From cfb1172a13a9e16478368c37e1372757ca6cf8f4 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 3 Oct 2018 16:22:49 +0200 Subject: [PATCH 01/10] dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3 doveconf hides more secrets now in the default output NUL bytes in mail headers can cause truncated replies when fetched. virtual plugin: Some searches used 100% CPU for many seconds dsync assert-crashed with acl plugin in some situations. imapc: Fixed various assert-crashes when reconnecting to server. --- dovecot-2.2.20-initbysystemd.patch | 2 +- dovecot.spec | 20 ++++++++++++++++---- sources | 4 ++-- 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/dovecot-2.2.20-initbysystemd.patch b/dovecot-2.2.20-initbysystemd.patch index 01e8263..7e3d94c 100644 --- a/dovecot-2.2.20-initbysystemd.patch +++ b/dovecot-2.2.20-initbysystemd.patch @@ -13,7 +13,7 @@ diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dove +if [ ! -f /etc/pki/dovecot/certs/dovecot.pem ]; \ +then\ + SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;\ -+fi;\ ++fi' + diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/dovecot.service.in --- dovecot-2.3.0.1/dovecot.service.in.initbysystemd 2018-03-01 10:38:22.060716016 +0100 diff --git a/dovecot.spec b/dovecot.spec index df6d636..1e5e846 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.2.1 +Version: 2.3.3 %global prever %{nil} -Release: 3%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons 
@@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.2 +%global pigeonholever 0.5.3 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -39,7 +39,7 @@ Source15: prestartscript BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: sqlite-devel -BuildRequires: postgresql-devel +BuildRequires: libpq-devel %if %{?fedora}0 < 280 BuildRequires: mysql-devel BuildRequires: tcp_wrappers-devel @@ -497,6 +497,18 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Oct 02 2018 Michal Hlavinka - 1:2.3.3-1 +- dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3 +- doveconf hides more secrets now in the default output +- NUL bytes in mail headers can cause truncated replies when fetched. +- virtual plugin: Some searches used 100% CPU for many seconds +- dsync assert-crashed with acl plugin in some situations. +- imapc: Fixed various assert-crashes when reconnecting to server. + + +* Tue Oct 02 2018 Michal Hlavinka - 1:2.3.2.1-4 +- fix dovecot-init service syntax error (#1635017) + * Mon Aug 13 2018 Michal Hlavinka - 1:2.3.2.1-3 - do not try to generate ssl-params as its obsolete (#1614640) diff --git a/sources b/sources index daab9d6..99f9b1e 100644 --- a/sources +++ b/sources 
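Review bot: `BuildRequires: libpq-devel` in the `@@ -39,7 +39,7 @@` hunk replaces `postgresql-devel` unconditionally, while the next context line still carries a release conditional (`%if %{?fedora}0 < 280`). The spec therefore appears to target releases where a separate `libpq-devel` package may not exist. If those targets still matter, keep `postgresql-devel` for them behind the same kind of `%if`; otherwise drop the stale conditionals so the supported range is explicit. The swap is also missing from the `%changelog` entry this commit adds.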
@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.2.1.tar.gz) = c085a0d04925485423086736a3c7d919ad0ca9efeff005890382da5333edb68c7d23ccb89fbe2ac44f8f016fc993bf2c669e450794c3ab13463676cbb47c7bf7
-SHA512 (dovecot-2.3-pigeonhole-0.5.2.tar.gz) = 6bc24d9241f94db795a012346d9bc94b5cc7d7ce0175c03213c2b5d179d80dec95e9bdbd50bed628c8f9f7c51639e692ba5e429212a3b4a654c1e4764ac4f11c
+SHA512 (dovecot-2.3.3.tar.gz) = 8666c4f92f7df883067540f85be9d03dbe6815b58a7f5de55b4292e986e9a2a1ef52c7e0c72dde2bc781fe40d57488b78a99b6b813745b8e4683f1a2fdc1f2ff
+SHA512 (dovecot-2.3-pigeonhole-0.5.3.tar.gz) = 8403b1976a915836ba875b96825446d46e0d8c7ff245ed1f2b014347fdc78a81f9ed6dbd05bd3b4f1f7072edc5e9a302201cdb375de44436adcbb83919f203f5
From e77c4f7d514e761b2e2e6a323ba7f7256a15a859 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Wed, 9 Jan 2019 18:19:42 +0100
Subject: [PATCH 02/10] dovecot updated to 2.3.4, pigeonhole updated to 0.5.4
---
dovecot-2.3.4-de42b54.patch | 69 +++++++++++++++++++++++++++++++++++++
dovecot.spec | 12 +++++--
sources | 4 +--
3 files changed, 80 insertions(+), 5 deletions(-)
create mode 100644 dovecot-2.3.4-de42b54.patch
diff --git a/dovecot-2.3.4-de42b54.patch b/dovecot-2.3.4-de42b54.patch
new file mode 100644
index 0000000..534ce98
--- /dev/null
+++ b/dovecot-2.3.4-de42b54.patch
@@ -0,0 +1,69 @@
+diff --git a/src/lib-master/test-event-stats.c b/src/lib-master/test-event-stats.c
+index 8fcb3dd22d..2d8a13cd40 100644
+--- a/src/lib-master/test-event-stats.c
++++ b/src/lib-master/test-event-stats.c
+@@ -344,7 +344,7 @@ static void test_no_merging2(void)
+ event_unref(&child_ev);
+ test_assert(
+ compare_test_stats_to(
+- "EVENT %lu 1 0 0"
++ "EVENT %"PRIu64" 1 0 0"
+ " stest-event-stats.c %d"
+ " l0 0 ctest2\n", id, l));
+ test_end();
+@@ -370,12 +370,12 @@ static void test_no_merging3(void)
+ event_unref(&child_ev);
+ test_assert(
+ compare_test_stats_to(
+- "BEGIN %lu 0 1 0 0"
++ "BEGIN %"PRIu64" 0 1 0 0"
+ " stest-event-stats.c %d ctest1\n"
+- "EVENT %lu 1 1 0"
++ "EVENT %"PRIu64" 1 1 0"
+ " stest-event-stats.c %d"
+ " l1 0 ctest2\n"
+- "END\t%lu\n", idp, lp, idp, l, idp));
++ "END\t%"PRIu64"\n", idp, lp, idp, l, idp));
+ test_end();
+ }
+
+@@ -435,7 +435,7 @@ static void test_merge_events2(void)
+ event_unref(&merge_ev2);
+ test_assert(
+ compare_test_stats_to(
+- "EVENT %lu 1 0 0"
++ "EVENT %"PRIu64" 1 0 0"
+ " stest-event-stats.c %d l0 0"
+ " ctest3 ctest2 ctest1 Tkey3"
+ " 10 0 Ikey2 20"
+@@ -467,11 +467,11 @@ static void test_skip_parents(void)
+ event_unref(&child_ev);
+ test_assert(
+ compare_test_stats_to(
+- "BEGIN %lu 0 1 0 0"
++ "BEGIN %"PRIu64" 0 1 0 0"
+ " stest-event-stats.c %d ctest1\n"
+- "EVENT %lu 1 3 0 "
++ "EVENT %"PRIu64" 1 3 0 "
+ "stest-event-stats.c %d l3 0"
+- " ctest2\nEND\t%lu\n", id, lp, id, l, id));
++ " ctest2\nEND\t%"PRIu64"\n", id, lp, id, l, id));
+ test_end();
+ }
+
+@@ -509,12 +509,12 @@ static void test_merge_events_skip_parents(void)
+ event_unref(&child2_ev);
+ test_assert(
+ compare_test_stats_to(
+- "BEGIN %lu 0 1 0 0"
++ "BEGIN %"PRIu64" 0 1 0 0"
+ " stest-event-stats.c %d ctest1\n"
+- "EVENT %lu 1 3 0 "
++ "EVENT %"PRIu64" 1 3 0 "
+ "stest-event-stats.c %d l3 0 "
+ "ctest4 ctest5 Tkey3 10 0 Skey4"
+- " str4\nEND\t%lu\n", id, lp, id, l, id));
++ " str4\nEND\t%"PRIu64"\n", id, lp, id, l, id));
+
test_end(); + } + diff --git a/dovecot.spec b/dovecot.spec index 1e5e846..5f3eee4 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.3 +Version: 2.3.4 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.3 +%global pigeonholever 0.5.4 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -33,6 +33,7 @@ Patch6: dovecot-2.1.10-waitonline.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch +Patch11: dovecot-2.3.4-de42b54.patch Source15: prestartscript @@ -51,6 +52,7 @@ BuildRequires: openldap-devel BuildRequires: krb5-devel BuildRequires: quota-devel BuildRequires: xz-devel +BuildRequires: libsodium-devel # gettext-devel is needed for running autoconf because of the # presence of AM_ICONV @@ -134,7 +136,8 @@ This package provides the development files for dovecot. %patch6 -p1 -b .waitonline %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem -%patch10 -p1 -b .libxcrypt +#%patch10 -p1 -b .libxcrypt +%patch11 -p1 -b .de42b54 #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -497,6 +500,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Jan 09 2019 Michal Hlavinka - 1:2.3.4-1 +- dovecot updated to 2.3.4, pigeonhole updated to 0.5.4 + * Tue Oct 02 2018 Michal Hlavinka - 1:2.3.3-1 - dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3 - doveconf hides more secrets now in the default output diff --git a/sources b/sources index 99f9b1e..05b6440 100644 --- a/sources +++ b/sources 
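Review bot: The added `BuildRequires: libsodium-devel` in the `@@ -51,6 +52,7 @@` hunk pulls a new cryptographic library into the build with no `%changelog` line and no visible configure switch, so a reader cannot tell which feature it enables or whether it is linked at all. Add a changelog line such as `- build with libsodium` and a spec comment naming the feature it is for. The configure invocation is outside the hunk, so confirm there that the library is requested explicitly rather than auto-detected. The same applies to the `lz4-devel`, `libexttextcat-devel` and `libstemmer-devel` lines added in PATCH 10/10 (`@@ -50,7 +50,10 @@`).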
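Review bot: `#%patch10 -p1 -b .libxcrypt` in the `@@ -134,7 +136,8 @@` hunk stops applying the libxcrypt patch while `Patch10: dovecot-2.3.0.1-libxcrypt.patch` stays declared, and neither the commit message nor the new changelog entry says why. Judging by its name the patch concerns password hashing through libxcrypt, so dropping it should leave a recorded reason. Either remove `Patch10` and the file with a changelog line (for example `- drop libxcrypt patch, <reason>`), or keep it applied. If the line must stay commented out, write `#%%patch10 -p1 -b .libxcrypt`, because rpm can still expand macros inside comment lines and rpmlint flags the unescaped form. The `%prep` section starts and ends outside the hunk.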
@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.3.tar.gz) = 8666c4f92f7df883067540f85be9d03dbe6815b58a7f5de55b4292e986e9a2a1ef52c7e0c72dde2bc781fe40d57488b78a99b6b813745b8e4683f1a2fdc1f2ff
-SHA512 (dovecot-2.3-pigeonhole-0.5.3.tar.gz) = 8403b1976a915836ba875b96825446d46e0d8c7ff245ed1f2b014347fdc78a81f9ed6dbd05bd3b4f1f7072edc5e9a302201cdb375de44436adcbb83919f203f5
+SHA512 (dovecot-2.3.4.tar.gz) = 9e97eb08c319c417e8abcb430b3e6c87ed5aa820d6288656fdfd958ff34664f67202a66e4846763bfc85b309b116cea8012e49dab98b478c57974cc178a37a5a
+SHA512 (dovecot-2.3-pigeonhole-0.5.4.tar.gz) = 9c82cce7540f8ab66e2e370e0220c99048d6ac53ed680cd763e0b03d0200e2451cee4303ef97b87a16e7248e1c73b92ba91b47a2a20c75cb2cd62695a28046f3
From 6f247633b677b787b015560d323526c050efb9b7 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Wed, 6 Mar 2019 18:19:56 +0100
Subject: [PATCH 03/10] dovecot updated to 2.3.5, pigeonhole updated to 0.5.5
---
dovecot-2.3.4-de42b54.patch | 69 -------------------------------------
dovecot.spec | 20 ++++++-----
sources | 4 +--
3 files changed, 13 insertions(+), 80 deletions(-)
delete mode 100644 dovecot-2.3.4-de42b54.patch
diff --git a/dovecot-2.3.4-de42b54.patch b/dovecot-2.3.4-de42b54.patch
deleted file mode 100644
index 534ce98..0000000
--- a/dovecot-2.3.4-de42b54.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-diff --git a/src/lib-master/test-event-stats.c b/src/lib-master/test-event-stats.c
-index 8fcb3dd22d..2d8a13cd40 100644
---- a/src/lib-master/test-event-stats.c
-+++ b/src/lib-master/test-event-stats.c
-@@ -344,7 +344,7 @@ static void test_no_merging2(void)
- event_unref(&child_ev);
- test_assert(
- compare_test_stats_to(
-- "EVENT %lu 1 0 0"
-+ "EVENT %"PRIu64" 1 0 0"
- " stest-event-stats.c %d"
- " l0 0 ctest2\n", id, l));
- test_end();
-@@ -370,12 +370,12 @@ static void test_no_merging3(void)
- event_unref(&child_ev);
- test_assert(
- compare_test_stats_to(
-- "BEGIN %lu 0 1 0 0"
-+ "BEGIN %"PRIu64" 0 1 0 0"
- " stest-event-stats.c %d ctest1\n"
-- "EVENT %lu 1 1 0"
-+ "EVENT %"PRIu64" 1 1 0"
- " stest-event-stats.c %d"
- " l1 0 ctest2\n"
-- "END\t%lu\n", idp, lp, idp, l, idp));
-+ "END\t%"PRIu64"\n", idp, lp, idp, l, idp));
- test_end();
- }
-
-@@ -435,7 +435,7 @@ static void test_merge_events2(void)
- event_unref(&merge_ev2);
- test_assert(
- compare_test_stats_to(
-- "EVENT %lu 1 0 0"
-+ "EVENT %"PRIu64" 1 0 0"
- " stest-event-stats.c %d l0 0"
- " ctest3 ctest2 ctest1 Tkey3"
- " 10 0 Ikey2 20"
-@@ -467,11 +467,11 @@ static void test_skip_parents(void)
- event_unref(&child_ev);
- test_assert(
- compare_test_stats_to(
-- "BEGIN %lu 0 1 0 0"
-+ "BEGIN %"PRIu64" 0 1 0 0"
- " stest-event-stats.c %d ctest1\n"
-- "EVENT %lu 1 3 0 "
-+ "EVENT %"PRIu64" 1 3 0 "
- "stest-event-stats.c %d l3 0"
-- " ctest2\nEND\t%lu\n", id, lp, id, l, id));
-+ " ctest2\nEND\t%"PRIu64"\n", id, lp, id, l, id));
- test_end();
- }
-
-@@ -509,12 +509,12 @@ static void test_merge_events_skip_parents(void)
- event_unref(&child2_ev);
- test_assert(
- compare_test_stats_to(
-- "BEGIN %lu 0 1 0 0"
-+ "BEGIN %"PRIu64" 0 1 0 0"
- " stest-event-stats.c %d ctest1\n"
-- "EVENT %lu 1 3 0 "
-+ "EVENT %"PRIu64" 1 3 0 "
- "stest-event-stats.c %d l3 0 "
- "ctest4 ctest5 Tkey3 10 0 Skey4"
-- " str4\nEND\t%lu\n", id, lp, id, l, id));
-+ " str4\nEND\t%"PRIu64"\n", id, lp, id, l, id));
-
test_end(); - } - diff --git a/dovecot.spec b/dovecot.spec index 5f3eee4..4212779 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,18 +3,17 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.4 +Version: 2.3.5 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 -Group: System Environment/Daemons URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.4 +%global pigeonholever 0.5.5 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -33,7 +32,6 @@ Patch6: dovecot-2.1.10-waitonline.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch -Patch11: dovecot-2.3.4-de42b54.patch Source15: prestartscript @@ -101,7 +99,6 @@ The SQL drivers and authentication plug-ins are in their subpackages. %package pigeonhole Requires: %{name} = %{epoch}:%{version}-%{release} Summary: Sieve and managesieve plug-in for dovecot -Group: System Environment/Daemons License: MIT and LGPLv2 %description pigeonhole 
@@ -110,21 +107,18 @@ This package provides sieve and managesieve plug-in for dovecot LDA. %package pgsql Requires: %{name} = %{epoch}:%{version}-%{release} Summary: Postgres SQL back end for dovecot -Group: System Environment/Daemons %description pgsql This package provides the Postgres SQL back end for dovecot-auth etc. %package mysql Requires: %{name} = %{epoch}:%{version}-%{release} Summary: MySQL back end for dovecot -Group: System Environment/Daemons %description mysql This package provides the MySQL back end for dovecot-auth etc. %package devel Requires: %{name} = %{epoch}:%{version}-%{release} Summary: Development files for dovecot -Group: Development/Libraries %description devel This package provides the development files for dovecot. @@ -137,7 +131,6 @@ This package provides the development files for dovecot. %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem #%patch10 -p1 -b .libxcrypt -%patch11 -p1 -b .de42b54 #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -500,6 +493,15 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Mar 06 2019 Michal Hlavinka - 1:2.3.5-1 +- dovecot updated to 2.3.5, pigeonhole updated to 0.5.5 + +* Thu Jan 31 2019 Fedora Release Engineering - 1:2.3.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jan 14 2019 Björn Esser - 1:2.3.4-2 +- Rebuilt for libcrypt.so.2 (#1666033) + * Wed Jan 09 2019 Michal Hlavinka - 1:2.3.4-1 - dovecot updated to 2.3.4, pigeonhole updated to 0.5.4 diff --git a/sources b/sources index 05b6440..ea5c3e2 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.4.tar.gz) = 9e97eb08c319c417e8abcb430b3e6c87ed5aa820d6288656fdfd958ff34664f67202a66e4846763bfc85b309b116cea8012e49dab98b478c57974cc178a37a5a -SHA512 (dovecot-2.3-pigeonhole-0.5.4.tar.gz) = 9c82cce7540f8ab66e2e370e0220c99048d6ac53ed680cd763e0b03d0200e2451cee4303ef97b87a16e7248e1c73b92ba91b47a2a20c75cb2cd62695a28046f3 +SHA512 (dovecot-2.3.5.tar.gz) = 10513c371aeadd52184daaf8dbb9a7559c6db55e34182bbb2c9539dae0897ddcc76f6fe2ce6a81c7ce0cb94c7f79438ae3bb0e7db8ed46615feb337b4078ecc6 +SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94 From 3fa61155d6395fa634f51646d7e391bea95b54ce Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 28 Mar 2019 17:41:38 +0100 Subject: [PATCH 04/10] dovecot updated to 2.3.5.1 CVE-2019-7524: Missing input buffer size validation leads into arbitrary buffer overflow when reading fts or pop3 uidl header from Dovecot index. --- dovecot.spec | 8 +++++++- sources | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 4212779..4f642b7 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.5 +Version: 2.3.5.1 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -493,6 +493,12 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Mar 28 2019 Michal Hlavinka - 1:2.3.5.1-1 +- dovecot updated to 2.3.5.1 +- CVE-2019-7524: Missing input buffer size validation leads into + arbitrary buffer overflow when reading fts or pop3 uidl header + from Dovecot index. + * Wed Mar 06 2019 Michal Hlavinka - 1:2.3.5-1 - dovecot updated to 2.3.5, pigeonhole updated to 0.5.5 diff --git a/sources b/sources index ea5c3e2..1a5e4f7 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.5.tar.gz) = 10513c371aeadd52184daaf8dbb9a7559c6db55e34182bbb2c9539dae0897ddcc76f6fe2ce6a81c7ce0cb94c7f79438ae3bb0e7db8ed46615feb337b4078ecc6 +SHA512 (dovecot-2.3.5.1.tar.gz) = e87754461fb0b065acd0ff10dc955000a2fe5baffed69efaf328ce9268f90140e9de444bc68e0bd48b565c7622885a79b1f90ff3dd2335c0c2362d05d9e73e8a SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94 From 1763fadc5c87e7467952b471a347e12d6e608750 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 18 Apr 2019 15:03:30 +0200 Subject: [PATCH 05/10] dovecot updated to 2.3.5.2 fixes CVE-2019-10691: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled. --- dovecot.spec | 7 ++++++- sources | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 4f642b7..05c6aa2 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.5.1 +Version: 2.3.5.2 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -493,6 +493,11 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Apr 18 2019 Michal Hlavinka - 1:2.3.5.2-1 +- dovecot updated to 2.3.5.2 +- fixes CVE-2019-10691: Trying to login with 8bit username containing + invalid UTF8 input causes auth process to crash if auth policy is enabled. + * Thu Mar 28 2019 Michal Hlavinka - 1:2.3.5.1-1 - dovecot updated to 2.3.5.1 - CVE-2019-7524: Missing input buffer size validation leads into diff --git a/sources b/sources index 1a5e4f7..2af39ad 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.5.1.tar.gz) = e87754461fb0b065acd0ff10dc955000a2fe5baffed69efaf328ce9268f90140e9de444bc68e0bd48b565c7622885a79b1f90ff3dd2335c0c2362d05d9e73e8a +SHA512 (dovecot-2.3.5.2.tar.gz) = 041ec1c33c6accb5c89d96d7ab2f7dd59795f496c17faea1906e7977983e4a387aa855a238376515c09532731634d9d42e6d6be22659062855241847ea0213d5 SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94 From 1c3a9c463294980ec3d27f3070dfc18d8a4686ea Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 2 May 2019 17:01:44 +0200 Subject: [PATCH 06/10] dovecot updated to 2.3.6, pigeonhole updated to 0.5.6 --- dovecot.spec | 7 +++++-- sources | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 05c6aa2..48998ae 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.5.2 +Version: 2.3.6 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.5 +%global pigeonholever 0.5.6 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -493,6 +493,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu May 02 2019 Michal Hlavinka - 1:2.3.6-1 +- dovecot updated to 2.3.6, pigeonhole updated to 0.5.6 + * Thu Apr 18 2019 Michal Hlavinka - 1:2.3.5.2-1 - dovecot updated to 2.3.5.2 - fixes CVE-2019-10691: Trying to login with 8bit username containing diff --git a/sources b/sources index 2af39ad..f5c7b43 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.5.2.tar.gz) = 041ec1c33c6accb5c89d96d7ab2f7dd59795f496c17faea1906e7977983e4a387aa855a238376515c09532731634d9d42e6d6be22659062855241847ea0213d5 -SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94 +SHA512 (dovecot-2.3.6.tar.gz) = ec28af2efcbd4ab534298c3342709251074dcdb0f0f4bcad0d24b996b273387e2ce557d7ab54abafb69be3ed7dd61f25c82b9710d78156932e2eff7f941c9eb2 +SHA512 (dovecot-2.3-pigeonhole-0.5.6.tar.gz) = 998a046d2eb5ff7bba615fd1a3efdfb1e7e1dabf191257f7fa2882074acc1735a0a4c11c5f31bab1e964b0118f1a8e9e51b3d5529b8fff6d1312c9a8257d9c20 From 3802f416a1784a3b982dc5ebb02da9a3ca18a7a5 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Fri, 31 May 2019 16:21:00 +0200 Subject: [PATCH 07/10] disable gcc 9 stack reuse temporarily --- dovecot.spec | 28 +++++++++++++++++----------- dovecot.tmpfilesd | 2 +- 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 48998ae..c05ed8f 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.6 %global prever %{nil} -Release: 1%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -87,7 +87,7 @@ BuildRequires: curl-devel expat-devel BuildRequires: libcurl-devel expat-devel %endif -%global restart_flag /var/run/%{name}/%{name}-restart-after-rpm-install +%global restart_flag /run/%{name}/%{name}-restart-after-rpm-install %description Dovecot is an IMAP server for Linux/UNIX-like systems, written with security 
@@ -139,7 +139,7 @@ sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src %build #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules %global _hardened_build 1 -export CFLAGS="%{__global_cflags} -fno-strict-aliasing" +export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" # el6 autoconf too old to regen; use packaged files (#1082384) %if %{?fedora}00%{?rhel} > 6 @@ -241,7 +241,7 @@ install -p -D -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initddir}/dovecot install -p -D -m 600 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/dovecot %endif -mkdir -p $RPM_BUILD_ROOT/var/run/dovecot/{login,empty,token-login} +mkdir -p $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login} # Install dovecot configuration and dovecot-openssl.cnf mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d @@ -298,11 +298,11 @@ then %endif fi -install -d -m 0755 -g dovecot -d /var/run/dovecot -install -d -m 0755 -d /var/run/dovecot/empty -install -d -m 0750 -g dovenull -d /var/run/dovecot/login -install -d -m 0755 -g dovenull -d /var/run/dovecot/token-login -[ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot +install -d -m 0755 -g dovecot -d /run/dovecot +install -d -m 0755 -d /run/dovecot/empty +install -d -m 0750 -g dovenull -d /run/dovecot/login +install -d -m 0755 -g dovenull -d /run/dovecot/token-login +[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot %preun if [ $1 = 0 ]; then @@ -313,7 +313,7 @@ if [ $1 = 0 ]; then /sbin/service %{name} stop > /dev/null 2>&1 /sbin/chkconfig --del %{name} %endif - rm -rf /var/run/dovecot + rm -rf /run/dovecot fi %postun @@ -436,7 +436,7 @@ make check %{_libexecdir}/%{name} %exclude %{_libexecdir}/%{name}/managesieve* -%ghost /var/run/dovecot +%ghost /run/dovecot %attr(0750,dovecot,dovecot) /var/lib/dovecot %{_datadir}/%{name} 
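Review bot: `-fstack-reuse=none` is appended to `CFLAGS` in the `@@ -139,7 +139,7 @@` hunk with no comment, and the only comment above the line still explains `-fno-strict-aliasing` alone. Needing this flag usually means some code keeps using a local object after its scope has ended, a memory-safety bug that gcc 9 only exposes. The flag hides it for this build but leaves it in the source. Record the affected code and a tracking bug next to the flag, e.g. `# gcc 9: -fstack-reuse=none works around <bug reference>, remove once fixed upstream`, so the workaround the changelog calls temporary can be removed later. The `%build` section continues outside the hunk.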
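Review bot: In the `@@ -298,11 +298,11 @@` hunk, `[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot` appears to be the last command before `%preun`, so on a system without `/sbin/restorecon` the test fails and the scriptlet exits non-zero. End the line with `|| :` so the scriptlet status does not depend on the SELinux tools being installed. Each `install` line also passes `-d` twice (`install -d -m 0755 -g dovecot -d /run/dovecot`), which is harmless but worth cleaning up while these lines are being touched. The scriptlet starts outside the hunk.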
@@ -493,6 +493,12 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Fri May 31 2019 Michal Hlavinka - 1:2.3.6-3 +- disable gcc 9 stack reuse temporarily + +* Mon May 13 2019 Michal Hlavinka - 1:2.3.6-2 +- use /run instead of /var/run (#1706372) + * Thu May 02 2019 Michal Hlavinka - 1:2.3.6-1 - dovecot updated to 2.3.6, pigeonhole updated to 0.5.6 diff --git a/dovecot.tmpfilesd b/dovecot.tmpfilesd index 7178498..d96639a 100644 --- a/dovecot.tmpfilesd +++ b/dovecot.tmpfilesd @@ -1,2 +1,2 @@ -d /var/run/dovecot 0755 root dovecot - +d /run/dovecot 0755 root dovecot - From f88e1086451c722acd06149a883bd8ae24b40a92 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 19 Aug 2019 17:35:29 +0200 Subject: [PATCH 08/10] dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1 --- dovecot.spec | 12 +++++++++--- sources | 4 ++-- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index c05ed8f..7ee0d5e 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.6 +Version: 2.3.7.1 %global prever %{nil} -Release: 3%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.6 +%global pigeonholever 0.5.7.1 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd 
@@ -493,6 +493,12 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Aug 19 2019 Michal Hlavinka - 1:1-2.3.7.1 +- dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1 + +* Wed Jul 24 2019 Fedora Release Engineering - 1:2.3.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + * Fri May 31 2019 Michal Hlavinka - 1:2.3.6-3 - disable gcc 9 stack reuse temporarily diff --git a/sources b/sources index f5c7b43..8b8981e 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.6.tar.gz) = ec28af2efcbd4ab534298c3342709251074dcdb0f0f4bcad0d24b996b273387e2ce557d7ab54abafb69be3ed7dd61f25c82b9710d78156932e2eff7f941c9eb2 -SHA512 (dovecot-2.3-pigeonhole-0.5.6.tar.gz) = 998a046d2eb5ff7bba615fd1a3efdfb1e7e1dabf191257f7fa2882074acc1735a0a4c11c5f31bab1e964b0118f1a8e9e51b3d5529b8fff6d1312c9a8257d9c20 +SHA512 (dovecot-2.3.7.1.tar.gz) = 9addfe2be9ae745ac9164e1658e6638df96bd611d45f172e2cd1cb2c6596e4ce534674e9eea3c1d17f497555061031916e0fb9a9fbc6de0eb6034e2fd0bed3b9 +SHA512 (dovecot-2.3-pigeonhole-0.5.7.1.tar.gz) = 121eac4ad8bc1ddc55c554d00338bb553590b6aedffcb11e34f6cba102d59bd34580cb7218bd5fe820038c004d12db73f7a27ca135c3d4a12c4449bae3216355 From caa5c4be29a54d6ba46e955fc36484abfbf76af8 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 29 Aug 2019 11:04:23 +0200 Subject: [PATCH 09/10] dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2 fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes --- dovecot.spec | 10 ++++++++-- sources | 4 ++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 7ee0d5e..eba9723 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.7.1 +Version: 2.3.7.2 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 
@@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.7.1 +%global pigeonholever 0.5.7.2 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -493,6 +493,12 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Aug 29 2019 Michal Hlavinka - 1:2.3.7.2-1 +- dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2 +- fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte + when scanning data in quoted strings, leading to out of bounds heap + memory writes + * Mon Aug 19 2019 Michal Hlavinka - 1:1-2.3.7.1 - dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1 diff --git a/sources b/sources index 8b8981e..9a8ce1a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.7.1.tar.gz) = 9addfe2be9ae745ac9164e1658e6638df96bd611d45f172e2cd1cb2c6596e4ce534674e9eea3c1d17f497555061031916e0fb9a9fbc6de0eb6034e2fd0bed3b9 -SHA512 (dovecot-2.3-pigeonhole-0.5.7.1.tar.gz) = 121eac4ad8bc1ddc55c554d00338bb553590b6aedffcb11e34f6cba102d59bd34580cb7218bd5fe820038c004d12db73f7a27ca135c3d4a12c4449bae3216355 +SHA512 (dovecot-2.3.7.2.tar.gz) = 172f7f0edb884259e4c050607510aee67a35c3a20b7dd147e7c8a25a04921c18f7d6b5c85af2c69ae8c4d53791550970e471b033dbfae94253e331053b6a317d +SHA512 (dovecot-2.3-pigeonhole-0.5.7.2.tar.gz) = 7fc8d89ee31c8e8c16a9aeaeffb591f4188de36fc80e3a30a9ae10bc5acd7ea5d5d91e077fda566e61d588d9221ec53044ce17a9cc0c9c219dbe6824558a1d60 From 3399f7ef3508dbc3bd345d142bbaee7c2446c18f Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 10 Oct 2019 14:33:13 +0200 Subject: [PATCH 10/10] dovecot updated to 2.3.8, pigeonhole 0.5.8 --- dovecot.spec | 10 ++++++++-- sources | 4 ++-- 2 files changed, 10 insertions(+), 4 deletions(-) 
diff --git a/dovecot.spec b/dovecot.spec index eba9723..bb7322b 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.7.2 +Version: 2.3.8 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.7.2 +%global pigeonholever 0.5.8 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -50,7 +50,10 @@ BuildRequires: openldap-devel BuildRequires: krb5-devel BuildRequires: quota-devel BuildRequires: xz-devel +BuildRequires: lz4-devel BuildRequires: libsodium-devel +BuildRequires: libexttextcat-devel +BuildRequires: libstemmer-devel # gettext-devel is needed for running autoconf because of the # presence of AM_ICONV @@ -493,6 +496,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Oct 10 2019 Michal Hlavinka - 1:2.3.8-1 +- dovecot updated to 2.3.8, pigeonhole 0.5.8 + * Thu Aug 29 2019 Michal Hlavinka - 1:2.3.7.2-1 - dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2 - fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte diff --git a/sources b/sources index 9a8ce1a..05fd840 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.7.2.tar.gz) = 172f7f0edb884259e4c050607510aee67a35c3a20b7dd147e7c8a25a04921c18f7d6b5c85af2c69ae8c4d53791550970e471b033dbfae94253e331053b6a317d -SHA512 (dovecot-2.3-pigeonhole-0.5.7.2.tar.gz) = 7fc8d89ee31c8e8c16a9aeaeffb591f4188de36fc80e3a30a9ae10bc5acd7ea5d5d91e077fda566e61d588d9221ec53044ce17a9cc0c9c219dbe6824558a1d60 +SHA512 (dovecot-2.3.8.tar.gz) = f62439e2ea77ffb544a7752c07085582c5653c64671cb42dd7a7e5aa69eb87059c677aa1fa071efa1ddd2287ab621e9a264ec115be2aeb2f43ab4c685411eae3 +SHA512 (dovecot-2.3-pigeonhole-0.5.8.tar.gz) = ddf009c755cc87c362ddf1c17ac1403b0f6a504b039efef3244f2d5bd4d3963fb25baaaa4d98c089b3e8bddd4675d131765fee5499d9aaf01015e44f7d631d2d