f838a05fb9
CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens, if attacker has local access. CVE-2021-33515: On-path attacker could have injected plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client. Add TLSv1.3 support to min_protocols. Allow configuring ssl_cipher_suites. (for TLSv1.3+)
diff -up dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey dovecot-2.3.15/doc/dovecot-openssl.cnf
--- dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey 2021-06-21 20:24:51.913456628 +0200
+++ dovecot-2.3.15/doc/dovecot-openssl.cnf 2021-06-21 20:25:36.352912123 +0200
@@ -1,5 +1,5 @@
[ req ]
-default_bits = 2048
+default_bits = 3072
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
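Review bot: The new `default_bits = 3072` in `[ req ]` only takes effect when a key is generated from this config, so an installation that already holds a 2048-bit key keeps it after the update; whether the packaging regenerates existing keys is not visible on this page. A one-line comment above the setting would record that, e.g. `# RSA key size for newly generated keys; existing keys are not regenerated`. The rest of the file lies outside this 5-line hunk, so the signature digest and certificate lifetime cannot be checked from here.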