of gettext m4 files with newer ones from the gettext-tools package, the
latter fixing things so that it links to shared rather than static
libraries for the database dependencies.
found after investigating an issue reported by Martin Ziemer, ok espie@
check for this pulls in cmake modules which check for LLVM toolchain
components (llvm-ar/llvm-ranlib) which are only present in the version
of LLVM in ports not the version in base; it then tries to use them in
the build, e.g. llvm-ar instead of ar when archiving libraries.
There is a cmake variable _CMAKE_TOOLCHAIN_LOCATION which looks like
it should force only checking in a certain path, but it doesn't seem
to work.
Build problem reported by tb@
This is a maintenance & security release.
- fixed CVE-2021-3578: possible remote code execution
- fixed crash on invalid CAPABILITY response code
- tolerate INBOX mis-casing in Path setting
OK msg
CVE-2020-28200: Sieve interpreter is not protected against abusive
scripts that claim excessive resource usage. Fixed by limiting the
user CPU time per single script execution and cumulatively over
several script runs within a configurable timeout period. Sufficiently
large CPU time usage is summed in the Sieve script binary and execution
is blocked when the sum exceeds the limit within that time. The block
is lifted when the script is updated after the resource usage times out.
CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
JWT tokens. This may be used to supply attacker controlled keys to
validate tokens, if attacker has local access.
CVE-2021-33515: On-path attacker could have injected plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client.
Changelist:
- Add support for ed25519. This currently requires openssl1.1 libcrypto and
is thus only enabled in an ed25519 flavor of the package.
Lots of help from tb@ and sthen@
- Fix error handling in a couple of places
- Fix an initialization issue
Spotted by Maarten de Vries <maarten <at> de-vri <dot> es>
- Fix a couple of signedness warnings
- Allow filter-dkimsign to be build on Debian (not relevant for OpenBSD)
With Ryan Kavanagh <rak <at> debian <dot> org>
Looks OK to jasper@ sthen@
Fixes:
- Registering OSMTPD_PHASE_LINK_CONNECT should be OSMTPD_TYPE_REPORT
- Fix manpage: 0 is for outgoing connections, not 2.
From Edgar Pettijohn <edgar <at> pettijohn-web <dot> com>
- Fix a spelling mistake.
From Ryan Kavanagh <rak <at> debian <dot> org>
- Major overhaul of the Makefile.gnu so that things properly build on
Debian (not relevant for OpenBSD)
With Ryan Kavanagh <rak <at> debian <dot> org>
Looks OK to jasper@ sthen@
exim uses its own SSL_CIPHER_get_id() which replaces libssl's version
with one that will break once we make SSL_CIPHER opaque.
seems fine to Renaud Allard (maintainer)
