Opened 5 weeks ago

Closed 4 weeks ago

#20231 closed enhancement (fixed)

dovecot-2.3.21.1

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: elevated Milestone: 12.2
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New nano version.

Change History (4)

comment:1 by Douglas R. Reno, 5 weeks ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 4 weeks ago

- CVE-2024-23184: A large number of address headers in email resulted
  in excessive CPU usage.
- CVE-2024-23185: Abnormally large email headers are now truncated or
  discarded, with a limit of 10MB on a single header and 50MB for all
  the headers of all the parts of an email.
- oauth2: Dovecot would send client_id and client_secret as POST parameters
  to introspection server. These need to be optionally in Basic auth
  instead as required by OIDC specification.
- oauth2: JWT key type check was too strict.
- oauth2: JWT token audience was not validated against client_id as
  required by OIDC specification.
- oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
  protocol specific error message on all errors. This broke OIDC discovery.
- oauth2: JWT aud validation was not performed if aud was missing
  from token, but was configured on Dovecot.
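The two header-related CVEs above describe limits rather than code, so here is an added illustration of how a bounded header reader enforces them: a cap on any single header (the advisory's 10 MB), a message-wide cap on the headers of all parts together (50 MB), and a cap on the number of address headers. This is example code written for this ticket, not Dovecot's parser; the per-header and total figures come from the changelog text, while the address-header cap is an assumption chosen to show one way of bounding the CPU cost described for CVE-2024-23184. The limits are parameters so the sample input can stay small.

```python
"""Bounded message-header reader (added example; not Dovecot code).

Enforces a per-header cap, a message-wide total cap shared by all MIME parts,
and an optional cap on address headers. The 10 MB / 50 MB defaults mirror the
advisory; the address-header cap is an assumption for the demonstration."""
from dataclasses import dataclass, field

MAX_SINGLE_HEADER = 10 * 1024 * 1024   # 10 MB for one header (advisory figure)
MAX_TOTAL_HEADERS = 50 * 1024 * 1024   # 50 MB for all headers of all parts (advisory figure)
ADDRESS_HEADERS = {b"from", b"to", b"cc", b"bcc", b"sender", b"reply-to"}


@dataclass
class HeaderBudget:
    """Shared by every MIME part of one message, so the total limit is message-wide."""
    max_total: int = MAX_TOTAL_HEADERS
    used: int = 0
    address_headers: int = 0


@dataclass
class HeaderResult:
    headers: list = field(default_factory=list)    # (name, value) pairs that were kept
    truncated: list = field(default_factory=list)  # names of headers cut at max_single
    discarded: int = 0     # headers dropped: total budget exhausted or address-header cap hit
    body_offset: int = 0   # index in the input where the body starts


class _Pending:
    """A header being assembled from its first line and any folded continuation lines."""
    def __init__(self, name, value, max_single):
        self.name, self.value, self.truncated = name, b"", False
        self.append(value, max_single)

    def append(self, chunk, max_single):
        if self.truncated:
            return                                  # already cut at the limit; ignore the rest
        room = max_single - (len(self.name) + 1 + len(self.value))
        if len(chunk) > room:
            self.value += chunk[:max(room, 0)]      # truncate instead of buffering unbounded data
            self.truncated = True
        else:
            self.value += chunk


def _commit(p, budget, out, max_address_headers):
    kept = len(p.name) + 1 + len(p.value)
    if budget.used + kept > budget.max_total:
        out.discarded += 1                          # message-wide budget exhausted: discard
        return
    if p.name.lower() in ADDRESS_HEADERS:
        budget.address_headers += 1
        if max_address_headers is not None and budget.address_headers > max_address_headers:
            out.discarded += 1                      # address-header flood: drop the extras
            return
    budget.used += kept
    out.headers.append((p.name, p.value.strip()))
    if p.truncated:
        out.truncated.append(p.name)


def read_headers(raw, budget, max_single=MAX_SINGLE_HEADER, max_address_headers=None):
    """Parse one part's header block from raw bytes, enforcing the limits above."""
    out, pending, consumed = HeaderResult(), None, 0
    for line in raw.split(b"\n"):
        consumed += len(line) + 1
        line = line[:-1] if line.endswith(b"\r") else line
        if line == b"":
            out.body_offset = consumed              # blank line ends the header block
            break
        if line[:1] in (b" ", b"\t"):
            if pending is not None:
                pending.append(line, max_single)    # folded continuation of the pending header
            continue
        if pending is not None:
            _commit(pending, budget, out, max_address_headers)
            pending = None
        name, sep, value = line.partition(b":")
        if sep:
            pending = _Pending(name, value, max_single)
        # a line with no ':' is not a header and is skipped rather than buffered
    else:
        out.body_offset = len(raw)                  # no blank line: the whole input was headers
    if pending is not None:
        _commit(pending, budget, out, max_address_headers)
    return out


if __name__ == "__main__":
    # Constructed sample: the second header exceeds a deliberately small per-header cap.
    demo = b"From: a@example.com\r\nX-Big: " + b"A" * 60 + b"\r\n\r\nbody"
    r = read_headers(demo, HeaderBudget(max_total=100), max_single=30)
    print(r.headers, r.truncated, demo[r.body_offset:])
```

One `HeaderBudget` is passed to every part of a message so that splitting oversized headers across many MIME parts cannot escape the total cap; truncation happens while the header is assembled, so a folded header never occupies more than `max_single` bytes in memory.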
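The oauth2 entries above cover two related audience bugs: the JWT `aud` claim was not compared against the configured client_id, and a token with no `aud` at all passed when an audience was configured. As an added example (not Dovecot's implementation), the check below treats both cases as failures and accepts `aud` in either form RFC 7519 allows (a single string or an array). HS256 signing is used only so the sample runs on the standard library; the secret, client_id and claims are constructed for the demonstration.

```python
"""JWT audience validation (added example; not Dovecot code).

Shows the corrected behaviour described in the changelog: when an audience
(the client_id) is configured, a token whose aud is missing or does not
include it is rejected. HS256 and all sample values are constructed."""
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build a test token for the demonstration (constructed sample only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def check_audience(claims: dict, expected_client_id):
    """Return (ok, reason). A configured audience must be present in aud."""
    if expected_client_id is None:
        return True, "no audience configured; aud not checked"
    if "aud" not in claims:
        # The pre-fix gap: a missing aud must not bypass a configured audience.
        return False, "aud missing but audience is configured"
    aud = claims["aud"]
    auds = [aud] if isinstance(aud, str) else aud   # RFC 7519: string or array of strings
    if not isinstance(auds, list) or not all(isinstance(a, str) for a in auds):
        return False, "aud has an invalid type"
    if expected_client_id in auds:
        return True, "aud matches client_id"
    return False, "aud does not include client_id"


def verify_token(token: str, secret: bytes, expected_client_id, now=None):
    """Structure, HS256 signature and exp first, then the audience check."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:                              # covers base64 and JSON decode errors
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if "exp" in claims and now >= claims["exp"]:
        return False, "expired"
    return check_audience(claims, expected_client_id)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    good = mint_hs256({"sub": "alice", "aud": "dovecot-imap", "exp": 2_000_000_000}, secret)
    no_aud = mint_hs256({"sub": "alice", "exp": 2_000_000_000}, secret)
    print(verify_token(good, secret, "dovecot-imap", now=1_000_000_000))
    print(verify_token(no_aud, secret, "dovecot-imap", now=1_000_000_000))
```

The order matters: signature and expiry are checked before any claim is trusted, and the audience check is only skipped when no client_id is configured at all, never because the token happens to omit the claim.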

comment:3 by Douglas R. Reno, 4 weeks ago

Priority: normal → elevated

comment:4 by Douglas R. Reno, 4 weeks ago

Resolution: fixed
Status: assigned → closed

Fixed at e663b41c0c853a4ede73f2a9a5aaa6c2a293e240

SA-12.1-093 issued
