From 500aa846aec52ca4c44d3025f65f4432cb480b35 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 6 Mar 2019 18:19:37 +0100 Subject: [PATCH 01/12] dovecot updated to 2.3.5, pigeonhole updated to 0.5.5 --- dovecot-2.3.4-de42b54.patch | 69 ------------------------------------- dovecot.spec | 11 +++--- sources | 4 +-- 3 files changed, 8 insertions(+), 76 deletions(-) delete mode 100644 dovecot-2.3.4-de42b54.patch diff --git a/dovecot-2.3.4-de42b54.patch b/dovecot-2.3.4-de42b54.patch deleted file mode 100644 index 534ce98..0000000 --- a/dovecot-2.3.4-de42b54.patch +++ /dev/null @@ -1,69 +0,0 @@ -diff --git a/src/lib-master/test-event-stats.c b/src/lib-master/test-event-stats.c -index 8fcb3dd22d..2d8a13cd40 100644 ---- a/src/lib-master/test-event-stats.c -+++ b/src/lib-master/test-event-stats.c -@@ -344,7 +344,7 @@ static void test_no_merging2(void) - event_unref(&child_ev); - test_assert( - compare_test_stats_to( -- "EVENT %lu 1 0 0" -+ "EVENT %"PRIu64" 1 0 0" - " stest-event-stats.c %d" - " l0 0 ctest2\n", id, l)); - test_end(); -@@ -370,12 +370,12 @@ static void test_no_merging3(void) - event_unref(&child_ev); - test_assert( - compare_test_stats_to( -- "BEGIN %lu 0 1 0 0" -+ "BEGIN %"PRIu64" 0 1 0 0" - " stest-event-stats.c %d ctest1\n" -- "EVENT %lu 1 1 0" -+ "EVENT %"PRIu64" 1 1 0" - " stest-event-stats.c %d" - " l1 0 ctest2\n" -- "END\t%lu\n", idp, lp, idp, l, idp)); -+ "END\t%"PRIu64"\n", idp, lp, idp, l, idp)); - test_end(); - } - -@@ -435,7 +435,7 @@ static void test_merge_events2(void) - event_unref(&merge_ev2); - test_assert( - compare_test_stats_to( -- "EVENT %lu 1 0 0" -+ "EVENT %"PRIu64" 1 0 0" - " stest-event-stats.c %d l0 0" - " ctest3 ctest2 ctest1 Tkey3" - " 10 0 Ikey2 20" -@@ -467,11 +467,11 @@ static void test_skip_parents(void) - event_unref(&child_ev); - test_assert( - compare_test_stats_to( -- "BEGIN %lu 0 1 0 0" -+ "BEGIN %"PRIu64" 0 1 0 0" - " stest-event-stats.c %d ctest1\n" -- "EVENT %lu 1 3 0 " -+ "EVENT %"PRIu64" 1 3 0 " - "stest-event-stats.c %d l3 0" -- " ctest2\nEND\t%lu\n", id, lp, id, l, id)); -+ " ctest2\nEND\t%"PRIu64"\n", id, lp, id, l, id)); - test_end(); - } - -@@ -509,12 +509,12 @@ static void test_merge_events_skip_parents(void) - event_unref(&child2_ev); - test_assert( - compare_test_stats_to( -- "BEGIN %lu 0 1 0 0" -+ "BEGIN %"PRIu64" 0 1 0 0" - " stest-event-stats.c %d ctest1\n" -- "EVENT %lu 1 3 0 " -+ "EVENT %"PRIu64" 1 3 0 " - "stest-event-stats.c %d l3 0 " - "ctest4 ctest5 Tkey3 10 0 Skey4" -- " str4\nEND\t%lu\n", id, lp, id, l, id)); -+ " str4\nEND\t%"PRIu64"\n", id, lp, id, l, id)); - test_end(); - } - diff --git a/dovecot.spec b/dovecot.spec index 4193a1f..4212779 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.4 +Version: 2.3.5 %global prever %{nil} -Release: 3%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.4 +%global pigeonholever 0.5.5 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -32,7 +32,6 @@ Patch6: dovecot-2.1.10-waitonline.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch -Patch11: dovecot-2.3.4-de42b54.patch Source15: prestartscript @@ -132,7 +131,6 @@ This package provides the development files for dovecot. %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem #%patch10 -p1 -b .libxcrypt -%patch11 -p1 -b .de42b54 #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -495,6 +493,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Mar 06 2019 Michal Hlavinka - 1:2.3.5-1 +- dovecot updated to 2.3.5, pigeonhole updated to 0.5.5 + * Thu Jan 31 2019 Fedora Release Engineering - 