From a9c67892af9cd16620e0dc0b44d3d7c97ad13cd2 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 9 Aug 2016 10:19:05 +0200 Subject: [PATCH 001/163] add note to dovecot unit file about ProtectSystem option --- dovecot-2.2.22-systemd_w_protectsystem.patch | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dovecot-2.2.22-systemd_w_protectsystem.patch b/dovecot-2.2.22-systemd_w_protectsystem.patch index bc69e10..10fe4b8 100644 --- a/dovecot-2.2.22-systemd_w_protectsystem.patch +++ b/dovecot-2.2.22-systemd_w_protectsystem.patch @@ -4,8 +4,9 @@ diff -up dovecot-2.2.22/dovecot.service.in.systemd_w_protectsystem dovecot-2.2.2 @@ -33,7 +33,7 @@ ExecStop=@bindir@/doveadm stop PrivateTmp=true NonBlocking=yes - # Enable this if your systemd is new enough to support it: +-# Enable this if your systemd is new enough to support it: -#ProtectSystem=full ++# Enable this if your systemd is new enough to support it: (it will make /usr /boot /etc read only for dovecot) +ProtectSystem=full [Install] From 621a521183cbe27ac4b9c0a482566eb2f9abab8c Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 31 Oct 2016 16:13:54 +0100 Subject: [PATCH 002/163] dovecot updated to 2.2.26.0, pigeonhole updated to 0.4.16 - master process's listener socket was leaked to all child processes. This might have allowed untrusted processes to capture and prevent "doveadm service stop" comands from working. - login proxy: Fixed crash when outgoing SSL connections were hanging. - auth: userdb fields weren't passed to auth-workers, so %{userdb:*} from previous userdbs didn't work there. - auth: Fixed auth_bind=yes + sasl_bind=yes to work together - lmtp: %{userdb:*} variables didn't work in mail_log_prefix - Fixed writing >2GB to iostream-temp files (used by fs-compress, fs-metawrap, doveadm-http) - fts-solr: Fixed searching multiple mailboxes - and more... --- .gitignore | 2 ++ dovecot.spec | 19 +++++++++++++++++-- sources | 4 ++-- 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 275d452..619a904 100644 --- a/.gitignore +++ b/.gitignore @@ -103,3 +103,5 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2.24.tar.gz /dovecot-2.2-pigeonhole-0.4.14.tar.gz /dovecot-2.2.25.tar.gz +/dovecot-2.2.26.0.tar.gz +/dovecot-2.2-pigeonhole-0.4.16.tar.gz diff --git a/dovecot.spec b/dovecot.spec index e94eda0..64a780f 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.25 +Version: 2.2.26.0 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.4.14 +%global pigeonholever 0.4.16 Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -481,6 +481,21 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Oct 31 2016 Michal Hlavinka - 1:2.2.26.0-1 +- dovecot updated to 2.2.26.0, pigeonhole updated to 0.4.16 +- master process's listener socket was leaked to all child processes. + This might have allowed untrusted processes to capture and prevent + "doveadm service stop" comands from working. +- login proxy: Fixed crash when outgoing SSL connections were hanging. +- auth: userdb fields weren't passed to auth-workers, so %{userdb:*} + from previous userdbs didn't work there. +- auth: Fixed auth_bind=yes + sasl_bind=yes to work together +- lmtp: %{userdb:*} variables didn't work in mail_log_prefix +- Fixed writing >2GB to iostream-temp files (used by fs-compress, + fs-metawrap, doveadm-http) +- fts-solr: Fixed searching multiple mailboxes +- and more... + * Mon Jul 04 2016 Michal Hlavinka - 1:2.2.25-1 - dovecot updated to 2.2.25 - doveadm backup was sometimes deleting entire mailboxes unnecessarily. diff --git a/sources b/sources index 696c213..4112778 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -8f62ea76489c47c369cbbe0b19818448 dovecot-2.2.25.tar.gz -27e47fb731f2948d6905b12b6184705f dovecot-2.2-pigeonhole-0.4.14.tar.gz +85bc42328de41d1eb8d6d3f1db666db8 dovecot-2.2.26.0.tar.gz +e03eed707b39cffc4b2a82867de45d9c dovecot-2.2-pigeonhole-0.4.16.tar.gz From 828b5d8c857f10d48798c927025e744a9636c02c Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Fri, 2 Dec 2016 17:21:11 +0100 Subject: [PATCH 003/163] fix remote crash when auth-policy component is activated (CVE-2016-8652,#1401025) --- dovecot-2.2.26-CVE-2016-8652a.patch | 28 +++++++++++++ dovecot-2.2.26-CVE-2016-8652b.patch | 64 +++++++++++++++++++++++++++++ dovecot.spec | 11 ++++- 3 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.2.26-CVE-2016-8652a.patch create mode 100644 dovecot-2.2.26-CVE-2016-8652b.patch diff --git a/dovecot-2.2.26-CVE-2016-8652a.patch b/dovecot-2.2.26-CVE-2016-8652a.patch new file mode 100644 index 0000000..2867856 --- /dev/null +++ b/dovecot-2.2.26-CVE-2016-8652a.patch @@ -0,0 +1,28 @@ +From 1f2c35da2b96905bec6e45f88af0f33ee63789e6 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Wed, 23 Nov 2016 13:16:19 +0200 +Subject: [PATCH] auth: Fix auth-policy crash when username is NULL + +If SASL request is invalid, or incomplete, and username +is left NULL, handle it gracefully by adding just +NUL byte in auth policy digest for username. +--- + src/auth/auth-policy.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/auth/auth-policy.c b/src/auth/auth-policy.c +index c7faa3c..86b31f1 100755 +--- a/src/auth/auth-policy.c ++++ b/src/auth/auth-policy.c +@@ -442,7 +442,10 @@ void auth_policy_create_json(struct policy_lookup_ctx *context, + context->set->policy_hash_nonce, + strlen(context->set->policy_hash_nonce)); + /* use +1 to make sure \0 gets included */ +- digest->loop(ctx, context->request->user, strlen(context->request->user) + 1); ++ if (context->request->user == NULL) ++ digest->loop(ctx, "\0", 1); ++ else ++ digest->loop(ctx, context->request->user, strlen(context->request->user) + 1); + if (password != NULL) + digest->loop(ctx, password, strlen(password)); + ptr = (unsigned char*)str_c_modifiable(buffer); diff --git a/dovecot-2.2.26-CVE-2016-8652b.patch b/dovecot-2.2.26-CVE-2016-8652b.patch new file mode 100644 index 0000000..c5ff72a --- /dev/null +++ b/dovecot-2.2.26-CVE-2016-8652b.patch @@ -0,0 +1,64 @@ +From 2c3f37672277b1f73f84722802aaa0ab1ab3e413 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen +Date: Wed, 23 Nov 2016 15:57:03 +0200 +Subject: [PATCH] auth: Don't crash expanding %variables when username isn't + set. + +This continues the auth-policy fix in +c3d3faa4f72a676e183f34be960cff13a5a725ae +--- + src/auth/auth-request-var-expand.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/src/auth/auth-request-var-expand.c b/src/auth/auth-request-var-expand.c +index 4f256c0..a04a4d9 100644 +--- a/src/auth/auth-request-var-expand.c ++++ b/src/auth/auth-request-var-expand.c +@@ -72,7 +72,7 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request, + const unsigned int auth_count = + N_ELEMENTS(auth_request_var_expand_static_tab); + struct var_expand_table *tab, *ret_tab; +- const char *orig_user, *auth_user; ++ const char *orig_user, *auth_user, *username; + + if (escape_func == NULL) + escape_func = escape_none; +@@ -87,10 +87,11 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request, + memcpy(tab, auth_request_var_expand_static_tab, + auth_count * sizeof(*tab)); + +- tab[0].value = escape_func(auth_request->user, auth_request); +- tab[1].value = escape_func(t_strcut(auth_request->user, '@'), ++ username = auth_request->user != NULL ? auth_request->user : ""; ++ tab[0].value = escape_func(username, auth_request); ++ tab[1].value = escape_func(t_strcut(username, '@'), + auth_request); +- tab[2].value = strchr(auth_request->user, '@'); ++ tab[2].value = strchr(username, '@'); + if (tab[2].value != NULL) + tab[2].value = escape_func(tab[2].value+1, auth_request); + tab[3].value = escape_func(auth_request->service, auth_request); +@@ -138,12 +139,12 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request, + tab[20].value = net_ip2addr(&auth_request->real_remote_ip); + tab[21].value = dec2str(auth_request->real_local_port); + tab[22].value = dec2str(auth_request->real_remote_port); +- tab[23].value = strchr(auth_request->user, '@'); ++ tab[23].value = strchr(username, '@'); + if (tab[23].value != NULL) { + tab[23].value = escape_func(t_strcut(tab[23].value+1, '@'), + auth_request); + } +- tab[24].value = strrchr(auth_request->user, '@'); ++ tab[24].value = strrchr(username, '@'); + if (tab[24].value != NULL) + tab[24].value = escape_func(tab[24].value+1, auth_request); + tab[25].value = auth_request->master_user == NULL ? NULL : +@@ -152,7 +153,7 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request, + dec2str(auth_request->session_pid); + + orig_user = auth_request->original_username != NULL ? +- auth_request->original_username : auth_request->user; ++ auth_request->original_username : username; + tab[27].value = escape_func(orig_user, auth_request); + tab[28].value = escape_func(t_strcut(orig_user, '@'), auth_request); + tab[29].value = strchr(orig_user, '@'); diff --git a/dovecot.spec b/dovecot.spec index 64a780f..58b3df2 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.2.26.0 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -34,6 +34,10 @@ Patch7: dovecot-2.2.13-online.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch +# 2x from upstream, for dovecot < 2.2.27, rhbz#1401025 +Patch10: dovecot-2.2.26-CVE-2016-8652a.patch +Patch11: dovecot-2.2.26-CVE-2016-8652b.patch + Source15: prestartscript BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel @@ -129,6 +133,8 @@ This package provides the development files for dovecot. %patch7 -p1 -b .online %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem +%patch10 -p1 -b .CVE-2016-8652a +%patch11 -p1 -b .CVE-2016-8652b #pushd dovecot-2*2-pigeonhole-%{pigeonholever} #popd sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in @@ -481,6 +487,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Fri Dec 02 2016 Michal Hlavinka - 1:2.2.26.0-2 +- fix remote crash when auth-policy component is activated (CVE-2016-8652,#1401025) + * Mon Oct 31 2016 Michal Hlavinka - 1:2.2.26.0-1 - dovecot updated to 2.2.26.0, pigeonhole updated to 0.4.16 - master process's listener socket was leaked to all child processes. From 3203a05c7dcfec98e84fae512f766beec818a050 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 5 Dec 2016 10:41:59 +0100 Subject: [PATCH 004/163] Fixed crash in auth process when auth-policy was configured and authentication was aborted/failed without a username set. - director: If two users had different tags but the same hash, the users may have been redirected to the wrong tag's hosts. - Index files may have been thought incorrectly lost, causing "Missing middle file seq=.." to be logged and index rebuild. This happened more easily with IMAP hibernation enabled. - Various fixes to restoring state correctly in un-hibernation. - dovecot.index files were commonly 4 bytes per email too large. This is because 3 bytes per email were being wasted that could have been used for IMAP keywords. - Various fixes to handle dovecot.list.index corruption better. - lib-fts: Fixed assert-crash in address tokenizer with specific input. - Fixed assert-crash in HTML to text parsing with specific input (e.g. for FTS indexing or snippet generation) - doveadm sync -1: Fixed handling mailbox GUID conflicts. - sdbox, mdbox: Perform full index rebuild if corruption is detected inside lib-index, which runs index fsck. - quota: Don't skip quota checks when moving mails between different quota roots. - search: Multiple sequence sets or UID sets in search parameters weren't handled correctly. They were incorrectly merged together. --- .gitignore | 1 + dovecot-1.0.rc7-mkcert-paths.patch | 9 ++-- dovecot-2.2.26-CVE-2016-8652a.patch | 28 ------------- dovecot-2.2.26-CVE-2016-8652b.patch | 64 ----------------------------- dovecot.spec | 37 +++++++++++++---- sources | 2 +- 6 files changed, 36 insertions(+), 105 deletions(-) delete mode 100644 dovecot-2.2.26-CVE-2016-8652a.patch delete mode 100644 dovecot-2.2.26-CVE-2016-8652b.patch diff --git a/.gitignore b/.gitignore index 619a904..f811ba3 100644 --- a/.gitignore +++ b/.gitignore @@ -105,3 +105,4 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2.25.tar.gz /dovecot-2.2.26.0.tar.gz /dovecot-2.2-pigeonhole-0.4.16.tar.gz +/dovecot-2.2.27.tar.gz diff --git a/dovecot-1.0.rc7-mkcert-paths.patch b/dovecot-1.0.rc7-mkcert-paths.patch index 91ab41f..e8354e5 100644 --- a/dovecot-1.0.rc7-mkcert-paths.patch +++ b/dovecot-1.0.rc7-mkcert-paths.patch @@ -1,8 +1,9 @@ ---- dovecot-1.0.rc7/doc/mkcert.sh.mkcert-paths 2006-10-04 11:34:46.000000000 +0200 -+++ dovecot-1.0.rc7/doc/mkcert.sh 2006-10-04 11:35:31.000000000 +0200 -@@ -4,8 +4,8 @@ - # Edit dovecot-openssl.cnf before running this. +diff -up dovecot-2.2.27/doc/mkcert.sh.mkcert-paths dovecot-2.2.27/doc/mkcert.sh +--- dovecot-2.2.27/doc/mkcert.sh.mkcert-paths 2016-12-05 10:26:07.913515286 +0100 ++++ dovecot-2.2.27/doc/mkcert.sh 2016-12-05 10:28:25.439634417 +0100 +@@ -5,8 +5,8 @@ + umask 077 OPENSSL=${OPENSSL-openssl} -SSLDIR=${SSLDIR-/etc/ssl} -OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf} diff --git a/dovecot-2.2.26-CVE-2016-8652a.patch b/dovecot-2.2.26-CVE-2016-8652a.patch deleted file mode 100644 index 2867856..0000000 --- a/dovecot-2.2.26-CVE-2016-8652a.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 1f2c35da2b96905bec6e45f88af0f33ee63789e6 Mon Sep 17 00:00:00 2001 -From: Aki Tuomi -Date: Wed, 23 Nov 2016 13:16:19 +0200 -Subject: [PATCH] auth: Fix auth-policy crash when username is NULL - -If SASL request is invalid, or incomplete, and username -is left NULL, handle it gracefully by adding just -NUL byte in auth policy digest for username. ---- - src/auth/auth-policy.