MFH: r544857


MFH: r544857

mail/dovecot, mail/dovecot-pigeonhole: upgrade to and 0.5.11, repectively.

dovecot changelog:

  • CVE-2020-12100: Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory.
  • CVE-2020-12673: Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash.
  • CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash.
  • CVE-2020-12674: Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on.
  • Events: Fix inconsistency in events. See event documentation in https://doc.dovecot.org.
  • imap_command_finished event's cmd_name field now contains "unknown" for unknown commands. A new "cmd_input_name" field contains the command name exactly as it was sent.
  • lib-index: Renamed mail_cache_compress_* settings to mail_cache_purge_*. Note that these settings are mainly intended for testing and usually shouldn't be changed.
  • events: Renamed "index" event category to "mail-index".
  • events: service:<name> category is now using the name from configuration file.
  • dns-client: service dns_client was renamed to dns-client.
  • log: Prefixes generally use the service name from configuration file. For example dict-async service will now use "dict-async(pid): " log prefix instead of "dict(pid): "
  • *-login: Changed logging done by proxying to use a consistent prefix containing the IP address and port.
  • *-login: Changed disconnection log messages to be slightly clearer.

+ dict: Add events for dictionaries.
+ lib-index: Finish logging with events.
+ oauth2: Support local validation of JWT tokens.
+ stats: Add support for dynamic histograms and grouping. See


+ imap: Implement RFC 8514: IMAP SAVEDATE
+ lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge

folder) adds a lot of data to dovecot.index.cache file, commit those
changes periodically to make them visible to other concurrent sessions
as well.

+ stats: Add OpenMetrics exporter for statistics. See


+ stats: Support disabling stats-writer socket by setting

  • auth-worker: Process keeps slowly increasing its memory usage and eventually dies with "out of memory" due to reaching vsz_limit.
  • auth: Prevent potential timing attacks in authentication secret comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, crypt() result.
  • auth: Several auth-mechanisms allowed input to be truncated by NUL which can potentially lead to unintentional issues or even successful logins which should have failed.
  • auth: When auth policy returned a delay, auth_request_finished event had policy_result=ok field instead of policy_result=delayed.
  • auth: auth process crash when auth_policy_server_url is set to an invalid URL.
  • auth: Lua passdb/userdb leaks stack elements per call, eventually causing the stack to become too deep and crashing the auth or auth-worker process.
  • dict-ldap: Crash occurs if var_expand template expansion fails.
  • dict: If dict client disconnected while iteration was still running, dict process could have started using 100% CPU, although it was still handling clients.
  • doveadm: Running doveadm commands via proxying may hang, especially when doveadm is printing a lot of output.
  • imap: "MOVE * destfolder" goes to a loop copying the last mail to the destination until the imap process dies due to running out of memory.
  • imap: Running "UID MOVE 1:* Trash" on an empty folder goes to infinite loop.
  • imap: SEARCH doesn't support $.
  • lib-compress: Buffer over-read in zlib stream read.
  • lib-dns: If DNS lookup times out, lib-dns can cause crash in calling process.
  • lib-index: Fixed several bugs in dovecot.index.cache handling that could have caused cached data to be lost.
  • lib-index: Writing to >=1 GB dovecot.index.cache files may cause assert-crashes: Panic: file mail-index-util.c: line 37 (mail_index_uint32_to_offset): assertion failed: (offset < 0x40000000)
  • lib-mail: v2.3.11 regression: MIME parts not returned correctly by Dovecot MIME parser.
  • lib-ssl-iostream: Fix buggy OpenSSL error handling without assert-crashing. If there is no error available, log it as an error instead of crashing: Panic: file iostream-openssl.c: line 599 (openssl_iostream_handle_error): assertion failed: (errno != 0)
  • lib-ssl-iostream: ssl_key_password setting did not work.
  • pop3-login: Login didn't handle commands in multiple IP packets properly. This mainly affected large XCLIENT commands or a large SASL initial response parameter in the AUTH command.
  • pop3: pop3_deleted_flag setting was broken, causing: Panic: file seq-range-array.c: line 472 (seq_range_array_invert): assertion failed: (range[count-1].seq2 <= max_seq)
  • pop3-login: Login would fail with "Input buffer full" if the initial response for SASL was too long.
  • submission: A segfault crash may occur when the client or server disconnects while a non-transaction command like NOOP or VRFY is still being processed.
  • virtual: Copying/moving mails with IMAP into a virtual folder


Panic: file cmd-copy.c: line 152 (fetch_and_copy): assertion failed:
(copy_ctx->copy_count == seq_range_count(&copy_ctx->saved_uids))

pigeonhole changelog:

  • managesieve: managesieve_max_line_length setting is now a "size" type instead of just number of bytes. This allows using e.g. "64k" as the value.
  • lib-sieve: When folding white space is used in the Message-ID header, it is not stripped away correctly before the message ID value is used, causing e.g. garbled log lines at delivery.

PR: 248640
PR: 248644
Submitted by: juraj@lutter.sk
Reported by: juraj@lutter.sk
Security: 87a07de1-e55e-4d51-bb64-8d117829a26a
Security: CVE-2020-12100
Security: CVE-2020-12673
Security: CVE-2020-10967
Security: CVE-2020-12674

Approved by: ports-secteam (joneum)


lerAuthored on
rP544949: updating devel/mate-common to 1.24.2