head 1.8; access; symbols pkgsrc-2026Q1:1.8.0.14 pkgsrc-2026Q1-base:1.8 pkgsrc-2025Q4:1.8.0.12 pkgsrc-2025Q4-base:1.8 pkgsrc-2025Q3:1.8.0.10 pkgsrc-2025Q3-base:1.8 pkgsrc-2025Q2:1.8.0.8 pkgsrc-2025Q2-base:1.8 pkgsrc-2025Q1:1.8.0.6 pkgsrc-2025Q1-base:1.8 pkgsrc-2024Q4:1.8.0.4 pkgsrc-2024Q4-base:1.8 pkgsrc-2024Q3:1.8.0.2 pkgsrc-2024Q3-base:1.8 pkgsrc-2024Q2:1.7.0.6 pkgsrc-2024Q2-base:1.7 pkgsrc-2024Q1:1.7.0.4 pkgsrc-2024Q1-base:1.7 pkgsrc-2023Q4:1.7.0.2 pkgsrc-2023Q4-base:1.7 pkgsrc-2023Q3:1.6.0.30 pkgsrc-2023Q3-base:1.6 pkgsrc-2023Q2:1.6.0.28 pkgsrc-2023Q2-base:1.6 pkgsrc-2023Q1:1.6.0.26 pkgsrc-2023Q1-base:1.6 pkgsrc-2022Q4:1.6.0.24 pkgsrc-2022Q4-base:1.6 pkgsrc-2022Q3:1.6.0.22 pkgsrc-2022Q3-base:1.6 pkgsrc-2022Q2:1.6.0.20 pkgsrc-2022Q2-base:1.6 pkgsrc-2022Q1:1.6.0.18 pkgsrc-2022Q1-base:1.6 pkgsrc-2021Q4:1.6.0.16 pkgsrc-2021Q4-base:1.6 pkgsrc-2021Q3:1.6.0.14 pkgsrc-2021Q3-base:1.6 pkgsrc-2021Q2:1.6.0.12 pkgsrc-2021Q2-base:1.6 pkgsrc-2021Q1:1.6.0.10 pkgsrc-2021Q1-base:1.6 pkgsrc-2020Q4:1.6.0.8 pkgsrc-2020Q4-base:1.6 pkgsrc-2020Q3:1.6.0.6 pkgsrc-2020Q3-base:1.6 pkgsrc-2020Q2:1.6.0.4 pkgsrc-2020Q2-base:1.6 pkgsrc-2020Q1:1.6.0.2 pkgsrc-2020Q1-base:1.6 pkgsrc-2019Q4:1.4.0.12 pkgsrc-2019Q4-base:1.4 pkgsrc-2019Q3:1.4.0.8 pkgsrc-2019Q3-base:1.4 pkgsrc-2019Q2:1.4.0.6 pkgsrc-2019Q2-base:1.4 pkgsrc-2019Q1:1.4.0.4 pkgsrc-2019Q1-base:1.4 pkgsrc-2018Q4:1.4.0.2 pkgsrc-2018Q4-base:1.4 pkgsrc-2018Q3:1.2.0.6 pkgsrc-2018Q3-base:1.2 pkgsrc-2018Q2:1.2.0.4 pkgsrc-2018Q2-base:1.2 pkgsrc-2018Q1:1.2.0.2 pkgsrc-2018Q1-base:1.2 pkgsrc-2017Q4:1.1.0.14 pkgsrc-2017Q4-base:1.1 pkgsrc-2017Q3:1.1.0.12 pkgsrc-2017Q3-base:1.1 pkgsrc-2017Q2:1.1.0.8 pkgsrc-2017Q2-base:1.1 pkgsrc-2017Q1:1.1.0.6 pkgsrc-2017Q1-base:1.1 pkgsrc-2016Q4:1.1.0.4 pkgsrc-2016Q4-base:1.1 pkgsrc-2016Q3:1.1.0.2 pkgsrc-2016Q3-base:1.1; locks; strict; comment @# @; 1.8 date 2024.08.19.09.29.56; author adam; state Exp; branches; next 1.7; commitid RTdGdaTeT7D0LpmF; 1.7 date 2023.10.24.22.09.42; author wiz; state Exp; branches; next 1.6; commitid MTsrqKm6aGrQAVJE; 1.6 date 2020.02.12.14.01.59; author taca; state Exp; branches; next 1.5; commitid 2hZ1q8fmHoYyioWB; 1.5 date 2020.01.18.21.49.48; author jperkin; state Exp; branches; next 1.4; commitid JW4hJgY8ZdoTFdTB; 1.4 date 2018.11.30.18.43.09; author adam; state Exp; branches; next 1.3; commitid Ib7JVO2tsxfYXZ1B; 1.3 date 2018.10.23.16.29.18; author adam; state Exp; branches; next 1.2; commitid AnG1vjGSDJXMr6XA; 1.2 date 2018.01.02.15.52.44; author fhajny; state Exp; branches; next 1.1; commitid N220maW7p1LWGjlA; 1.1 date 2016.07.18.15.03.05; author fhajny; state Exp; branches 1.1.14.1; next ; commitid h4iyisaMOqtNxOez; 1.1.14.1 date 2018.03.02.21.24.18; author spz; state Exp; branches; next ; commitid myuwZw3LL6euDVsA; desc @@ 1.8 log @dovecot2: updated to 2.3.21.1 v2.3.21.1 - CVE-2024-23184: A large number of address headers in email resulted in excessive CPU usage. - CVE-2024-23185: Abnormally large email headers are now truncated or discarded, with a limit of 10MB on a single header and 50MB for all the headers of all the parts of an email. - oauth2: Dovecot would send client_id and client_secret as POST parameters to introspection server. These need to be optionally in Basic auth instead as required by OIDC specification. - oauth2: JWT key type check was too strict. - oauth2: JWT token audience was not validated against client_id as required by OIDC specification. - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out protocol specific error message on all errors. This broke OIDC discovery. - oauth2: JWT aud validation was not performed if aud was missing from token, but was configured on Dovecot. @ text @# $NetBSD: Makefile,v 1.7 2023/10/24 22:09:42 wiz Exp $ .include "../../mail/dovecot2/Makefile.common" PKGNAME= ${DISTNAME:S/dovecot/dovecot-ldap/} COMMENT+= (LDAP plugin) CONFIGURE_ARGS+= --with-ldap=plugin INSTALLATION_DIRS+= include/dovecot \ lib/dovecot/auth lib/dovecot/dict do-install: cd ${WRKSRC} && \ ${LIBTOOL} --mode=install ${INSTALL_LIB} \ src/auth/libauthdb_ldap.la \ ${DESTDIR}${PREFIX}/lib/dovecot/auth && \ ${LIBTOOL} --mode=install ${INSTALL_LIB} \ src/lib-ldap/libdovecot-ldap.la \ ${DESTDIR}${PREFIX}/lib/dovecot && \ ${LIBTOOL} --mode=install ${INSTALL_LIB} \ src/lib-dict-backend/libdict_ldap.la \ ${DESTDIR}${PREFIX}/lib/dovecot/dict ${INSTALL_DATA} ${WRKSRC}/src/lib-ldap/ldap-client.h \ ${DESTDIR}${PREFIX}/include/dovecot .include "../../databases/openldap-client/buildlink3.mk" .include "../../mk/bsd.pkg.mk" @ 1.7 log @*: bump for openssl 3 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.6 2020/02/12 14:01:59 taca Exp $ a2 1 PKGREVISION= 1 @ 1.6 log @mail/dovecot2: update to 2.3.9.3 Update dovecot2 to 2.3.9.3, security release. v2.3.9.3 2019-02-12 Aki Tuomi * CVE-2020-7046: Truncated UTF-8 can be used to DoS submission-login and lmtp processes. * CVE-2020-7957: Specially crafted mail can crash snippet generation. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.5 2020/01/18 21:49:48 jperkin Exp $ d3 1 @ 1.5 log @*: Recursive revision bump for openssl 1.1.1. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.4 2018/11/30 18:43:09 adam Exp $ a2 1 PKGREVISION= 1 @ 1.4 log @dovecot2: updated to 2.3.4 2.3.4: * The default postmaster_address is now "postmaster@@". If username contains the @@domain part, that's used. If not, then the server's hostname is used. * "doveadm stats dump" now returns two decimals for the "avg" field. + Added push notification driver that uses a Lua script + Added new SQL, DNS and connection events. See https://wiki2.dovecot.org/Events + Added "doveadm mailbox cache purge" command. + Added events API support for Lua scripts + doveadm force-resync -f parameter performs "index fsck" while opening the index. This may be useful to fix some types of broken index files. This may become the default behavior in a later version. - director: Kicking a user crashes if login process is very slow - pop3_no_flag_updates=no: Don't expunge DELEted and RETRed messages unless QUIT is sent. - auth: Fix crypt() segfault with glibc-2.28+ - imap: Running UID FILTER script with errors assert-crashes - dsync, pop3-migration: POP3 UIDLs weren't added to dovecot.index.cache while mails were saved. - dict clients may have been using 100% CPU while waiting for dict server to finish commands. - doveadm user: Fixed user listing via HTTP API - All levels of Cassandra log messages were logged as Dovecot errors. - http/smtp client may have crashed after SSL handshake - Lua auth converted strings that looked like numbers into numbers. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.3 2018/10/23 16:29:18 adam Exp $ d3 1 @ 1.3 log @dovecot2: updated to 2.3.3 2.3.3: * doveconf hides more secrets now in the default output. * ssl_dh setting is no longer enforced at startup. If it's not set and non-ECC DH key exchange happens, error is logged and client is disconnected. + Added log_debug= setting. + Added log_core_filter= setting. + quota-clone: Write to dict asynchronously + --enable-hardening attempts to use retpoline Spectre 2 mitigations + lmtp proxy: Support source_ip passdb extra field. + doveadm stats dump: Support more fields and output stddev by default. + push-notification: Add SSL support for OX backend. - NUL bytes in mail headers can cause truncated replies when fetched. - director: Conflicting host up/down state changes may in some rare situations ended up in a loop of two directors constantly overwriting each others' changes. - director: Fix hang/crash when multiple doveadm commands are being handled concurrently. - director: Fix assert-crash if doveadm disconnects too early - virtual plugin: Some searches used 100% CPU for many seconds - dsync assert-crashed with acl plugin in some situations. - mail_attachment_detection_options=add-flags-on-save assert-crashed with some specific Sieve scripts. - Mail snippet generation crashed with mails containing invalid Content-Type:multipart header. - Log prefix ordering was different for some log lines. - quota: With noenforcing option current quota usage wasn't updated. - auth: Kerberos authentication against Samba assert-crashed. - stats clients were unnecessarily chatty with the stats server. - imapc: Fixed various assert-crashes when reconnecting to server. - lmtp, submission: Fix potential crash if client disconnects while handling a command. - quota: Fixed compiling with glibc-2.26 / support libtirpc. - fts-solr: Empty search values resulted in 400 Bad Request errors - fts-solr: default_ns parameter couldn't be used - submission server crashed if relay server returned over 7 lines in a reply (e.g. to EHLO) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.2 2018/01/02 15:52:44 fhajny Exp $ d3 1 a3 1 .include "../../mail/dovecot2/Makefile.plugin" d5 2 a6 2 PKGNAME= ${DISTNAME:S/dovecot/dovecot-ldap/} COMMENT+= (LDAP plugin) d14 1 a14 1 cd ${WRKSRC} && (\ d17 1 a17 1 ${DESTDIR}${PREFIX}/lib/dovecot/auth; \ d20 1 a20 1 ${DESTDIR}${PREFIX}/lib/dovecot; \ d23 1 a23 2 ${DESTDIR}${PREFIX}/lib/dovecot/dict; \ ) @ 1.2 log @Update mail/dovecot2* to 2.3.0. Some of the larger changes: * Various setting changes, see https://wiki2.dovecot.org/Upgrading/2.3 * Logging rewrite started: Logging is now based on hierarchical events. This makes it possible to do various things, like: 1) giving consistent log prefixes, 2) enabling debug logging with finer granularity, 3) provide logs in more machine readable formats (e.g. json). Everything isn't finished yet, especially a lot of the old logging code still needs to be translated to the new way. * Statistics rewrite started: Stats are now based on (log) events. It's possible to gather statistics about any event that is logged. See http://wiki2.dovecot.org/Statistics for details * ssl_dh setting replaces the old generated ssl-parameters.dat * IMAP: When BINARY FETCH finds a broken mails, send [PARSE] error instead of [UNKNOWNCTE] * Linux: core dumping via PR_SET_DUMPABLE is no longer enabled by default due to potential security reasons (found by cPanel Security Team). + Added support for SMTP submission proxy server, which includes support for BURL and CHUNKING extension. + LMTP rewrite. Supports now CHUNKING extension and mixing of local/proxy recipients. + auth: Support libsodium to add support for ARGON2I and ARGON2ID password schemes. + auth: Support BLF-CRYPT password scheme in all platforms + auth: Added LUA scripting support for passdb/userdb. See https://wiki2.dovecot.org/AuthDatabase/Lua - Input streams are more reliable now when there are errors or when the maximum buffer size is reached. Previously in some situations this could have caused Dovecot to try to read already freed memory. - Output streams weren't previously handling failures when writing a trailer at the end of the stream. This mainly affected encrypt and zlib compress ostreams, which could have silently written truncated files if the last write happened to fail (which shouldn't normally have ever happened). - virtual plugin: Fixed panic when fetching mails from virtual mailboxes with IMAP BINARY extension. - doveadm-server: Fix potential hangs with SSL connections - doveadm proxy: Reading commands' output from v2.2.33+ servers could have caused the output to be