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/auth/auth-policy.c b/src/auth/auth-policy.c -index c7faa3c..86b31f1 100755 ---- a/src/auth/auth-policy.c -+++ b/src/auth/auth-policy.c -@@ -442,7 +442,10 @@ void auth_policy_create_json(struct policy_lookup_ctx *context, - context->set->policy_hash_nonce, - strlen(context->set->policy_hash_nonce)); - /* use +1 to make sure \0 gets included */ -- digest->loop(ctx, context->request->user, strlen(context->request->user) + 1); -+ if (context->request->user == NULL) -+ digest->loop(ctx, "\0", 1); -+ else -+ digest->loop(ctx, context->request->user, strlen(context->request->user) + 1); - if (password != NULL) - digest->loop(ctx, password, strlen(password)); - ptr = (unsigned char*)str_c_modifiable(buffer); diff --git a/dovecot-2.2.26-CVE-2016-8652b.patch b/dovecot-2.2.26-CVE-2016-8652b.patch deleted file mode 100644 index c5ff72a..0000000 --- a/dovecot-2.2.26-CVE-2016-8652b.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 2c3f37672277b1f73f84722802aaa0ab1ab3e413 Mon Sep 17 00:00:00 2001 -From: Timo Sirainen -Date: Wed, 23 Nov 2016 15:57:03 +0200 -Subject: [PATCH] auth: Don't crash expanding %variables when username isn't - set. - -This continues the auth-policy fix in -c3d3faa4f72a676e183f34be960cff13a5a725ae ---- - src/auth/auth-request-var-expand.c | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - -diff --git a/src/auth/auth-request-var-expand.c b/src/auth/auth-request-var-expand.c -index 4f256c0..a04a4d9 100644 ---- a/src/auth/auth-request-var-expand.c -+++ b/src/auth/auth-request-var-expand.c -@@ -72,7 +72,7 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request, - const unsigned int auth_count = - N_ELEMENTS(auth_request_var_expand_static_tab); - struct var_expand_table *tab, *ret_tab; -- const char *orig_user, *auth_user; -+ const char *orig_user, *auth_user, *username; - - if (escape_func == NULL) - escape_func = escape_none; -@@ -87,10 +87,11 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request, - memcpy(tab, auth_request_var_expand_static_tab, - auth_count * sizeof(*tab)); - -- tab[0].value = escape_func(auth_request->user, auth_request); -- tab[1].value = escape_func(t_strcut(auth_request->user, '@'), -+ username = auth_request->user != NULL ? auth_request->user : ""; -+ tab[0].value = escape_func(username, auth_request); -+ tab[1].value = escape_func(t_strcut(username, '@'), - auth_request); -- tab[2].value = strchr(auth_request->user, '@'); -+ tab[2].value = strchr(username, '@'); - if (tab[2].value != NULL) - tab[2].value = escape_func(tab[2].value+1, auth_request); - tab[3].value = escape_func(auth_request->service, auth_request); -@@ -138,12 +139,12 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request, - tab[20].value = net_ip2addr(&auth_request->real_remote_ip); - tab[21].value = dec2str(auth_request->real_local_port); - tab[22].value = dec2str(auth_request->real_remote_port); -- tab[23].value = strchr(auth_request->user, '@'); -+ tab[23].value = strchr(username, '@'); - if (tab[23].value != NULL) { - tab[23].value = escape_func(t_strcut(tab[23].value+1, '@'), - auth_request); - } -- tab[24].value = strrchr(auth_request->user, '@'); -+ tab[24].value = strrchr(username, '@'); - if (tab[24].value != NULL) - tab[24].value = escape_func(tab[24].value+1, auth_request); - tab[25].value = auth_request->master_user == NULL ? NULL : -@@ -152,7 +153,7 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request, - dec2str(auth_request->session_pid); - - orig_user = auth_request->original_username != NULL ? -- auth_request->original_username : auth_request->user; -+ auth_request->original_username : username; - tab[27].value = escape_func(orig_user, auth_request); - tab[28].value = escape_func(t_strcut(orig_user, '@'), auth_request); - tab[29].value = strchr(orig_user, '@'); diff --git a/dovecot.spec b/dovecot.spec index 58b3df2..a143afc 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.26.0 +Version: 2.2.27 %global prever %{nil} -Release: 2%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -34,10 +34,6 @@ Patch7: dovecot-2.2.13-online.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch -# 2x from upstream, for dovecot < 2.2.27, rhbz#1401025 -Patch10: dovecot-2.2.26-CVE-2016-8652a.patch -Patch11: dovecot-2.2.26-CVE-2016-8652b.patch - Source15: prestartscript BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel @@ -133,8 +129,6 @@ This package provides the development files for dovecot. %patch7 -p1 -b .online %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem -%patch10 -p1 -b .CVE-2016-8652a -%patch11 -p1 -b .CVE-2016-8652b #pushd dovecot-2*2-pigeonhole-%{pigeonholever} #popd sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in @@ -146,6 +140,7 @@ export CFLAGS="%{__global_cflags} -fno-strict-aliasing" export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" # el6 autoconf too old to regen; use packaged files (#1082384) %if %{?fedora}00%{?rhel} > 6 +mkdir -p m4 autoreconf -I . -fiv #required for aarch64 support %endif %configure \ @@ -424,6 +419,8 @@ make check %{_libdir}/dovecot/libdriver_sqlite.so %{_libdir}/dovecot/libssl_iostream_openssl.so %{_libdir}/dovecot/libfs_compress.so +%{_libdir}/dovecot/libfs_crypt.so +%{_libdir}/dovecot/libfs_mail_crypt.so %{_libdir}/dovecot/libdcrypt_openssl.so %dir %{_libdir}/dovecot/settings @@ -487,6 +484,30 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Dec 05 2016 Michal Hlavinka - 1:2.2.27-1 +- Fixed crash in auth process when auth-policy was configured and + authentication was aborted/failed without a username set. +- director: If two users had different tags but the same hash, + the users may have been redirected to the wrong tag's hosts. +- Index files may have been thought incorrectly lost, causing + "Missing middle file seq=.." to be logged and index rebuild. + This happened more easily with IMAP hibernation enabled. +- Various fixes to restoring state correctly in un-hibernation. +- dovecot.index files were commonly 4 bytes per email too large. This + is because 3 bytes per email were being wasted that could have been + used for IMAP keywords. +- Various fixes to handle dovecot.list.index corruption better. +- lib-fts: Fixed assert-crash in address tokenizer with specific input. +- Fixed assert-crash in HTML to text parsing with specific input + (e.g. for FTS indexing or snippet generation) +- doveadm sync -1: Fixed handling mailbox GUID conflicts. +- sdbox, mdbox: Perform full index rebuild if corruption is detected + inside lib-index, which runs index fsck. +- quota: Don't skip quota checks when moving mails between different + quota roots. +- search: Multiple sequence sets or UID sets in search parameters + weren't handled correctly. They were incorrectly merged together. + * Fri Dec 02 2016 Michal Hlavinka - 1:2.2.26.0-2 - fix remote crash when auth-policy component is activated (CVE-2016-8652,#1401025) diff --git a/sources b/sources index 4112778..dbc705a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -85bc42328de41d1eb8d6d3f1db666db8 dovecot-2.2.26.0.tar.gz +20133518f5bc0e64dd07ce55b83df2fb dovecot-2.2.27.tar.gz e03eed707b39cffc4b2a82867de45d9c dovecot-2.2-pigeonhole-0.4.16.tar.gz From e50e9918595cacb5d2c9df2b06e27f0043161382 Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Wed, 14 Dec 2016 17:09:11 +0100 Subject: [PATCH 005/163] fixed bz#1403760, big endian issue --- dovecot-2.2.27-endian.patch | 12 ++++++++++++ dovecot.spec | 8 +++++++- 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.2.27-endian.patch diff --git a/dovecot-2.2.27-endian.patch b/dovecot-2.2.27-endian.patch new file mode 100644 index 0000000..75c1e37 --- /dev/null +++ b/dovecot-2.2.27-endian.patch @@ -0,0 +1,12 @@ +diff -up dovecot-2.2.27/src/lib/sha3.c.than dovecot-2.2.27/src/lib/sha3.c +--- dovecot-2.2.27/src/lib/sha3.c.than 2016-12-13 07:46:26.173797063 -0500 ++++ dovecot-2.2.27/src/lib/sha3.c 2016-12-13 07:45:47.693129174 -0500 +@@ -232,7 +232,7 @@ sha3_finalize(struct sha3_ctx *ctx) + SHA3_CONST(0x8000000000000000UL); + keccakf(ctx->s); + +-#ifndef WORDS_BIGENDIAN ++#ifdef WORDS_BIGENDIAN + { + unsigned i; + for(i = 0; i < SHA3_KECCAK_SPONGE_WORDS; i++) { diff --git a/dovecot.spec b/dovecot.spec index a143afc..ab85cf6 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.2.27 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -33,6 +33,7 @@ Patch7: dovecot-2.2.13-online.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch +Patch10: dovecot-2.2.27-endian.patch Source15: prestartscript @@ -129,6 +130,8 @@ This package provides the development files for dovecot. %patch7 -p1 -b .online %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem +%patch10 -p1 -b .endian + #pushd dovecot-2*2-pigeonhole-%{pigeonholever} #popd sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in @@ -484,6 +487,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Dec 14 2016 Than Ngo - 1:2.2.27-2 +- fixed bz#1403760, big endian issue + * Mon Dec 05 2016 Michal Hlavinka - 1:2.2.27-1 - Fixed crash in auth process when auth-policy was configured and authentication was aborted/failed without a username set. From 60fba238a23ef3a1ffe80e834568c756c3ef58ae Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 10 Feb 2017 08:34:30 +0000 Subject: [PATCH 006/163] - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index ab85cf6..a4076ad 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.2.27 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -487,6 +487,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Fri Feb 10 2017 Fedora Release Engineering - 1:2.2.27-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + * Wed Dec 14 2016 Than Ngo - 1:2.2.27-2 - fixed bz#1403760, big endian issue From 6cde4f186ad441f2ab365e1afef3cc282d66a95a Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 27 Feb 2017 10:23:36 +0100 Subject: [PATCH 007/163] dovecot updated to 2.2.28, pigeonhole to 0.4.17 auth: Support OAUTHBEARER and XOAUTH2 mechanisms. Also support them in lib-dsasl for client side. imap: SEARCH/SORT may have assert-crashed in client_check_command_hangs imap: FETCH X-MAILBOX may have assert-crashed in virtual mailboxes. search: Using NOT n:* or NOT UID n:* wasn't handled correctly fts: fts_autoindex_exclude = \Special-use caused crashes doveadm-server: Fix leaks and other problems when process is reused for multiple requests (service_count != 1) sdbox: Fix assert-crash on mailbox create race lda/lmtp: deliver_log_format values weren't entirely correct if Sieve was used. especially %{storage_id} was broken. imapsieve plugin: Fixed assert failure occurring when used with virtual mailboxes. doveadm sieve plugin: Fixed crash when setting Sieve script via attribute's string value. --- .gitignore | 2 ++ dovecot-2.2.22-systemd_w_protectsystem.patch | 13 +++++----- dovecot-2.2.27-endian.patch | 12 --------- dovecot.spec | 27 ++++++++++++++++---- sources | 4 +-- 5 files changed, 33 insertions(+), 25 deletions(-) delete mode 100644 dovecot-2.2.27-endian.patch diff --git a/.gitignore b/.gitignore index f811ba3..7bc1eff 100644 --- a/.gitignore +++ b/.gitignore @@ -106,3 +106,5 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2.26.0.tar.gz /dovecot-2.2-pigeonhole-0.4.16.tar.gz /dovecot-2.2.27.tar.gz +/dovecot-2.2.28.tar.gz +/dovecot-2.2-pigeonhole-0.4.17.tar.gz diff --git a/dovecot-2.2.22-systemd_w_protectsystem.patch b/dovecot-2.2.22-systemd_w_protectsystem.patch index 10fe4b8..6fcddac 100644 --- a/dovecot-2.2.22-systemd_w_protectsystem.patch +++ b/dovecot-2.2.22-systemd_w_protectsystem.patch @@ -1,7 +1,8 @@ -diff -up dovecot-2.2.22/dovecot.service.in.systemd_w_protectsystem dovecot-2.2.22/dovecot.service.in ---- dovecot-2.2.22/dovecot.service.in.systemd_w_protectsystem 2016-03-16 13:49:46.678894652 +0100 -+++ dovecot-2.2.22/dovecot.service.in 2016-03-16 13:49:46.690894592 +0100 -@@ -33,7 +33,7 @@ ExecStop=@bindir@/doveadm stop +diff -up dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem dovecot-2.2.28/dovecot.service.in +--- dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem 2017-02-27 10:00:14.647423500 +0100 ++++ dovecot-2.2.28/dovecot.service.in 2017-02-27 10:02:18.051377067 +0100 +@@ -20,8 +20,8 @@ ExecReload=@bindir@/doveadm reload + ExecStop=@bindir@/doveadm stop PrivateTmp=true NonBlocking=yes -# Enable this if your systemd is new enough to support it: @@ -9,5 +10,5 @@ diff -up dovecot-2.2.22/dovecot.service.in.systemd_w_protectsystem dovecot-2.2.2 +# Enable this if your systemd is new enough to support it: (it will make /usr /boot /etc read only for dovecot) +ProtectSystem=full - [Install] - WantedBy=multi-user.target + # You can add environment variables with e.g.: + #Environment='CORE_OUTOFMEM=1' diff --git a/dovecot-2.2.27-endian.patch b/dovecot-2.2.27-endian.patch deleted file mode 100644 index 75c1e37..0000000 --- a/dovecot-2.2.27-endian.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up dovecot-2.2.27/src/lib/sha3.c.than dovecot-2.2.27/src/lib/sha3.c ---- dovecot-2.2.27/src/lib/sha3.c.than 2016-12-13 07:46:26.173797063 -0500 -+++ dovecot-2.2.27/src/lib/sha3.c 2016-12-13 07:45:47.693129174 -0500 -@@ -232,7 +232,7 @@ sha3_finalize(struct sha3_ctx *ctx) - SHA3_CONST(0x8000000000000000UL); - keccakf(ctx->s); - --#ifndef WORDS_BIGENDIAN -+#ifdef WORDS_BIGENDIAN - { - unsigned i; - for(i = 0; i < SHA3_KECCAK_SPONGE_WORDS; i++) { diff --git a/dovecot.spec b/dovecot.spec index a4076ad..f4a5e43 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.27 +Version: 2.2.28 %global prever %{nil} -Release: 3%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.4.16 +%global pigeonholever 0.4.17 Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -33,7 +33,6 @@ Patch7: dovecot-2.2.13-online.