update to Dovecot 2.3.6, from Brad:

- CVE-2019-11494: Submission-login crashed with signal 11 due to null pointer access when authentication was aborted by disconnecting. - CVE-2019-11499: Submission-login crashed when authentication was started over TLS secured channel and invalid authentication message was sent.
2019-05-02 22:06:13 +00:00 · 2019-05-02 22:06:13 +00:00 · 32ce2c0794
commit 32ce2c0794
parent 0614f53c3b
12 changed files with 42 additions and 27 deletions
--- a/mail/dovecot/Makefile
+++ b/mail/dovecot/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.276 2019/05/01 13:41:20 danj Exp $
+# $OpenBSD: Makefile,v 1.277 2019/05/02 22:06:13 sthen Exp $

 COMMENT-server=	compact IMAP/POP3 server
 COMMENT-ldap=	LDAP authentication / dictionary support for Dovecot
@ -6,8 +6,7 @@ COMMENT-mysql=	MySQL authentication / dictionary support for Dovecot
 COMMENT-postgresql= PostgreSQL authentication / dictionary support for Dovecot

 V_MAJOR=	2.3
-V_DOVECOT=	2.3.5.2
-REVISION-server=	0
+V_DOVECOT=	2.3.6

 DISTNAME=	dovecot-${V_DOVECOT}
 PKGNAME=	dovecot-${V_DOVECOT}
--- a/mail/dovecot/distinfo
+++ b/mail/dovecot/distinfo
@ -1,2 +1,2 @@
-SHA256 (dovecot-2.3.5.2.tar.gz) = uhTkGu/YGoaKNbg7y1QZQRYQZCTTdpBRm1Dqg8DzG/I=
-SIZE (dovecot-2.3.5.2.tar.gz) = 6953228
+SHA256 (dovecot-2.3.6.tar.gz) = 7R2Nwb7q6cbHPerHOmLvGf6SYvv/2GYEo/aQRS9VNsc=
+SIZE (dovecot-2.3.6.tar.gz) = 6980135
--- a/mail/dovecot/patches/patch-doc_example-config_Makefile_in
+++ b/mail/dovecot/patches/patch-doc_example-config_Makefile_in
@ -1,4 +1,5 @@
-$OpenBSD: patch-doc_example-config_Makefile_in,v 1.19 2019/03/06 21:53:07 sthen Exp $
+$OpenBSD: patch-doc_example-config_Makefile_in,v 1.20 2019/05/02 22:06:13 sthen Exp $
+
 Index: doc/example-config/Makefile.in
 --- doc/example-config/Makefile.in.orig
 +++ doc/example-config/Makefile.in
--- a/mail/dovecot/patches/patch-doc_example-config_conf_d_10-mail_conf
+++ b/mail/dovecot/patches/patch-doc_example-config_conf_d_10-mail_conf
@ -1,4 +1,5 @@
-$OpenBSD: patch-doc_example-config_conf_d_10-mail_conf,v 1.9 2018/10/24 19:42:36 sthen Exp $
+$OpenBSD: patch-doc_example-config_conf_d_10-mail_conf,v 1.10 2019/05/02 22:06:13 sthen Exp $
+
 Index: doc/example-config/conf.d/10-mail.conf
 --- doc/example-config/conf.d/10-mail.conf.orig	Mon Jun 18 14:15:32 2018
 +++ doc/example-config/conf.d/10-mail.conf	Sun Oct 21 15:56:45 2018
--- a/mail/dovecot/patches/patch-doc_example-config_conf_d_10-master_conf
+++ b/mail/dovecot/patches/patch-doc_example-config_conf_d_10-master_conf
@ -1,6 +1,8 @@
-$OpenBSD: patch-doc_example-config_conf_d_10-master_conf,v 1.2 2012/01/07 12:14:21 sthen Exp $
--- doc/example-config/conf.d/10-master.conf.orig	Thu Dec 30 10:42:54 2010
-+++ doc/example-config/conf.d/10-master.conf	Tue Mar 22 15:23:22 2011
+$OpenBSD: patch-doc_example-config_conf_d_10-master_conf,v 1.3 2019/05/02 22:06:13 sthen Exp $
+
+Index: doc/example-config/conf.d/10-master.conf
+--- doc/example-config/conf.d/10-master.conf.orig
+++ doc/example-config/conf.d/10-master.conf
@@ -8,11 +8,11 @@
 