1:2.3.4-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild diff --git a/sources b/sources index 05b6440..ea5c3e2 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.4.tar.gz) = 9e97eb08c319c417e8abcb430b3e6c87ed5aa820d6288656fdfd958ff34664f67202a66e4846763bfc85b309b116cea8012e49dab98b478c57974cc178a37a5a -SHA512 (dovecot-2.3-pigeonhole-0.5.4.tar.gz) = 9c82cce7540f8ab66e2e370e0220c99048d6ac53ed680cd763e0b03d0200e2451cee4303ef97b87a16e7248e1c73b92ba91b47a2a20c75cb2cd62695a28046f3 +SHA512 (dovecot-2.3.5.tar.gz) = 10513c371aeadd52184daaf8dbb9a7559c6db55e34182bbb2c9539dae0897ddcc76f6fe2ce6a81c7ce0cb94c7f79438ae3bb0e7db8ed46615feb337b4078ecc6 +SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94 From bcb2bf83b776d5e2506a758f28a26c8bf4e95fdf Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 28 Mar 2019 17:41:20 +0100 Subject: [PATCH 02/12] dovecot updated to 2.3.5.1 CVE-2019-7524: Missing input buffer size validation leads into arbitrary buffer overflow when reading fts or pop3 uidl header from Dovecot index. --- dovecot.spec | 8 +++++++- sources | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 4212779..4f642b7 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.5 +Version: 2.3.5.1 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -493,6 +493,12 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Mar 28 2019 Michal Hlavinka - 1:2.3.5.1-1 +- dovecot updated to 2.3.5.1 +- CVE-2019-7524: Missing input buffer size validation leads into + arbitrary buffer overflow when reading fts or pop3 uidl header + from Dovecot index. + * Wed Mar 06 2019 Michal Hlavinka - 1:2.3.5-1 - dovecot updated to 2.3.5, pigeonhole updated to 0.5.5 diff --git a/sources b/sources index ea5c3e2..1a5e4f7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.5.tar.gz) = 10513c371aeadd52184daaf8dbb9a7559c6db55e34182bbb2c9539dae0897ddcc76f6fe2ce6a81c7ce0cb94c7f79438ae3bb0e7db8ed46615feb337b4078ecc6 +SHA512 (dovecot-2.3.5.1.tar.gz) = e87754461fb0b065acd0ff10dc955000a2fe5baffed69efaf328ce9268f90140e9de444bc68e0bd48b565c7622885a79b1f90ff3dd2335c0c2362d05d9e73e8a SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94 From 2bcf743ffe2cd549a067afea715f2a4479d2ecc6 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 18 Apr 2019 15:03:08 +0200 Subject: [PATCH 03/12] dovecot updated to 2.3.5.2 fixes CVE-2019-10691: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled. --- dovecot.spec | 7 ++++++- sources | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 4f642b7..05c6aa2 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.5.1 +Version: 2.3.5.2 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -493,6 +493,11 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Apr 18 2019 Michal Hlavinka - 1:2.3.5.2-1 +- dovecot updated to 2.3.5.2 +- fixes CVE-2019-10691: Trying to login with 8bit username containing + invalid UTF8 input causes auth process to crash if auth policy is enabled. + * Thu Mar 28 2019 Michal Hlavinka - 1:2.3.5.1-1 - dovecot updated to 2.3.5.1 - CVE-2019-7524: Missing input buffer size validation leads into diff --git a/sources b/sources index 1a5e4f7..2af39ad 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.5.1.tar.gz) = e87754461fb0b065acd0ff10dc955000a2fe5baffed69efaf328ce9268f90140e9de444bc68e0bd48b565c7622885a79b1f90ff3dd2335c0c2362d05d9e73e8a +SHA512 (dovecot-2.3.5.2.tar.gz) = 041ec1c33c6accb5c89d96d7ab2f7dd59795f496c17faea1906e7977983e4a387aa855a238376515c09532731634d9d42e6d6be22659062855241847ea0213d5 SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94 From