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch -Patch10: dovecot-2.2.27-endian.patch Source15: prestartscript @@ -130,7 +129,6 @@ This package provides the development files for dovecot. %patch7 -p1 -b .online %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem -%patch10 -p1 -b .endian #pushd dovecot-2*2-pigeonhole-%{pigeonholever} #popd @@ -487,6 +485,25 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Feb 27 2017 Michal Hlavinka - 1:2.2.28-1 +- dovecot updated to 2.2.28, pigeonhole to 0.4.17 +- auth: Support OAUTHBEARER and XOAUTH2 mechanisms. Also support them + in lib-dsasl for client side. +- imap: SEARCH/SORT may have assert-crashed in + client_check_command_hangs +- imap: FETCH X-MAILBOX may have assert-crashed in virtual mailboxes. +- search: Using NOT n:* or NOT UID n:* wasn't handled correctly +- fts: fts_autoindex_exclude = \Special-use caused crashes +- doveadm-server: Fix leaks and other problems when process is reused + for multiple requests (service_count != 1) +- sdbox: Fix assert-crash on mailbox create race +- lda/lmtp: deliver_log_format values weren't entirely correct if Sieve + was used. especially %{storage_id} was broken. +- imapsieve plugin: Fixed assert failure occurring when used with virtual + mailboxes. +- doveadm sieve plugin: Fixed crash when setting Sieve script via attribute's + string value. + * Fri Feb 10 2017 Fedora Release Engineering - 1:2.2.27-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild diff --git a/sources b/sources index dbc705a..7d055e1 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -20133518f5bc0e64dd07ce55b83df2fb dovecot-2.2.27.tar.gz -e03eed707b39cffc4b2a82867de45d9c dovecot-2.2-pigeonhole-0.4.16.tar.gz +SHA512 (dovecot-2.2.28.tar.gz) = 3f40eb52413130dd47da98470d797ede63db3296923c2888b48f1a021e473cfcad064671ad804037d101990457ee57def30f2c27010ede2d758f3d3cfd8ef741 +SHA512 (dovecot-2.2-pigeonhole-0.4.17.tar.gz) = 3ea6faebf04154649c32612f204e909aa131582c99867865bff3d3a78a75593d96109586eeb6403bc915046b8b6f02e8bacbf6cb6733ea186d2e1a209a7e2b79 From 627140a00c2b290a9ac0ec229bad59fad8db8725 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 11 Apr 2017 10:32:58 +0200 Subject: [PATCH 008/163] dovecot updated to 2.2.29 fts-tika: Fixed crash when parsing attachment without Content-Disposition header. Broken by 2.2.28. trash plugin was broken in 2.2.28 auth: When passdb/userdb lookups were done via auth-workers, too much data was added to auth cache. This could have resulted in wrong replies when using multiple passdbs/userdbs. auth: passdb { skip & mechanisms } were ignored for the first passdb oauth2: Various fixes, including fixes to crashes dsync: Large Sieve scripts (or other large metadata) weren't always synced. Index rebuild (e.g. doveadm force-resync) set all mails as \Recent imap-hibernate: %{userdb:*} wasn't expanded in mail_log_prefix doveadm: Exit codes weren't preserved when proxying commands via doveadm-server. Almost all errors used exit code 75 (tempfail). ACLs weren't applied to not-yet-existing autocreated mailboxes. Fixed a potential crash when parsing a broken message header. cassandra: Fallback consistency settings weren't working correctly. doveadm director status : "Initial config" was always empty imapc: Various reconnection fixes. --- .gitignore | 1 + dovecot.spec | 24 +++++++++++++++++++++++- sources | 2 +- 3 files changed, 25 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 7bc1eff..de4355f 100644 --- a/.gitignore +++ b/.gitignore @@ -108,3 +108,4 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2.27.tar.gz /dovecot-2.2.28.tar.gz /dovecot-2.2-pigeonhole-0.4.17.tar.gz +/dovecot-2.2.29.tar.gz diff --git a/dovecot.spec b/dovecot.spec index f4a5e43..3504acc 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.28 +Version: 2.2.29 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -485,6 +485,28 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Apr 11 2017 Michal Hlavinka - 1:2.2.29-1 +- dovecot updated to 2.2.29 +- fts-tika: Fixed crash when parsing attachment without + Content-Disposition header. Broken by 2.2.28. +- trash plugin was broken in 2.2.28 +- auth: When passdb/userdb lookups were done via auth-workers, too much + data was added to auth cache. This could have resulted in wrong + replies when using multiple passdbs/userdbs. +- auth: passdb { skip & mechanisms } were ignored for the first passdb +- oauth2: Various fixes, including fixes to crashes +- dsync: Large Sieve scripts (or other large metadata) weren't always + synced. +- Index rebuild (e.g. doveadm force-resync) set all mails as \Recent +- imap-hibernate: %{userdb:*} wasn't expanded in mail_log_prefix +- doveadm: Exit codes weren't preserved when proxying commands via + doveadm-server. Almost all errors used exit code 75 (tempfail). +- ACLs weren't applied to not-yet-existing autocreated mailboxes. +- Fixed a potential crash when parsing a broken message header. +- cassandra: Fallback consistency settings weren't working correctly. +- doveadm director status : "Initial config" was always empty +- imapc: Various reconnection fixes. + * Mon Feb 27 2017 Michal Hlavinka - 1:2.2.28-1 - dovecot updated to 2.2.28, pigeonhole to 0.4.17 - auth: Support OAUTHBEARER and XOAUTH2 mechanisms. Also support them diff --git a/sources b/sources index 7d055e1..1d2f10c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.2.28.tar.gz) = 3f40eb52413130dd47da98470d797ede63db3296923c2888b48f1a021e473cfcad064671ad804037d101990457ee57def30f2c27010ede2d758f3d3cfd8ef741 +SHA512 (dovecot-2.2.29.tar.gz) = 75d3160d7ad5c4c753639bc0dc2eab4e91592e865081b94a71354a16a6ce3bb7a94dbb10191b9e4d18159eee95889fd4c07df2362637faa1357a5f5328ff002f SHA512 (dovecot-2.2-pigeonhole-0.4.17.tar.gz) = 3ea6faebf04154649c32612f204e909aa131582c99867865bff3d3a78a75593d96109586eeb6403bc915046b8b6f02e8bacbf6cb6733ea186d2e1a209a7e2b79 From 8be51b99feb36841b7054f4b6474e061f1cc3a68 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 11 Apr 2017 12:55:08 +0200 Subject: [PATCH 009/163] fix regression test --- ...64363a64cdfe9153eb6292d8923f38955d82.patch | 76 +++++++++++++++++++ dovecot.spec | 7 +- 2 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.2.29-3a1c64363a64cdfe9153eb6292d8923f38955d82.patch diff --git a/dovecot-2.2.29-3a1c64363a64cdfe9153eb6292d8923f38955d82.patch b/dovecot-2.2.29-3a1c64363a64cdfe9153eb6292d8923f38955d82.patch new file mode 100644 index 0000000..95d8479 --- /dev/null +++ b/dovecot-2.2.29-3a1c64363a64cdfe9153eb6292d8923f38955d82.patch @@ -0,0 +1,76 @@ +From 3a1c64363a64cdfe9153eb6292d8923f38955d82 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen +Date: Mon, 10 Apr 2017 17:07:28 +0300 +Subject: [PATCH] lib-imap-client: Fix reconnection + +There was already code for reconnection. We just shouldn't have gone very +far in imapc_connection_connect() if we were still waiting for reconnection +delay to pass. +--- + src/lib-imap-client/imapc-connection.c | 25 +++++++++---------------- + 1 file changed, 9 insertions(+), 16 deletions(-) + +diff --git a/src/lib-imap-client/imapc-connection.c b/src/lib-imap-client/imapc-connection.c +index 95067e6..6eaf1ab 100644 +--- a/src/lib-imap-client/imapc-connection.c ++++ b/src/lib-imap-client/imapc-connection.c +@@ -130,6 +130,7 @@ struct imapc_connection { + struct timeout *to_throttle, *to_throttle_shrink; + + unsigned int reconnecting:1; ++ unsigned int reconnect_waiting:1; + unsigned int reconnect_ok:1; + unsigned int idling:1; + unsigned int idle_stopping:1; +@@ -504,6 +505,7 @@ static bool imapc_connection_can_reconnect(struct imapc_connection *conn) + static void imapc_connection_reconnect(struct imapc_connection *conn) + { + conn->reconnect_ok = FALSE; ++ conn->reconnect_waiting = FALSE; + + if (conn->selected_box != NULL) + imapc_client_mailbox_reconnect(conn->selected_box); +@@ -536,6 +538,7 @@ imapc_connection_try_reconnect(struct imapc_connection *conn, + imapc_connection_disconnect_full(conn, TRUE); + conn->to = timeout_add(delay_msecs, imapc_connection_reconnect, conn); + conn->reconnect_count++; ++ conn->reconnect_waiting = TRUE; + } + } + } +@@ -1785,6 +1788,12 @@ void imapc_connection_connect(struct imapc_connection *conn) + + if (conn->fd != -1 || conn->dns_lookup != NULL) + return; ++ if (conn->reconnect_waiting) { ++ /* wait for the reconnection delay to finish before ++ doing anything. */ ++ return; ++ } ++ + conn->reconnecting = FALSE; + /* if we get disconnected before we've finished all the pending + commands, don't reconnect */ +@@ -1792,22 +1801,6 @@ void imapc_connection_connect(struct imapc_connection *conn) + array_count(&conn->cmd_send_queue); + + imapc_connection_input_reset(conn); +- +- int msecs_since_last_connect = +- timeval_diff_msecs(&ioloop_timeval, &conn->last_connect); +- if (!conn->reconnect_ok && +- msecs_since_last_connect < (int)conn->client->set.connect_retry_interval_msecs) { +- if (conn->to != NULL) +- timeout_remove(&conn->to); +- conn->reconnecting = TRUE; +- imapc_connection_set_disconnected(conn); +- /* don't wait longer than necessary */ +- unsigned int delay_msecs = +- conn->client->set.connect_retry_interval_msecs - +- msecs_since_last_connect; +- conn->to = timeout_add(delay_msecs, imapc_connection_reconnect, conn); +- return; +- } + conn->last_connect = ioloop_timeval; + + if (conn->client->set.debug) { diff --git a/dovecot.spec b/dovecot.spec index 3504acc..e43f508 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -33,6 +33,7 @@ Patch7: dovecot-2.2.13-online.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch +Patch10: dovecot-2.2.29-3a1c64363a64cdfe9153eb6292d8923f38955d82.patch Source15: prestartscript @@ -129,6 +130,7 @@ This package provides the development files for dovecot. %patch7 -p1 -b .online %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem +%patch10 -p1 -b .3a1c64363a64cdfe9153eb6292d8923f38955d82 #pushd dovecot-2*2-pigeonhole-%{pigeonholever} #popd @@ -406,9 +408,10 @@ make check %{_libdir}/dovecot/doveadm %exclude %{_libdir}/dovecot/doveadm/*sieve* %{_libdir}/dovecot/*.so.* -#these (*.so files) are plugins, not a devel files +#these (*.so files) are plugins, not devel files %{_libdir}/dovecot/*_plugin.so %exclude %{_libdir}/dovecot/*_sieve_plugin.so +%{_libdir}/dovecot/auth/lib20_auth_var_expand_crypt.so %{_libdir}/dovecot/auth/libauthdb_imap.so %{_libdir}/dovecot/auth/libauthdb_ldap.so %{_libdir}/dovecot/auth/libmech_gssapi.so @@ -423,6 +426,8 @@ make check %{_libdir}/dovecot/libfs_crypt.so %{_libdir}/dovecot/libfs_mail_crypt.so %{_libdir}/dovecot/libdcrypt_openssl.so +%{_libdir}/dovecot/lib20_var_expand_crypt.so + %dir %{_libdir}/dovecot/settings %{_libexecdir}/%{name} From 47787255f7bf032a6a31ad3cf1ac5ec114def859 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 12 Apr 2017 15:15:59 +0200 Subject: [PATCH 010/163] dovecot updated to 2.2.29.1 dict-sql: Merging multiple UPDATEs to a single statement wasn't actually working. pigeonhole updated to 0.4.18 imapsieve plugin: Implemented the copy_source_after rule action. When this is enabled for a mailbox rule, the specified Sieve script is executed for the message in the source mailbox during a "COPY" event. This happens only after the Sieve script that is executed for the corresponding message in the destination mailbox finishes running successfully. imapsieve plugin: Added non-standard Sieve environment items for the source and destination mailbox. multiscript: The execution of the discard script had an implicit "keep", rather than an implicit "discard". --- .gitignore | 2 + ...64363a64cdfe9153eb6292d8923f38955d82.patch | 76 ------------------- dovecot.spec | 21 ++++- sources | 4 +- 4 files changed, 21 insertions(+), 82 deletions(-) delete mode 100644 dovecot-2.2.29-3a1c64363a64cdfe9153eb6292d8923f38955d82.patch diff --git a/.gitignore b/.gitignore index de4355f..0eda740 100644 --- a/.gitignore +++ b/.gitignore @@ -109,3 +109,5 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2.28.tar.gz /dovecot-2.2-pigeonhole-0.4.17.tar.gz /dovecot-2.2.29.tar.gz +/dovecot-2.2.29.1.tar.gz +/dovecot-2.2-pigeonhole-0.4.18.tar.gz diff --git a/dovecot-2.2.29-3a1c64363a64cdfe9153eb6292d8923f38955d82.patch b/dovecot-2.2.29-3a1c64363a64cdfe9153eb6292d8923f38955d82.patch deleted file mode 100644 index 95d8479..0000000 --- a/dovecot-2.2.29-3a1c64363a64cdfe9153eb6292d8923f38955d82.