* CVE-2021-29157

Description: "Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens, if attacker has local access."

* CVE-2021-33515

Description: "On-path attacker could have injected plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client."

----

Please bump to 2.3.14.1 and 2.3.15. Thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e240bf58ed54e64da0a1b7eae61a2b0d5ffd2c3c

commit e240bf58ed54e64da0a1b7eae61a2b0d5ffd2c3c
Author: Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-06-21 13:40:10 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2021-06-21 13:40:10 +0000

    net-mail/dovecot: security bump to 2.3.14.1

    Bug: https://bugs.gentoo.org/797349
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest | 1 +
 net-mail/dovecot/dovecot-2.3.14.1.ebuild | 293 +++++++++++++++++++++++++++++++
 2 files changed, 294 insertions(+)
Thanks eras!
x86 done
amd64 stable
ppc stable
ppc64 stable
Unable to check for sanity:

> no match for package: net-mail/dovecot-2.3.14.1

arm done

all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7831824c64115adf396d7383272a078d7273633

commit c7831824c64115adf396d7383272a078d7273633
Author: Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-07-17 13:00:54 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2021-07-17 13:00:54 +0000

    net-mail/dovecot: cleanup

    Bug: https://bugs.gentoo.org/797349
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest | 3 -
 net-mail/dovecot/dovecot-2.3.13-r101.ebuild | 295 ---------------------
 net-mail/dovecot/dovecot-2.3.14-r1.ebuild | 294 --------------------
 .../files/dovecot-2.3.13-32-bit-tests-1.patch | 52 ----
 .../files/dovecot-2.3.13-32-bit-tests-2.patch | 27 --
 .../dovecot/files/dovecot-unwind-generic.patch | 15 --
 6 files changed, 686 deletions(-)
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-41 at https://security.gentoo.org/glsa/202107-41 by GLSA coordinator John Helmert III (ajak).