aba67dc0a5588a76f14eb6f032353313ebe48588 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 2 May 2019 16:38:01 +0200 Subject: [PATCH 04/12] dovecot updated to 2.3.6, pigeonhole updated to 0.5.6 --- dovecot.spec | 7 +++++-- sources | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 05c6aa2..48998ae 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.5.2 +Version: 2.3.6 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.5 +%global pigeonholever 0.5.6 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -493,6 +493,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu May 02 2019 Michal Hlavinka - 1:2.3.6-1 +- dovecot updated to 2.3.6, pigeonhole updated to 0.5.6 + * Thu Apr 18 2019 Michal Hlavinka - 1:2.3.5.2-1 - dovecot updated to 2.3.5.2 - fixes CVE-2019-10691: Trying to login with 8bit username containing diff --git a/sources b/sources index 2af39ad..f5c7b43 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.5.2.tar.gz) = 041ec1c33c6accb5c89d96d7ab2f7dd59795f496c17faea1906e7977983e4a387aa855a238376515c09532731634d9d42e6d6be22659062855241847ea0213d5 -SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94 +SHA512 (dovecot-2.3.6.tar.gz) = ec28af2efcbd4ab534298c3342709251074dcdb0f0f4bcad0d24b996b273387e2ce557d7ab54abafb69be3ed7dd61f25c82b9710d78156932e2eff7f941c9eb2 +SHA512 (dovecot-2.3-pigeonhole-0.5.6.tar.gz) = 998a046d2eb5ff7bba615fd1a3efdfb1e7e1dabf191257f7fa2882074acc1735a0a4c11c5f31bab1e964b0118f1a8e9e51b3d5529b8fff6d1312c9a8257d9c20 From 238fa40c986c92be625e83c0dbee73b7cea8b8f2 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Fri, 31 May 2019 16:20:39 +0200 Subject: [PATCH 05/12] disable gcc 9 stack reuse temporarily --- dovecot.spec | 28 +++++++++++++++++----------- dovecot.tmpfilesd | 2 +- 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 48998ae..c05ed8f 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.6 %global prever %{nil} -Release: 1%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -87,7 +87,7 @@ BuildRequires: curl-devel expat-devel BuildRequires: libcurl-devel expat-devel %endif -%global restart_flag /var/run/%{name}/%{name}-restart-after-rpm-install +%global restart_flag /run/%{name}/%{name}-restart-after-rpm-install %description Dovecot is an IMAP server for Linux/UNIX-like systems, written with security @@ -139,7 +139,7 @@ sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src %build #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules %global _hardened_build 1 -export CFLAGS="%{__global_cflags} -fno-strict-aliasing" +export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" # el6 autoconf too old to regen; use packaged files (#1082384) %if %{?fedora}00%{?rhel} > 6 @@ -241,7 +241,7 @@ install -p -D -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initddir}/dovecot install -p -D -m 600 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/dovecot %endif -mkdir -p $RPM_BUILD_ROOT/var/run/dovecot/{login,empty,token-login} +mkdir -p $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login} # Install dovecot configuration and dovecot-openssl.cnf mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d @@ -298,11 +298,11 @@ then %endif fi -install -d -m 0755 -g dovecot -d /var/run/dovecot -install -d -m 0755 -d /var/run/dovecot/empty -install -d -m 0750 -g dovenull -d /var/run/dovecot/login -install -d -m 0755 -g dovenull -d /var/run/dovecot/token-login -[ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot +install -d -m 0755 -g dovecot -d /run/dovecot +install -d -m 0755 -d /run/dovecot/empty +install -d -m 0750 -g dovenull -d /run/dovecot/login +install -d -m 0755 -g dovenull -d /run/dovecot/token-login +[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot %preun if [ $1 = 0 ]; then @@ -313,7 +313,7 @@ if [ $1 = 0 ]; then /sbin/service %{name} stop > /dev/null 2>&1 /sbin/chkconfig --del %{name} %endif - rm -rf /var/run/dovecot + rm -rf /run/dovecot fi %postun @@ -436,7 +436,7 @@ make check %{_libexecdir}/%{name} %exclude %{_libexecdir}/%{name}/managesieve* -%ghost /var/run/dovecot +%ghost /run/dovecot %attr(0750,dovecot,dovecot) /var/lib/dovecot %{_datadir}/%{name} @@ -493,6 +493,12 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Fri May 31 2019 Michal Hlavinka - 1:2.3.6-3 +- disable gcc 9 stack reuse temporarily + +* Mon May 13 2019 Michal Hlavinka - 1:2.3.6-2 +- use /run instead of /var/run (#1706372) + * Thu May 02 2019 Michal Hlavinka - 1:2.3.6-1 - dovecot updated to 2.3.6, pigeonhole updated to 0.5.6 diff --git a/dovecot.tmpfilesd b/dovecot.tmpfilesd index 7178498..d96639a 100644 --- a/dovecot.tmpfilesd +++ b/dovecot.tmpfilesd @@ -1,2 +1,2 @@ -d /var/run/dovecot 0755 root dovecot - +d /run/dovecot 0755 root dovecot - From edd1a25a8564b1f825909c6bf027ef68f9163fd2 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 19 Aug 2019 17:35:12 +0200 Subject: [PATCH 06/12] dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1 --- dovecot.spec | 12 +++++++++--- sources | 4 ++-- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index c05ed8f..7ee0d5e 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.6 +Version: 2.3.7.1 %global prever %{nil} -Release: 3%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.6 +%global pigeonholever 0.5.7.1 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -493,6 +493,12 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Aug 19 2019 Michal Hlavinka - 1:1-2.3.7.1 +- dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1 + +* Wed Jul 24 2019 Fedora Release Engineering - 1:2.3.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + * Fri May 31 2019 Michal Hlavinka - 1:2.3.6-3 - disable gcc 9 stack reuse temporarily diff --git a/sources b/sources index f5c7b43..8b8981e 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.6.tar.gz) = ec28af2efcbd4ab534298c3342709251074dcdb0f0f4bcad0d24b996b273387e2ce557d7ab54abafb69be3ed7dd61f25c82b9710d78156932e2eff7f941c9eb2 -SHA512 (dovecot-2.3-pigeonhole-0.5.6.tar.gz) = 998a046d2eb5ff7bba615fd1a3efdfb1e7e1dabf191257f7fa2882074acc1735a0a4c11c5f31bab1e964b0118f1a8e9e51b3d5529b8fff6d1312c9a8257d9c20 +SHA512 (dovecot-2.3.7.1.tar.gz) = 9addfe2be9ae745ac9164e1658e6638df96bd611d45f172e2cd1cb2c6596e4ce534674e9eea3c1d17f497555061031916e0fb9a9fbc6de0eb6034e2fd0bed3b9 +SHA512 (dovecot-2.3-pigeonhole-0.5.7.1.tar.gz) = 121eac4ad8bc1ddc55c554d00338bb553590b6aedffcb11e34f6cba102d59bd34580cb7218bd5fe820038c004d12db73f7a27ca135c3d4a12c4449bae3216355 From 104fb40bac23a86855d1b4dbd70aa8a235f7585d Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 29 Aug 2019 11:04:04 +0200 Subject: [PATCH 07/12] dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2 fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes --- dovecot.spec | 10 ++++++++-- sources | 4 ++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 7ee0d5e..eba9723 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.7.1 +Version: 2.3.7.2 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.7.1 +%global pigeonholever 0.5.7.2 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -493,6 +493,12 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Aug 29 2019 