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 3a1c64363a64cdfe9153eb6292d8923f38955d82 Mon Sep 17 00:00:00 2001 -From: Timo Sirainen -Date: Mon, 10 Apr 2017 17:07:28 +0300 -Subject: [PATCH] lib-imap-client: Fix reconnection - -There was already code for reconnection. We just shouldn't have gone very -far in imapc_connection_connect() if we were still waiting for reconnection -delay to pass. ---- - src/lib-imap-client/imapc-connection.c | 25 +++++++++---------------- - 1 file changed, 9 insertions(+), 16 deletions(-) - -diff --git a/src/lib-imap-client/imapc-connection.c b/src/lib-imap-client/imapc-connection.c -index 95067e6..6eaf1ab 100644 ---- a/src/lib-imap-client/imapc-connection.c -+++ b/src/lib-imap-client/imapc-connection.c -@@ -130,6 +130,7 @@ struct imapc_connection { - struct timeout *to_throttle, *to_throttle_shrink; - - unsigned int reconnecting:1; -+ unsigned int reconnect_waiting:1; - unsigned int reconnect_ok:1; - unsigned int idling:1; - unsigned int idle_stopping:1; -@@ -504,6 +505,7 @@ static bool imapc_connection_can_reconnect(struct imapc_connection *conn) - static void imapc_connection_reconnect(struct imapc_connection *conn) - { - conn->reconnect_ok = FALSE; -+ conn->reconnect_waiting = FALSE; - - if (conn->selected_box != NULL) - imapc_client_mailbox_reconnect(conn->selected_box); -@@ -536,6 +538,7 @@ imapc_connection_try_reconnect(struct imapc_connection *conn, - imapc_connection_disconnect_full(conn, TRUE); - conn->to = timeout_add(delay_msecs, imapc_connection_reconnect, conn); - conn->reconnect_count++; -+ conn->reconnect_waiting = TRUE; - } - } - } -@@ -1785,6 +1788,12 @@ void imapc_connection_connect(struct imapc_connection *conn) - - if (conn->fd != -1 || conn->dns_lookup != NULL) - return; -+ if (conn->reconnect_waiting) { -+ /* wait for the reconnection delay to finish before -+ doing anything. */ -+ return; -+ } -+ - conn->reconnecting = FALSE; - /* if we get disconnected before we've finished all the pending - commands, don't reconnect */ -@@ -1792,22 +1801,6 @@ void imapc_connection_connect(struct imapc_connection *conn) - array_count(&conn->cmd_send_queue); - - imapc_connection_input_reset(conn); -- -- int msecs_since_last_connect = -- timeval_diff_msecs(&ioloop_timeval, &conn->last_connect); -- if (!conn->reconnect_ok && -- msecs_since_last_connect < (int)conn->client->set.connect_retry_interval_msecs) { -- if (conn->to != NULL) -- timeout_remove(&conn->to); -- conn->reconnecting = TRUE; -- imapc_connection_set_disconnected(conn); -- /* don't wait longer than necessary */ -- unsigned int delay_msecs = -- conn->client->set.connect_retry_interval_msecs - -- msecs_since_last_connect; -- conn->to = timeout_add(delay_msecs, imapc_connection_reconnect, conn); -- return; -- } - conn->last_connect = ioloop_timeval; - - if (conn->client->set.debug) { diff --git a/dovecot.spec b/dovecot.spec index e43f508..2e59517 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.29 +Version: 2.2.29.1 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.4.17 +%global pigeonholever 0.4.18 Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -33,7 +33,6 @@ Patch7: dovecot-2.2.13-online.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch -Patch10: dovecot-2.2.29-3a1c64363a64cdfe9153eb6292d8923f38955d82.patch Source15: prestartscript @@ -130,7 +129,6 @@ This package provides the development files for dovecot. %patch7 -p1 -b .online %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem -%patch10 -p1 -b .3a1c64363a64cdfe9153eb6292d8923f38955d82 #pushd dovecot-2*2-pigeonhole-%{pigeonholever} #popd @@ -490,6 +488,21 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Apr 12 2017 Michal Hlavinka - 1:2.2.29.1-1 +- dovecot updated to 2.2.29.1 +- dict-sql: Merging multiple UPDATEs to a single statement wasn't + actually working. +- pigeonhole updated to 0.4.18 +- imapsieve plugin: Implemented the copy_source_after rule action. When this + is enabled for a mailbox rule, the specified Sieve script is executed for + the message in the source mailbox during a "COPY" event. This happens only + after the Sieve script that is executed for the corresponding message in the + destination mailbox finishes running successfully. +- imapsieve plugin: Added non-standard Sieve environment items for the source + and destination mailbox. +- multiscript: The execution of the discard script had an implicit "keep", + rather than an implicit "discard". + * Tue Apr 11 2017 Michal Hlavinka - 1:2.2.29-1 - dovecot updated to 2.2.29 - fts-tika: Fixed crash when parsing attachment without diff --git a/sources b/sources index 1d2f10c..6c73cb0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.2.29.tar.gz) = 75d3160d7ad5c4c753639bc0dc2eab4e91592e865081b94a71354a16a6ce3bb7a94dbb10191b9e4d18159eee95889fd4c07df2362637faa1357a5f5328ff002f -SHA512 (dovecot-2.2-pigeonhole-0.4.17.tar.gz) = 3ea6faebf04154649c32612f204e909aa131582c99867865bff3d3a78a75593d96109586eeb6403bc915046b8b6f02e8bacbf6cb6733ea186d2e1a209a7e2b79 +SHA512 (dovecot-2.2.29.1.tar.gz) = 1e5ea6080ebe7dd4afe6fcfe8e98ed6d2ad2735655a18cc96e439dd044ccc3a1a6a80428bc746b4d6250820895d6a62121562e97e4b46c8b1cf88a19443bc111 +SHA512 (dovecot-2.2-pigeonhole-0.4.18.tar.gz) = 6f49a6a6435b0e4dcbe29f852ce17c016df2f367f5460301a2a2c6bd5f5ba6260b23bfe1c5e78b91c6041554ee67d1ce14ad3adf219505f692c61681d9e70cc4 From b6c95e87edd778447de22f99342a915fae0c6fc3 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 1 Jun 2017 16:25:11 +0200 Subject: [PATCH 011/163] dovecot updated to 2.2.30.1 More fixes to automatically fix corruption in dovecot.list.index dsync-server: Fix support for dsync_features=empty-header-workaround imapc: Various bugfixes, including infinite loops on some errors IMAP NOTIFY wasn't working for non-INBOX if IMAP client hadn't enabled modseq tracking via CONDSTORE/QRESYNC. fts-lucene: Fix it to work again with mbox format Some internal error messages may have contained garbage in v2.2.29 mail-crypt: Re-encrypt when copying/moving mails and per-mailbox keys are used. Otherwise the copied mails can't be opened. --- .gitignore | 1 + dovecot.spec | 14 +++++++++++++- sources | 2 +- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 0eda740..196dd4d 100644 --- a/.gitignore +++ b/.gitignore @@ -111,3 +111,4 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2.29.tar.gz /dovecot-2.2.29.1.tar.gz /dovecot-2.2-pigeonhole-0.4.18.tar.gz +/dovecot-2.2.30.1.tar.gz diff --git a/dovecot.spec b/dovecot.spec index 2e59517..604141f 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.29.1 +Version: 2.2.30.1 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -488,6 +488,18 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Jun 01 2017 Michal Hlavinka - 1:2.2.30.1-1 +- dovecot updated to 2.2.30.1 +- More fixes to automatically fix corruption in dovecot.list.index +- dsync-server: Fix support for dsync_features=empty-header-workaround +- imapc: Various bugfixes, including infinite loops on some errors +- IMAP NOTIFY wasn't working for non-INBOX if IMAP client hadn't + enabled modseq tracking via CONDSTORE/QRESYNC. +- fts-lucene: Fix it to work again with mbox format +- Some internal error messages may have contained garbage in v2.2.29 +- mail-crypt: Re-encrypt when copying/moving mails and per-mailbox keys + are used. Otherwise the copied mails can't be opened. + * Wed Apr 12 2017 Michal Hlavinka - 1:2.2.29.1-1 - dovecot updated to 2.2.29.1 - dict-sql: Merging multiple UPDATEs to a single statement wasn't diff --git a/sources b/sources index 6c73cb0..6f5c43b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.2.29.1.tar.gz) = 1e5ea6080ebe7dd4afe6fcfe8e98ed6d2ad2735655a18cc96e439dd044ccc3a1a6a80428bc746b4d6250820895d6a62121562e97e4b46c8b1cf88a19443bc111 +SHA512 (dovecot-2.2.30.1.tar.gz) = f95e85093e1f671b1e9d067974880eaaf8ab021df1f6d298977c40146a1db2a2b71b4029842785ffaae1aeedec83b2218ff03112537045e08dfc7c845f9e27c3 SHA512 (dovecot-2.2-pigeonhole-0.4.18.tar.gz) = 6f49a6a6435b0e4dcbe29f852ce17c016df2f367f5460301a2a2c6bd5f5ba6260b23bfe1c5e78b91c6041554ee67d1ce14ad3adf219505f692c61681d9e70cc4 From e20207d3732feca2261cedca626daf98e3e992bf Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 8 Jun 2017 15:25:06 +0200 Subject: [PATCH 012/163] dovecot updated to 2.2.30.2 auth: Multiple failed authentications within short time caused crashes push-notification: OX driver crashed at deinit --- .gitignore | 1 + dovecot.spec | 7 ++++++- sources | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 196dd4d..b9003e2 100644 --- a/.gitignore +++ b/.gitignore @@ -112,3 +112,4 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2.29.1.tar.gz /dovecot-2.2-pigeonhole-0.4.18.tar.gz /dovecot-2.2.30.1.tar.gz +/dovecot-2.2.30.2.tar.gz diff --git a/dovecot.spec b/dovecot.spec index 604141f..6b47072 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.30.1 +Version: 2.2.30.2 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -488,6 +488,11 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Jun 07 2017 Michal Hlavinka - 1:2.2.30.2-1 +- dovecot updated to 2.2.30.2 +- auth: Multiple failed authentications within short time caused crashes +- push-notification: OX driver crashed at deinit + * Thu Jun 01 2017 Michal Hlavinka - 1:2.2.30.1-1 - dovecot updated to 2.2.30.1 - More fixes to automatically fix corruption in dovecot.list.index diff --git a/sources b/sources index 6f5c43b..20dba4a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.2.30.1.tar.gz) = f95e85093e1f671b1e9d067974880eaaf8ab021df1f6d298977c40146a1db2a2b71b4029842785ffaae1aeedec83b2218ff03112537045e08dfc7c845f9e27c3 +SHA512 (dovecot-2.2.30.2.tar.gz) = 740118e3081864234168593bd83f2f5e7b9f5c7cefff3a3a7795369cf791f300c0881fbfacae2c76c0bb42e366ad26e7613c487708d113b19887ebe869d711ea SHA512 (dovecot-2.2-pigeonhole-0.4.18.tar.gz) = 6f49a6a6435b0e4dcbe29f852ce17c016df2f367f5460301a2a2c6bd5f5ba6260b23bfe1c5e78b91c6041554ee67d1ce14ad3adf219505f692c61681d9e70cc4 From 7d2c75b7dc4d63f121595a8155874382a7d21031 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 27 Jun 2017 10:38:30 +0200 Subject: [PATCH 013/163] dovecot updated to 2.2.31 Various fixes to handling mailbox listing. Especially related to handling nonexistent autocreated/autosubscribed mailboxes and ACLs. Global ACL file was parsed as if it was local ACL file. This caused some of the ACL rule interactions to not work exactly as intended. Using mail_sort_max_read_count may have caused very high CPU usage. Message address parsing could have crashed on invalid input. imapc_features=fetch-headers wasn't always working correctly and caused the full header to be fetched. imapc: Various bugfixes related to connection failure handling. quota=count: quota_warning = -storage=.. was never executed quota=count: Add support for "ns" parameter dsync: Fix incremental syncing for mails that don't have Date or Message-ID headers. imap: Fix hang when client sends pipelined SEARCH + EXPUNGE/CLOSE/LOGOUT. oauth2: Token validation didn't accept empty server responses. imap: NOTIFY command has been almost completely broken since the beginning. pigeonhole updated to 0.4.19 Fixed bug in handling of implicit keep in some cases. include extension: Fixed segfault that (sometimes) occurred when the global script location was left unconfigured. --- .gitignore | 2 ++ dovecot.spec | 29 +++++++++++++++++++++++++++-- sources | 4 ++-- 3 files changed, 31 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index b9003e2..e659068 100644 --- a/.gitignore +++ b/.gitignore @@ -113,3 +113,5 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2-pigeonhole-0.4.18.tar.gz /dovecot-2.2.30.1.tar.gz /dovecot-2.2.30.2.tar.gz +/dovecot-2.2.31.tar.gz +/dovecot-2.2-pigeonhole-0.4.19.tar.gz diff --git a/dovecot.spec b/dovecot.spec index 6b47072..39f26d3 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.30.2 +Version: 2.2.31 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.4.18 +%global pigeonholever 0.4.19 Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -488,6 +488,31 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Jun 27 2017 Michal Hlavinka - 1:2.2.31-1 +- dovecot updated to 2.2.31 +- Various fixes to handling mailbox listing. Especially related to + handling nonexistent autocreated/autosubscribed mailboxes and ACLs. +- Global ACL file was parsed as if it was local ACL file. This caused + some of the ACL rule interactions to not work exactly as intended. +- Using mail_sort_max_read_count may have caused very high CPU usage. +- Message address parsing could have crashed on invalid input. +- imapc_features=fetch-headers wasn't always working correctly and + caused the full header to be fetched. +- imapc: Various bugfixes related to connection failure handling. +- quota=count: quota_warning = -storage=.. was never executed +- quota=count: Add support for "ns" parameter +- dsync: Fix incremental syncing for mails that don't have Date or + Message-ID headers. +- imap: Fix hang when client sends pipelined SEARCH + + EXPUNGE/CLOSE/LOGOUT. +- oauth2: Token validation didn't accept empty server responses. +- imap: NOTIFY command has been almost completely broken since the + beginning. +- pigeonhole updated to 0.4.19 +- Fixed bug in handling of implicit keep in some cases. +- include extension: Fixed segfault that (sometimes) occurred when the + global script location was left unconfigured. + * Wed Jun 07 2017 Michal Hlavinka - 1:2.2.30.2-1 - dovecot updated to 2.2.30.2 - auth: Multiple failed authentications within short time caused crashes diff --git a/sources b/sources index 20dba4a..ebcda8b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.2.30.2.tar.gz) = 740118e3081864234168593bd83f2f5e7b9f5c7cefff3a3a7795369cf791f300c0881fbfacae2c76c0bb42e366ad26e7613c487708d113b19887ebe869d711ea -SHA512 (dovecot-2.2-pigeonhole-0.4.18.tar.gz) = 6f49a6a6435b0e4dcbe29f852ce17c016df2f367f5460301a2a2c6bd5f5ba6260b23bfe1c5e78b91c6041554ee67d1ce14ad3adf219505f692c61681d9e70cc4 +SHA512 (dovecot-2.2.31.tar.gz) = 071797e260a75de9117b03c0fa9d903de82b1f1c039c2aece2d7313587e6673c49174bfce17b80fe3f3725fcbc42ed3a1bd1f1c22efef5bc016752277eff3266 +SHA512 (dovecot-2.2-pigeonhole-0.4.19.tar.gz) = c1211a3c65b25995770309c427ec5cd888ddb962f2f64884640163b492a11ffa8937aac1eb66d25e48f0e00131da1cc98c1cb307781576780de47b8816333ff1 From 4d309a7ae22aa7b253b71d233ecc4634cfd4ea96 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 4 Jul 2017 09:22:38 +0200 Subject: [PATCH 014/163] revert commit breaking NOTIFY support --- dovecot-2.2.31-notifyrevert.patch | 28 ++++++++++++++++++++++++++++ dovecot.spec | 7 ++++++- 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.2.31-notifyrevert.patch diff --git a/dovecot-2.2.31-notifyrevert.patch b/dovecot-2.2.31-notifyrevert.patch new file mode 100644 index 0000000..a0fa251 --- /dev/null +++ b/dovecot-2.2.31-notifyrevert.patch @@ -0,0 +1,28 @@ +From 64d2efdc4b0bdf92249840e9db89b91c8dc0f3a3 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen +Date: Sat, 17 Jun 2017 14:38:22 +0300 +Subject: [PATCH] imap: Fix NOTIFY to parse more than just the first + event-group + +--- + src/imap/cmd-notify.