There are two CVEs, one of which can result in leaking of other users' mails (not in the standard configuration though):
https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html
An ebuild for v2.3.13 would be great.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ddd164e2402c15e598eb8ae615dfaa7a52b08a9
commit 1ddd164e2402c15e598eb8ae615dfaa7a52b08a9
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-01-05 09:35:39 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2021-01-05 09:35:39 +0000
    net-mail/dovecot: security bump to 2.3.13
    Bug: https://bugs.gentoo.org/763525
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Eray Aslan <eras@gentoo.org>
 net-mail/dovecot/Manifest | 2 +
 net-mail/dovecot/dovecot-2.3.13.ebuild | 293 +++++++++++++++++++++
 .../files/dovecot-autoconf-lua-version.patch | 17 ++
 .../files/dovecot-socket-name-too-long.patch | 11 +
 4 files changed, 323 insertions(+)
arches, please test and mark stable =net-mail/dovecot-2.3.13 thank you
Sanity check failed:
> net-mail/dovecot-2.3.13
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (36 total)
>     dev-lang/lua:5.1
>     dev-lang/lua:5.2
>     dev-lang/lua:5.3
>   depend amd64 stable profile default/linux/amd64/17.1 (45 total)
>     dev-lang/lua:5.1
>     dev-lang/lua:5.2
>     dev-lang/lua:5.3
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (36 total)
>     dev-lang/lua:5.1
>     dev-lang/lua:5.2
>     dev-lang/lua:5.3
>   rdepend amd64 stable profile default/linux/amd64/17.1 (45 total)
>     dev-lang/lua:5.1
>     dev-lang/lua:5.2
>     dev-lang/lua:5.3
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a92f4e5c02b03f9b7bacc1c5ba200b5a8f60597a
commit a92f4e5c02b03f9b7bacc1c5ba200b5a8f60597a
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-01-05 11:41:43 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2021-01-05 11:41:43 +0000
    net-mail/dovecot: slotted lua is not stable yet
    Bug: https://bugs.gentoo.org/763525
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Eray Aslan <eras@gentoo.org>
 net-mail/dovecot/dovecot-2.3.13-r1.ebuild | 287 ++++++++++++++++++++++++++++++
 1 file changed, 287 insertions(+)
arches, let's go with =net-mail/dovecot-2.3.13-r1 as slotted lua is not stable yet. sorry for the email spam
All sanity-check issues have been resolved
amd64 done
New GLSA request filed.
ppc64 done
arm done
This issue was resolved and addressed in GLSA 202101-01 at https://security.gentoo.org/glsa/202101-01 by GLSA coordinator Sam James (sam_c).
Full cleanup is blocked on bug 756217. @eras, could you update the mask/cleanup where possible for now?
Reopening for remaining arches (not cleanup, oops!)
x86 done
*** Bug 768870 has been marked as a duplicate of this bug. ***
ppc done
s390 done
all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=416a8ad88987bf8480d2c5afc9db8af864b21e98
commit 416a8ad88987bf8480d2c5afc9db8af864b21e98
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-02-10 15:42:40 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2021-02-10 15:42:40 +0000
    net-mail/dovecot: cleanup
    Bug: https://bugs.gentoo.org/763525
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Eray Aslan <eras@gentoo.org>
 net-mail/dovecot/Manifest | 2 -
 net-mail/dovecot/dovecot-2.3.11.3-r1.ebuild | 296 --------------------
 net-mail/dovecot/dovecot-2.3.11.3-r2.ebuild | 297 ---------------------
 net-mail/dovecot/dovecot-2.3.11.3.ebuild | 290 --------------------
 net-mail/dovecot/dovecot-2.3.13.ebuild | 293 --------------------
 .../dovecot/files/dovecot-2.3.11.3-apop-fix.patch | 60 -----
 .../dovecot/files/dovecot-fix-search-crash.patch | 91 ------
 net-mail/dovecot/metadata.xml | 1 -
 8 files changed, 1330 deletions(-)
Thanks a bunch Eras. All done!