From ${URL} :

Important vulnerability in Dovecot (CVE-2016-8652)
CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
Affected version(s): 2.2.25.1 up to 2.2.26.1
Fixed in: 2.2.27.1rc1
Short summary: Dovecot auth component can be crashed by remote user when auth-policy component is activated.

If auth-policy component has been activated in Dovecot, then remote user can use SASL authentication to crash auth component. Workaround is to disable auth-policy component until fix is in place. This can be done by commenting out all auth_policy_* settings.

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
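The advisory's workaround is to comment out every auth_policy_* setting until a fixed version is installed. The script below is an added example (not from the bug thread, the advisory or Dovecot itself) that finds the auth_policy_* settings still active in a config file and comments them out in place, keeping a backup. The config file it writes is constructed for the demonstration; the setting names mirror Dovecot's auth_policy_* options, but the values and the policy server URL are invented.

```shell
#!/bin/sh
# Added example (not from the bug thread or Dovecot): find active
# auth_policy_* settings in a Dovecot config and apply the advisory's
# workaround of commenting them out. Sample config is constructed below.
set -eu

# Print the auth_policy_* lines that are still active (not commented out).
# Matches lines whose first non-blank token is an auth_policy_* key.
# Exit status 0 when at least one is active, 1 otherwise (grep semantics).
active_auth_policy_settings() {
    grep -E '^[[:space:]]*auth_policy_[A-Za-z0-9_]*[[:space:]]*=' "$1"
}

# Number of active auth_policy_* settings in a file (prints 0 when none).
count_active_auth_policy() {
    active_auth_policy_settings "$1" | wc -l | tr -d ' '
}

# Comment out every active auth_policy_* line, keeping "<file>.bak".
# Leading indentation is preserved; already-commented lines are untouched.
disable_auth_policy() {
    cp "$1" "$1.bak"
    sed -E 's/^([[:space:]]*)(auth_policy_[A-Za-z0-9_]*[[:space:]]*=)/\1#\2/' \
        "$1.bak" > "$1"
}

# Constructed sample config: three active auth_policy_* settings, one
# already commented out, plus an unrelated setting that must survive.
make_sample_config() {
    cat > "$1" <<'EOF'
# Sample Dovecot config (constructed for this example)
auth_mechanisms = plain login
auth_policy_server_url = http://policy.example.invalid:4001/
auth_policy_hash_nonce = constructed_nonce_value
  auth_policy_server_timeout_msecs = 2000
#auth_policy_reject_on_fail = yes
EOF
}

# Stand-alone run: report, disable, and report again on a temp file.
if [ "${1:-}" = "--demo" ]; then
    cfg=$(mktemp)
    make_sample_config "$cfg"
    echo "active before: $(count_active_auth_policy "$cfg")"
    disable_auth_policy "$cfg"
    echo "active after:  $(count_active_auth_policy "$cfg")"
    rm -f "$cfg" "$cfg.bak"
fi
```

Run with `--demo` to see the counts go from 3 to 0. On a real system, `doveconf -n | grep auth_policy` shows the effective values after all includes, which is the check to repeat after editing, since a setting re-enabled by a later `!include` would not be caught by scanning one file.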
@ Maintainer(s): Dovecot v2.2.27 is now released, see http://dovecot.org/list/dovecot-news/2016-December/000333.html

From announcement:

> Note that the download URLs are now https with a certificate from Let's Encrypt.

So you can also adjust SRC_URI to use HTTPS.

And I am not convinced that we aren't affected. According to the advisory,

> Affected version(s): 2.2.25.1 up to 2.2.26.1

We have v2.2.25. But if you see the fixes,

https://github.com/dovecot/core/commit/1f2c35da2b96905bec6e45f88af0f33ee63789e6
https://github.com/dovecot/core/commit/2c3f37672277b1f73f84722802aaa0ab1ab3e413

then you don't see one of these files touched between v2.2.25 and v2.2.25.1, see https://github.com/dovecot/core/compare/2.2.25...2.2.25.1

So if v2.2.25.1 is vulnerable, I would expect that our v2.2.25 is affected as well. I'll ping upstream to ask for clarification.
Upstream replied: Their advisory is wrong and previous versions (including our v2.2.25) are affected! @ Maintainer(s): Please bump to >=net-mail/dovecot-2.2.27
Arches, please test and mark stable =net-mail/dovecot-2.2.27 Target Keywords = alpha amd64 arm hppa ppc ppc64 ~s390 x86 Alpha, arm, hppa, ppc and ppc64 will need to stabilize =app-text/libexttextcat-3.4.4 as well. It is an optional dependency via the textcat USE flag.
Stable on alpha.
amd64 stable
x86 stable
arm stable
Shouldn't #601880 block stabilization?
(In reply to Nick Wallingford from comment #8) > Shouldn't #601880 block stabilization? No, this is a libressl problem and libressl has no security coverage in Gentoo at the moment (i.e. no stable ebuild) so we don't care. Also, maintainer(s) can always add a patch which fixes a compilation problem without losing stable keywords. So no need to block stabilization.
Stable for HPPA.
ppc stable
ppc64 stable. Maintainer(s), please cleanup. Security, please vote.
Can't remove =net-mail/dovecot-2.2.19 without breaking the tree for ia64, mips, sh and sparc (see bug #564484). Rest punted from the tree.
(In reply to Eray Aslan from comment #13) > Can't remove =net-mail/dovecot-2.2.19 without breaking the tree for ia64 > mips sh and sparc (see bug #564484) > > Rest punted from the tree. Thanks for the info. Once it is able to be security masked or cleaned, just let us know.
GLSA Vote: No
Why were ia64/sparc not CC'ed for stable here? I missed that as well, but I'm unsure of the reasoning.
(In reply to Aaron Bauman from comment #16) > Why was ia64/sparc not CC'ed for stable here? I missed that as well, but > unsure of the reasoning. dovecot dropped keywords on ia64 and sparc in the past and is awaiting re-keywording, see the depending bug 564484.
@maintainer(s), please consider dropping keywords or masking the old version. Thanks.
=net-mail/dovecot-2.2.19 is only for ia64/sparc which are not security supported. No other arches will be impacted with the ebuild being in place.