* [Buildroot] [PATCH] package/dovecot: security bump to version 2.3.5.2
@ 2019-04-25 10:26 Peter Korsgaard
2019-04-26 7:14 ` Thomas Petazzoni
2019-04-26 13:06 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-04-25 10:26 UTC (permalink / raw)
To: buildroot
Fixes the following security issue:
* CVE-2019-10691: Trying to login with 8bit username containing
invalid UTF8 input causes auth process to crash if auth policy is
enabled. This could be used rather easily to cause a DoS. Similar
crash also happens during mail delivery when using invalid UTF8 in
From or Subject header when OX push notification driver is used.
https://dovecot.org/pipermail/dovecot-news/2019-April/000406.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/dovecot/dovecot.hash | 2 +-
package/dovecot/dovecot.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/dovecot/dovecot.hash b/package/dovecot/dovecot.hash
index a1c2c8ff84..2b8492a3c8 100644
--- a/package/dovecot/dovecot.hash
+++ b/package/dovecot/dovecot.hash
@@ -1,5 +1,5 @@
# Locally computed after checking signature
-sha256 d78f9d479e3b2caa808160f86bfec1c9c7b46344d8b14b88f5fa9bbbf8c7c33f dovecot-2.3.5.1.tar.gz
+sha256 ba14e41aefd81a868a35b83bcb54194116106424d37690519b50ea83c0f31bf2 dovecot-2.3.5.2.tar.gz
sha256 a363b132e494f662d98c820d1481297e6ae72f194c2c91b6c39e1518b86240a8 COPYING
sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LGPL
sha256 52b8c95fabb19575281874b661ef7968ea47e8f5d74ba0dd40ce512e52b3fc97 COPYING.MIT
diff --git a/package/dovecot/dovecot.mk b/package/dovecot/dovecot.mk
index e56517b0a2..d9b94eb83a 100644
--- a/package/dovecot/dovecot.mk
+++ b/package/dovecot/dovecot.mk
@@ -5,7 +5,7 @@
################################################################################
DOVECOT_VERSION_MAJOR = 2.3
-DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).5.1
+DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).5.2
DOVECOT_SITE = https://www.dovecot.org/releases/$(DOVECOT_VERSION_MAJOR)
DOVECOT_INSTALL_STAGING = YES
DOVECOT_LICENSE = LGPL-2.1, MIT, Public Domain, BSD-3-Clause, Unicode-DFS-2015
--
2.11.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/dovecot: security bump to version 2.3.5.2
2019-04-25 10:26 [Buildroot] [PATCH] package/dovecot: security bump to version 2.3.5.2 Peter Korsgaard
@ 2019-04-26 7:14 ` Thomas Petazzoni
2019-04-26 13:06 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2019-04-26 7:14 UTC (permalink / raw)
To: buildroot
On Thu, 25 Apr 2019 12:26:18 +0200
Peter Korsgaard <peter@korsgaard.com> wrote:
> Fixes the following security issue:
>
> * CVE-2019-10691: Trying to login with 8bit username containing
> invalid UTF8 input causes auth process to crash if auth policy is
> enabled. This could be used rather easily to cause a DoS. Similar
> crash also happens during mail delivery when using invalid UTF8 in
> From or Subject header when OX push notification driver is used.
>
> https://dovecot.org/pipermail/dovecot-news/2019-April/000406.html
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> package/dovecot/dovecot.hash | 2 +-
> package/dovecot/dovecot.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/dovecot: security bump to version 2.3.5.2
2019-04-25 10:26 [Buildroot] [PATCH] package/dovecot: security bump to version 2.3.5.2 Peter Korsgaard
2019-04-26 7:14 ` Thomas Petazzoni
@ 2019-04-26 13:06 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-04-26 13:06 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issue:
> * CVE-2019-10691: Trying to login with 8bit username containing
> invalid UTF8 input causes auth process to crash if auth policy is
> enabled. This could be used rather easily to cause a DoS. Similar
> crash also happens during mail delivery when using invalid UTF8 in
> From or Subject header when OX push notification driver is used.
> https://dovecot.org/pipermail/dovecot-news/2019-April/000406.html
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2019.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-04-26 13:06 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-25 10:26 [Buildroot] [PATCH] package/dovecot: security bump to version 2.3.5.2 Peter Korsgaard
2019-04-26 7:14 ` Thomas Petazzoni
2019-04-26 13:06 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.