Michal Hlavinka - 1:2.3.7.2-1 +- dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2 +- fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte + when scanning data in quoted strings, leading to out of bounds heap + memory writes + * Mon Aug 19 2019 Michal Hlavinka - 1:1-2.3.7.1 - dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1 diff --git a/sources b/sources index 8b8981e..9a8ce1a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.7.1.tar.gz) = 9addfe2be9ae745ac9164e1658e6638df96bd611d45f172e2cd1cb2c6596e4ce534674e9eea3c1d17f497555061031916e0fb9a9fbc6de0eb6034e2fd0bed3b9 -SHA512 (dovecot-2.3-pigeonhole-0.5.7.1.tar.gz) = 121eac4ad8bc1ddc55c554d00338bb553590b6aedffcb11e34f6cba102d59bd34580cb7218bd5fe820038c004d12db73f7a27ca135c3d4a12c4449bae3216355 +SHA512 (dovecot-2.3.7.2.tar.gz) = 172f7f0edb884259e4c050607510aee67a35c3a20b7dd147e7c8a25a04921c18f7d6b5c85af2c69ae8c4d53791550970e471b033dbfae94253e331053b6a317d +SHA512 (dovecot-2.3-pigeonhole-0.5.7.2.tar.gz) = 7fc8d89ee31c8e8c16a9aeaeffb591f4188de36fc80e3a30a9ae10bc5acd7ea5d5d91e077fda566e61d588d9221ec53044ce17a9cc0c9c219dbe6824558a1d60 From 4f2d108a328b2420cfa539ec674b567a405d04ba Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 10 Oct 2019 14:32:54 +0200 Subject: [PATCH 08/12] dovecot updated to 2.3.8, pigeonhole 0.5.8 --- dovecot.spec | 10 ++++++++-- sources | 4 ++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index eba9723..bb7322b 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.7.2 +Version: 2.3.8 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.7.2 +%global pigeonholever 0.5.8 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -50,7 +50,10 @@ BuildRequires: openldap-devel BuildRequires: krb5-devel BuildRequires: quota-devel BuildRequires: xz-devel +BuildRequires: lz4-devel BuildRequires: libsodium-devel +BuildRequires: libexttextcat-devel +BuildRequires: libstemmer-devel # gettext-devel is needed for running autoconf because of the # presence of AM_ICONV @@ -493,6 +496,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Oct 10 2019 Michal Hlavinka - 1:2.3.8-1 +- dovecot updated to 2.3.8, pigeonhole 0.5.8 + * Thu Aug 29 2019 Michal Hlavinka - 1:2.3.7.2-1 - dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2 - fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte diff --git a/sources b/sources index 9a8ce1a..05fd840 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.7.2.tar.gz) = 172f7f0edb884259e4c050607510aee67a35c3a20b7dd147e7c8a25a04921c18f7d6b5c85af2c69ae8c4d53791550970e471b033dbfae94253e331053b6a317d -SHA512 (dovecot-2.3-pigeonhole-0.5.7.2.tar.gz) = 7fc8d89ee31c8e8c16a9aeaeffb591f4188de36fc80e3a30a9ae10bc5acd7ea5d5d91e077fda566e61d588d9221ec53044ce17a9cc0c9c219dbe6824558a1d60 +SHA512 (dovecot-2.3.8.tar.gz) = f62439e2ea77ffb544a7752c07085582c5653c64671cb42dd7a7e5aa69eb87059c677aa1fa071efa1ddd2287ab621e9a264ec115be2aeb2f43ab4c685411eae3 +SHA512 (dovecot-2.3-pigeonhole-0.5.8.tar.gz) = ddf009c755cc87c362ddf1c17ac1403b0f6a504b039efef3244f2d5bd4d3963fb25baaaa4d98c089b3e8bddd4675d131765fee5499d9aaf01015e44f7d631d2d From 90172f8205da32575e666a54a8eedfc02d283c79 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 19 Dec 2019 23:10:15 +0100 Subject: [PATCH 09/12] CVE-2019-19722: Mails with group addresses in From or To fields caused crash in push notification drivers. --- dovecot.spec | 11 +++++++++-- sources | 4 ++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index bb7322b..5d6c3c3 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.8 +Version: 2.3.9.2 