miwi@FreeBSD.org
2008-Nov-08 07:27 UTC
ports/128698: [vuxml] new entry for Dovecot 1.1.4-1.1.5
Synopsis: [vuxml] new entry for Dovecot 1.1.4-1.1.5

Responsible-Changed-From-To: freebsd-ports-bugs->miwi
Responsible-Changed-By: miwi
Responsible-Changed-When: Sat Nov 8 15:27:05 UTC 2008
Responsible-Changed-Why:
I'll take it.

http://www.freebsd.org/cgi/query-pr.cgi?pr=128698
Eygene Ryabinkin
2008-Nov-08 08:04 UTC
ports/128698: [vuxml] new entry for Dovecot 1.1.4-1.1.5
>Number:         128698
>Category:       ports
>Synopsis:       [vuxml] new entry for Dovecot 1.1.4-1.1.5
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 08 14:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
Not applicable.
>Description:
Citing from http://www.dovecot.org/list/dovecot-news/2008-October/000089.html
-----
The invalid message address parsing bug is pretty important since it allows a remote user to send broken mail headers and prevent the recipient from accessing the mailbox afterwards, because the process will always just crash trying to parse the header. This is assuming that the IMAP client uses FETCH ENVELOPE command, not all do. Note that it doesn't affect versions older than v1.1.4.
-----
Currently, FreeBSD's Dovecot from ports is built from the 1.1.3 release and I doubt that it will be upgraded to something <= 1.1.6, since 1.1.6 is out. But who knows.
>How-To-Repeat:
Look at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4907 and references therein.
>Fix:
Possibly, the new VuXML entry can be added:

--- dovecot-08.11.2008.xml begins here ---
<vuln vid="">
  <topic>dovecot -- invalid message address parsing bug</topic>
  <affects>
    <package>
      <name>dovecot</name>
      <name>dovecot-devel</name>
      <range><ge>1.1.4</ge><lt>1.1.6</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Dovecot reports:</p>
      <blockquote cite="http://www.dovecot.org/list/dovecot-news/2008-October/000089.html">
        <p>The invalid message address parsing bug is pretty important
        since it allows a remote user to send broken mail headers and
        prevent the recipient from accessing the mailbox afterwards,
        because the process will always just crash trying to parse the
        header. This is assuming that the IMAP client uses FETCH ENVELOPE
        command, not all do. Note that it doesn't affect versions older
        than v1.1.4.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-4907</cvename>
    <url>http://www.dovecot.org/list/dovecot-news/2008-October/000089.html</url>
    <url>http://secunia.com/advisories/32479/</url>
    <url>http://xforce.iss.net/xforce/xfdb/46227/</url>
    <url>http://www.securityfocus.com/bid/31997/</url>
  </references>
  <dates>
    <discovery>2008-10-30</discovery>
    <entry>2008-11-08</entry>
  </dates>
</vuln>
--- dovecot-08.11.2008.xml ends here ---

As I said, I greatly doubt that official FreeBSD ports will ever have these versions of Dovecot, but people can update their ports to receive the new Dovecot versions, so there can be some reasons to add it. The only PR that contains Dovecot is ports/128469 and it upgrades the port to the "safe" version 1.1.6.
>Release-Note:
>Audit-Trail:
>Unformatted:
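As an added check, not part of the PR or the ports tree, the following Python evaluates the proposed <affects> block against candidate dovecot versions so an administrator can see which installed releases the entry would flag. It assumes a simplified dotted numeric version comparison rather than full pkg version semantics (suffixes such as _1 or ,1 are not handled).

```python
"""Check whether a port version falls inside a VuXML <affects> range."""
import xml.etree.ElementTree as ET

# The <affects> block from the proposed entry above; description and
# references are left out because only the range matters for this check.
VUXML_AFFECTS = """
<affects>
  <package>
    <name>dovecot</name>
    <name>dovecot-devel</name>
    <range><ge>1.1.4</ge><lt>1.1.6</lt></range>
  </package>
</affects>
"""


def version_key(v):
    """Simplified comparison key: dotted numeric components only.
    Assumption: real pkg version ordering is richer than this; it is
    adequate for plain x.y.z releases such as Dovecot's."""
    return tuple(int(p) for p in v.split("."))


# VuXML bound element name -> predicate(installed_key, bound_key)
BOUNDS = {
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
    "le": lambda a, b: a <= b,
    "lt": lambda a, b: a < b,
    "eq": lambda a, b: a == b,
}


def is_affected(affects_xml, pkgname, version):
    """True if pkgname-version matches any <range> of a <package> naming it."""
    root = ET.fromstring(affects_xml.strip())
    key = version_key(version)
    for package in root.iter("package"):
        names = {n.text for n in package.findall("name")}
        if pkgname not in names:
            continue
        for rng in package.findall("range"):
            # All bounds inside one <range> must hold (they are ANDed).
            if all(BOUNDS[b.tag](key, version_key(b.text)) for b in rng):
                return True
    return False


if __name__ == "__main__":
    for v in ("1.1.3", "1.1.4", "1.1.5", "1.1.6"):
        state = "affected" if is_affected(VUXML_AFFECTS, "dovecot", v) else "not affected"
        print(f"dovecot-{v}: {state}")
```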
miwi@FreeBSD.org
2008-Nov-08 11:19 UTC
ports/128698: [vuxml] new entry for Dovecot 1.1.4-1.1.5
Synopsis: [vuxml] new entry for Dovecot 1.1.4-1.1.5

State-Changed-From-To: open->closed
State-Changed-By: miwi
State-Changed-When: Sat Nov 8 19:19:14 UTC 2008
State-Changed-Why:
close. we need to file a VuXML entry for version never been in ports tree. At least, we see no point to entry this one.

http://www.freebsd.org/cgi/query-pr.cgi?pr=128698