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/imap/cmd-notify.c b/src/imap/cmd-notify.c +index 4c6aad975..94cf103b8 100644 +--- a/src/imap/cmd-notify.c ++++ b/src/imap/cmd-notify.c +@@ -292,10 +292,10 @@ cmd_notify_set(struct imap_notify_context *ctx, const struct imap_arg *args) + ctx->send_immediate_status = TRUE; + args++; + } ++ for (; args->type != IMAP_ARG_EOL; args++) { ++ if (!imap_arg_get_list(args, &event_group)) ++ return -1; + +- if (!imap_arg_get_list(args, &event_group)) +- return -1; +- for (; event_group->type != IMAP_ARG_EOL; event_group++) { + /* filter-mailboxes */ + if (!imap_arg_get_atom(event_group, &filter_mailboxes)) + return -1; diff --git a/dovecot.spec b/dovecot.spec index 39f26d3..6112285 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.2.31 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -33,6 +33,7 @@ Patch7: dovecot-2.2.13-online.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch +Patch10: dovecot-2.2.31-notifyrevert.patch Source15: prestartscript @@ -129,6 +130,7 @@ This package provides the development files for dovecot. %patch7 -p1 -b .online %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem +%patch10 -p1 -b .notifyrevert #pushd dovecot-2*2-pigeonhole-%{pigeonholever} #popd @@ -488,6 +490,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Jul 04 2017 Michal Hlavinka - 1:2.2.31-2 +- revert commit breaking NOTIFY support + * Tue Jun 27 2017 Michal Hlavinka - 1:2.2.31-1 - dovecot updated to 2.2.31 - Various fixes to handling mailbox listing. Especially related to From bcee2255b995a1849174d87483db3cce021ec50a Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 11 Jul 2017 15:20:28 +0200 Subject: [PATCH 015/163] enable tcpwrap support (#1450587) --- dovecot.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 6112285..774e8e9 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.2.31 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -46,6 +46,7 @@ BuildRequires: openldap-devel BuildRequires: krb5-devel BuildRequires: quota-devel BuildRequires: xz-devel +BuildRequires: tcp_wrappers-devel # gettext-devel is needed for running autoconf because of the # presence of AM_ICONV @@ -162,6 +163,7 @@ autoreconf -I . -fiv #required for aarch64 support --with-sqlite \ --with-zlib \ --with-libcap \ + --with-libwrap \ %if %{?fedora}0 > 150 || %{?rhel}0 >60 --with-lucene \ %endif @@ -490,6 +492,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Jul 11 2017 Michal Hlavinka - 1:2.2.31-3 +- enable tcpwrap support (#1450587) + * Tue Jul 04 2017 Michal Hlavinka - 1:2.2.31-2 - revert commit breaking NOTIFY support From ade4ef471ee67c8c81ee0bf5bf6785acc7c31d1a Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 26 Jul 2017 06:30:36 +0000 Subject: [PATCH 016/163] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 774e8e9..bcfdef0 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.2.31 %global prever %{nil} -Release: 3%{?dist} +Release: 4%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -492,6 +492,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Jul 26 2017 Fedora Release Engineering - 1:2.2.31-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + * Tue Jul 11 2017 Michal Hlavinka - 1:2.2.31-3 - enable tcpwrap support (#1450587) From 45577f12825bc8b4452324ec6443306df578ba81 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 2 Aug 2017 19:44:38 +0000 Subject: [PATCH 017/163] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index bcfdef0..51cc853 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.2.31 %global prever %{nil} -Release: 4%{?dist} +Release: 5%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -492,6 +492,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Aug 02 2017 Fedora Release Engineering - 1:2.2.31-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + * Wed Jul 26 2017 Fedora Release Engineering - 1:2.2.31-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild From 2d992c6f39ee058c55905a7ae3989bda08c490c1 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Fri, 25 Aug 2017 09:50:33 +0200 Subject: [PATCH 018/163] dovecot updated to 2.2.32 Modseq tracking didn't always work correctly. This could have caused imap unhibernation to fail or IMAP QRESYNC/CONDSTORE extensions to not work perfectly. mdbox: "Inconsistency in map index" wasn't fixed automatically dict-ldap: %variable values used in the LDAP filter weren't escaped. quota=count: quota_warning = -storage=.. was never executed (try #2). imapc: >= 32 kB mail bodies were supposed to be cached for subsequent FETCHes, but weren't. quota-status service didn't support recipient_delimiter acl: Don't access dovecot-acl-list files with acl_globals_only=yes mail_location: If INDEX dir is set, mailbox deletion deletes its childrens' indexes. director: v2.2.31 caused rapid reconnection loops to directors that were down. --- .gitignore | 1 + dovecot-2.2.31-notifyrevert.patch | 28 ---------------------------- dovecot.spec | 23 +++++++++++++++++++---- sources | 2 +- 4 files changed, 21 insertions(+), 33 deletions(-) delete mode 100644 dovecot-2.2.31-notifyrevert.patch diff --git a/.gitignore b/.gitignore index e659068..c9f1ee9 100644 --- a/.gitignore +++ b/.gitignore @@ -115,3 +115,4 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2.30.2.tar.gz /dovecot-2.2.31.tar.gz /dovecot-2.2-pigeonhole-0.4.19.tar.gz +/dovecot-2.2.32.tar.gz diff --git a/dovecot-2.2.31-notifyrevert.patch b/dovecot-2.2.31-notifyrevert.patch deleted file mode 100644 index a0fa251..0000000 --- a/dovecot-2.2.31-notifyrevert.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 64d2efdc4b0bdf92249840e9db89b91c8dc0f3a3 Mon Sep 17 00:00:00 2001 -From: Timo Sirainen -Date: Sat, 17 Jun 2017 14:38:22 +0300 -Subject: [PATCH] imap: Fix NOTIFY to parse more than just the first - event-group - ---- - src/imap/cmd-notify.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/imap/cmd-notify.c b/src/imap/cmd-notify.c -index 4c6aad975..94cf103b8 100644 ---- a/src/imap/cmd-notify.c -+++ b/src/imap/cmd-notify.c -@@ -292,10 +292,10 @@ cmd_notify_set(struct imap_notify_context *ctx, const struct imap_arg *args) - ctx->send_immediate_status = TRUE; - args++; - } -+ for (; args->type != IMAP_ARG_EOL; args++) { -+ if (!imap_arg_get_list(args, &event_group)) -+ return -1; - -- if (!imap_arg_get_list(args, &event_group)) -- return -1; -- for (; event_group->type != IMAP_ARG_EOL; event_group++) { - /* filter-mailboxes */ - if (!imap_arg_get_atom(event_group, &filter_mailboxes)) - return -1; diff --git a/dovecot.spec b/dovecot.spec index 51cc853..dd85a9d 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.31 +Version: 2.2.32 %global prever %{nil} -Release: 5%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -33,7 +33,6 @@ Patch7: dovecot-2.2.13-online.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch -Patch10: dovecot-2.2.31-notifyrevert.patch Source15: prestartscript @@ -131,7 +130,6 @@ This package provides the development files for dovecot. %patch7 -p1 -b .online %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem -%patch10 -p1 -b .notifyrevert #pushd dovecot-2*2-pigeonhole-%{pigeonholever} #popd @@ -492,6 +490,23 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Fri Aug 25 2017 Michal Hlavinka - 1:2.2.32-1 +- dovecot updated to 2.2.32 +- Modseq tracking didn't always work correctly. This could have caused + imap unhibernation to fail or IMAP QRESYNC/CONDSTORE extensions to + not work perfectly. +- mdbox: "Inconsistency in map index" wasn't fixed automatically +- dict-ldap: %variable values used in the LDAP filter weren't escaped. +- quota=count: quota_warning = -storage=.. was never executed (try #2). +- imapc: >= 32 kB mail bodies were supposed to be cached for subsequent + FETCHes, but weren't. +- quota-status service didn't support recipient_delimiter +- acl: Don't access dovecot-acl-list files with acl_globals_only=yes +- mail_location: If INDEX dir is set, mailbox deletion deletes its + childrens' indexes. +- director: v2.2.31 caused rapid reconnection loops to directors + that were down. + * Wed Aug 02 2017 Fedora Release Engineering - 1:2.2.31-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild diff --git a/sources b/sources index ebcda8b..714e103 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.2.31.tar.gz) = 071797e260a75de9117b03c0fa9d903de82b1f1c039c2aece2d7313587e6673c49174bfce17b80fe3f3725fcbc42ed3a1bd1f1c22efef5bc016752277eff3266 +SHA512 (dovecot-2.2.32.tar.gz) = a26ce763fdea7d72ff9801d3b7d57a1f0d00278e4a1aa60d1be070fe5a6d2c6a15f266a519119492bee7a3e7a6b7d0732e9879e5c5841adbab8c0952cd1b7c7c SHA512 (dovecot-2.2-pigeonhole-0.4.19.tar.gz) = c1211a3c65b25995770309c427ec5cd888ddb962f2f64884640163b492a11ffa8937aac1eb66d25e48f0e00131da1cc98c1cb307781576780de47b8816333ff1 From e0034abe1a1ed95351bf708ddaa2e20ea3e61e37 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 28 Aug 2017 14:26:57 +0200 Subject: [PATCH 019/163] pigeonhole updated to 0.4.20 Made the retention period for redirect duplicate identifiers configurable. Changed the default retention period from 24 to 12 hours. sieve-filter: Fixed memory leak: forgot to clean up script binary at end of execution managesieve-login: Fixed handling of AUTHENTICATE command. A second authenticate command would be parsed wrong. --- .gitignore | 1 + dovecot.spec | 13 +++++++++++-- sources | 2 +- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index c9f1ee9..fcc1ff0 100644 --- a/.gitignore +++ b/.gitignore @@ -116,3 +116,4 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2.31.tar.gz /dovecot-2.2-pigeonhole-0.4.19.tar.gz /dovecot-2.2.32.tar.gz +/dovecot-2.2-pigeonhole-0.4.20.tar.gz diff --git a/dovecot.spec b/dovecot.spec index dd85a9d..a0e0e31 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.2.32 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.4.19 +%global pigeonholever 0.4.20 Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -490,6 +490,15 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Aug 28 2017 Michal Hlavinka - 1:2.2.32-2 +- pigeonhole updated to 0.4.20 +- Made the retention period for redirect duplicate identifiers + configurable. Changed the default retention period from 24 to 12 hours. +- sieve-filter: Fixed memory leak: forgot to clean up script binary at + end of execution +- managesieve-login: Fixed handling of AUTHENTICATE command. A second + authenticate command would be parsed wrong. + * Fri Aug 25 2017 Michal Hlavinka - 1:2.2.32-1 - dovecot updated to 2.2.32 - Modseq tracking didn't always work correctly. This could have caused diff --git a/sources b/sources index 714e103..3825a8c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (dovecot-2.2.32.tar.gz) = a26ce763fdea7d72ff9801d3b7d57a1f0d00278e4a1aa60d1be070fe5a6d2c6a15f266a519119492bee7a3e7a6b7d0732e9879e5c5841adbab8c0952cd1b7c7c -SHA512 (dovecot-2.2-pigeonhole-0.4.19.tar.gz) = c1211a3c65b25995770309c427ec5cd888ddb962f2f64884640163b492a11ffa8937aac1eb66d25e48f0e00131da1cc98c1cb307781576780de47b8816333ff1 +SHA512 (dovecot-2.2-pigeonhole-0.4.20.tar.gz) = 84a28842be206e05cb96c07cf1c1b62c9c378ba4c952caa47cf79a44b9428e076f4182eadd9c4fb8f45d3605b881f91e8e520c41705017ac4039240d4bcace39 From 184d8e3feb5288073ce89a316f56f49b154d9291 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 18 Oct 2017 14:41:24 +0200 Subject: [PATCH 020/163] dovecot updated to 2.2.33.1, pigeonhole updated to Added %{if}, see https://wiki2.dovecot.org/Variables#Conditionals sdbox: Mails were always opened when expunging, unless mail_attachment_fs was explicitly set to empty. lmtp/doveadm proxy: hostip passdb field was ignored, which caused unnecessary DNS lookups if host field wasn't an IP lmtp proxy: Fix crash when receiving unexpected reply in RCPT TO quota_clone: Update also when quota is unlimited (broken in v2.2.31) mbox, zlib: Fix assert-crash when accessing compressed mbox doveadm director kick -f parameter didn't work doveadm director flush resulted flushing all hosts, if wasn't an IP address. director: Various fixes to handling backend/director changes at abnormal times, especially while ring was unsynced. director: Use less CPU in imap-login processes when moving/kicking many users. lmtp: Session IDs were duplicated/confusing with multiple RCPT TOs when lmtp_rcpt_check_quota=yes LDA Sieve plugin: Fixed sequential execution of LDAP-based scripts. A missing LDAP-based script could cause the script sequence to exit earlier. sieve-filter: Removed the (now) duplicate utf8 to mutf7 mailbox name conversion. This caused problems with mailbox names containing UTF-8 characters. --- .gitignore | 2 ++ dovecot.spec | 31 ++++++++++++++++++++++++++++--- sources | 4 ++-- 3 files changed, 32 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index fcc1ff0..dc37e27 100644 --- a/.gitignore +++ b/.gitignore @@ -117,3 +117,5 