author | Larry Rosenman <ler@FreeBSD.org> | 2020-08-14 00:27:43 +0000 |
---|---|---|
committer | Larry Rosenman <ler@FreeBSD.org> | 2020-08-14 00:27:43 +0000 |
commit | 2d4e56cc6292f1ba6b49bb13c5f1f226b8235729 (patch) | |
tree | fff9d01674f0096f49feb6648d42ccc7677bd81d /mail/dovecot | |
parent | d0c0209b7790d0efa77d0574ab92397fc604b83c (diff) | |
download | freebsd-ports-2d4e56cc6292f1ba6b49bb13c5f1f226b8235729.zip |
mail/dovecot, mail/dovecot-pigeonhole: upgrade to 2.3.11.3 and 0.5.11, respectively.
dovecot changelog:
* CVE-2020-12100: Parsing mails with a large number of MIME parts could
have resulted in excessive CPU usage or a crash due to running out of
stack memory.
* CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
message buffer size, which leads to reading past allocation which can
lead to crash.
* CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
address that has the empty quoted string as local-part causes the lmtp
service to crash.
* CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
zero-length message, which leads to assert-crash later on.
* Events: Fix inconsistency in events. See event documentation in
https://doc.dovecot.org.
* imap_command_finished event's cmd_name field now contains "unknown"
for unknown commands. A new "cmd_input_name" field contains the
command name exactly as it was sent.
* lib-index: Renamed mail_cache_compress_* settings to mail_cache_purge_*.
Note that these settings are mainly intended for testing and usually
shouldn't be changed.
* events: Renamed "index" event category to "mail-index".
* events: service:<name> category is now using the name from
configuration file.
* dns-client: service dns_client was renamed to dns-client.
* log: Prefixes generally use the service name from configuration file.
For example dict-async service will now use
"dict-async(pid): " log prefix instead of "dict(pid): "
* *-login: Changed logging done by proxying to use a consistent prefix
containing the IP address and port.
* *-login: Changed disconnection log messages to be slightly clearer.
+ dict: Add events for dictionaries.
+ lib-index: Finish logging with events.
+ oauth2: Support local validation of JWT tokens.
+ stats: Add support for dynamic histograms and grouping. See
https://doc.dovecot.org/configuration_manual/stats/.
+ imap: Implement RFC 8514: IMAP SAVEDATE
+ lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge
folder) adds a lot of data to dovecot.index.cache file, commit those
changes periodically to make them visible to other concurrent sessions
as well.
+ stats: Add OpenMetrics exporter for statistics. See
https://doc.dovecot.org/configuration_manual/stats/openmetrics/.
+ stats: Support disabling stats-writer socket by setting
stats_writer_socket_path="".
- auth-worker: Process keeps slowly increasing its memory usage and
eventually dies with "out of memory" due to reaching vsz_limit.
- auth: Prevent potential timing attacks in authentication secret
comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, crypt() result.
- auth: Several auth-mechanisms allowed input to be truncated by NUL
which can potentially lead to unintentional issues or even successful
logins which should have failed.
- auth: When auth policy returned a delay, auth_request_finished event
had policy_result=ok field instead of policy_result=delayed.
- auth: auth process crash when auth_policy_server_url is set to an
invalid URL.
- auth: Lua passdb/userdb leaks stack elements per call, eventually
causing the stack to become too deep and crashing the auth or
auth-worker process.
- dict-ldap: Crash occurs if var_expand template expansion fails.
- dict: If dict client disconnected while iteration was still running,
dict process could have started using 100% CPU, although it was still
handling clients.
- doveadm: Running doveadm commands via proxying may hang, especially
when doveadm is printing a lot of output.
- imap: "MOVE * destfolder" goes to a loop copying the last mail to the
destination until the imap process dies due to running out of memory.
- imap: Running "UID MOVE 1:* Trash" on an empty folder goes to infinite
loop.
- imap: SEARCH doesn't support $.
- lib-compress: Buffer over-read in zlib stream read.
- lib-dns: If DNS lookup times out, lib-dns can cause crash in calling
process.
- lib-index: Fixed several bugs in dovecot.index.cache handling that
could have caused cached data to be lost.
- lib-index: Writing to >=1 GB dovecot.index.cache files may cause
assert-crashes:
Panic: file mail-index-util.c: line 37 (mail_index_uint32_to_offset):
assertion failed: (offset < 0x40000000)
- lib-mail: v2.3.11 regression: MIME parts not returned correctly by
Dovecot MIME parser.
- lib-ssl-iostream: Fix buggy OpenSSL error handling without
assert-crashing. If there is no error available, log it as an error
instead of crashing:
Panic: file iostream-openssl.c: line 599 (openssl_iostream_handle_error):
assertion failed: (errno != 0)
- lib-ssl-iostream: ssl_key_password setting did not work.
- pop3-login: Login didn't handle commands in multiple IP packets properly.
This mainly affected large XCLIENT commands or a large SASL initial
response parameter in the AUTH command.
- pop3: pop3_deleted_flag setting was broken, causing:
Panic: file seq-range-array.c: line 472 (seq_range_array_invert):
assertion failed: (range[count-1].seq2 <= max_seq)
- pop3-login: Login would fail with "Input buffer full" if the initial
response for SASL was too long.
- submission: A segfault crash may occur when the client or server
disconnects while a non-transaction command like NOOP or VRFY is still
being processed.
- virtual: Copying/moving mails with IMAP into a virtual folder
assert-crashes:
Panic: file cmd-copy.c: line 152 (fetch_and_copy): assertion failed:
(copy_ctx->copy_count == seq_range_count(&copy_ctx->saved_uids))
pigeonhole changelog:
* managesieve: managesieve_max_line_length setting is now a "size" type
instead of just number of bytes. This allows using e.g. "64k" as the
value.
- lib-sieve: When folding white space is used in the Message-ID header,
it is not stripped away correctly before the message ID value is used,
causing e.g. garbled log lines at delivery.
PR: 248640
PR: 248644
Submitted by: juraj@lutter.sk
Reported by: juraj@lutter.sk
MFH: 2020Q3
Security: 87a07de1-e55e-4d51-bb64-8d117829a26a
Security: CVE-2020-12100
Security: CVE-2020-12673
Security: CVE-2020-10967
Security: CVE-2020-12674
Diffstat (limited to 'mail/dovecot')
-rw-r--r-- | mail/dovecot/Makefile | 5 | ||||
-rw-r--r-- | mail/dovecot/distinfo | 6 | ||||
-rw-r--r-- | mail/dovecot/files/patch-configure | 6 | ||||
-rw-r--r-- | mail/dovecot/files/patch-src_lib-fts_fts-filter-stemmer-snowball.c | 2 | ||||
-rw-r--r-- | mail/dovecot/files/patch-src_lib-master_master-service.c | 11 | ||||
-rw-r--r-- | mail/dovecot/files/patch-src_plugins_fts-lucene_SnowballFilter.h | 3 | ||||
-rw-r--r-- | mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c | 6 | ||||
-rw-r--r-- | mail/dovecot/pkg-plist | 3 |
8 files changed, 18 insertions, 24 deletions
diff --git a/mail/dovecot/Makefile b/mail/dovecot/Makefile index 3a128b1374e4..a3519edc439b 100644 --- a/mail/dovecot/Makefile +++ b/mail/dovecot/Makefile @@ -8,8 +8,7 @@ ###################################################################### PORTNAME= dovecot -PORTVERSION= 2.3.10.1 -PORTREVISION= 2 +PORTVERSION= 2.3.11.3 CATEGORIES= mail MASTER_SITES= https://dovecot.org/releases/2.3/ @@ -19,6 +18,8 @@ COMMENT= Secure, fast and powerful IMAP and POP3 server LICENSE= LGPL21 MIT LICENSE_COMB= dual +LIB_DEPENDS= libzstd.so:archivers/zstd + USES= cpe iconv libtool pkgconfig ssl USE_RC_SUBR= dovecot diff --git a/mail/dovecot/distinfo b/mail/dovecot/distinfo index 4a9e9595f87c..846a350d8fbe 100644 --- a/mail/dovecot/distinfo +++ b/mail/dovecot/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1589829060 -SHA256 (dovecot-2.3.10.1.tar.gz) = 6642e62f23b1b23cfac235007ca6e21cb67460cca834689fad450724456eb10c -SIZE (dovecot-2.3.10.1.tar.gz) = 7226958 +TIMESTAMP = 1597259906 +SHA256 (dovecot-2.3.11.3.tar.gz) = d3d9ea9010277f57eb5b9f4166a5d2ba539b172bd6d5a2b2529a6db524baafdc +SIZE (dovecot-2.3.11.3.tar.gz) = 7353412 diff --git a/mail/dovecot/files/patch-configure b/mail/dovecot/files/patch-configure index a199e838da39..7d458da545e6 100644 --- a/mail/dovecot/files/patch-configure +++ b/mail/dovecot/files/patch-configure @@ -1,6 +1,6 @@ ---- configure.orig 2020-03-05 17:36:02.000000000 +0300 -+++ configure 2020-03-23 13:27:59.882228000 +0300 -@@ -28652,13 +28652,13 @@ +--- configure.orig 2020-08-12 12:20:51 UTC ++++ configure +@@ -28901,13 +28901,13 @@ fi if test $want_stemmer != no; then diff --git a/mail/dovecot/files/patch-src_lib-fts_fts-filter-stemmer-snowball.c b/mail/dovecot/files/patch-src_lib-fts_fts-filter-stemmer-snowball.c index 0da23500cf98..b0aeea56ffbc 100644 --- a/mail/dovecot/files/patch-src_lib-fts_fts-filter-stemmer-snowball.c +++ b/mail/dovecot/files/patch-src_lib-fts_fts-filter-stemmer-snowball.c 
@@ -1,4 +1,4 @@ ---- src/lib-fts/fts-filter-stemmer-snowball.c.orig +--- src/lib-fts/fts-filter-stemmer-snowball.c.orig 2020-08-12 12:20:41 UTC +++ src/lib-fts/fts-filter-stemmer-snowball.c @@ -6,7 +6,7 @@ diff --git a/mail/dovecot/files/patch-src_lib-master_master-service.c b/mail/dovecot/files/patch-src_lib-master_master-service.c deleted file mode 100644 index bb5c9d4e5de4..000000000000 --- a/mail/dovecot/files/patch-src_lib-master_master-service.c +++ /dev/null @@ -1,11 +0,0 @@ ---- src/lib-master/master-service.c.orig 2019-12-04 09:31:27 UTC -+++ src/lib-master/master-service.c -@@ -368,7 +368,7 @@ master_service_init(const char *name, enum master_serv - if ((flags & MASTER_SERVICE_FLAG_DONT_SEND_STATS) == 0) { - /* Initialize stats-client early so it can see all events. */ - value = getenv(DOVECOT_STATS_WRITER_SOCKET_PATH); -- if (value != NULL) -+ if (value != NULL && *value != '\0') - service->stats_client = stats_client_init(value, FALSE); - } - diff --git a/mail/dovecot/files/patch-src_plugins_fts-lucene_SnowballFilter.h b/mail/dovecot/files/patch-src_plugins_fts-lucene_SnowballFilter.h index 6169e121bc18..07a2b436ad2b 100644 --- a/mail/dovecot/files/patch-src_plugins_fts-lucene_SnowballFilter.h +++ b/mail/dovecot/files/patch-src_plugins_fts-lucene_SnowballFilter.h @@ -1,4 +1,4 @@ ---- src/plugins/fts-lucene/SnowballFilter.h.orig +--- src/plugins/fts-lucene/SnowballFilter.h.orig 2020-08-12 12:20:41 UTC +++ src/plugins/fts-lucene/SnowballFilter.h @@ -8,7 +8,7 @@ #define _lucene_analysis_snowball_filter_ @@ -8,3 +8,4 @@ +#include "CLucene/snowball/libstemmer.h" CL_NS_DEF2(analysis,snowball) + diff --git a/mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c b/mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c index ea2b3cb05c8f..e6991bbf7900 100644 --- a/mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c +++ b/mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c 
@@ -1,6 +1,6 @@ ---- src/plugins/fts-solr/solr-connection.c.orig 2019-04-30 12:25:06 UTC +--- src/plugins/fts-solr/solr-connection.c.orig 2020-08-12 12:20:41 UTC +++ src/plugins/fts-solr/solr-connection.c -@@ -156,7 +156,7 @@ int solr_connection_init(const struct fts_solr_setting +@@ -103,7 +103,7 @@ int solr_connection_init(const struct fts_solr_setting http_set.ssl = ssl_client_set; http_set.debug = solr_set->debug; http_set.rawlog_dir = solr_set->rawlog_dir; @@ -8,4 +8,4 @@ + solr_http_client = http_client_init_private(&http_set); } - conn->xml_parser = XML_ParserCreate("UTF-8"); + *conn_r = conn; diff --git a/mail/dovecot/pkg-plist b/mail/dovecot/pkg-plist index 111306a9eb95..f246fb483015 100644 --- a/mail/dovecot/pkg-plist +++ b/mail/dovecot/pkg-plist @@ -93,6 +93,7 @@ include/dovecot/auth-master.h include/dovecot/auth-penalty.h include/dovecot/auth-policy.h include/dovecot/auth-request-handler.h +include/dovecot/auth-request-handler-private.h include/dovecot/auth-request-stats.h include/dovecot/auth-request-var-expand.h include/dovecot/auth-request.h @@ -468,6 +469,7 @@ include/dovecot/mdbox-settings.h include/dovecot/mdbox-storage-rebuild.h include/dovecot/mdbox-storage.h include/dovecot/mdbox-sync.h +include/dovecot/mech-digest-md5-private.h include/dovecot/mech-otp-skey-common.h include/dovecot/mech-plain-common.h include/dovecot/mech-scram.h @@ -514,6 +516,7 @@ include/dovecot/ostream-null.h include/dovecot/ostream-private.h include/dovecot/ostream-rawlog.h include/dovecot/ostream-unix.h +include/dovecot/ostream-wrapper.h include/dovecot/ostream-zlib.h include/dovecot/ostream.h include/dovecot/passdb-blocking.h |
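Review bot: The new `LIB_DEPENDS= libzstd.so:archivers/zstd` line in the mail/dovecot/Makefile hunk is unconditional, and neither the commit message nor the quoted changelog mentions zstd. Every build of the port now pulls in archivers/zstd, so please either state in the commit message why 2.3.11.3 requires it or gate it behind a port option so that sites that do not want the extra library can turn it off. Dropping `PORTREVISION= 2` together with the `PORTVERSION` bump is fine.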
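Review bot: The deletion of mail/dovecot/files/patch-src_lib-master_master-service.c removes the local `if (value != NULL && *value != '\0')` guard in front of `stats_client_init(value, FALSE)` with no explanation. The changelog line 'stats: Support disabling stats-writer socket by setting stats_writer_socket_path=""' suggests upstream now covers the empty-value case, but the commit message should say that the patch was dropped because it is included upstream. It is also worth confirming that the 2.3.11.3 source treats an empty DOVECOT_STATS_WRITER_SOCKET_PATH the same way the local patch did, since otherwise the stats client would again be initialised with an empty path.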