[Midnightbsd-cvs] mports: mail/dovecot: Dovecot versions prior to 1.0.13 allowed remote

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Fri Mar 14 16:09:04 EDT 2008


Log Message:
-----------
Dovecot versions prior to 1.0.13 allowed remote attackers to bypass the password check by using tab characters in the password.

Modified Files:
--------------
    mports/mail/dovecot:
        Makefile (r1.16 -> r1.17)
        distinfo (r1.13 -> r1.14)
    mports/mail/dovecot/files:
        patch-dovecot-example.conf (r1.3 -> r1.4)

Index: Makefile
===================================================================
RCS file: /home/cvs/mports/mail/dovecot/Makefile,v
retrieving revision 1.16
retrieving revision 1.17
diff -L mail/dovecot/Makefile -L mail/dovecot/Makefile -u -r1.16 -r1.17
--- mail/dovecot/Makefile
+++ mail/dovecot/Makefile
@@ -8,7 +8,7 @@
 #
 
 PORTNAME=	dovecot
-DISTVERSION=	1.0.9
+DISTVERSION=	1.0.13
 CATEGORIES=	mail ipv6
 MASTER_SITES=	http://www.dovecot.org/releases/1.0/
 
Index: distinfo
===================================================================
RCS file: /home/cvs/mports/mail/dovecot/distinfo,v
retrieving revision 1.13
retrieving revision 1.14
diff -L mail/dovecot/distinfo -L mail/dovecot/distinfo -u -r1.13 -r1.14
--- mail/dovecot/distinfo
+++ mail/dovecot/distinfo
@@ -1,3 +1,3 @@
-MD5 (dovecot-1.0.9.tar.gz) = fdd490b72fee9b99da972ddb69f4b58d
-SHA256 (dovecot-1.0.9.tar.gz) = a1861f42954a5497dc27eb6549e980524f75a50a03f58ac184e1770cff8a881d
-SIZE (dovecot-1.0.9.tar.gz) = 1796543
+MD5 (dovecot-1.0.13.tar.gz) = 281bd9dee8d6c1674977257acc80ce64
+SHA256 (dovecot-1.0.13.tar.gz) = 16da29b2bc08d0178a09323bf0787a2a0e953075655566a7b4b6b148c87ac25f
+SIZE (dovecot-1.0.13.tar.gz) = 1774025
Index: patch-dovecot-example.conf
===================================================================
RCS file: /home/cvs/mports/mail/dovecot/files/patch-dovecot-example.conf,v
retrieving revision 1.3
retrieving revision 1.4
diff -L mail/dovecot/files/patch-dovecot-example.conf -L mail/dovecot/files/patch-dovecot-example.conf -u -r1.3 -r1.4
--- mail/dovecot/files/patch-dovecot-example.conf
+++ mail/dovecot/files/patch-dovecot-example.conf
@@ -1,6 +1,6 @@
---- dovecot-example.conf.orig	Wed Jan  3 23:19:41 2007
-+++ dovecot-example.conf	Sun Jan  7 15:42:35 2007
-@@ -9,7 +9,7 @@
+--- dovecot-example.conf.orig	2008-03-04 05:48:12.000000000 +0000
++++ dovecot-example.conf	2008-03-05 22:49:08.554336095 +0000
+@@ -12,7 +12,7 @@
  # Default values are shown for each setting, it's not required to uncomment
  # any of the lines. Exception to this are paths, they're just examples with
  # the real defaults being based on configure options. The paths listed here
@@ -9,7 +9,7 @@
  # --with-ssldir=/etc/ssl
  
  # Base directory where to store runtime data.
-@@ -18,6 +18,7 @@
+@@ -21,6 +21,7 @@
  # Protocols we want to be serving: imap imaps pop3 pop3s
  # If you only want to use dovecot-auth, you can set this to "none".
  #protocols = imap imaps
@@ -17,23 +17,23 @@
  
  # IP or host address where to listen in for connections. It's not currently
  # possible to specify multiple addresses. "*" listens in all IPv4 interfaces.
-@@ -205,6 +206,7 @@
- # http://wiki.dovecot.org/MailLocation
+@@ -210,6 +212,7 @@
+ # <doc/wiki/MailLocation.txt>
  #
  #mail_location = 
 +mail_location = mbox:~/mail/:INBOX=/var/mail/%u
  
  # If you need to set multiple mailbox locations or want to change default
- # namespace settings, you can do it by defining namespace sections:
-@@ -248,6 +250,7 @@
- # Grant access to these extra groups for mail processes. Typical use would be
- # to give "mail" group write access to /var/mail to be able to create dotlocks.
- #mail_extra_groups =
-+mail_extra_groups = mail
- 
- # Allow full filesystem access to clients. There's no access checks other than
- # what the operating system does for the active UID/GID. It works with both
-@@ -300,6 +303,7 @@
+ # namespace settings, you can do it by defining namespace sections.
+@@ -256,6 +259,7 @@
+ # used only for creating mbox dotlock files when creation fails for INBOX.
+ # Typically this is set to "mail" to give access to /var/mail.
+ #mail_privileged_group =
++mail_privileged_group = mail
+ 
+ # Grant access to these supplementary groups for mail processes. Typically
+ # these are used to set up access to shared mailboxes. Note that it may be
+@@ -320,6 +324,7 @@
  # IP address. Useful for seeing who are actually using the IMAP processes
  # (eg. shared mailboxes or if same uid is used for multiple accounts).
  #verbose_proctitle = no
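Review bot: The security-relevant part of this hunk is the replacement of `mail_extra_groups = mail` with `mail_privileged_group = mail`, and neither the patch nor the commit log (which cites only the tab-character password bypass) says why, so a later maintainer could be tempted to restore the old setting. The context lines visible here establish the difference: the new setting is used only for creating mbox dotlock files when INBOX creation fails, whereas the removed one granted the group to mail processes generally. I would put a comment above the new line in the patch: `# mail_privileged_group replaces the former mail_extra_groups = mail; the mail GID is then used only for INBOX dotlocks, not held by the whole mail process`. The `mail_location = mbox:~/mail/:INBOX=/var/mail/%u` line kept earlier in the hunk relies on this group for /var/mail dotlocks, so it is worth confirming that /var/mail is group-writable by `mail` on the target system.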
@@ -41,7 +41,7 @@
  
  # Valid UID range for users, defaults to 500 and above. This is mostly
  # to make sure that users can't log in as daemons or other system users.
-@@ -313,6 +317,7 @@
+@@ -333,6 +338,7 @@
  # belongs to supplementary groups with non-valid GIDs, those groups are
  # not set.
  #first_valid_gid = 1
@@ -49,7 +49,7 @@
  #last_valid_gid = 0
  
  # Maximum number of running mail processes. When this limit is reached,
-@@ -489,19 +494,19 @@
+@@ -506,19 +512,19 @@
  
  protocol imap {
    # Login executable location.
@@ -73,7 +73,7 @@
  
    # Maximum IMAP command line length in bytes. Some clients generate very long
    # command lines with huge mailboxes, so you may need to raise this if you get
-@@ -511,7 +516,7 @@
+@@ -528,7 +534,7 @@
    # Support for dynamically loadable plugins. mail_plugins is a space separated
    # list of plugins to load.
    #mail_plugins = 
@@ -82,7 +82,7 @@
  
    # Send IMAP capabilities in greeting message. This makes it unnecessary for
    # clients to request it with CAPABILITY command, so it saves one round-trip.
-@@ -546,6 +551,7 @@
+@@ -563,6 +569,7 @@
    #     accept '/' suffix in mailbox names in subscriptions list.
    # The list is space-separated.
    #imap_client_workarounds = outlook-idle
@@ -90,7 +90,7 @@
  }
    
  ##
-@@ -554,11 +560,11 @@
+@@ -571,11 +578,11 @@
  
  protocol pop3 {
    # Login executable location.
@@ -104,7 +104,7 @@
  
    # Don't try to set mails non-recent or seen with POP3 sessions. This is
    # mostly intended to reduce disk I/O. With maildir it doesn't move files
-@@ -604,6 +610,7 @@
+@@ -621,6 +628,7 @@
    # installations.
    #
    #pop3_uidl_format = 
@@ -112,7 +112,7 @@
  
    # POP3 logout format string:
    #  %t - number of TOP commands
-@@ -618,7 +625,7 @@
+@@ -635,7 +643,7 @@
    # Support for dynamically loadable plugins. mail_plugins is a space separated
    # list of plugins to load.
    #mail_plugins = 
@@ -121,7 +121,7 @@
  
    # Workarounds for various client bugs:
    #   outlook-no-nuls:
-@@ -629,6 +636,7 @@
+@@ -646,6 +654,7 @@
    #     missing. This option simply sends it if it's missing.
    # The list is space-separated.
    #pop3_client_workarounds = 
@@ -129,7 +129,7 @@
  }
  
  ##
-@@ -646,10 +654,11 @@
+@@ -663,10 +672,11 @@
    # Support for dynamically loadable plugins. mail_plugins is a space separated
    # list of plugins to load.
    #mail_plugins = 
@@ -142,7 +142,7 @@
  
    # UNIX socket path to master authentication server to find users.
    #auth_socket_path = /var/run/dovecot/auth-master
-@@ -660,7 +669,7 @@
+@@ -677,7 +687,7 @@
  ##
  
  # Executable location
@@ -151,3 +151,39 @@
  
  # Set max. process size in megabytes.
  #auth_process_size = 256
+@@ -783,7 +793,7 @@
+ 
+   #passdb passwd-file {
+     # File contains a list of usernames, one per line
+-    #args = /etc/dovecot.deny
++    #args = %%PREFIX%%/etc/dovecot.deny
+     #deny = yes
+   #}
+ 
+@@ -1021,7 +1031,7 @@
+ # referenced using URIs in format "proxy:<name>".
+ 
+ dict {
+-  #quota = mysql:/etc/dovecot-dict-quota.conf 
++  #quota = mysql:%%PREFIX%%/etc/dovecot-dict-quota.conf 
+ }
+ 
+ ##
+@@ -1045,7 +1055,7 @@
+   # directory. You can also optionally give a global ACL directory path where
+   # ACLs are applied to all users' mailboxes. The global ACL directory contains
+   # one file for each mailbox, eg. INBOX or sub.mailbox.
+-  #acl = vfile:/etc/dovecot-acls
++  #acl = vfile:%%PREFIX%%/etc/dovecot-acls
+ 
+   # Convert plugin. If set, specifies the source storage path which is
+   # converted to destination storage (mail_location) when the user logs in.
+@@ -1059,7 +1069,7 @@
+   # until the message can be saved within quota limits. The configuration file
+   # is a text file where each line is in format: <priority> <mailbox name>
+   # Mails are first deleted in lowest -> highest priority number order
+-  #trash = /etc/dovecot-trash.conf
++  #trash = %%PREFIX%%/etc/dovecot-trash.conf
+ 
+   # Lazy expunge plugin. Currently works only with maildirs. When a user
+   # expunges mails, the mails are moved to a mailbox in another namespace
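Review bot: The four new `%%PREFIX%%` references (`#args`, `#quota`, `#acl`, `#trash`) sit on commented-out example lines, so they take effect only when an administrator uncomments them, and at that point they depend on the port having substituted `%%PREFIX%%` at build time. The Makefile hunk in this commit adds no such substitution; presumably one already exists for the executable-path replacements made by the earlier hunks, whose replacement lines are outside this view, but that is worth confirming. Otherwise an admin who uncomments `#args = %%PREFIX%%/etc/dovecot.deny` on an unsubstituted file would point the `deny = yes` passdb at a literal placeholder path rather than a real deny list.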