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2-pigeonhole-0.4.19.tar.gz /dovecot-2.2.32.tar.gz /dovecot-2.2-pigeonhole-0.4.20.tar.gz +/dovecot-2.2.33.1.tar.gz +/dovecot-2.2-pigeonhole-0.4.21.tar.gz diff --git a/dovecot.spec b/dovecot.spec index a0e0e31..90a60f1 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.32 +Version: 2.2.33.1 %global prever %{nil} -Release: 2%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.4.20 +%global pigeonholever 0.4.21 Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -490,6 +490,31 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Oct 18 2017 Michal Hlavinka - 1:2.2.33.1-1 +- dovecot updated to 2.2.33.1, pigeonhole updated to +- Added %{if}, see https://wiki2.dovecot.org/Variables#Conditionals +- sdbox: Mails were always opened when expunging, unless + mail_attachment_fs was explicitly set to empty. +- lmtp/doveadm proxy: hostip passdb field was ignored, which caused + unnecessary DNS lookups if host field wasn't an IP +- lmtp proxy: Fix crash when receiving unexpected reply in RCPT TO +- quota_clone: Update also when quota is unlimited (broken in v2.2.31) +- mbox, zlib: Fix assert-crash when accessing compressed mbox +- doveadm director kick -f parameter didn't work +- doveadm director flush resulted flushing all hosts, if + wasn't an IP address. +- director: Various fixes to handling backend/director changes at + abnormal times, especially while ring was unsynced. +- director: Use less CPU in imap-login processes when moving/kicking + many users. +- lmtp: Session IDs were duplicated/confusing with multiple RCPT TOs + when lmtp_rcpt_check_quota=yes +- LDA Sieve plugin: Fixed sequential execution of LDAP-based scripts. A + missing LDAP-based script could cause the script sequence to exit earlier. +- sieve-filter: Removed the (now) duplicate utf8 to mutf7 mailbox name + conversion. This caused problems with mailbox names containing UTF-8 + characters. + * Mon Aug 28 2017 Michal Hlavinka - 1:2.2.32-2 - pigeonhole updated to 0.4.20 - Made the retention period for redirect duplicate identifiers diff --git a/sources b/sources index 3825a8c..f18be0c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.2.32.tar.gz) = a26ce763fdea7d72ff9801d3b7d57a1f0d00278e4a1aa60d1be070fe5a6d2c6a15f266a519119492bee7a3e7a6b7d0732e9879e5c5841adbab8c0952cd1b7c7c -SHA512 (dovecot-2.2-pigeonhole-0.4.20.tar.gz) = 84a28842be206e05cb96c07cf1c1b62c9c378ba4c952caa47cf79a44b9428e076f4182eadd9c4fb8f45d3605b881f91e8e520c41705017ac4039240d4bcace39 +SHA512 (dovecot-2.2.33.1.tar.gz) = 46760a1d52f8d64c36bd4f589f7f240a13d66500c93e47ce479551647e8e4ef7322fc0c325c418c3e0495910292abae105ca5680cd4b0fcd78746723f1549b71 +SHA512 (dovecot-2.2-pigeonhole-0.4.21.tar.gz) = 4751f449ede1b05173c706b414ebf9f7f670ff78589ce6f0b687c32c9abe6dae8b3064ed1b20e893d9ec0147b0139ce479e1d74ebe94747c33f2d8ca177912de From a061dc525c1220b6a340e23c62852e9d47429a11 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 24 Oct 2017 10:51:09 +0200 Subject: [PATCH 021/163] dovecot updated to 2.2.33.2 doveadm: Fix crash in proxying (or dsync replication) if remote is running older than v2.2.33 auth: Fix memory leak in %{ldap_dn} dict-sql: Fix data types to work correctly with Cassandra --- .gitignore | 1 + dovecot.spec | 9 ++++++++- sources | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index dc37e27..2472335 100644 --- a/.gitignore +++ b/.gitignore @@ -119,3 +119,4 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2-pigeonhole-0.4.20.tar.gz /dovecot-2.2.33.1.tar.gz /dovecot-2.2-pigeonhole-0.4.21.tar.gz +/dovecot-2.2.33.2.tar.gz diff --git a/dovecot.spec b/dovecot.spec index 90a60f1..6f11de1 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.33.1 +Version: 2.2.33.2 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -490,6 +490,13 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Oct 24 2017 Michal Hlavinka - 1:2.2.33.2-1 +- dovecot updated to 2.2.33.2 +- doveadm: Fix crash in proxying (or dsync replication) if remote is + running older than v2.2.33 +- auth: Fix memory leak in %%{ldap_dn} +- dict-sql: Fix data types to work correctly with Cassandra + * Wed Oct 18 2017 Michal Hlavinka - 1:2.2.33.1-1 - dovecot updated to 2.2.33.1, pigeonhole updated to - Added %{if}, see https://wiki2.dovecot.org/Variables#Conditionals diff --git a/sources b/sources index f18be0c..7e35512 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.2.33.1.tar.gz) = 46760a1d52f8d64c36bd4f589f7f240a13d66500c93e47ce479551647e8e4ef7322fc0c325c418c3e0495910292abae105ca5680cd4b0fcd78746723f1549b71 +SHA512 (dovecot-2.2.33.2.tar.gz) = 028910a4d02b1630f1ada4d1c45fcc3ea2057969db7078a78d46e2a578b4dceaf8be0ac8de4a613b4890019e721871f2d366ec651db658da4cc72977d3e09931 SHA512 (dovecot-2.2-pigeonhole-0.4.21.tar.gz) = 4751f449ede1b05173c706b414ebf9f7f670ff78589ce6f0b687c32c9abe6dae8b3064ed1b20e893d9ec0147b0139ce479e1d74ebe94747c33f2d8ca177912de From 70e36f28d3cdb4b6ca91acb82236b7eafb9445f7 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 8 Jan 2018 13:40:19 +0100 Subject: [PATCH 022/163] remove tcp_wrappers on Fedora 28 and later (#1518761) use use mariadb-connector-c-devel instead of mysql-devel on Fedora 28 and later (#1493624) --- dovecot.spec | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 6f11de1..93fd84c 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.2.33.2 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -40,12 +40,16 @@ BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: sqlite-devel BuildRequires: postgresql-devel +%if %{?fedora}0 < 280 BuildRequires: mysql-devel +BuildRequires: tcp_wrappers-devel +%else +BuildRequires: mariadb-connector-c-devel +%endif BuildRequires: openldap-devel BuildRequires: krb5-devel BuildRequires: quota-devel BuildRequires: xz-devel -BuildRequires: tcp_wrappers-devel # gettext-devel is needed for running autoconf because of the # presence of AM_ICONV @@ -161,7 +165,9 @@ autoreconf -I . -fiv #required for aarch64 support --with-sqlite \ --with-zlib \ --with-libcap \ +%if %{?fedora}0 < 280 --with-libwrap \ +%endif %if %{?fedora}0 > 150 || %{?rhel}0 >60 --with-lucene \ %endif @@ -490,6 +496,10 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Jan 08 2018 Michal Hlavinka - 1:2.2.33.2-2 +- remove tcp_wrappers on Fedora 28 and later (#1518761) +- use use mariadb-connector-c-devel instead of mysql-devel on Fedora 28 and later (#1493624) + * Tue Oct 24 2017 Michal Hlavinka - 1:2.2.33.2-1 - dovecot updated to 2.2.33.2 - doveadm: Fix crash in proxying (or dsync replication) if remote is From 2cb29a2a448cced57a78eb47d1262d8c4a7db685 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Sat, 20 Jan 2018 23:06:40 +0100 Subject: [PATCH 023/163] Rebuilt for switch to libxcrypt --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 93fd84c..57a2226 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.2.33.2 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -496,6 +496,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Sat Jan 20 2018 Björn Esser - 1:2.2.33.2-3 +- Rebuilt for switch to libxcrypt + * Mon Jan 08 2018 Michal Hlavinka - 1:2.2.33.2-2 - remove tcp_wrappers on Fedora 28 and later (#1518761) - use use mariadb-connector-c-devel instead of mysql-devel on Fedora 28 and later (#1493624) From 971df4330277542bc8528e5ec255d6ef943f9e27 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 7 Feb 2018 07:14:22 +0000 Subject: [PATCH 024/163] - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 57a2226..345dc45 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.2.33.2 %global prever %{nil} -Release: 3%{?dist} +Release: 4%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -496,6 +496,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Feb 07 2018 Fedora Release Engineering - 1:2.2.33.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + * Sat Jan 20 2018 Björn Esser - 1:2.2.33.2-3 - Rebuilt for switch to libxcrypt From 203deaf4c3547178a7ae11c816377953a771cd39 Mon Sep 17 00:00:00 2001 From: Igor Gnatenko Date: Fri, 9 Feb 2018 09:04:23 +0100 Subject: [PATCH 025/163] Escape macros in %changelog Reference: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/Y2ZUKK2B7T2IKXPMODNF6HB2O5T5TS6H/ Signed-off-by: Igor Gnatenko --- dovecot.spec | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 345dc45..d822dc3 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.2.33.2 %global prever %{nil} -Release: 4%{?dist} +Release: 5%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -496,6 +496,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Fri Feb 09 2018 Igor Gnatenko - 1:2.2.33.2-5 +- Escape macros in %%changelog + * Wed Feb 07 2018 Fedora Release Engineering - 1:2.2.33.2-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild @@ -515,7 +518,7 @@ make check * Wed Oct 18 2017 Michal Hlavinka - 1:2.2.33.1-1 - dovecot updated to 2.2.33.1, pigeonhole updated to -- Added %{if}, see https://wiki2.dovecot.org/Variables#Conditionals +- Added %%{if}, see https://wiki2.dovecot.org/Variables#Conditionals - sdbox: Mails were always opened when expunging, unless mail_attachment_fs was explicitly set to empty. - lmtp/doveadm proxy: hostip passdb field was ignored, which caused @@ -553,7 +556,7 @@ make check imap unhibernation to fail or IMAP QRESYNC/CONDSTORE extensions to not work perfectly. - mdbox: "Inconsistency in map index" wasn't fixed automatically -- dict-ldap: %variable values used in the LDAP filter weren't escaped. +- dict-ldap: %%variable values used in the LDAP filter weren't escaped. - quota=count: quota_warning = -storage=.. was never executed (try #2). - imapc: >= 32 kB mail bodies were supposed to be cached for subsequent FETCHes, but weren't. @@ -646,7 +649,7 @@ make check - dsync: Large Sieve scripts (or other large metadata) weren't always synced. - Index rebuild (e.g. doveadm force-resync) set all mails as \Recent -- imap-hibernate: %{userdb:*} wasn't expanded in mail_log_prefix +- imap-hibernate: %%{userdb:*} wasn't expanded in mail_log_prefix - doveadm: Exit codes weren't preserved when proxying commands via doveadm-server. Almost all errors used exit code 75 (tempfail). - ACLs weren't applied to not-yet-existing autocreated mailboxes. @@ -668,7 +671,7 @@ make check for multiple requests (service_count != 1) - sdbox: Fix assert-crash on mailbox create race - lda/lmtp: deliver_log_format values weren't entirely correct if Sieve - was used. especially %{storage_id} was broken. + was used. especially %%{storage_id} was broken. - imapsieve plugin: Fixed assert failure occurring when used with virtual mailboxes. - doveadm sieve plugin: Fixed crash when setting Sieve script via attribute's @@ -713,10 +716,10 @@ make check This might have allowed untrusted processes to capture and prevent "doveadm service stop" comands from working. - login proxy: Fixed crash when outgoing SSL connections were hanging. -- auth: userdb fields weren't passed to auth-workers, so %{userdb:*} +- auth: userdb fields weren't passed to auth-workers, so %%{userdb:*} from previous userdbs didn't work there. - auth: Fixed auth_bind=yes + sasl_bind=yes to work together -- lmtp: %{userdb:*} variables didn't work in mail_log_prefix +- lmtp: %%{userdb:*} variables didn't work in mail_log_prefix - Fixed writing >2GB to iostream-temp files (used by fs-compress, fs-metawrap, doveadm-http) - fts-solr: Fixed searching multiple mailboxes @@ -769,7 +772,7 @@ make check * Wed Mar 16 2016 Michal Hlavinka - 1:2.2.22-1 - dovecot updated to 2.2.22 -- auth: Auth caching was done too aggressively when %variables were +- auth: Auth caching was done too aggressively when %%variables were used in default_fields, override_fields or LDAP pass/user_attrs. userdb result_* were also ignored when user was found from cache. - imap: Fixed various assert-crashes caused v2.2.20+. Some of them @@ -830,7 +833,7 @@ make check allocation in the sieve command implementations. * Tue Dec 08 2015 Michal Hlavinka - 1:2.2.20-2 -- move ssl initialization from %post to dovecot-init.service +- move ssl initialization from %%post to dovecot-init.service * Tue Dec 08 2015 Michal Hlavinka - 1:2.2.20-1 - dovecot updated to 2.2.20 @@ -1339,7 +1342,7 @@ make check - updated to 2.1.rc1 - major changes since 2.0.x: - plugins now use UTF-8 mailbox names rather than mUTF-7 -- auth_username_format default changed to %Lu +- auth_username_format default changed to %%Lu - solr full text search backend changed to use mailbox GUIDs instead of mailbox names, requiring reindexing everything From 88a20bf4a4274dfe249e6f9dc8fbbb5ade016008 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 1 Mar 2018 14:04:22 +0100 Subject: [PATCH 026/163] dovecot updated to 2.3.0.1, pigeonhole updated to 0.5.0.1 --- .gitignore | 2 ++ dovecot-2.0-defaultconfig.patch | 28 ++++++++++---------- dovecot-2.1.10-waitonline.patch | 12 ++++----- dovecot-2.2.13-online.patch | 12 --------- dovecot-2.2.20-initbysystemd.patch | 24 ++++++++--------- dovecot-2.2.22-systemd_w_protectsystem.patch | 19 ++++++------- dovecot.spec | 26 +++++++++--------- sources | 4 +-- 8 files changed, 56 insertions(+), 71 deletions(-) delete mode 100644 dovecot-2.2.13-online.patch diff --git a/.gitignore b/.gitignore index 2472335..84688a6 100644 --- a/.gitignore +++ b/.gitignore @@ -120,3 +120,5 @@ pigeonhole-snap0592366457df.tar.bz2 /dovecot-2.2.33.1.tar.gz /dovecot-2.2-pigeonhole-0.4.21.tar.gz /dovecot-2.2.33.2.tar.gz +/dovecot-2.3.0.1.tar.gz +/dovecot-2.3-pigeonhole-0.5.0.1.tar.gz diff --git a/dovecot-2.0-defaultconfig.patch b/dovecot-2.0-defaultconfig.patch index 