corrupted or caused a crash. - Many other smaller fixes @ text @d1 1 a1 2 # $NetBSD: Makefile,v 1.1 2016/07/18 15:03:05 fhajny Exp $ # @ 1.1 log @Split off dovecot2-{gssapi,ldap,mysql,pgsql,sqlite} as separate packages, remove respective options.mk parts. @ text @d1 1 a1 1 # $NetBSD$ d23 1 a23 1 src/plugins/dict-ldap/libdict_ldap.la \ @ 1.1.14.1 log @Pullup ticket #5713 - requested by taca mail/dovecot2-ldap: security update mail/dovecot2-sqlite: security update mail/dovecot2: security update Revisions pulled up: - mail/dovecot2-ldap/Makefile 1.2 - mail/dovecot2-sqlite/Makefile 1.10 - mail/dovecot2/Makefile.common 1.16-1.18 - mail/dovecot2/PLIST 1.58-1.59 - mail/dovecot2/buildlink3.mk 1.26 - mail/dovecot2/distinfo 1.80-1.82 - mail/dovecot2/patches/patch-ab 1.5 - mail/dovecot2/patches/patch-ae 1.2 - mail/dovecot2/patches/patch-src_old-stats_mail-stats.h 1.1 - mail/dovecot2/patches/patch-src_plugins_quota_quota-fs.c deleted - mail/dovecot2/patches/patch-src_stats_mail-stats.h deleted ------------------------------------------------------------------- Module Name: pkgsrc Committed By: fhajny Date: Tue Jan 2 15:52:44 UTC 2018 Modified Files: pkgsrc/mail/dovecot2: Makefile.common PLIST distinfo pkgsrc/mail/dovecot2-ldap: Makefile pkgsrc/mail/dovecot2-sqlite: Makefile pkgsrc/mail/dovecot2/patches: patch-ab patch-ae patch-src_plugins_quota_quota-fs.c Added Files: pkgsrc/mail/dovecot2/patches: patch-src_old-stats_mail-stats.h Removed Files: pkgsrc/mail/dovecot2/patches: patch-src_stats_mail-stats.h Log Message: Update mail/dovecot2* to 2.3.0. Some of the larger changes: * Various setting changes, see https://wiki2.dovecot.org/Upgrading/2.3 * Logging rewrite started: Logging is now based on hierarchical events. This makes it possible to do various things, like: 1) giving consistent log prefixes, 2) enabling debug logging with finer granularity, 3) provide logs in more machine readable formats (e.g. json). Everything isn't finished yet, especially a lot of the old logging code still needs to be translated to the new way. * Statistics rewrite started: Stats are now based on (log) events. It's possible to gather statistics about any event that is logged. See http://wiki2.dovecot.org/Statistics for details * ssl_dh setting replaces the old generated ssl-parameters.dat * IMAP: When BINARY FETCH finds a broken mails, send [PARSE] error instead of [UNKNOWNCTE] * Linux: core dumping via PR_SET_DUMPABLE is no longer enabled by default due to potential security reasons (found by cPanel Security Team). + Added support for SMTP submission proxy server, which includes support for BURL and CHUNKING extension. + LMTP rewrite. Supports now CHUNKING extension and mixing of local/proxy recipients. + auth: Support libsodium to add support for ARGON2I and ARGON2ID password schemes. + auth: Support BLF-CRYPT password scheme in all platforms + auth: Added LUA scripting support for passdb/userdb. See https://wiki2.dovecot.org/AuthDatabase/Lua - Input streams are more reliable now when there are errors or when the maximum buffer size is reached. Previously in some situations this could have caused Dovecot to try to read already freed memory. - Output streams weren't previously handling failures when writing a trailer at the end of the stream. This mainly affected encrypt and zlib compress ostreams, which could have silently written truncated files if the last write happened to fail (which shouldn't normally have ever happened). - virtual plugin: Fixed panic when fetching mails from virtual mailboxes with IMAP BINARY extension. - doveadm-server: Fix potential hangs with SSL connections - doveadm proxy: Reading commands' output from v2.2.33+ servers could have caused the output to be corrupted or caused a crash. - Many