ff7b3d5db3
Dovecot 2.3.21.1
- CVE-2024-23184: A large number of address headers in email resulted
in excessive CPU usage. [boo#1229184]
- CVE-2024-23185: Abnormally large email headers are now truncated or
discarded, with a limit of 10MB on a single header and 50MB for all
the headers of all the parts of an email. [boo#1229183]
- oauth2: Dovecot would send client_id and client_secret as POST parameters
to introspection server. These need to be optionally in Basic auth
instead as required by OIDC specification.
- oauth2: JWT key type check was too strict.
- oauth2: JWT token audience was not validated against client_id as
required by OIDC specification.
- oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
protocol specific error message on all errors. This broke OIDC discovery.
- oauth2: JWT aud validation was not performed if aud was missing
from token, but was configured on Dovecot.
OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=121
18 lines
866 B
Standard ML
18 lines
866 B
Standard ML
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQJLBAABCgA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAma8frUXHGRvdmVjb3Qt
|
|
Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaHesA//QG3U92zq5vmWLoEC7G8nKbT7
|
|
JUYthTqG4j2wgEngdcZmylKo4dbXvbEljf9PdTfFAJJbwKDaOgKedwykQo+xIGwO
|
|
y8Xkcs8iyB4Sv9boZp4aIPSCPr5zLE81dZrjy7UNxOyNxQKkcr092HhLxLhU3ktJ
|
|
Kpjkr6yVdgDVmu48jvePhxTVlH/whdN/5DWxfkUjp09xZRjTwSOqBaoQTyVgTvQv
|
|
HYVUsfzLHmeUjkasZ/piaHdZPq1fdtIMjmDVUkpyZcyQVEUABLOF1ahYCNIgQlrS
|
|
61roI3rI58P7YQAguhoNpvBvQGUflUp8UFhv1XDTVcHpEKQzBXv/SUX+H14vHfek
|
|
m8qX4gs/WKwIajH7dvdBC2Rz2ApVfXPrBLZRNyOxjMI3OhGNfeCLKX/bQajltHmx
|
|
EP9eW60WYkfI3BlbnkIJDcRFFo1Wq1p97tQS/I+wct9tLtbokmOPJYGAsge/kWT3
|
|
iywTPopD3mTtcvtcK7eVs3u9OYOJPhAsyBk6ahlcQ+3niks1LeqMpaWG2QgvNUUo
|
|
se3zjMzVeC/FbWj5H9qJyp282xRce88CD0vzBLThRTR5OXIPujqOvsvJN7qFcpKi
|
|
6lenb26sDXYxLHEsDkRw8oQtk6jGOJh971X8Tr4S+RLmwo3hNZ9qZtYjs7h7485x
|
|
Iu/utjziOizSFIsy2Jk=
|
|
=8VHs
|
|
-----END PGP SIGNATURE-----
|