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.8 +%global pigeonholever 0.5.9 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -496,6 +496,13 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Dec 19 2019 Michal Hlavinka - 1:2.3.9.2-1 +- CVE-2019-19722: Mails with group addresses in From or To fields + caused crash in push notification drivers. + +* Wed Dec 04 2019 Michal Hlavinka - 1:2.3.9-1 +- dovecot updated to 2.3.9, pigeonhole updated to 0.5.9 + * Thu Oct 10 2019 Michal Hlavinka - 1:2.3.8-1 - dovecot updated to 2.3.8, pigeonhole 0.5.8 diff --git a/sources b/sources index 05fd840..c3d0413 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.8.tar.gz) = f62439e2ea77ffb544a7752c07085582c5653c64671cb42dd7a7e5aa69eb87059c677aa1fa071efa1ddd2287ab621e9a264ec115be2aeb2f43ab4c685411eae3 -SHA512 (dovecot-2.3-pigeonhole-0.5.8.tar.gz) = ddf009c755cc87c362ddf1c17ac1403b0f6a504b039efef3244f2d5bd4d3963fb25baaaa4d98c089b3e8bddd4675d131765fee5499d9aaf01015e44f7d631d2d +SHA512 (dovecot-2.3.9.2.tar.gz) = 36e8270bfa33e2bd6aa89017e65c7d1650c494c79ff297759a4b01c026aebcfdf5b1b542d4357e1f9dc2bb8169ef67064f0699b17ca36d658deb70b4c800b253 +SHA512 (dovecot-2.3-pigeonhole-0.5.9.tar.gz) = 1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8 From 3c47cbf802c6bd68b63f2f92c47bf3e0d27c9376 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 12 Feb 2020 16:39:09 +0100 Subject: [PATCH 10/12] dovecot updated to 2.3.9.3 fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS submission-login and lmtp processes. fixes CVE-2020-7957: Specially crafted mail can crash snippet generation. --- dovecot.spec | 20 +++++++++++++++++--- sources | 2 +- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 5d6c3c3..b85d60f 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.9.2 +Version: 2.3.9.3 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -304,7 +304,7 @@ fi install -d -m 0755 -g dovecot -d /run/dovecot install -d -m 0755 -d /run/dovecot/empty install -d -m 0750 -g dovenull -d /run/dovecot/login -install -d -m 0755 -g dovenull -d /run/dovecot/token-login +install -d -m 0750 -g dovenull -d /run/dovecot/token-login [ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot %preun @@ -439,7 +439,11 @@ make check %{_libexecdir}/%{name} %exclude %{_libexecdir}/%{name}/managesieve* -%ghost /run/dovecot +%attr(0755,root,dovecot) %ghost /run/dovecot +%attr(0750,root,dovenull) %ghost /run/dovecot/login +%attr(0750,root,dovenull) %ghost /run/dovecot/token-login +%attr(0755,root,root) %ghost /run/dovecot/empty + %attr(0750,dovecot,dovecot) /var/lib/dovecot %{_datadir}/%{name} @@ -496,6 +500,16 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Feb 12 2020 Michal Hlavinka - 1:2.3.9.3-1 +- dovecot updated to 2.3.9.3 +- fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS + submission-login and lmtp processes. +- fixes CVE-2020-7957: Specially crafted mail can crash snippet generation. + + +* Tue Jan 28 2020 Fedora Release Engineering - 1:2.3.9.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + * Thu Dec 19 2019 Michal Hlavinka - 1:2.3.9.2-1 - CVE-2019-19722: Mails with group addresses in From or To fields caused crash in push notification drivers. diff --git a/sources b/sources index c3d0413..27cc3f5 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.9.2.tar.gz) = 36e8270bfa33e2bd6aa89017e65c7d1650c494c79ff297759a4b01c026aebcfdf5b1b542d4357e1f9dc2bb8169ef67064f0699b17ca36d658deb70b4c800b253 +SHA512 (dovecot-2.3.9.3.tar.gz) = e39dc825a03f009928b67d01747bb70487fbec155e6be5109037db67b78301aa761db432f7355e96d927abf30c68f0116a5f2cf518b9eebf7f5c7806ac00ae41 