other smaller fixes To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 pkgsrc/mail/dovecot2/Makefile.common cvs rdiff -u -r1.57 -r1.58 pkgsrc/mail/dovecot2/PLIST cvs rdiff -u -r1.79 -r1.80 pkgsrc/mail/dovecot2/distinfo cvs rdiff -u -r1.1 -r1.2 pkgsrc/mail/dovecot2-ldap/Makefile cvs rdiff -u -r1.9 -r1.10 pkgsrc/mail/dovecot2-sqlite/Makefile cvs rdiff -u -r1.4 -r1.5 pkgsrc/mail/dovecot2/patches/patch-ab cvs rdiff -u -r1.1.1.1 -r1.2 pkgsrc/mail/dovecot2/patches/patch-ae cvs rdiff -u -r0 -r1.1 \ pkgsrc/mail/dovecot2/patches/patch-src_old-stats_mail-stats.h cvs rdiff -u -r1.6 -r1.7 \ pkgsrc/mail/dovecot2/patches/patch-src_plugins_quota_quota-fs.c cvs rdiff -u -r1.2 -r0 \ pkgsrc/mail/dovecot2/patches/patch-src_stats_mail-stats.h ------------------------------------------------------------------- Module Name: pkgsrc Committed By: maya Date: Thu Jan 4 00:22:02 UTC 2018 Modified Files: pkgsrc/mail/dovecot2: distinfo Removed Files: pkgsrc/mail/dovecot2/patches: patch-src_plugins_quota_quota-fs.c Log Message: dovecot2: remove now redundant patch. Heads up by jzu, thanks. To generate a diff of this commit: cvs rdiff -u -r1.80 -r1.81 pkgsrc/mail/dovecot2/distinfo cvs rdiff -u -r1.7 -r0 \ pkgsrc/mail/dovecot2/patches/patch-src_plugins_quota_quota-fs.c ------------------------------------------------------------------- Module Name: pkgsrc Committed By: fhajny Date: Mon Jan 8 13:03:15 UTC 2018 Modified Files: pkgsrc/mail/dovecot2: buildlink3.mk Log Message: mail/dovecot2: bump ABI dependency to 2.3.0 for dovecot2-pigeonhole. To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.26 pkgsrc/mail/dovecot2/buildlink3.mk ------------------------------------------------------------------- Module Name: pkgsrc Committed By: jperkin Date: Wed Jan 24 15:16:49 UTC 2018 Modified Files: pkgsrc/mail/dovecot2: Makefile.common Log Message: dovecot2: Don't automatically add compiler security features. To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 pkgsrc/mail/dovecot2/Makefile.common ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu Mar 1 11:13:14 UTC 2018 Modified Files: pkgsrc/mail/dovecot2: Makefile.common PLIST distinfo Log Message: mail/dovecot2: update to 2.3.0.1 Small patch release to fix the worst bugs in v2.3.0. v2.3.1 is coming in about a month with a lot more changes. * CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage, causing imap-login/pop3-login VSZ limit to be reached and the process restarted. This happens only if Dovecot config has local_name { } or local { } configuration blocks and attacker uses randomly generated SNI servernames. * CVE-2017-14461: Parsing invalid email addresses may cause a crash or leak memory contents to attacker. For example, these memory contents might contain parts of an email from another user if the same imap process is reused for multiple users. First discovered by Aleksandar Nikolic of Cisco Talos. Independently also discovered by "flxflndy" via HackerOne. * CVE-2017-15132: Aborted SASL authentication leaks memory in login process. * Linux: Core dumping is no longer enabled by default via PR_SET_DUMPABLE, because this may allow attackers to bypass chroot/group restrictions. Found by cPanel Security Team. Nowadays core dumps can be safely enabled by using "sysctl -w fs.suid_dumpable=2". If the old behaviour is wanted, it can still be enabled by setting: import_environment=$import_environment PR_SET_DUMPABLE=1 - imap-login with SSL/TLS connections may end up in infinite loop To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 pkgsrc/mail/dovecot2/Makefile.common cvs rdiff -u -r1.58 -r1.59 pkgsrc/mail/dovecot2/PLIST cvs rdiff -u -r1.81 -r1.82 pkgsrc/mail/dovecot2/distinfo @ text @d23 1 a23 1 src/lib-dict-backend/libdict_ldap.la \ @