1f537f7..3f7173f 100644 --- a/dovecot-2.0-defaultconfig.patch +++ b/dovecot-2.0-defaultconfig.patch @@ -1,7 +1,7 @@ -diff -up dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf ---- dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings 2014-06-02 13:50:10.000000000 +0200 -+++ dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf 2015-08-24 17:09:03.866648631 +0200 -@@ -283,6 +283,7 @@ namespace inbox { +diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf +--- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 ++++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf 2018-03-01 10:29:38.208368555 +0100 +@@ -322,6 +322,7 @@ protocol !indexer-worker { # them simultaneously. #mbox_read_locks = fcntl #mbox_write_locks = dotlock fcntl @@ -9,9 +9,9 @@ diff -up dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings # Maximum time to wait for lock (all of them) before aborting. #mbox_lock_timeout = 5 mins -diff -up dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf ---- dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings 2014-10-03 16:36:00.000000000 +0200 -+++ dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf 2015-08-24 17:10:49.536071649 +0200 +diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf +--- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 ++++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf 2018-03-01 10:33:54.779499044 +0100 @@ -3,7 +3,9 @@ ## @@ -23,11 +23,11 @@ diff -up dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings d # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but -@@ -50,6 +52,7 @@ ssl_key = /dev/null 2>&1; \ +fi' + -diff -up dovecot-2.2.22/dovecot.service.in.initbysystemd dovecot-2.2.22/dovecot.service.in ---- dovecot-2.2.22/dovecot.service.in.initbysystemd 2016-03-16 13:48:25.996297203 +0100 -+++ dovecot-2.2.22/dovecot.service.in 2016-03-16 13:49:17.619039641 +0100 -@@ -20,7 +20,8 @@ +diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/dovecot.service.in +--- dovecot-2.3.0.1/dovecot.service.in.initbysystemd 2018-03-01 10:38:22.060716016 +0100 ++++ dovecot-2.3.0.1/dovecot.service.in 2018-03-01 10:40:45.524901319 +0100 +@@ -8,7 +8,8 @@ Description=Dovecot IMAP/POP3 email server Documentation=man:dovecot(1) Documentation=http://wiki2.dovecot.org/ @@ -32,11 +32,11 @@ diff -up dovecot-2.2.22/dovecot.service.in.initbysystemd dovecot-2.2.22/dovecot. +Requires=dovecot-init.service [Service] - Type=forking -diff -up dovecot-2.2.22/Makefile.am.initbysystemd dovecot-2.2.22/Makefile.am ---- dovecot-2.2.22/Makefile.am.initbysystemd 2016-03-04 12:04:33.000000000 +0100 -+++ dovecot-2.2.22/Makefile.am 2016-03-16 13:48:25.996297203 +0100 -@@ -51,9 +51,10 @@ if HAVE_SYSTEMD + Type=simple +diff -up dovecot-2.3.0.1/Makefile.am.initbysystemd dovecot-2.3.0.1/Makefile.am +--- dovecot-2.3.0.1/Makefile.am.initbysystemd 2018-02-28 15:28:57.000000000 +0100 ++++ dovecot-2.3.0.1/Makefile.am 2018-03-01 10:38:22.060716016 +0100 +@@ -63,9 +63,10 @@ if HAVE_SYSTEMD systemdsystemunit_DATA = \ dovecot.socket \ diff --git a/dovecot-2.2.22-systemd_w_protectsystem.patch b/dovecot-2.2.22-systemd_w_protectsystem.patch index 6fcddac..0ffb043 100644 --- a/dovecot-2.2.22-systemd_w_protectsystem.patch +++ b/dovecot-2.2.22-systemd_w_protectsystem.patch @@ -1,14 +1,11 @@ -diff -up dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem dovecot-2.2.28/dovecot.service.in ---- dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem 2017-02-27 10:00:14.647423500 +0100 -+++ dovecot-2.2.28/dovecot.service.in 2017-02-27 10:02:18.051377067 +0100 -@@ -20,8 +20,8 @@ ExecReload=@bindir@/doveadm reload +diff -up dovecot-2.3.0.1/dovecot.service.in.systemd_w_protectsystem dovecot-2.3.0.1/dovecot.service.in +--- dovecot-2.3.0.1/dovecot.service.in.systemd_w_protectsystem 2018-03-01 10:41:05.591067106 +0100 ++++ dovecot-2.3.0.1/dovecot.service.in 2018-03-01 10:42:52.859959021 +0100 +@@ -20,6 +20,7 @@ ExecReload=@bindir@/doveadm reload ExecStop=@bindir@/doveadm stop PrivateTmp=true NonBlocking=yes --# Enable this if your systemd is new enough to support it: --#ProtectSystem=full -+# Enable this if your systemd is new enough to support it: (it will make /usr /boot /etc read only for dovecot) -+ProtectSystem=full - - # You can add environment variables with e.g.: - #Environment='CORE_OUTOFMEM=1' ++# this will make /usr /boot /etc read only for dovecot + ProtectSystem=full + PrivateDevices=true + # disable this if you want to use apparmor plugin diff --git a/dovecot.spec b/dovecot.spec index d822dc3..43c8158 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,19 +3,19 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.33.2 +Version: 2.3.0.1 %global prever %{nil} -Release: 5%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons URL: http://www.dovecot.org/ -Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz +Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.4.21 -Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz +%global pigeonholever 0.5.0.1 +Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -29,7 +29,6 @@ Patch3: dovecot-1.0.rc7-mkcert-paths.patch #wait for network Patch6: dovecot-2.1.10-waitonline.patch -Patch7: dovecot-2.2.13-online.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch @@ -131,11 +130,10 @@ This package provides the development files for dovecot. %patch2 -p1 -b .mkcert-permissions %patch3 -p1 -b .mkcert-paths %patch6 -p1 -b .waitonline -%patch7 -p1 -b .online %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem -#pushd dovecot-2*2-pigeonhole-%{pigeonholever} +#pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in @@ -184,7 +182,7 @@ sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10 make %{?_smp_mflags} #pigeonhole -pushd dovecot-2*2-pigeonhole-%{pigeonholever} +pushd dovecot-2*3-pigeonhole-%{pigeonholever} # required for snapshot [ -f configure ] || autoreconf -fiv @@ -208,7 +206,7 @@ make install DESTDIR=$RPM_BUILD_ROOT mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall -pushd dovecot-2*2-pigeonhole-%{pigeonholever} +pushd dovecot-2*3-pigeonhole-%{pigeonholever} make install DESTDIR=$RPM_BUILD_ROOT mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole @@ -347,7 +345,7 @@ fi %check make check -cd dovecot-2*2-pigeonhole-%{pigeonholever} +cd dovecot-2*3-pigeonhole-%{pigeonholever} make check %files @@ -410,7 +408,6 @@ make check %dir %{_libdir}/dovecot %dir %{_libdir}/dovecot/auth %dir %{_libdir}/dovecot/dict -%dir %{_libdir}/dovecot/stats %{_libdir}/dovecot/doveadm %exclude %{_libdir}/dovecot/doveadm/*sieve* %{_libdir}/dovecot/*.so.* @@ -424,8 +421,6 @@ make check %{_libdir}/dovecot/auth/libdriver_sqlite.so %{_libdir}/dovecot/dict/libdriver_sqlite.so %{_libdir}/dovecot/dict/libdict_ldap.so -%{_libdir}/dovecot/stats/libstats_auth.so -%{_libdir}/dovecot/stats/libstats_mail.so %{_libdir}/dovecot/libdriver_sqlite.so %{_libdir}/dovecot/libssl_iostream_openssl.so %{_libdir}/dovecot/libfs_compress.so @@ -496,6 +491,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Mar 01 2018 Michal Hlavinka - 1:2.3.0.1-1 +- dovecot updated to 2.3.0.1, pigeonhole updated to 0.5.0.1 + * Fri Feb 09 2018 Igor Gnatenko - 1:2.2.33.2-5 - Escape macros in %%changelog diff --git a/sources b/sources index 7e35512..c5c7083 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.2.33.2.tar.gz) = 028910a4d02b1630f1ada4d1c45fcc3ea2057969db7078a78d46e2a578b4dceaf8be0ac8de4a613b4890019e721871f2d366ec651db658da4cc72977d3e09931 -SHA512 (dovecot-2.2-pigeonhole-0.4.21.tar.gz) = 4751f449ede1b05173c706b414ebf9f7f670ff78589ce6f0b687c32c9abe6dae8b3064ed1b20e893d9ec0147b0139ce479e1d74ebe94747c33f2d8ca177912de +SHA512 (dovecot-2.3.0.1.tar.gz) = 2b30c46c1660f425f6303a15cf638388439fd7a8065c91d28caf41d9a6403a4fccb530df3f69037a634bc3b0b9e498037da6b0b93c176f5e3b5808907d3f759d +SHA512 (dovecot-2.3-pigeonhole-0.5.0.1.tar.gz) = 60016145caa444eeba13b49735f87ab2ebe7f178f104ad57283b5aa7e5119920d9f579032b775547e0866e86045a4ab653fd084068187d0cbe2e088cc15fc288 From 8a2b51c871ce6d7020b9072a473e74579954b4e1 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Sun, 4 Mar 2018 16:30:54 +0000 Subject: [PATCH 027/163] use wildcards in source file names --- .gitignore | 126 +---------------------------------------------------- 1 file changed, 2 insertions(+), 124 deletions(-) diff --git a/.gitignore b/.gitignore index 84688a6..0628189 100644 --- a/.gitignore +++ b/.gitignore @@ -1,124 +1,2 @@ -dovecot-2.0.rc3.tar.gz -pigeonhole-snap01ee63b788c9.tar.bz2 -dovecot-2.0.rc4.tar.gz -pigeonhole-snapcac6acdc4d0e.tar.bz2 -dovecot-2.0.rc5.tar.gz -pigeonhole-snap0592366457df.tar.bz2 -/dovecot-2.0.0.tar.gz -/pigeonhole-snap1ae9569b0383.tar.bz2 -/dovecot-2.0.1.tar.gz -/pigeonhole-snapd51650c8af85.tar.bz2 -/dovecot-2.0.2.tar.gz -/pigeonhole-snapfbcb05e7eda1.tar.bz2 -/dovecot-2.0.3.tar.gz -/pigeonhole-snapcb4c1ebecff3.tar.bz2 -/dovecot-2.0.4.tar.gz -/pigeonhole-snap824454514f08.tar.bz2 -/dovecot-2.0.5.tar.gz -/pigeonhole-snapa50464354f5a.tar.bz2 -/dovecot-2.0.6.tar.gz -/pigeonhole-snap2023f8c74250.tar.bz2 -/dovecot-2.0.7.tar.gz -/pigeonhole-snapa8cc6294071e.tar.bz2 -/dovecot-2.0.8.tar.gz -/pigeonhole-snap67d2240966ec.tar.bz2 -/dovecot-2.0-pigeonhole-0.2.2.tar.gz -/dovecot-2.0.9.tar.gz -/dovecot-2.0.11.tar.gz -/dovecot-2.0.12.tar.gz -/dovecot-2.0-pigeonhole-0.2.3.tar.gz -/dovecot-2.0.13.tar.gz -/dovecot-2.0.14.tar.gz -/dovecot-2.0.15.tar.gz -/dovecot-2.0.16.tar.gz -/dovecot-2.1.rc1.tar.gz -/dovecot-2.1-pigeonhole-b3bff60a18da.tar.bz2 -/dovecot-2.1.rc3.tar.gz -/dovecot-2.1.rc5.tar.gz -/dovecot-2.1-pigeonhole-a130a50f82e1.tar.bz2 -/dovecot-2.1.rc6.tar.gz -/dovecot-2.1-pigeonhole-b2a456e15ed5.tar.bz2 -/dovecot-2.1.0.tar.gz -/dovecot-2.1-pigeonhole-0.3.0.tar.gz -/dovecot-2.1.1.tar.gz -/pigeonhole-snap67950c9d3675.tar.bz2 -/dovecot-2.1.2.tar.gz -/pigeonhole-snap08a2d2718a65.tar.bz2 -/dovecot-2.1.3.tar.gz -/dovecot-2.1.4.tar.gz -/dovecot-2.1.5.tar.gz -/dovecot-2.1.6.tar.gz -/dovecot-2.1.7.tar.gz -/dovecot-2.1-pigeonhole-0.3.1.tar.gz -/dovecot-2.1.8.tar.gz -/dovecot-2.1.9.tar.gz -/dovecot-2.1.10.tar.gz -/dovecot-2.1-pigeonhole-0.3.3.tar.gz -/dovecot-2.1.12.tar.gz -/dovecot-2.1.13.tar.gz -/dovecot-2.1.14.tar.gz -/dovecot-2.1.15.tar.gz -/dovecot-2.2.rc2.tar.gz -/pigeonhole-99eec511aa2c.tar.bz2 -/dovecot-2.2.rc3.tar.gz -/dovecot-2.2.rc4.tar.gz -/dovecot-2.2.0.tar.gz -/dovecot-2.2.1.tar.gz -/pigeonhole-snape42a38f02d28.tar.bz2 -/dovecot-2.2-pigeonhole-0.4.0.tar.gz -/dovecot-2.2.2.tar.gz -/dovecot-2.2.3.tar.gz -/dovecot-2.2.4.tar.gz -/dovecot-2.2-pigeonhole-0.4.1.tar.gz -/dovecot-2.2.5.tar.gz -/dovecot-2.2.6.tar.gz -/dovecot-2.2-pigeonhole-0.4.2.tar.gz -/dovecot-2.2.7.tar.gz -/dovecot-2.2.8.tar.gz -/dovecot-2.2.9.tar.gz -/dovecot-2.2.10.tar.gz -/dovecot-2.2.11.tar.gz -/dovecot-2.2.12.tar.gz -/dovecot-2.2.13.tar.gz -/dovecot-2.2.14.tar.gz -/dovecot-2.2-pigeonhole-0.4.3.tar.gz -/dovecot-2.2.15.tar.gz -/pigeonhole-snapded0c5a467aa.tar.bz2 -/dovecot-2.2-pigeonhole-0.4.6.tar.gz -/dovecot-2.2.16.tar.gz -/dovecot-2.2.17.tar.gz -/dovecot-2.2.18.tar.gz -/dovecot-2.2-pigeonhole-0.4.7.tar.gz -/dovecot-2.2-pigeonhole-0.4.8.tar.gz -/dovecot-2.2.19.tar.gz -/dovecot-2.2-pigeonhole-0.4.9.tar.gz -/dovecot-2.2.20.tar.gz -/dovecot-2.2.21.tar.gz -/dovecot-2.2-pigeonhole-0.4.10.tar.gz -/dovecot-2.2-pigeonhole-0.4.11.tar.gz -/dovecot-2.2-pigeonhole-0.4.12.tar.gz -/dovecot-2.2.22.tar.gz -/dovecot-2.2.23.tar.gz -/dovecot-2.2-pigeonhole-0.4.13.tar.gz -/dovecot-2.2.24.tar.gz -/dovecot-2.2-pigeonhole-0.4.14.tar.gz -/dovecot-2.2.25.tar.gz -/dovecot-2.2.26.0.tar.gz -/dovecot-2.2-pigeonhole-0.4.16.tar.gz -/dovecot-2.2.27.tar.gz -/dovecot-2.2.28.tar.gz -/dovecot-2.2-pigeonhole-0.4.17.tar.gz -/dovecot-2.2.29.tar.gz -/dovecot-2.2.29.1.tar.gz -/dovecot-2.2-pigeonhole-0.4.18.tar.gz -/dovecot-2.2.30.1.tar.gz -/dovecot-2.2.30.2.tar.gz -/dovecot-2.2.31.tar.gz -/dovecot-2.2-pigeonhole-0.4.19.tar.gz -/dovecot-2.2.32.tar.gz -/dovecot-2.2-pigeonhole-0.4.20.tar.gz -/dovecot-2.2.33.1.tar.gz -/dovecot-2.2-pigeonhole-0.4.21.tar.gz -/dovecot-2.2.33.2.tar.gz -/dovecot-2.3.0.1.tar.gz -/dovecot-2.3-pigeonhole-0.5.0.1.tar.gz +/dovecot-*.tar.gz +/pigeonhole-*.tar.bz2 From 6f1094ca9fe98d12f97b9ed8344ec9d9a5a17668 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 21 Mar 2018 17:17:24 +0100 Subject: [PATCH 028/163] add gcc buildrequire --- dovecot.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 43c8158..fcd1257 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.0.1 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -35,7 +35,7 @@ Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Source15: prestartscript -BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel +BuildRequires: gcc openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: sqlite-devel BuildRequires: postgresql-devel @@ -491,6 +491,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Mar 07 2018 Michal Hlavinka - 1:2.3.0.1-2 +- add gcc buildrequire + * Thu Mar 01 2018 Michal Hlavinka - 1:2.3.0.1-1 - dovecot updated to 2.3.0.1, pigeonhole updated to 0.5.0.1 From 233f79dabd2f0f71077b276c891f3303d7799299 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 27 Mar 2018 12:40:22 +0200 Subject: [PATCH 029/163] use libxcrypt for Fedora >= 28, part of ftbfs fix (#1548520) --- dovecot-2.3.0.1-libxcrypt.patch | 11 +++++++++++ dovecot.spec | 11 ++++++++++- 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.3.0.1-libxcrypt.patch diff --git a/dovecot-2.3.0.1-libxcrypt.patch b/dovecot-2.3.0.1-libxcrypt.patch new file mode 100644 index 0000000..a8c33bf --- /dev/null +++ b/dovecot-2.3.0.1-libxcrypt.patch @@ -0,0 +1,11 @@ +diff -up dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt dovecot-2.3.0.1/src/auth/mycrypt.c +--- dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt 2018-02-28 15:28:58.000000000 +0100 ++++ dovecot-2.3.0.1/src/auth/mycrypt.c 2018-03-27 10:57:38.447769201 +0200 +@@ -14,6 +14,7 @@ + # define _XPG6 /* Some Solaris versions require this, some break with this */ + #endif + #include ++#include + + #include "mycrypt.h" + diff --git a/dovecot.spec b/dovecot.spec index fcd1257..92f4f15 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.0.1 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -32,6 +32,7 @@ Patch6: dovecot-2.1.10-waitonline.