 # Login user is internally used by login processes. This is the most untrusted
--- a/mail/dovecot/patches/patch-doc_example-config_conf_d_10-ssl_conf
+++ b/mail/dovecot/patches/patch-doc_example-config_conf_d_10-ssl_conf
@ -1,6 +1,8 @@
-$OpenBSD: patch-doc_example-config_conf_d_10-ssl_conf,v 1.1 2011/05/23 22:54:38 sthen Exp $
--- doc/example-config/conf.d/10-ssl.conf.orig	Thu Mar 10 14:39:31 2011
-+++ doc/example-config/conf.d/10-ssl.conf	Thu Mar 10 14:40:01 2011
+$OpenBSD: patch-doc_example-config_conf_d_10-ssl_conf,v 1.2 2019/05/02 22:06:13 sthen Exp $
+
+Index: doc/example-config/conf.d/10-ssl.conf
+--- doc/example-config/conf.d/10-ssl.conf.orig
+++ doc/example-config/conf.d/10-ssl.conf
@@ -9,7 +9,7 @@
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
--- a/mail/dovecot/patches/patch-doc_example-config_conf_d_Makefile_in
+++ b/mail/dovecot/patches/patch-doc_example-config_conf_d_Makefile_in
@ -1,4 +1,5 @@
-$OpenBSD: patch-doc_example-config_conf_d_Makefile_in,v 1.19 2019/03/06 21:53:07 sthen Exp $
+$OpenBSD: patch-doc_example-config_conf_d_Makefile_in,v 1.20 2019/05/02 22:06:13 sthen Exp $
+
 Index: doc/example-config/conf.d/Makefile.in
 --- doc/example-config/conf.d/Makefile.in.orig
 +++ doc/example-config/conf.d/Makefile.in
--- a/mail/dovecot/patches/patch-doc_example-config_conf_d_auth-system_conf_ext
+++ b/mail/dovecot/patches/patch-doc_example-config_conf_d_auth-system_conf_ext
@ -1,6 +1,8 @@
-$OpenBSD: patch-doc_example-config_conf_d_auth-system_conf_ext,v 1.2 2018/10/24 19:42:36 sthen Exp $
--- doc/example-config/conf.d/auth-system.conf.ext.orig	Mon Jun 18 14:15:32 2018
-+++ doc/example-config/conf.d/auth-system.conf.ext	Sun Oct 21 15:56:45 2018
+$OpenBSD: patch-doc_example-config_conf_d_auth-system_conf_ext,v 1.3 2019/05/02 22:06:13 sthen Exp $
+
+Index: doc/example-config/conf.d/auth-system.conf.ext
+--- doc/example-config/conf.d/auth-system.conf.ext.orig
+++ doc/example-config/conf.d/auth-system.conf.ext
@@ -7,12 +7,12 @@
 # PAM is typically used with either userdb passwd or userdb static.
 # REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
--- a/mail/dovecot/patches/patch-doc_example-config_dovecot_conf
+++ b/mail/dovecot/patches/patch-doc_example-config_dovecot_conf
@ -1,6 +1,8 @@
-$OpenBSD: patch-doc_example-config_dovecot_conf,v 1.4 2013/08/13 00:29:58 brad Exp $
--- doc/example-config/dovecot.conf.orig	Mon Jan  7 02:50:26 2013
-+++ doc/example-config/dovecot.conf	Tue Apr 23 02:03:41 2013
+$OpenBSD: patch-doc_example-config_dovecot_conf,v 1.5 2019/05/02 22:06:13 sthen Exp $
+
+Index: doc/example-config/dovecot.conf
+--- doc/example-config/dovecot.conf.orig
+++ doc/example-config/dovecot.conf
@@ -30,7 +30,7 @@
 #listen = *, ::
 
--- a/mail/dovecot/patches/patch-doc_mkcert_sh
+++ b/mail/dovecot/patches/patch-doc_mkcert_sh
@ -1,6 +1,8 @@
-$OpenBSD: patch-doc_mkcert_sh,v 1.8 2016/12/04 21:36:02 sthen Exp $
--- doc/mkcert.sh.orig	Tue Nov 29 17:35:50 2016
-+++ doc/mkcert.sh	Tue Nov 29 20:53:21 2016
+$OpenBSD: patch-doc_mkcert_sh,v 1.9 2019/05/02 22:06:13 sthen Exp $
+
+Index: doc/mkcert.sh
+--- doc/mkcert.sh.orig
+++ doc/mkcert.sh
@@ -6,19 +6,13 @@
 umask 077
 OPENSSL=${OPENSSL-openssl}
--- a/mail/dovecot/patches/patch-src_auth_password-scheme-crypt_c
+++ b/mail/dovecot/patches/patch-src_auth_password-scheme-crypt_c
@ -1,4 +1,4 @@
-$OpenBSD: patch-src_auth_password-scheme-crypt_c,v 1.5 2018/10/24 19:42:36 sthen Exp $
+$OpenBSD: patch-src_auth_password-scheme-crypt_c,v 1.6 2019/05/02 22:06:13 sthen Exp $

 Dovecot supports various password schemes, e.g. {MD5}, {SHA1},
 {SSHA512}, {CRYPT}, etc.  This is used in two cases:
@ -29,8 +29,9 @@ This patch re-allows CRYPT as a supported scheme. On OpenBSD it will
 encrypt as blowfish, on other OS it will encrypt as DES. Verification
 will work with whichever password formats are supported by the OS.

--- src/auth/password-scheme-crypt.c.orig	Mon Jun 18 14:15:32 2018
-+++ src/auth/password-scheme-crypt.c	Mon Oct 22 08:36:56 2018
+Index: src/auth/password-scheme-crypt.c
+--- src/auth/password-scheme-crypt.c.orig
+++ src/auth/password-scheme-crypt.c
@@ -149,7 +149,12 @@ static const struct {
 	const char *salt;
 	const char *expected;
--- a/mail/dovecot/pkg/PLIST-server
+++ b/mail/dovecot/pkg/PLIST-server
@ -1,4 +1,4 @@
-@comment $OpenBSD: PLIST-server,v 1.70 2019/03/06 21:53:07 sthen Exp $
+@comment $OpenBSD: PLIST-server,v 1.71 2019/05/02 22:06:13 sthen Exp $
@conflict dovecot-sqlite-*
@pkgpath mail/dovecot
@pkgpath mail/dovecot,-server,bdb
@ -760,6 +760,8 @@ share/aclocal/dovecot.m4
 share/doc/dovecot/
 share/doc/dovecot/documentation.txt
 share/doc/dovecot/securecoding.txt
+share/doc/dovecot/solr-config-7.7.0.xml
+share/doc/dovecot/solr-schema-7.7.0.xml
 share/doc/dovecot/solr-schema.xml
 share/doc/dovecot/thread-refs.txt
 share/doc/dovecot/wiki/