From d5df6cbf020da68fa0da3418ac5ab1734fb44ea1 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 7 Sep 2017 09:02:32 +0200 Subject: [PATCH 01/14] pigeonhole updated to 0.4.20 Made the retention period for redirect duplicate identifiers configurable. Changed the default retention period from 24 to 12 hours. sieve-filter: Fixed memory leak: forgot to clean up script binary at end of execution managesieve-login: Fixed handling of AUTHENTICATE command. A second authenticate command would be parsed wrong. --- .gitignore | 2 ++ dovecot-2.2.31-notifyrevert.patch | 28 ------------------------- dovecot.spec | 34 ++++++++++++++++++++++++++----- sources | 4 ++-- 4 files changed, 33 insertions(+), 35 deletions(-) delete mode 100644 dovecot-2.2.31-notifyrevert.patch diff --git a/.gitignore b/.gitignore index e659068..fcc1ff0 100644 --- a/.gitignore +++ b/.gitignore @@ -115,3 +115,5 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2.30.2.tar.gz /dovecot-2.2.31.tar.gz /dovecot-2.2-pigeonhole-0.4.19.tar.gz +/dovecot-2.2.32.tar.gz +/dovecot-2.2-pigeonhole-0.4.20.tar.gz diff --git a/dovecot-2.2.31-notifyrevert.patch b/dovecot-2.2.31-notifyrevert.patch deleted file mode 100644 index a0fa251..0000000 --- a/dovecot-2.2.31-notifyrevert.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 64d2efdc4b0bdf92249840e9db89b91c8dc0f3a3 Mon Sep 17 00:00:00 2001 -From: Timo Sirainen -Date: Sat, 17 Jun 2017 14:38:22 +0300 -Subject: [PATCH] imap: Fix NOTIFY to parse more than just the first - event-group - ---- - src/imap/cmd-notify.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/imap/cmd-notify.c b/src/imap/cmd-notify.c -index 4c6aad975..94cf103b8 100644 ---- a/src/imap/cmd-notify.c -+++ b/src/imap/cmd-notify.c -@@ -292,10 +292,10 @@ cmd_notify_set(struct imap_notify_context *ctx, const struct imap_arg *args) - ctx->send_immediate_status = TRUE; - args++; - } -+ for (; args->type != IMAP_ARG_EOL; args++) { -+ if (!imap_arg_get_list(args, &event_group)) -+ return -1; - -- if (!imap_arg_get_list(args, &event_group)) -- return -1; -- for (; event_group->type != IMAP_ARG_EOL; event_group++) { - /* filter-mailboxes */ - if (!imap_arg_get_atom(event_group, &filter_mailboxes)) - return -1; diff --git a/dovecot.spec b/dovecot.spec index 51cc853..a0e0e31 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.31 +Version: 2.2.32 %global prever %{nil} -Release: 5%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.4.19 +%global pigeonholever 0.4.20 Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -33,7 +33,6 @@ Patch7: dovecot-2.2.13-online.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch -Patch10: dovecot-2.2.31-notifyrevert.patch Source15: prestartscript 
@@ -131,7 +130,6 @@ This package provides the development files for dovecot. %patch7 -p1 -b .online %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem -%patch10 -p1 -b .notifyrevert #pushd dovecot-2*2-pigeonhole-%{pigeonholever} #popd @@ -492,6 +490,32 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Aug 28 2017 Michal Hlavinka - 1:2.2.32-2 +- pigeonhole updated to 0.4.20 +- Made the retention period for redirect duplicate identifiers + configurable. Changed the default retention period from 24 to 12 hours. +- sieve-filter: Fixed memory leak: forgot to clean up script binary at + end of execution +- managesieve-login: Fixed handling of AUTHENTICATE command. A second + authenticate command would be parsed wrong. + +* Fri Aug 25 2017 Michal Hlavinka - 1:2.2.32-1 +- dovecot updated to 2.2.32 +- Modseq tracking didn't always work correctly. This could have caused + imap unhibernation to fail or IMAP QRESYNC/CONDSTORE extensions to + not work perfectly. +- mdbox: "Inconsistency in map index" wasn't fixed automatically +- dict-ldap: %variable values used in the LDAP filter weren't escaped. +- quota=count: quota_warning = -storage=.. was never executed (try #2). +- imapc: >= 32 kB mail bodies were supposed to be cached for subsequent + FETCHes, but weren't. +- quota-status service didn't support recipient_delimiter +- acl: Don't access dovecot-acl-list files with acl_globals_only=yes +- mail_location: If INDEX dir is set, mailbox deletion deletes its + childrens' indexes. +- director: v2.2.31 caused rapid reconnection loops to directors + that were down. + * Wed Aug 02 2017 Fedora Release Engineering - 1:2.2.31-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild diff --git a/sources b/sources index ebcda8b..3825a8c 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (dovecot-2.2.31.tar.gz) = 071797e260a75de9117b03c0fa9d903de82b1f1c039c2aece2d7313587e6673c49174bfce17b80fe3f3725fcbc42ed3a1bd1f1c22efef5bc016752277eff3266 -SHA512 (dovecot-2.2-pigeonhole-0.4.19.tar.gz) = c1211a3c65b25995770309c427ec5cd888ddb962f2f64884640163b492a11ffa8937aac1eb66d25e48f0e00131da1cc98c1cb307781576780de47b8816333ff1 +SHA512 (dovecot-2.2.32.tar.gz) = a26ce763fdea7d72ff9801d3b7d57a1f0d00278e4a1aa60d1be070fe5a6d2c6a15f266a519119492bee7a3e7a6b7d0732e9879e5c5841adbab8c0952cd1b7c7c +SHA512 (dovecot-2.2-pigeonhole-0.4.20.tar.gz) = 84a28842be206e05cb96c07cf1c1b62c9c378ba4c952caa47cf79a44b9428e076f4182eadd9c4fb8f45d3605b881f91e8e520c41705017ac4039240d4bcace39 From 8e92fc5f666e6b167305b179953c5ccfdbb1d20c Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 24 Oct 2017 12:33:15 +0200 Subject: [PATCH 02/14] dovecot updated to 2.2.33.2 doveadm: Fix crash in proxying (or dsync replication) if remote is running older than v2.2.33 auth: Fix memory leak in %{ldap_dn} dict-sql: Fix data types to work correctly with Cassandra --- .gitignore | 3 +++ dovecot.spec | 38 +++++++++++++++++++++++++++++++++++--- sources | 4 ++-- 3 files changed, 40 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index fcc1ff0..2472335 100644 --- a/.gitignore +++ b/.gitignore @@ -117,3 +117,6 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2-pigeonhole-0.4.19.tar.gz /dovecot-2.2.32.tar.gz /dovecot-2.2-pigeonhole-0.4.20.tar.gz +/dovecot-2.2.33.1.tar.gz +/dovecot-2.2-pigeonhole-0.4.21.tar.gz +/dovecot-2.2.33.2.tar.gz diff --git a/dovecot.spec b/dovecot.spec index a0e0e31..6f11de1 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.32 +Version: 2.2.33.2 %global prever %{nil} -Release: 2%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons 
@@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.4.20 +%global pigeonholever 0.4.21 Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd 
@@ -490,6 +490,38 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Oct 24 2017 Michal Hlavinka - 1:2.2.33.2-1 +- dovecot updated to 2.2.33.2 +- doveadm: Fix crash in proxying (or dsync replication) if remote is + running older than v2.2.33 +- auth: Fix memory leak in %%{ldap_dn} +- dict-sql: Fix data types to work correctly with Cassandra + +* Wed Oct 18 2017 Michal Hlavinka - 1:2.2.33.1-1 +- dovecot updated to 2.2.33.1, pigeonhole updated to +- Added %{if}, see https://wiki2.dovecot.org/Variables#Conditionals +- sdbox: Mails were always opened when expunging, unless + mail_attachment_fs was explicitly set to empty. +- lmtp/doveadm proxy: hostip passdb field was ignored, which caused + unnecessary DNS lookups if host field wasn't an IP +- lmtp proxy: Fix crash when receiving unexpected reply in RCPT TO +- quota_clone: Update also when quota is unlimited (broken in v2.2.31) +- mbox, zlib: Fix assert-crash when accessing compressed mbox +- doveadm director kick -f parameter didn't work +- doveadm director flush resulted flushing all hosts, if + wasn't an IP address. +- director: Various fixes to handling backend/director changes at + abnormal times, especially while ring was unsynced. +- director: Use less CPU in imap-login processes when moving/kicking + many users. +- lmtp: Session IDs were duplicated/confusing with multiple RCPT TOs + when lmtp_rcpt_check_quota=yes +- LDA Sieve plugin: Fixed sequential execution of LDAP-based scripts. A + missing LDAP-based script could cause the script sequence to exit earlier. +- sieve-filter: Removed the (now) duplicate utf8 to mutf7 mailbox name + conversion. This caused problems with mailbox names containing UTF-8 + characters. + * Mon Aug 28 2017 Michal Hlavinka - 1:2.2.32-2 - pigeonhole updated to 0.4.20 - Made the retention period for redirect duplicate identifiers diff --git a/sources b/sources index 3825a8c..7e35512 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (dovecot-2.2.32.tar.gz) = a26ce763fdea7d72ff9801d3b7d57a1f0d00278e4a1aa60d1be070fe5a6d2c6a15f266a519119492bee7a3e7a6b7d0732e9879e5c5841adbab8c0952cd1b7c7c -SHA512 (dovecot-2.2-pigeonhole-0.4.20.tar.gz) = 84a28842be206e05cb96c07cf1c1b62c9c378ba4c952caa47cf79a44b9428e076f4182eadd9c4fb8f45d3605b881f91e8e520c41705017ac4039240d4bcace39 +SHA512 (dovecot-2.2.33.2.tar.gz) = 028910a4d02b1630f1ada4d1c45fcc3ea2057969db7078a78d46e2a578b4dceaf8be0ac8de4a613b4890019e721871f2d366ec651db658da4cc72977d3e09931 +SHA512 (dovecot-2.2-pigeonhole-0.4.21.tar.gz) = 4751f449ede1b05173c706b414ebf9f7f670ff78589ce6f0b687c32c9abe6dae8b3064ed1b20e893d9ec0147b0139ce479e1d74ebe94747c33f2d8ca177912de From a27cafd2e8191b696dead041defe82ce14e146e9 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Fri, 2 Mar 2018 10:38:35 +0100 Subject: [PATCH 03/14] dovecot updated to 2.2.34, pigeonhole updated to 0.4.22 fixes CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage, causing imap-login/pop3-login VSZ limit to be reached and the process restarted. This happens only if Dovecot config has local_name { } or local { } configuration blocks and attacker uses randomly generated SNI servernames. fixes CVE-2017-14461: Parsing invalid email addresses may cause a crash or leak memory contents to attacker. For example, these memory contents might contain parts of an email from another user if the same imap process is reused for multiple users. fixes CVE-2017-15132: Aborted SASL authentication leaks memory in login process. --- dovecot.spec | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 6f11de1..4ab4b0b 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.33.2 +Version: 2.2.34 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 
@@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.4.21 +%global pigeonholever 0.4.22 Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -490,6 +490,20 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Mar 01 2018 Michal Hlavinka - 1:2.2.34-1 +- dovecot updated to 2.2.34, pigeonhole updated to 0.4.22 +- fixes CVE-2017-15130: TLS SNI config lookups may lead to excessive + memory usage, causing imap-login/pop3-login VSZ limit to be reached + and the process restarted. This happens only if Dovecot config has + local_name { } or local { } configuration blocks and attacker uses + randomly generated SNI servernames. +- fixes CVE-2017-14461: Parsing invalid email addresses may cause a crash or + leak memory contents to attacker. For example, these memory contents + might contain parts of an email from another user if the same imap + process is reused for multiple users. +- fixes CVE-2017-15132: Aborted SASL authentication leaks memory in login + process. + * Tue Oct 24 2017 Michal Hlavinka - 1:2.2.33.2-1 - dovecot updated to 2.2.33.2 - doveadm: Fix crash in proxying (or dsync replication) if remote is From c75d4e7107816c5a2568690270bd94dc2a1edf35 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Fri, 2 Mar 2018 10:41:27 +0100 Subject: [PATCH 04/14] upload new tarballs --- .gitignore | 2 ++ sources | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 2472335..83cebb1 100644 --- a/.gitignore +++ b/.gitignore @@ -120,3 +120,5 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2.33.1.tar.gz /dovecot-2.2-pigeonhole-0.4.21.tar.gz /dovecot-2.2.33.2.tar.gz +/dovecot-2.2.34.tar.gz +/dovecot-2.2-pigeonhole-0.4.22.tar.gz 
diff --git a/sources b/sources index 7e35512..84bf304 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.2.33.2.tar.gz) = 028910a4d02b1630f1ada4d1c45fcc3ea2057969db7078a78d46e2a578b4dceaf8be0ac8de4a613b4890019e721871f2d366ec651db658da4cc72977d3e09931 -SHA512 (dovecot-2.2-pigeonhole-0.4.21.tar.gz) = 4751f449ede1b05173c706b414ebf9f7f670ff78589ce6f0b687c32c9abe6dae8b3064ed1b20e893d9ec0147b0139ce479e1d74ebe94747c33f2d8ca177912de +SHA512 (dovecot-2.2.34.tar.gz) = 9f08a7116a08a08495aa0e7b4cb6b11a924ea61006970487946e338bc79bba7fd7619c345cbf278a74de285d548af04fc66eaaee508185b8b9d7335cf5612055 +SHA512 (dovecot-2.2-pigeonhole-0.4.22.tar.gz) = 409f53fa7a580863c2fef06abcefc15d48c51c7682761b214942f8f5da74dc50afef2d0a0cdce7125540d08806ca15783079816feb5d231f0dd9cc0020baaaaa From 13bc0975bbc028941997b632e56742c3498d1982 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Sun, 4 Mar 2018 16:29:58 +0000 Subject: [PATCH 05/14] use wildcards in source file names --- .gitignore | 126 +---------------------------------------------------- 1 file changed, 2 insertions(+), 124 deletions(-) diff --git a/.gitignore b/.gitignore index 83cebb1..0628189 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,124 +1,2 @@ -dovecot-2.0.rc3.tar.gz -pigeonhole-snap01ee63b788c9.tar.bz2 -dovecot-2.0.rc4.tar.gz -pigeonhole-snapcac6acdc4d0e.tar.bz2 -dovecot-2.0.rc5.tar.gz -pigeonhole-snap0592366457df.tar.bz2 -/dovecot-2.0.0.tar.gz -/pigeonhole-snap1ae9569b0383.tar.bz2 -/dovecot-2.0.1.tar.gz -/pigeonhole-snapd51650c8af85.tar.bz2 -/dovecot-2.0.2.tar.gz -/pigeonhole-snapfbcb05e7eda1.tar.bz2 -/dovecot-2.0.3.tar.gz -/pigeonhole-snapcb4c1ebecff3.tar.bz2 -/dovecot-2.0.4.tar.gz -/pigeonhole-snap824454514f08.tar.bz2 -/dovecot-2.0.5.tar.gz -/pigeonhole-snapa50464354f5a.tar.bz2 -/dovecot-2.0.6.tar.gz -/pigeonhole-snap2023f8c74250.tar.bz2 -/dovecot-2.0.7.tar.gz -/pigeonhole-snapa8cc6294071e.tar.bz2 -/dovecot-2.0.8.tar.gz -/pigeonhole-snap67d2240966ec.tar.bz2 -/dovecot-2.0-pigeonhole-0.2.2.tar.gz -/dovecot-2.0.9.tar.gz -/dovecot-2.0.11.tar.gz -/dovecot-2.0.12.tar.gz -/dovecot-2.0-pigeonhole-0.2.3.tar.gz -/dovecot-2.0.13.tar.gz -/dovecot-2.0.14.tar.gz -/dovecot-2.0.15.tar.gz -/dovecot-2.0.16.tar.gz -/dovecot-2.1.rc1.tar.gz -/dovecot-2.1-pigeonhole-b3bff60a18da.tar.bz2 -/dovecot-2.1.rc3.tar.gz -/dovecot-2.1.rc5.tar.gz -/dovecot-2.1-pigeonhole-a130a50f82e1.tar.bz2 -/dovecot-2.1.rc6.tar.gz -/dovecot-2.1-pigeonhole-b2a456e15ed5.tar.bz2 -/dovecot-2.1.0.tar.gz -/dovecot-2.1-pigeonhole-0.3.0.tar.gz -/dovecot-2.1.1.tar.gz -/pigeonhole-snap67950c9d3675.tar.bz2 -/dovecot-2.1.2.tar.gz -/pigeonhole-snap08a2d2718a65.tar.bz2 -/dovecot-2.1.3.tar.gz -/dovecot-2.1.4.tar.gz -/dovecot-2.1.5.tar.gz -/dovecot-2.1.6.tar.gz -/dovecot-2.1.7.tar.gz -/dovecot-2.1-pigeonhole-0.3.1.tar.gz -/dovecot-2.1.8.tar.gz -/dovecot-2.1.9.tar.gz -/dovecot-2.1.10.tar.gz -/dovecot-2.1-pigeonhole-0.3.3.tar.gz -/dovecot-2.1.12.tar.gz -/dovecot-2.1.13.tar.gz -/dovecot-2.1.14.tar.gz -/dovecot-2.1.15.tar.gz -/dovecot-2.2.rc2.tar.gz -/pigeonhole-99eec511aa2c.tar.bz2 -/dovecot-2.2.rc3.tar.gz -/dovecot-2.2.rc4.tar.gz -/dovecot-2.2.0.tar.gz -/dovecot-2.2.1.tar.gz -/pigeonhole-snape42a38f02d28.tar.bz2 
-/dovecot-2.2-pigeonhole-0.4.0.tar.gz -/dovecot-2.2.2.tar.gz -/dovecot-2.2.3.tar.gz -/dovecot-2.2.4.tar.gz -/dovecot-2.2-pigeonhole-0.4.1.tar.gz -/dovecot-2.2.5.tar.gz -/dovecot-2.2.6.tar.gz -/dovecot-2.2-pigeonhole-0.4.2.tar.gz -/dovecot-2.2.7.tar.gz -/dovecot-2.2.8.tar.gz -/dovecot-2.2.9.tar.gz -/dovecot-2.2.10.tar.gz -/dovecot-2.2.11.tar.gz -/dovecot-2.2.12.tar.gz -/dovecot-2.2.13.tar.gz -/dovecot-2.2.14.tar.gz -/dovecot-2.2-pigeonhole-0.4.3.tar.gz -/dovecot-2.2.15.tar.gz -/pigeonhole-snapded0c5a467aa.tar.bz2 -/dovecot-2.2-pigeonhole-0.4.6.tar.gz -/dovecot-2.2.16.tar.gz -/dovecot-2.2.17.tar.gz -/dovecot-2.2.18.tar.gz -/dovecot-2.2-pigeonhole-0.4.7.tar.gz -/dovecot-2.2-pigeonhole-0.4.8.tar.gz -/dovecot-2.2.19.tar.gz -/dovecot-2.2-pigeonhole-0.4.9.tar.gz -/dovecot-2.2.20.tar.gz -/dovecot-2.2.21.tar.gz -/dovecot-2.2-pigeonhole-0.4.10.tar.gz -/dovecot-2.2-pigeonhole-0.4.11.tar.gz -/dovecot-2.2-pigeonhole-0.4.12.tar.gz -/dovecot-2.2.22.tar.gz -/dovecot-2.2.23.tar.gz -/dovecot-2.2-pigeonhole-0.4.13.tar.gz -/dovecot-2.2.24.tar.gz -/dovecot-2.2-pigeonhole-0.4.14.tar.gz -/dovecot-2.2.25.tar.gz -/dovecot-2.2.26.0.tar.gz -/dovecot-2.2-pigeonhole-0.4.16.tar.gz -/dovecot-2.2.27.tar.gz -/dovecot-2.2.28.tar.gz -/dovecot-2.2-pigeonhole-0.4.17.tar.gz -/dovecot-2.2.29.tar.gz -/dovecot-2.2.29.1.tar.gz -/dovecot-2.2-pigeonhole-0.4.18.tar.gz -/dovecot-2.2.30.1.tar.gz -/dovecot-2.2.30.2.tar.gz -/dovecot-2.2.31.tar.gz -/dovecot-2.2-pigeonhole-0.4.19.tar.gz -/dovecot-2.2.32.tar.gz -/dovecot-2.2-pigeonhole-0.4.20.tar.gz -/dovecot-2.2.33.1.tar.gz -/dovecot-2.2-pigeonhole-0.4.21.tar.gz -/dovecot-2.2.33.2.tar.gz -/dovecot-2.2.34.tar.gz -/dovecot-2.2-pigeonhole-0.4.22.tar.gz +/dovecot-*.tar.gz +/pigeonhole-*.tar.bz2 From 7c795df415c6b65300c222ae33fe7803d2cae1be Mon Sep 17 00:00:00 2001 
From: Michal Hlavinka Date: Wed, 21 Mar 2018 17:22:51 +0100 Subject: [PATCH 06/14] dovecot updated to 2.2.35, pigeonhole updated to 0.4.23 --- dovecot.spec | 7 +++++-- sources | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index a1d73fb..4b0c482 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.34 +Version: 2.2.35 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.4.22 +%global pigeonholever 0.4.23 Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -496,6 +496,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Mar 21 2018 Michal Hlavinka - 1:2.2.35-1 +- dovecot updated to 2.2.35, pigeonhole updated to 0.4.23 + * Thu Mar 01 2018 Michal Hlavinka - 1:2.2.34-1 - dovecot updated to 2.2.34, pigeonhole updated to 0.4.22 - fixes CVE-2017-15130: TLS SNI config lookups may lead to excessive diff --git a/sources b/sources index 84bf304..5539752 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (dovecot-2.2.34.tar.gz) = 9f08a7116a08a08495aa0e7b4cb6b11a924ea61006970487946e338bc79bba7fd7619c345cbf278a74de285d548af04fc66eaaee508185b8b9d7335cf5612055 -SHA512 (dovecot-2.2-pigeonhole-0.4.22.tar.gz) = 409f53fa7a580863c2fef06abcefc15d48c51c7682761b214942f8f5da74dc50afef2d0a0cdce7125540d08806ca15783079816feb5d231f0dd9cc0020baaaaa +SHA512 (dovecot-2.2.35.tar.gz) = 002ceea7f17018bcd438edda5a36a782606f291264ef63cebb8b4f72b094e812bf5553686c9e1e0d8c1354af54c1174f3670d1b1fc498ec4cddb3f731bf00c56 +SHA512 (dovecot-2.2-pigeonhole-0.4.23.tar.gz) = 24dae1f7a52fdb37f644e9c0a5c30dcbb95018e8dd43f18af56e7ee813723cad36b74d6c22ddff281e140e4c0bbb61900baf23116a980dcda5244ae8a5b544f8 From 9fca5a8f12c4522a5a90e14fc4dfd28a8a861f92 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 19 Apr 2018 16:32:15 +0200 Subject: [PATCH 07/14] include crypt.h explicitely --- dovecot-2.3.0.1-libxcrypt.patch | 11 +++++++++++ dovecot.spec | 7 ++++++- 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.3.0.1-libxcrypt.patch diff --git a/dovecot-2.3.0.1-libxcrypt.patch b/dovecot-2.3.0.1-libxcrypt.patch new file mode 100644 index 0000000..a8c33bf --- /dev/null +++ b/dovecot-2.3.0.1-libxcrypt.patch @@ -0,0 +1,11 @@ +diff -up dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt dovecot-2.3.0.1/src/auth/mycrypt.c +--- dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt 2018-02-28 15:28:58.000000000 +0100 ++++ dovecot-2.3.0.1/src/auth/mycrypt.c 2018-03-27 10:57:38.447769201 +0200 +@@ -14,6 +14,7 @@ + # define _XPG6 /* Some Solaris versions require this, some break with this */ + #endif + #include ++#include + + #include "mycrypt.h" + diff --git a/dovecot.spec b/dovecot.spec index 4b0c482..cc0e22b 100644 --- a/dovecot.spec +++ b/dovecot.spec 
@@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.2.35 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -33,6 +33,7 @@ Patch7: dovecot-2.2.13-online.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch +Patch10: dovecot-2.3.0.1-libxcrypt.patch Source15: prestartscript @@ -134,6 +135,7 @@ This package provides the development files for dovecot. %patch7 -p1 -b .online %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem +%patch10 -p1 -b .libxcrypt #pushd dovecot-2*2-pigeonhole-%{pigeonholever} #popd @@ -496,6 +498,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Apr 19 2018 Michal Hlavinka - 1:2.2.35-2 +- include crypt.h explicitely + * Wed Mar 21 2018 Michal Hlavinka - 1:2.2.35-1 - dovecot updated to 2.2.35, pigeonhole updated to 0.4.23 From 982dbab10d2375125d0c33b4cfda2fa75fffa7c9 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 7 Jun 2018 10:13:37 +0200 Subject: [PATCH 08/14] dovecot updated to 2.2.36, pigeonhole updated to 0.4.24 --- dovecot.spec | 9 ++++++--- sources | 4 ++-- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index cc0e22b..5410788 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.35 +Version: 2.2.36 %global prever %{nil} -Release: 2%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons 
@@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.4.23 +%global pigeonholever 0.4.24 Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -498,6 +498,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Jun 07 2018 Michal Hlavinka - 1:2.2.36-1 +- dovecot updated to 2.2.36, pigeonhole updated to 0.4.24 + * Thu Apr 19 2018 Michal Hlavinka - 1:2.2.35-2 - include crypt.h explicitely diff --git a/sources b/sources index 5539752..fd4556a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.2.35.tar.gz) = 002ceea7f17018bcd438edda5a36a782606f291264ef63cebb8b4f72b094e812bf5553686c9e1e0d8c1354af54c1174f3670d1b1fc498ec4cddb3f731bf00c56 -SHA512 (dovecot-2.2-pigeonhole-0.4.23.tar.gz) = 24dae1f7a52fdb37f644e9c0a5c30dcbb95018e8dd43f18af56e7ee813723cad36b74d6c22ddff281e140e4c0bbb61900baf23116a980dcda5244ae8a5b544f8 +SHA512 (dovecot-2.2.36.tar.gz) = 327c50971e276f6013ca7f7bb59498ee88d76c9f8419bd18ee531cf10142214350fb81c6d64eaef73ee01765dd0fcf4142ab146ed67d9d7d86d5a58d41cf8db5 +SHA512 (dovecot-2.2-pigeonhole-0.4.24.tar.gz) = 2e21c95ece475ffcb78e5b5d4efa29e61471faf90b80b44a49963fb287de2784ebfb4c2b7ddfc66732fd073e9f02995d5950840336f6babe618b3d7d5166059f From 1ff06cf3cab6ba37225f1d57b8f14146b050e68a Mon Sep 17 00:00:00 2001 
From: Michal Hlavinka Date: Wed, 3 Oct 2018 16:45:19 +0200 Subject: [PATCH 09/14] dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3 doveconf hides more secrets now in the default output NUL bytes in mail headers can cause truncated replies when fetched. virtual plugin: Some searches used 100% CPU for many seconds dsync assert-crashed with acl plugin in some situations. imapc: Fixed various assert-crashes when reconnecting to server. --- dovecot-2.0-defaultconfig.patch | 26 +++--- dovecot-2.1.10-waitonline.patch | 12 +-- dovecot-2.2.13-online.patch | 12 --- dovecot-2.2.20-initbysystemd.patch | 31 +++---- dovecot-2.2.22-systemd_w_protectsystem.patch | 19 ++--- dovecot.spec | 85 ++++++++++++-------- sources | 4 +- 7 files changed, 92 insertions(+), 97 deletions(-) delete mode 100644 dovecot-2.2.13-online.patch diff --git a/dovecot-2.0-defaultconfig.patch b/dovecot-2.0-defaultconfig.patch index 1f537f7..c18dd47 100644 --- a/dovecot-2.0-defaultconfig.patch +++ b/dovecot-2.0-defaultconfig.patch @@ -1,7 +1,7 @@ -diff -up dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf ---- dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings 2014-06-02 13:50:10.000000000 +0200 -+++ dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf 2015-08-24 17:09:03.866648631 +0200 -@@ -283,6 +283,7 @@ namespace inbox { +diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf +--- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 ++++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf 2018-03-01 10:29:38.208368555 +0100 +@@ -322,6 +322,7 @@ protocol !indexer-worker { # them simultaneously. #mbox_read_locks = fcntl #mbox_write_locks = dotlock fcntl 
@@ -9,9 +9,9 @@ diff -up dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings # Maximum time to wait for lock (all of them) before aborting. #mbox_lock_timeout = 5 mins -diff -up dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf ---- dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings 2014-10-03 16:36:00.000000000 +0200 -+++ dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf 2015-08-24 17:10:49.536071649 +0200 +diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf +--- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 ++++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf 2018-03-01 10:33:54.779499044 +0100 @@ -3,7 +3,9 @@ ## @@ -23,11 +23,11 @@ diff -up dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings d # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but -@@ -50,6 +52,7 @@ ssl_key = &1;\ -+fi;\ -+if [ ! -f /var/lib/dovecot/ssl-parameters.dat ]; \ -+then\ -+ /usr/libexec/dovecot/ssl-params >/dev/null 2>&1; \ +fi' + -diff -up dovecot-2.2.22/dovecot.service.in.initbysystemd dovecot-2.2.22/dovecot.service.in ---- dovecot-2.2.22/dovecot.service.in.initbysystemd 2016-03-16 13:48:25.996297203 +0100 -+++ dovecot-2.2.22/dovecot.service.in 2016-03-16 13:49:17.619039641 +0100 -@@ -20,7 +20,8 @@ +diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/dovecot.service.in +--- dovecot-2.3.0.1/dovecot.service.in.initbysystemd 2018-03-01 10:38:22.060716016 +0100 ++++ dovecot-2.3.0.1/dovecot.service.in 2018-03-01 10:40:45.524901319 +0100 +@@ -8,7 +8,8 @@ Description=Dovecot IMAP/POP3 email server Documentation=man:dovecot(1) Documentation=http://wiki2.dovecot.org/ 
@@ -32,11 +27,11 @@ diff -up dovecot-2.2.22/dovecot.service.in.initbysystemd dovecot-2.2.22/dovecot. +Requires=dovecot-init.service [Service] - Type=forking -diff -up dovecot-2.2.22/Makefile.am.initbysystemd dovecot-2.2.22/Makefile.am ---- dovecot-2.2.22/Makefile.am.initbysystemd 2016-03-04 12:04:33.000000000 +0100 -+++ dovecot-2.2.22/Makefile.am 2016-03-16 13:48:25.996297203 +0100 -@@ -51,9 +51,10 @@ if HAVE_SYSTEMD + Type=simple +diff -up dovecot-2.3.0.1/Makefile.am.initbysystemd dovecot-2.3.0.1/Makefile.am +--- dovecot-2.3.0.1/Makefile.am.initbysystemd 2018-02-28 15:28:57.000000000 +0100 ++++ dovecot-2.3.0.1/Makefile.am 2018-03-01 10:38:22.060716016 +0100 +@@ -63,9 +63,10 @@ if HAVE_SYSTEMD systemdsystemunit_DATA = \ dovecot.socket \ diff --git a/dovecot-2.2.22-systemd_w_protectsystem.patch b/dovecot-2.2.22-systemd_w_protectsystem.patch index 6fcddac..d00a9b9 100644 --- a/dovecot-2.2.22-systemd_w_protectsystem.patch +++ b/dovecot-2.2.22-systemd_w_protectsystem.patch 
@@ -1,14 +1,11 @@ -diff -up dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem dovecot-2.2.28/dovecot.service.in ---- dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem 2017-02-27 10:00:14.647423500 +0100 -+++ dovecot-2.2.28/dovecot.service.in 2017-02-27 10:02:18.051377067 +0100 -@@ -20,8 +20,8 @@ ExecReload=@bindir@/doveadm reload +diff -up dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem dovecot-2.3.2/dovecot.service.in +--- dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem 2018-07-09 12:00:13.359193526 +0200 ++++ dovecot-2.3.2/dovecot.service.in 2018-07-09 12:00:46.387716884 +0200 +@@ -23,6 +23,7 @@ ExecReload=@bindir@/doveadm reload ExecStop=@bindir@/doveadm stop PrivateTmp=true NonBlocking=yes --# Enable this if your systemd is new enough to support it: --#ProtectSystem=full -+# Enable this if your systemd is new enough to support it: (it will make /usr /boot /etc read only for dovecot) -+ProtectSystem=full - - # You can add environment variables with e.g.: - #Environment='CORE_OUTOFMEM=1' ++# this will make /usr /boot /etc read only for dovecot + ProtectSystem=full + ProtectHome=no + PrivateDevices=true diff --git a/dovecot.spec b/dovecot.spec index 5410788..1e5e846 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.36 +Version: 2.3.3 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 
@@ -11,11 +11,11 @@ License: MIT and LGPLv2 Group: System Environment/Daemons URL: http://www.dovecot.org/ -Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz +Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.4.24 -Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz +%global pigeonholever 0.5.3 +Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -29,7 +29,6 @@ Patch3: dovecot-1.0.rc7-mkcert-paths.patch #wait for network Patch6: dovecot-2.1.10-waitonline.patch -Patch7: dovecot-2.2.13-online.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch @@ -37,15 +36,16 @@ Patch10: dovecot-2.3.0.1-libxcrypt.patch Source15: prestartscript -BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel +BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: sqlite-devel -BuildRequires: postgresql-devel +BuildRequires: libpq-devel %if %{?fedora}0 < 280 BuildRequires: mysql-devel BuildRequires: tcp_wrappers-devel %else BuildRequires: mariadb-connector-c-devel +BuildRequires: libxcrypt-devel %endif BuildRequires: openldap-devel BuildRequires: krb5-devel 
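Review bot: The rewritten `Source:` and `Source8:` lines in the `@@ -11,11 +11,11 @@` hunk still fetch the 2.3 tarballs over plain `http://`. The only integrity check visible in this series is therefore the SHA512 recorded in `sources`, which is computed from whatever the packager downloaded. Since both URLs are being edited anyway, switch them to TLS if the hosts serve it, e.g. `Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz`, and likewise for the pigeonhole URL. If upstream publishes detached signatures for these releases, consider adding the signature and keyring as extra `Source` entries and checking them in `%prep` with `%{gpgverify}`, so a tampered download fails the build before the hash is refreshed.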
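Review bot: The `%if %{?fedora}0 < 280` guard in the `@@ -37,15 +36,16 @@` hunk has no comment and is easy to misread now that `libxcrypt-devel` sits in its `%else` branch. When `fedora` is undefined the expression expands to `0 < 280`, so a non-Fedora build takes the legacy branch (`mysql-devel`, `tcp_wrappers-devel`) and never pulls in `libxcrypt-devel`. The libxcrypt patch, however, appears to be applied unconditionally in `%prep`. That is probably harmless where glibc still ships `crypt.h`, but it should be stated; I would add `# %{?fedora}0 expands to 0 when fedora is undefined, so non-Fedora builds use the pre-F28 branch` above the `%if`.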
@@ -132,12 +132,11 @@ This package provides the development files for dovecot.
 %patch2 -p1 -b .mkcert-permissions
 %patch3 -p1 -b .mkcert-paths
 %patch6 -p1 -b .waitonline
-%patch7 -p1 -b .online
 %patch8 -p1 -b .initbysystemd
 %patch9 -p1 -b .systemd_w_protectsystem
 %patch10 -p1 -b .libxcrypt
-#pushd dovecot-2*2-pigeonhole-%{pigeonholever}
+#pushd dovecot-2*3-pigeonhole-%{pigeonholever}
 #popd
 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
@@ -186,7 +185,7 @@ sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10
 make %{?_smp_mflags}
 #pigeonhole
-pushd dovecot-2*2-pigeonhole-%{pigeonholever}
+pushd dovecot-2*3-pigeonhole-%{pigeonholever}
 # required for snapshot
 [ -f configure ] || autoreconf -fiv
@@ -210,7 +209,7 @@ make install DESTDIR=$RPM_BUILD_ROOT
 mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall
-pushd dovecot-2*2-pigeonhole-%{pigeonholever}
+pushd dovecot-2*3-pigeonhole-%{pigeonholever}
 make install DESTDIR=$RPM_BUILD_ROOT
 mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
@@ -349,7 +348,7 @@ fi
 %check
 make check
-cd dovecot-2*2-pigeonhole-%{pigeonholever}
+cd dovecot-2*3-pigeonhole-%{pigeonholever}
 make check
 %files
@@ -386,6 +385,7 @@ make check
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-imap.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-lmtp.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-pop3.conf
+%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-submission.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-acl.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-quota.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-plugin.conf
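Review bot: The `pushd dovecot-2*3-pigeonhole-%{pigeonholever}` line in the build step keeps a shell glob although the directory name is fully fixed by `Source8:`; the same applies to the install hunk at -210, the `cd` in %check at -349 and the commented `#pushd` in %prep. `2*3` matches more than `2.3`, so a stray directory in the build tree would make the command fail or enter the wrong tree. I would spell it out as `pushd dovecot-2.3-pigeonhole-%{pigeonholever}` in all four places.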
@@ -412,7 +412,6 @@ make check
 %dir %{_libdir}/dovecot
 %dir %{_libdir}/dovecot/auth
 %dir %{_libdir}/dovecot/dict
-%dir %{_libdir}/dovecot/stats
 %{_libdir}/dovecot/doveadm
 %exclude %{_libdir}/dovecot/doveadm/*sieve*
 %{_libdir}/dovecot/*.so.*
@@ -426,8 +425,6 @@ make check
 %{_libdir}/dovecot/auth/libdriver_sqlite.so
 %{_libdir}/dovecot/dict/libdriver_sqlite.so
 %{_libdir}/dovecot/dict/libdict_ldap.so
-%{_libdir}/dovecot/stats/libstats_auth.so
-%{_libdir}/dovecot/stats/libstats_mail.so
 %{_libdir}/dovecot/libdriver_sqlite.so
 %{_libdir}/dovecot/libssl_iostream_openssl.so
 %{_libdir}/dovecot/libfs_compress.so
@@ -435,6 +432,8 @@ make check
 %{_libdir}/dovecot/libfs_mail_crypt.so
 %{_libdir}/dovecot/libdcrypt_openssl.so
 %{_libdir}/dovecot/lib20_var_expand_crypt.so
+%{_libdir}/dovecot/old-stats/libold_stats_mail.so
+%{_libdir}/dovecot/old-stats/libstats_auth.so
 %dir %{_libdir}/dovecot/settings
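Review bot: The two plugins added under `%{_libdir}/dovecot/old-stats/` in the last hunk have no `%dir` entry in the visible changes, while the first hunk drops `%dir %{_libdir}/dovecot/stats`, which owned the previous location. Unless the directory is listed in a part of %files outside these hunks, the package would ship files in a directory it does not own, so rpm neither tracks its mode nor removes it on erase. I would add `%dir %{_libdir}/dovecot/old-stats` next to the other `%dir` lines.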
@@ -498,28 +497,44 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 %changelog
-* Thu Jun 07 2018 Michal Hlavinka - 1:2.2.36-1
-- dovecot updated to 2.2.36, pigeonhole updated to 0.4.24
+* Tue Oct 02 2018 Michal Hlavinka - 1:2.3.3-1
+- dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3
+- doveconf hides more secrets now in the default output
+- NUL bytes in mail headers can cause truncated replies when fetched.
+- virtual plugin: Some searches used 100% CPU for many seconds
+- dsync assert-crashed with acl plugin in some situations.
+- imapc: Fixed various assert-crashes when reconnecting to server.
-* Thu Apr 19 2018 Michal Hlavinka - 1:2.2.35-2
-- include crypt.h explicitely
-* Wed Mar 21 2018 Michal Hlavinka - 1:2.2.35-1
-- dovecot updated to 2.2.35, pigeonhole updated to 0.4.23
+* Tue Oct 02 2018 Michal Hlavinka - 1:2.3.2.1-4
+- fix dovecot-init service syntax error (#1635017)
-* Thu Mar 01 2018 Michal Hlavinka - 1:2.2.34-1
-- dovecot updated to 2.2.34, pigeonhole updated to 0.4.22
-- fixes CVE-2017-15130: TLS SNI config lookups may lead to excessive
- memory usage, causing imap-login/pop3-login VSZ limit to be reached
- and the process restarted. This happens only if Dovecot config has
- local_name { } or local { } configuration blocks and attacker uses
- randomly generated SNI servernames.
-- fixes CVE-2017-14461: Parsing invalid email addresses may cause a crash or
- leak memory contents to attacker. For example, these memory contents
- might contain parts of an email from another user if the same imap
- process is reused for multiple users.
-- fixes CVE-2017-15132: Aborted SASL authentication leaks memory in login
- process.
+* Mon Aug 13 2018 Michal Hlavinka - 1:2.3.2.1-3 +- do not try to generate ssl-params as its obsolete (#1614640) + +* Thu Jul 12 2018 Fedora Release Engineering - 1:2.3.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jul 10 2018 Michal Hlavinka - 1:2.3.2.1-1 +- SSL/TLS servers may have crashed during client disconnection + +* Mon Jul 09 2018 Michal Hlavinka - 1:2.3.2-1 +- dovecot updated to 2.3.2, pigeonhole to 0.5.2 + +* Wed Mar 28 2018 Michal Hlavinka - 1:2.3.1-2 +- fix ftbfs - murmurhash3 check fail + +* Wed Mar 28 2018 Michal Hlavinka - 1:2.3.1-1 +- dovecot updated to 2.3.1, pigeonhole updated to 0.5.1 + +* Tue Mar 27 2018 Michal Hlavinka - 1:2.3.0.1-3 +- use libxcrypt for Fedora >= 28, part of ftbfs fix (#1548520) + +* Wed Mar 07 2018 Michal Hlavinka - 1:2.3.0.1-2 +- add gcc buildrequire + +* Thu Mar 01 2018 Michal Hlavinka - 1:2.3.0.1-1 +- dovecot updated to 2.3.0.1, pigeonhole updated to 0.5.0.1 * Fri Feb 09 2018 Igor Gnatenko - 1:2.2.33.2-5 - Escape macros in %%changelog @@ -581,7 +596,7 @@ make check imap unhibernation to fail or IMAP QRESYNC/CONDSTORE extensions to not work perfectly. - mdbox: "Inconsistency in map index" wasn't fixed automatically -- dict-ldap: %variable values used in the LDAP filter weren't escaped. +- dict-ldap: %%variable values used in the LDAP filter weren't escaped. - quota=count: quota_warning = -storage=.. was never executed (try #2). - imapc: >= 32 kB mail bodies were supposed to be cached for subsequent FETCHes, but weren't. diff --git a/sources b/sources index fd4556a..99f9b1e 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.2.36.tar.gz) = 327c50971e276f6013ca7f7bb59498ee88d76c9f8419bd18ee531cf10142214350fb81c6d64eaef73ee01765dd0fcf4142ab146ed67d9d7d86d5a58d41cf8db5
-SHA512 (dovecot-2.2-pigeonhole-0.4.24.tar.gz) = 2e21c95ece475ffcb78e5b5d4efa29e61471faf90b80b44a49963fb287de2784ebfb4c2b7ddfc66732fd073e9f02995d5950840336f6babe618b3d7d5166059f
+SHA512 (dovecot-2.3.3.tar.gz) = 8666c4f92f7df883067540f85be9d03dbe6815b58a7f5de55b4292e986e9a2a1ef52c7e0c72dde2bc781fe40d57488b78a99b6b813745b8e4683f1a2fdc1f2ff
+SHA512 (dovecot-2.3-pigeonhole-0.5.3.tar.gz) = 8403b1976a915836ba875b96825446d46e0d8c7ff245ed1f2b014347fdc78a81f9ed6dbd05bd3b4f1f7072edc5e9a302201cdb375de44436adcbb83919f203f5
From ab85bbd503837533aee5729165e21f549bcb9450 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Wed, 9 Jan 2019 18:20:00 +0100
Subject: [PATCH 10/14] dovecot updated to 2.3.4, pigeonhole updated to 0.5.4
---
 dovecot-2.3.4-de42b54.patch | 69 +++++++++++++++++++++++++++++++++++++
 dovecot.spec | 12 +++++--
 sources | 4 +--
 3 files changed, 80 insertions(+), 5 deletions(-)
 create mode 100644 dovecot-2.3.4-de42b54.patch
diff --git a/dovecot-2.3.4-de42b54.patch b/dovecot-2.3.4-de42b54.patch
new file mode 100644
index 0000000..534ce98
--- /dev/null
+++ b/dovecot-2.3.4-de42b54.patch
@@ -0,0 +1,69 @@
+diff --git a/src/lib-master/test-event-stats.c b/src/lib-master/test-event-stats.c
+index 8fcb3dd22d..2d8a13cd40 100644
+--- a/src/lib-master/test-event-stats.c
++++ b/src/lib-master/test-event-stats.c
+@@ -344,7 +344,7 @@ static void test_no_merging2(void)
+ event_unref(&child_ev);
+ test_assert(
+ compare_test_stats_to(
+- "EVENT %lu 1 0 0"
++ "EVENT %"PRIu64" 1 0 0"
+ " stest-event-stats.c %d"
+ " l0 0 ctest2\n", id, l));
+ test_end();
+@@ -370,12 +370,12 @@ static void test_no_merging3(void)
+ event_unref(&child_ev);
+ test_assert(
+ compare_test_stats_to(
+- "BEGIN %lu 0 1 0 0"
++ "BEGIN %"PRIu64" 0 1 0 0"
+ " stest-event-stats.c %d ctest1\n"
+- "EVENT %lu 1 1 0"
++ "EVENT %"PRIu64" 1 1 0"
+ " stest-event-stats.c %d"
+ " l1 0 ctest2\n"
+- "END\t%lu\n", idp, lp, idp, l, idp));
++ "END\t%"PRIu64"\n", idp, lp, idp, l, idp));
+ test_end();
+ }
+
+@@ -435,7 +435,7 @@ static void test_merge_events2(void)
+ event_unref(&merge_ev2);
+ test_assert(
+ compare_test_stats_to(
+- "EVENT %lu 1 0 0"
++ "EVENT %"PRIu64" 1 0 0"
+ " stest-event-stats.c %d l0 0"
+ " ctest3 ctest2 ctest1 Tkey3"
+ " 10 0 Ikey2 20"
+@@ -467,11 +467,11 @@ static void test_skip_parents(void)
+ event_unref(&child_ev);
+ test_assert(
+ compare_test_stats_to(
+- "BEGIN %lu 0 1 0 0"
++ "BEGIN %"PRIu64" 0 1 0 0"
+ " stest-event-stats.c %d ctest1\n"
+- "EVENT %lu 1 3 0 "
++ "EVENT %"PRIu64" 1 3 0 "
+ "stest-event-stats.c %d l3 0"
+- " ctest2\nEND\t%lu\n", id, lp, id, l, id));
++ " ctest2\nEND\t%"PRIu64"\n", id, lp, id, l, id));
+ test_end();
+ }
+
+@@ -509,12 +509,12 @@ static void test_merge_events_skip_parents(void)
+ event_unref(&child2_ev);
+ test_assert(
+ compare_test_stats_to(
+- "BEGIN %lu 0 1 0 0"
++ "BEGIN %"PRIu64" 0 1 0 0"
+ " stest-event-stats.c %d ctest1\n"
+- "EVENT %lu 1 3 0 "
++ "EVENT %"PRIu64" 1 3 0 "
+ "stest-event-stats.c %d l3 0 "
+ "ctest4 ctest5 Tkey3 10 0 Skey4"
+- " str4\nEND\t%lu\n", id, lp, id, l, id));
++ " str4\nEND\t%"PRIu64"\n", id, lp, id, l, id));
+ test_end();
+ }
+
diff --git a/dovecot.spec b/dovecot.spec
index 1e5e846..5f3eee4 100644
--- a/dovecot.spec
+++ b/dovecot.spec
@@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.3
+Version: 2.3.4
 %global prever %{nil}
 Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
@@ -14,7 +14,7 @@ URL: http://www.dovecot.org/
 Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
-%global pigeonholever 0.5.3
+%global pigeonholever 0.5.4
 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd
@@ -33,6 +33,7 @@ Patch6: dovecot-2.1.10-waitonline.patch
 Patch8: dovecot-2.2.20-initbysystemd.patch
 Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
 Patch10: dovecot-2.3.0.1-libxcrypt.patch
+Patch11: dovecot-2.3.4-de42b54.patch
 Source15: prestartscript
@@ -51,6 +52,7 @@ BuildRequires: openldap-devel
 BuildRequires: krb5-devel
 BuildRequires: quota-devel
 BuildRequires: xz-devel
+BuildRequires: libsodium-devel
 # gettext-devel is needed for running autoconf because of the
 # presence of AM_ICONV
@@ -134,7 +136,8 @@ This package provides the development files for dovecot.
 %patch6 -p1 -b .waitonline
 %patch8 -p1 -b .initbysystemd
 %patch9 -p1 -b .systemd_w_protectsystem
-%patch10 -p1 -b .libxcrypt
+#%patch10 -p1 -b .libxcrypt
+%patch11 -p1 -b .de42b54
 #pushd dovecot-2*3-pigeonhole-%{pigeonholever}
 #popd
@@ -497,6 +500,9 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 %changelog
+* Wed Jan 09 2019 Michal Hlavinka - 1:2.3.4-1
+- dovecot updated to 2.3.4, pigeonhole updated to 0.5.4
+
 * Tue Oct 02 2018 Michal Hlavinka - 1:2.3.3-1
 - dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3
 - doveconf hides more secrets now in the default output
diff --git a/sources b/sources
index 99f9b1e..05b6440 100644
--- a/sources
+++ b/sources
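Review bot: The new dovecot-2.3.4-de42b54.patch starts directly at `diff --git` with no header saying where it comes from or why it is carried. The file name suggests upstream commit de42b54, and the content only swaps `%lu` for `PRIu64` in test-event-stats.c format strings, presumably to keep `make check` passing where `unsigned long` is 32 bits wide. I would record that in the spec, for example `# upstream de42b54: PRIu64 in test-event-stats format strings, drop on next release` above `Patch11:`.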
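Review bot: `#%patch10 -p1 -b .libxcrypt` in the %prep hunk switches the libxcrypt patch off by commenting out a line that still holds an unescaped macro, and neither the commit message nor the new changelog entry mentions it. rpm expands macros inside comments in general and rpmlint reports this as macro-in-comment, so I would write `#%%patch10 -p1 -b .libxcrypt`, or remove the line together with `Patch10:` if the change is upstream now. A changelog line such as `- libxcrypt patch no longer applied` would tell users of the package why.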
@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.3.tar.gz) = 8666c4f92f7df883067540f85be9d03dbe6815b58a7f5de55b4292e986e9a2a1ef52c7e0c72dde2bc781fe40d57488b78a99b6b813745b8e4683f1a2fdc1f2ff
-SHA512 (dovecot-2.3-pigeonhole-0.5.3.tar.gz) = 8403b1976a915836ba875b96825446d46e0d8c7ff245ed1f2b014347fdc78a81f9ed6dbd05bd3b4f1f7072edc5e9a302201cdb375de44436adcbb83919f203f5
+SHA512 (dovecot-2.3.4.tar.gz) = 9e97eb08c319c417e8abcb430b3e6c87ed5aa820d6288656fdfd958ff34664f67202a66e4846763bfc85b309b116cea8012e49dab98b478c57974cc178a37a5a
+SHA512 (dovecot-2.3-pigeonhole-0.5.4.tar.gz) = 9c82cce7540f8ab66e2e370e0220c99048d6ac53ed680cd763e0b03d0200e2451cee4303ef97b87a16e7248e1c73b92ba91b47a2a20c75cb2cd62695a28046f3
From 33ac77966311b8686163aecdfa339f4cdd62975d Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Wed, 6 Mar 2019 18:20:14 +0100
Subject: [PATCH 11/14] dovecot updated to 2.3.5, pigeonhole updated to 0.5.5
---
 dovecot-2.3.4-de42b54.patch | 69 -------------------------------------
 dovecot.spec | 20 ++++++-----
 sources | 4 +--
 3 files changed, 13 insertions(+), 80 deletions(-)
 delete mode 100644 dovecot-2.3.4-de42b54.patch
diff --git a/dovecot-2.3.4-de42b54.patch b/dovecot-2.3.4-de42b54.patch
deleted file mode 100644
index 534ce98..0000000
--- a/dovecot-2.3.4-de42b54.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-diff --git a/src/lib-master/test-event-stats.c b/src/lib-master/test-event-stats.c
-index 8fcb3dd22d..2d8a13cd40 100644
---- a/src/lib-master/test-event-stats.c
-+++ b/src/lib-master/test-event-stats.c
-@@ -344,7 +344,7 @@ static void test_no_merging2(void)
- event_unref(&child_ev);
- test_assert(
- compare_test_stats_to(
-- "EVENT %lu 1 0 0"
-+ "EVENT %"PRIu64" 1 0 0"
- " stest-event-stats.c %d"
- " l0 0 ctest2\n", id, l));
- test_end();
-@@ -370,12 +370,12 @@ static void test_no_merging3(void)
- event_unref(&child_ev);
- test_assert(
- compare_test_stats_to(
-- "BEGIN %lu 0 1 0 0"
-+ "BEGIN %"PRIu64" 0 1 0 0"
- " stest-event-stats.c %d ctest1\n"
-- "EVENT %lu 1 1 0"
-+ "EVENT %"PRIu64" 1 1 0"
- " stest-event-stats.c %d"
- " l1 0 ctest2\n"
-- "END\t%lu\n", idp, lp, idp, l, idp));
-+ "END\t%"PRIu64"\n", idp, lp, idp, l, idp));
- test_end();
- }
-
-@@ -435,7 +435,7 @@ static void test_merge_events2(void)
- event_unref(&merge_ev2);
- test_assert(
- compare_test_stats_to(
-- "EVENT %lu 1 0 0"
-+ "EVENT %"PRIu64" 1 0 0"
- " stest-event-stats.c %d l0 0"
- " ctest3 ctest2 ctest1 Tkey3"
- " 10 0 Ikey2 20"
-@@ -467,11 +467,11 @@ static void test_skip_parents(void)
- event_unref(&child_ev);
- test_assert(
- compare_test_stats_to(
-- "BEGIN %lu 0 1 0 0"
-+ "BEGIN %"PRIu64" 0 1 0 0"
- " stest-event-stats.c %d ctest1\n"
-- "EVENT %lu 1 3 0 "
-+ "EVENT %"PRIu64" 1 3 0 "
- "stest-event-stats.c %d l3 0"
-- " ctest2\nEND\t%lu\n", id, lp, id, l, id));
-+ " ctest2\nEND\t%"PRIu64"\n", id, lp, id, l, id));
- test_end();
- }
-
-@@ -509,12 +509,12 @@ static void test_merge_events_skip_parents(void)
- event_unref(&child2_ev);
- test_assert(
- compare_test_stats_to(
-- "BEGIN %lu 0 1 0 0"
-+ "BEGIN %"PRIu64" 0 1 0 0"
- " stest-event-stats.c %d ctest1\n"
-- "EVENT %lu 1 3 0 "
-+ "EVENT %"PRIu64" 1 3 0 "
- "stest-event-stats.c %d l3 0 "
- "ctest4 ctest5 Tkey3 10 0 Skey4"
-- " str4\nEND\t%lu\n", id, lp, id, l, id));
-+ " str4\nEND\t%"PRIu64"\n", id, lp, id, l, id));
- test_end();
- }
-
diff --git a/dovecot.spec b/dovecot.spec
index 5f3eee4..4212779 100644
--- a/dovecot.spec
+++ b/dovecot.spec
@@ -3,18 +3,17 @@ Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.4
+Version: 2.3.5
 %global prever %{nil}
 Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
-Group: System Environment/Daemons
 URL: http://www.dovecot.org/
 Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
-%global pigeonholever 0.5.4
+%global pigeonholever 0.5.5
 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd
@@ -33,7 +32,6 @@ Patch6: dovecot-2.1.10-waitonline.patch
 Patch8: dovecot-2.2.20-initbysystemd.patch
 Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
 Patch10: dovecot-2.3.0.1-libxcrypt.patch
-Patch11: dovecot-2.3.4-de42b54.patch
 Source15: prestartscript
@@ -101,7 +99,6 @@ The SQL drivers and authentication plug-ins are in their subpackages.
 %package pigeonhole
 Requires: %{name} = %{epoch}:%{version}-%{release}
 Summary: Sieve and managesieve plug-in for dovecot
-Group: System Environment/Daemons
 License: MIT and LGPLv2
 %description pigeonhole
@@ -110,21 +107,18 @@ This package provides sieve and managesieve plug-in for dovecot LDA.
 %package pgsql
 Requires: %{name} = %{epoch}:%{version}-%{release}
 Summary: Postgres SQL back end for dovecot
-Group: System Environment/Daemons
 %description pgsql
 This package provides the Postgres SQL back end for dovecot-auth etc.
 %package mysql
 Requires: %{name} = %{epoch}:%{version}-%{release}
 Summary: MySQL back end for dovecot
-Group: System Environment/Daemons
 %description mysql
 This package provides the MySQL back end for dovecot-auth etc.
 %package devel
 Requires: %{name} = %{epoch}:%{version}-%{release}
 Summary: Development files for dovecot
-Group: Development/Libraries
 %description devel
 This package provides the development files for dovecot.
@@ -137,7 +131,6 @@ This package provides the development files for dovecot.
 %patch8 -p1 -b .initbysystemd
 %patch9 -p1 -b .systemd_w_protectsystem
 #%patch10 -p1 -b .libxcrypt
-%patch11 -p1 -b .de42b54
 #pushd dovecot-2*3-pigeonhole-%{pigeonholever}
 #popd
@@ -500,6 +493,15 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 %changelog
+* Wed Mar 06 2019 Michal Hlavinka - 1:2.3.5-1
+- dovecot updated to 2.3.5, pigeonhole updated to 0.5.5
+
+* Thu Jan 31 2019 Fedora Release Engineering - 1:2.3.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 14 2019 Björn Esser - 1:2.3.4-2
+- Rebuilt for libcrypt.so.2 (#1666033)
+
 * Wed Jan 09 2019 Michal Hlavinka - 1:2.3.4-1
 - dovecot updated to 2.3.4, pigeonhole updated to 0.5.4
diff --git a/sources b/sources
index 05b6440..ea5c3e2 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.4.tar.gz) = 9e97eb08c319c417e8abcb430b3e6c87ed5aa820d6288656fdfd958ff34664f67202a66e4846763bfc85b309b116cea8012e49dab98b478c57974cc178a37a5a
-SHA512 (dovecot-2.3-pigeonhole-0.5.4.tar.gz) = 9c82cce7540f8ab66e2e370e0220c99048d6ac53ed680cd763e0b03d0200e2451cee4303ef97b87a16e7248e1c73b92ba91b47a2a20c75cb2cd62695a28046f3
+SHA512 (dovecot-2.3.5.tar.gz) = 10513c371aeadd52184daaf8dbb9a7559c6db55e34182bbb2c9539dae0897ddcc76f6fe2ce6a81c7ce0cb94c7f79438ae3bb0e7db8ed46615feb337b4078ecc6
+SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94
From 2bf6cc8b23fe331c929d77c1185d41e2497a5f47 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Thu, 28 Mar 2019 17:41:58 +0100
Subject: [PATCH 12/14] dovecot updated to 2.3.5.1 CVE-2019-7524: Missing input buffer size validation leads into arbitrary buffer overflow when reading fts or pop3 uidl header from Dovecot index.
---
 dovecot.spec | 8 +++++++-
 sources | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/dovecot.spec b/dovecot.spec
index 4212779..4f642b7 100644
--- a/dovecot.spec
+++ b/dovecot.spec
@@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.5
+Version: 2.3.5.1
 %global prever %{nil}
 Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
@@ -493,6 +493,12 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 %changelog
+* Thu Mar 28 2019 Michal Hlavinka - 1:2.3.5.1-1
+- dovecot updated to 2.3.5.1
+- CVE-2019-7524: Missing input buffer size validation leads into
+ arbitrary buffer overflow when reading fts or pop3 uidl header
+ from Dovecot index.
+
 * Wed Mar 06 2019 Michal Hlavinka - 1:2.3.5-1
 - dovecot updated to 2.3.5, pigeonhole updated to 0.5.5
diff --git a/sources b/sources
index ea5c3e2..1a5e4f7 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.5.tar.gz) = 10513c371aeadd52184daaf8dbb9a7559c6db55e34182bbb2c9539dae0897ddcc76f6fe2ce6a81c7ce0cb94c7f79438ae3bb0e7db8ed46615feb337b4078ecc6
+SHA512 (dovecot-2.3.5.1.tar.gz) = e87754461fb0b065acd0ff10dc955000a2fe5baffed69efaf328ce9268f90140e9de444bc68e0bd48b565c7622885a79b1f90ff3dd2335c0c2362d05d9e73e8a
 SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94
From 22a633e2b18a96e8bfcbd36b48addd6add37aba6 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Thu, 18 Apr 2019 15:03:49 +0200
Subject: [PATCH 13/14] dovecot updated to 2.3.5.2 fixes CVE-2019-10691: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled.
---
 dovecot.spec | 7 ++++++-
 sources | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/dovecot.spec b/dovecot.spec
index 4f642b7..05c6aa2 100644
--- a/dovecot.spec
+++ b/dovecot.spec
@@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.5.1
+Version: 2.3.5.2
 %global prever %{nil}
 Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
@@ -493,6 +493,11 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 %changelog
+* Thu Apr 18 2019 Michal Hlavinka - 1:2.3.5.2-1
+- dovecot updated to 2.3.5.2
+- fixes CVE-2019-10691: Trying to login with 8bit username containing
+ invalid UTF8 input causes auth process to crash if auth policy is enabled.
+
 * Thu Mar 28 2019 Michal Hlavinka - 1:2.3.5.1-1
 - dovecot updated to 2.3.5.1
 - CVE-2019-7524: Missing input buffer size validation leads into
diff --git a/sources b/sources
index 1a5e4f7..2af39ad 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.5.1.tar.gz) = e87754461fb0b065acd0ff10dc955000a2fe5baffed69efaf328ce9268f90140e9de444bc68e0bd48b565c7622885a79b1f90ff3dd2335c0c2362d05d9e73e8a
+SHA512 (dovecot-2.3.5.2.tar.gz) = 041ec1c33c6accb5c89d96d7ab2f7dd59795f496c17faea1906e7977983e4a387aa855a238376515c09532731634d9d42e6d6be22659062855241847ea0213d5
 SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94
From 98052505fb6cb89f6b5b1420a6a2ce1f2b174a24 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Thu, 2 May 2019 17:36:52 +0200
Subject: [PATCH 14/14] dovecot updated to 2.3.6, pigeonhole updated to 0.5.6
---
 dovecot.spec | 7 +++++--
 sources | 4 ++--
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/dovecot.spec b/dovecot.spec
index 05c6aa2..48998ae 100644
--- a/dovecot.spec
+++ b/dovecot.spec
@@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.5.2
+Version: 2.3.6
 %global prever %{nil}
 Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
@@ -13,7 +13,7 @@ URL: http://www.dovecot.org/
 Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
-%global pigeonholever 0.5.5
+%global pigeonholever 0.5.6
 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd
@@ -493,6 +493,9 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 %changelog
+* Thu May 02 2019 Michal Hlavinka - 1:2.3.6-1
+- dovecot updated to 2.3.6, pigeonhole updated to 0.5.6
+
 * Thu Apr 18 2019 Michal Hlavinka - 1:2.3.5.2-1
 - dovecot updated to 2.3.5.2
 - fixes CVE-2019-10691: Trying to login with 8bit username containing
diff --git a/sources b/sources
index 2af39ad..f5c7b43 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.5.2.tar.gz) = 041ec1c33c6accb5c89d96d7ab2f7dd59795f496c17faea1906e7977983e4a387aa855a238376515c09532731634d9d42e6d6be22659062855241847ea0213d5
-SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94
+SHA512 (dovecot-2.3.6.tar.gz) = ec28af2efcbd4ab534298c3342709251074dcdb0f0f4bcad0d24b996b273387e2ce557d7ab54abafb69be3ed7dd61f25c82b9710d78156932e2eff7f941c9eb2
+SHA512 (dovecot-2.3-pigeonhole-0.5.6.tar.gz) = 998a046d2eb5ff7bba615fd1a3efdfb1e7e1dabf191257f7fa2882074acc1735a0a4c11c5f31bab1e964b0118f1a8e9e51b3d5529b8fff6d1312c9a8257d9c20