Tuesday 20th August 2024
Fedora Project
Branched and built perl-Devel-Hide (0.0015) for EPEL-10
Branched and built perl-Dist-CheckConflicts (0.11) for EPEL-10
Branched and built perl-Module-Implementation (0.09) for EPEL-10
Branched and built perl-Path-Class (0.37) for EPEL-10
Branched and built perl-Perl-Destruct-Level (0.02) for EPEL-10
Updated perl-Business-ISBN-Data to 20240820.001 in F-41 and Rawhide:
- Data update for 20240820
Updated perl-Digest-MD4 (1.9) in F-41 and Rawhide to drop the redundant build requirements libdb-devel and gdbm-devel
Local Packages
Updated dovecot to 2.3.21.1:
- A large number of address headers in email resulted in excessive CPU usage (CVE-2024-23184)
- Abnormally large email headers are now truncated or discarded, with a limit of 10MB on a single header and 50MB for all the headers of all the parts of an email (CVE-2024-23185)
- oauth2: Dovecot would send client_id and client_secret as POST parameters to the introspection server; these need to be optionally sent in Basic auth instead, as required by the OIDC specification
- oauth2: JWT key type check was too strict
- oauth2: JWT token audience was not validated against client_id as required by the OIDC specification
- oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out a protocol-specific error message on all errors, which broke OIDC discovery
- oauth2: JWT aud validation was not performed if aud was missing from the token but was configured on Dovecot
Updated perl-Digest-MD4 (1.9) as per the Fedora version
Updated perl-Test-Differences (0.71) to fix version handling for builds with different locales set