e8f5d74ba0dd40ce512e52b3fc97  COPYING.MIT
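
Review bot: The comment above the new dovecot-2.3.5.1.tar.gz hash still reads only "Locally computed after checking signature", which does not say which signature file or which signing key was checked. Naming the upstream signature file and the key fingerprint in that comment would let a reviewer repeat the verification instead of taking the sha256 on trust, which matters most on a security bump.
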
diff --git a/package/dovecot/dovecot.mk b/package/dovecot/dovecot.mk
index 0960d20da7..e56517b0a2 100644
--- a/package/dovecot/dovecot.mk
+++ b/package/dovecot/dovecot.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 DOVECOT_VERSION_MAJOR = 2.3
-DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).5
+DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).5.1
 DOVECOT_SITE = https://www.dovecot.org/releases/$(DOVECOT_VERSION_MAJOR)
 DOVECOT_INSTALL_STAGING = YES
 DOVECOT_LICENSE = LGPL-2.1, MIT, Public Domain, BSD-3-Clause, Unicode-DFS-2015
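
Review bot: The DOVECOT_VERSION change to $(DOVECOT_VERSION_MAJOR).5.1 touches only package/dovecot, while the later reply in this thread says the 2019.02.x commit went in together with a corresponding dovecot-pigeonhole bump. If pigeonhole has to track this dovecot release, say so in the commit message or send the two bumps as one series, so that master does not carry a mismatched pair.
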
-- 
2.11.0


* [Buildroot] [PATCH] package/dovecot: security bump to version 2.3.5.1
  2019-03-30 19:53 [Buildroot] [PATCH] package/dovecot: security bump to version 2.3.5.1 Peter Korsgaard
@ 2019-03-31 10:08 ` Thomas Petazzoni
  2019-04-05 15:29 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2019-03-31 10:08 UTC (permalink / raw)
  To: buildroot

On Sat, 30 Mar 2019 20:53:52 +0100
Peter Korsgaard <peter@korsgaard.com> wrote:

> Fixes the following security issue:
> 
>  * CVE-2019-7524: Missing input buffer size validation leads into
>    arbitrary buffer overflow when reading fts or pop3 uidl header
>    from Dovecot index. Exploiting this requires direct write access to
>    the index files.
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  package/dovecot/dovecot.hash | 2 +-
>  package/dovecot/dovecot.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH] package/dovecot: security bump to version 2.3.5.1
  2019-03-30 19:53 [Buildroot] [PATCH] package/dovecot: security bump to version 2.3.5.1 Peter Korsgaard
  2019-03-31 10:08 ` Thomas Petazzoni
@ 2019-04-05 15:29 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-04-05 15:29 UTC (permalink / raw)
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issue:
 >  * CVE-2019-7524: Missing input buffer size validation leads into
 >    arbitrary buffer overflow when reading fts or pop3 uidl header
 >    from Dovecot index. Exploiting this requires direct write access to
 >    the index files.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2019.02.x (and the corresponding dovecot-pigeonhole bump), thanks.

-- 
Bye, Peter Korsgaard