SHA512 (dovecot-2.3-pigeonhole-0.5.9.tar.gz) = 1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8 From c29c757b299b85dfe051dee59e2cb2a3e44313ae Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 21 Apr 2020 20:07:35 +0200 Subject: [PATCH 11/12] dovecot updated to 2.3.10, pigeonhole updated to 0.5.10 --- dovecot.spec | 10 +++++++--- sources | 4 ++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index b85d60f..b91f5f8 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.9.3 +Version: 2.3.10 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.9 +%global pigeonholever 0.5.10 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -357,6 +357,7 @@ make check %{_bindir}/doveadm %{_bindir}/doveconf %{_bindir}/dsync +%{_bindir}/dovecot-sysreport %if %{?fedora}0 > 140 || %{?rhel}0 > 60 @@ -439,7 +440,7 @@ make check %{_libexecdir}/%{name} %exclude %{_libexecdir}/%{name}/managesieve* -%attr(0755,root,dovecot) %ghost /run/dovecot +%dir %attr(0755,root,dovecot) %ghost /run/dovecot %attr(0750,root,dovenull) %ghost /run/dovecot/login %attr(0750,root,dovenull) %ghost /run/dovecot/token-login %attr(0755,root,root) %ghost /run/dovecot/empty @@ -500,6 +501,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Apr 21 2020 Michal Hlavinka - 1:2.3.10-1 +- dovecot updated to 2.3.10, pigeonhole updated to 0.5.10 + * Wed Feb 12 2020 Michal Hlavinka - 1:2.3.9.3-1 - dovecot updated to 2.3.9.3 - fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS diff --git a/sources b/sources index 27cc3f5..29b0faa 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.9.3.tar.gz) = e39dc825a03f009928b67d01747bb70487fbec155e6be5109037db67b78301aa761db432f7355e96d927abf30c68f0116a5f2cf518b9eebf7f5c7806ac00ae41 -SHA512 (dovecot-2.3-pigeonhole-0.5.9.tar.gz) = 1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8 +SHA512 (dovecot-2.3.10.tar.gz) = 73e10d7d1e616d6599eb53f2d2d1ac0f0f2e6e84019faac5cd525e833da44839a7e483635b61d432e3254a9e5f6f90915bec8940c584210341085241949dffa2 +SHA512 (dovecot-2.3-pigeonhole-0.5.10.tar.gz) = f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad8cf8b795f19bb1dbef1d7d09e775598d782123268f61dc8b From 1afc1e129292d3b12dfd5df31629db8dbe989764 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 19 May 2020 11:50:18 +0200 Subject: [PATCH 12/12] dovecot updated to 2.3.10.1 fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957 --- dovecot.spec | 6 +++++- sources | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index b91f5f8..d32cc87 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.10 +Version: 2.3.10.1 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -501,6 +501,10 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon May 18 2020 Michal Hlavinka - 1:2.3.10.1-1 +- dovecot updated to 2.3.10.1 +- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957 + * Tue Apr 21 2020 Michal Hlavinka - 1:2.3.10-1 - dovecot updated to 2.3.10, pigeonhole updated to 0.5.10 diff --git a/sources b/sources index 29b0faa..649f5e0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.10.tar.gz) = 73e10d7d1e616d6599eb53f2d2d1ac0f0f2e6e84019faac5cd525e833da44839a7e483635b61d432e3254a9e5f6f90915bec8940c584210341085241949dffa2 +SHA512 (dovecot-2.3.10.1.tar.gz) = 5c07436a3e861993f241caa2c60f035c533c5fceb5c8540c1717d31bedd54b82299f7ea11bfee12c72d4d33985d93a7130c4f56877864a7ad21cf7373a29cc06 SHA512 (dovecot-2.3-pigeonhole-0.5.10.tar.gz) = f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad8cf8b795f19bb1dbef1d7d09e775598d782123268f61dc8b