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch +Patch10: dovecot-2.3.0.1-libxcrypt.patch Source15: prestartscript @@ -44,6 +45,7 @@ BuildRequires: mysql-devel BuildRequires: tcp_wrappers-devel %else BuildRequires: mariadb-connector-c-devel +BuildRequires: libxcrypt-devel %endif BuildRequires: openldap-devel BuildRequires: krb5-devel @@ -132,6 +134,7 @@ This package provides the development files for dovecot. %patch6 -p1 -b .waitonline %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem +%patch10 -p1 -b .libxcrypt #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -382,6 +385,7 @@ make check %config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-imap.conf %config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-lmtp.conf %config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-pop3.conf +%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-submission.conf %config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-acl.conf %config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-quota.conf %config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-plugin.conf @@ -428,6 +432,8 @@ make check %{_libdir}/dovecot/libfs_mail_crypt.so %{_libdir}/dovecot/libdcrypt_openssl.so %{_libdir}/dovecot/lib20_var_expand_crypt.so +%{_libdir}/dovecot/old-stats/libold_stats_mail.so +%{_libdir}/dovecot/old-stats/libstats_auth.so %dir %{_libdir}/dovecot/settings @@ -491,6 +497,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Mar 27 2018 Michal Hlavinka - 1:2.3.0.1-3 +- use libxcrypt for Fedora >= 28, part of ftbfs fix (#1548520) + * Wed Mar 07 2018 Michal Hlavinka - 1:2.3.0.1-2 - add gcc buildrequire From 4e81ae69303618da7d1572374ae5f5566a82a287 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 28 Mar 2018 10:43:59 +0200 Subject: [PATCH 030/163] dovecot updated to 2.3.1, pigeonhole updated to 0.5.1 --- dovecot.spec | 9 ++++++--- sources | 4 ++-- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 92f4f15..f466d86 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.0.1 +Version: 2.3.1 %global prever %{nil} -Release: 3%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.0.1 +%global pigeonholever 0.5.1 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -497,6 +497,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Mar 28 2018 Michal Hlavinka - 1:2.3.1-1 +- dovecot updated to 2.3.1, pigeonhole updated to 0.5.1 + * Tue Mar 27 2018 Michal Hlavinka - 1:2.3.0.1-3 - use libxcrypt for Fedora >= 28, part of ftbfs fix (#1548520) diff --git a/sources b/sources index c5c7083..32f0896 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.0.1.tar.gz) = 2b30c46c1660f425f6303a15cf638388439fd7a8065c91d28caf41d9a6403a4fccb530df3f69037a634bc3b0b9e498037da6b0b93c176f5e3b5808907d3f759d -SHA512 (dovecot-2.3-pigeonhole-0.5.0.1.tar.gz) = 60016145caa444eeba13b49735f87ab2ebe7f178f104ad57283b5aa7e5119920d9f579032b775547e0866e86045a4ab653fd084068187d0cbe2e088cc15fc288 +SHA512 (dovecot-2.3.1.tar.gz) = fe664ab771145f2390fef45839ff2756e36731c61e571dfa6975014f9cea43144e2aca0acf1a83b1dac55ad50042d0fa170b83570aa411228557861ada410b79 +SHA512 (dovecot-2.3-pigeonhole-0.5.1.tar.gz) = 5d65c3c9f3131c4e82287d054bd8b963d7c56c3e0677d7384881cf109ca82080d6222f672d8f973447d98be823a4df5bf43760d4ba87b76447d13abab30130c4 From 8a7475f62a0ef6e3ec0fa8dc363f4cb5380e9fcd Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 28 Mar 2018 16:20:45 +0200 Subject: [PATCH 031/163] fix ftbfs - murmurhash3 check fail --- dovecot-2.3.1-murmurfix.patch | 280 ++++++++++++++++++++++++++++++++++ dovecot.spec | 9 +- 2 files changed, 288 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.3.1-murmurfix.patch diff --git a/dovecot-2.3.1-murmurfix.patch b/dovecot-2.3.1-murmurfix.patch new file mode 100644 index 0000000..b096717 --- /dev/null +++ b/dovecot-2.3.1-murmurfix.patch @@ -0,0 +1,280 @@ +diff -up dovecot-2.3.1/src/lib/murmurhash3.c.murmurfix dovecot-2.3.1/src/lib/murmurhash3.c +--- dovecot-2.3.1/src/lib/murmurhash3.c.murmurfix 2017-12-28 09:46:56.000000000 +0100 ++++ dovecot-2.3.1/src/lib/murmurhash3.c 2018-03-28 13:45:07.282004287 +0200 +@@ -23,7 +23,7 @@ + + static inline uint32_t getblock32(const uint32_t *p, int i) + { +- return p[i]; ++ return le32_to_cpu(p[i]); + } + + //----------------------------------------------------------------------------- +@@ -94,6 +94,8 @@ void murmurhash3_32 (const void *key, si + + h1 = fmix32(h1); + ++ h1 = cpu32_to_be(h1); ++ + memcpy(out, &h1, sizeof(h1)); + } + +@@ -103,7 +105,7 @@ void murmurhash3_32 (const void *key, si + + static inline uint64_t getblock64(const uint64_t *p, int i) + { +- return p[i]; ++ return le64_to_cpu(p[i]); + } + + static inline uint64_t fmix64(uint64_t k) +@@ -206,6 +208,9 @@ void murmurhash3_128(const void *key, si + h1 += h2; + h2 += h1; + ++ h1 = cpu64_to_be(h1); ++ h2 = cpu64_to_be(h2); ++ + memcpy(out, &h1, sizeof(h1)); + memcpy(out+sizeof(h1), &h2, sizeof(h2)); + } +@@ -323,6 +328,11 @@ void murmurhash3_128(const void *key, si + h1 += h2; h1 += h3; h1 += h4; + h2 += h1; h3 += h1; h4 += h1; + ++ h1 = cpu32_to_be(h1); ++ h2 = cpu32_to_be(h2); ++ h3 = cpu32_to_be(h3); ++ h4 = cpu32_to_be(h4); ++ + memcpy(out, &h1, sizeof(h1)); + memcpy(out+sizeof(h1), &h2, sizeof(h2)); + memcpy(out+sizeof(h1)*2, &h3, sizeof(h3)); +diff -up dovecot-2.3.1/src/lib/test-murmurhash3.c.murmurfix dovecot-2.3.1/src/lib/test-murmurhash3.c +--- dovecot-2.3.1/src/lib/test-murmurhash3.c.murmurfix 2018-03-20 11:15:40.000000000 +0100 ++++ dovecot-2.3.1/src/lib/test-murmurhash3.c 2018-03-28 13:45:15.207074149 +0200 +@@ -7,7 +7,19 @@ struct murmur3_test_vectors { + const char *input; + size_t len; + uint32_t seed; +- uint32_t result[4]; /* fits all results */ ++ ++ /* murmurhash3_128() produces a different output on ILP32 and LP64 ++ systems (by design). Therefore, we must use different expected ++ results based on what system we're on. We define both all the ++ time, but use the below pre-processor magic to select which ++ version we'll use. */ ++ uint8_t result_ilp32[MURMURHASH3_128_RESULTBYTES]; /* fits all results */ ++ uint8_t result_lp64[MURMURHASH3_128_RESULTBYTES]; /* fits all results */ ++#ifdef _LP64 ++#define result result_lp64 ++#else ++#define result result_ilp32 ++#endif + }; + + static void test_murmurhash3_algorithm(const char *name, +@@ -29,24 +41,49 @@ static void test_murmurhash3_algorithm(c + + static void test_murmurhash3_32(void) + { ++ /* murmurhash3_32() produces the same output on both ILP32 and LP64 ++ systems, so use the same expected outputs for both */ + struct murmur3_test_vectors vectors[] = { +- { "", 0, 0, { 0, 0, 0, 0}}, +- { "", 0, 0x1, { 0x514E28B7, 0, 0, 0 }}, +- { "", 0, 0xFFFFFFFF, { 0x81F16F39, 0, 0, 0 }}, +- { "\0\0\0\0", 4, 0, { 0x2362F9DE, 0, 0, 0 }}, +- { "aaaa", 4, 0x9747b28c, { 0x5A97808A, 0, 0, 0 }}, +- { "aaa", 3, 0x9747b28c, { 0x283E0130, 0, 0, 0 }}, +- { "aa", 2, 0x9747b28c, { 0x5D211726, 0, 0, 0 }}, +- { "a", 1, 0x9747b28c, { 0x7FA09EA6, 0, 0, 0 }}, +- { "abcd", 4, 0x9747b28c, { 0xF0478627, 0, 0, 0 }}, +- { "abc", 3, 0x9747b28c, { 0xC84A62DD, 0, 0, 0 }}, +- { "ab", 2, 0x9747b28c, { 0x74875592, 0, 0, 0 }}, +- { "Hello, world!", 13, 0x9747b28c, { 0x24884CBA, 0, 0, 0 }}, ++ { "", 0, 0, { 0, }, { 0, } }, ++ { "", 0, 0x1, ++ { 0x51, 0x4E, 0x28, 0xB7, }, ++ { 0x51, 0x4E, 0x28, 0xB7, } }, ++ { "", 0, 0xFFFFFFFF, ++ { 0x81, 0xF1, 0x6F, 0x39, }, ++ { 0x81, 0xF1, 0x6F, 0x39, } }, ++ { "\0\0\0\0", 4, 0, ++ { 0x23, 0x62, 0xF9, 0xDE, }, ++ { 0x23, 0x62, 0xF9, 0xDE, } }, ++ { "aaaa", 4, 0x9747b28c, ++ { 0x5A, 0x97, 0x80, 0x8A, }, ++ { 0x5A, 0x97, 0x80, 0x8A, } }, ++ { "aaa", 3, 0x9747b28c, ++ { 0x28, 0x3E, 0x01, 0x30, }, ++ { 0x28, 0x3E, 0x01, 0x30, } }, ++ { "aa", 2, 0x9747b28c, ++ { 0x5D, 0x21, 0x17, 0x26, }, ++ { 0x5D, 0x21, 0x17, 0x26, } }, ++ { "a", 1, 0x9747b28c, ++ { 0x7F, 0xA0, 0x9E, 0xA6, }, ++ { 0x7F, 0xA0, 0x9E, 0xA6, } }, ++ { "abcd", 4, 0x9747b28c, ++ { 0xF0, 0x47, 0x86, 0x27, }, ++ { 0xF0, 0x47, 0x86, 0x27, } }, ++ { "abc", 3, 0x9747b28c, ++ { 0xC8, 0x4A, 0x62, 0xDD, }, ++ { 0xC8, 0x4A, 0x62, 0xDD, } }, ++ { "ab", 2, 0x9747b28c, ++ { 0x74, 0x87, 0x55, 0x92, }, ++ { 0x74, 0x87, 0x55, 0x92, } }, ++ { "Hello, world!", 13, 0x9747b28c, ++ { 0x24, 0x88, 0x4C, 0xBA, }, ++ { 0x24, 0x88, 0x4C, 0xBA, } }, + { + "\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80", + 16, + 0x9747b28c, +- { 0xD58063C1, 0, 0, 0 } ++ { 0xD5, 0x80, 0x63, 0xC1, }, ++ { 0xD5, 0x80, 0x63, 0xC1, } + }, /* 8 U+03C0 (Greek Small Letter Pi) */ + { + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +@@ -56,7 +93,8 @@ static void test_murmurhash3_32(void) + "aaaaaaaaaaaaaaaaaaaa", + 256, + 0x9747b28c, +- { 0x37405BDC, 0, 0, 0 } ++ { 0x37, 0x40, 0x5B, 0xDC, }, ++ { 0x37, 0x40, 0x5B, 0xDC, } + }, + }; + +@@ -67,25 +105,73 @@ static void test_murmurhash3_32(void) + + static void test_murmurhash3_128(void) + { ++ /* murmurhash3_128() produces a different output on ILP32 and LP64 ++ systems (by design). */ + struct murmur3_test_vectors vectors[] = { +-#ifdef _LP64 +- { "", 0, 0x00000000, { 0x00000000, 0x00000000, 0x00000000, 0x00000000 }}, +- { "", 0, 0x00000001, { 0x6eff5cb5, 0x4610abe5, 0x78f83583, 0x51622daa }}, +- { "", 0, 0xffffffff, { 0x9d3bc9ec, 0x6af1df4d, 0x1ee6446b, 0x85742112 }}, +- { "\0\0\0\0", 4, 0x00000000, { 0xd84c76bc, 0xcfa0f7dd, 0x1cf526f1, 0x58962316 }}, +- { "aaaa", 4, 0x9747b28c, { 0x5e649bf0, 0xb4e0a5f7, 0x038c569f, 0xa5d3e8e9 }}, +- { "aaa", 3, 0x9747b28c, { 0xe4c7466b, 0x8ea5e37a, 0x35dc931c, 0xf925bef0 }}, +- { "aa", 2, 0x9747b28c, { 0xbee5bb1f, 0x12a698a9, 0x5e269401, 0xe93630ff }}, +- { "a", 1, 0x9747b28c, { 0x2db25a1d, 0x5ce8d851, 0x9208f004, 0x9e6dab0f }}, +- { "abcd", 4, 0x9747b28c, { 0xac553791, 0x49b4709e, 0xe9d3a7bb, 0x8a7e67e7 }}, +- { "abc", 3, 0x9747b28c, { 0xbfc3cedc, 0x3743630d, 0x20b504bf, 0xcde0a234 }}, +- { "ab", 2, 0x9747b28c, { 0x1a44280b, 0x8434eead, 0x63ce372b, 0x7eb933e7 }}, +- { "Hello, world!", 13, 0x9747b28c, { 0x62a8392e, 0xedc485d6, 0x31d576ba, 0xf85e7e76 }}, ++ { "", 0, 0x00000000, { 0, }, { 0, }}, ++ { "", 0, 0x00000001, ++ { 0x88, 0xc4, 0xad, 0xec, 0x54, 0xd2, 0x01, 0xb9, ++ 0x54, 0xd2, 0x01, 0xb9, 0x54, 0xd2, 0x01, 0xb9 }, ++ { 0x46, 0x10, 0xab, 0xe5, 0x6e, 0xff, 0x5c, 0xb5, ++ 0x51, 0x62, 0x2d, 0xaa, 0x78, 0xf8, 0x35, 0x83 }}, ++ { "", 0, 0xffffffff, ++ { 0x05, 0x1e, 0x08, 0xa9, 0x98, 0x9d, 0x49, 0xf7, ++ 0x98, 0x9d, 0x49, 0xf7, 0x98, 0x9d, 0x49, 0xf7 }, ++ { 0x6a, 0xf1, 0xdf, 0x4d, 0x9d, 0x3b, 0xc9, 0xec, ++ 0x85, 0x74, 0x21, 0x12, 0x1e, 0xe6, 0x44, 0x6b }}, ++ { "\0\0\0\0", 4, 0x00000000, ++ { 0xcc, 0x06, 0x6f, 0x1f, 0x9e, 0x51, 0x78, 0x40, ++ 0x9e, 0x51, 0x78, 0x40, 0x9e, 0x51, 0x78, 0x40 }, ++ { 0xcf, 0xa0, 0xf7, 0xdd, 0xd8, 0x4c, 0x76, 0xbc, ++ 0x58, 0x96, 0x23, 0x16, 0x1c, 0xf5, 0x26, 0xf1 }}, ++ { "aaaa", 4, 0x9747b28c, ++ { 0x36, 0x80, 0x4c, 0xef, 0x2a, 0x61, 0xc2, 0x24, ++ 0x2a, 0x61, 0xc2, 0x24, 0x2a, 0x61, 0xc2, 0x24 }, ++ { 0xb4, 0xe0, 0xa5, 0xf7, 0x5e, 0x64, 0x9b, 0xf0, ++ 0xa5, 0xd3, 0xe8, 0xe9, 0x03, 0x8c, 0x56, 0x9f }}, ++ { "aaa", 3, 0x9747b28c, ++ { 0x83, 0x83, 0x89, 0xbe, 0x9a, 0xad, 0x7f, 0x88, ++ 0x9a, 0xad, 0x7f, 0x88, 0x9a, 0xad, 0x7f, 0x88 }, ++ { 0x8e, 0xa5, 0xe3, 0x7a, 0xe4, 0xc7, 0x46, 0x6b, ++ 0xf9, 0x25, 0xbe, 0xf0, 0x35, 0xdc, 0x93, 0x1c }}, ++ { "aa", 2, 0x9747b28c, ++ { 0xdf, 0xbe, 0x4a, 0x86, 0x4a, 0x9c, 0x35, 0x0b, ++ 0x4a, 0x9c, 0x35, 0x0b, 0x4a, 0x9c, 0x35, 0x0b }, ++ { 0x12, 0xa6, 0x98, 0xa9, 0xbe, 0xe5, 0xbb, 0x1f, ++ 0xe9, 0x36, 0x30, 0xff, 0x5e, 0x26, 0x94, 0x01 }}, ++ { "a", 1, 0x9747b28c, ++ { 0x08, 0x4e, 0xf9, 0x44, 0x21, 0xa1, 0x18, 0x6e, ++ 0x21, 0xa1, 0x18, 0x6e, 0x21, 0xa1, 0x18, 0x6e }, ++ { 0x5c, 0xe8, 0xd8, 0x51, 0x2d, 0xb2, 0x5a, 0x1d, ++ 0x9e, 0x6d, 0xab, 0x0f, 0x92, 0x08, 0xf0, 0x04 }}, ++ { "abcd", 4, 0x9747b28c, ++ { 0x47, 0x95, 0xc5, 0x29, 0xce, 0xc1, 0x88, 0x5e, ++ 0xce, 0xc1, 0x88, 0x5e, 0xce, 0xc1, 0x88, 0x5e }, ++ { 0x49, 0xb4, 0x70, 0x9e, 0xac, 0x55, 0x37, 0x91, ++ 0x8a, 0x7e, 0x67, 0xe7, 0xe9, 0xd3, 0xa7, 0xbb }}, ++ { "abc", 3, 0x9747b28c, ++ { 0xd6, 0x35, 0x9e, 0xaf, 0x48, 0xfc, 0x3a, 0xc3, ++ 0x48, 0xfc, 0x3a, 0xc3, 0x48, 0xfc, 0x3a, 0xc3 }, ++ { 0x37, 0x43, 0x63, 0x0d, 0xbf, 0xc3, 0xce, 0xdc, ++ 0xcd, 0xe0, 0xa2, 0x34, 0x20, 0xb5, 0x04, 0xbf }}, ++ { "ab", 2, 0x9747b28c, ++ { 0x38, 0x37, 0xd7, 0x95, 0xc7, 0xfe, 0x58, 0x96, ++ 0xc7, 0xfe, 0x58, 0x96, 0xc7, 0xfe, 0x58, 0x96 }, ++ { 0x84, 0x34, 0xee, 0xad, 0x1a, 0x44, 0x28, 0x0b, ++ 0x7e, 0xb9, 0x33, 0xe7, 0x63, 0xce, 0x37, 0x2b }}, ++ { "Hello, world!", 13, 0x9747b28c, ++ { 0x75, 0x6d, 0x54, 0x60, 0xbb, 0x87, 0x22, 0x16, ++ 0xb7, 0xd4, 0x8b, 0x7c, 0x53, 0xc8, 0xc6, 0x36 }, ++ { 0xed, 0xc4, 0x85, 0xd6, 0x62, 0xa8, 0x39, 0x2e, ++ 0xf8, 0x5e, 0x7e, 0x76, 0x31, 0xd5, 0x76, 0xba }}, + { + "\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80", + 16, + 0x9747b28c, +- { 0xc0361a1f, 0x96ea5bd8, 0x094be17b, 0xf8b72bd0 } ++ { 0xaf, 0x2a, 0xd3, 0x25, 0x3a, 0x74, 0xdf, 0x88, ++ 0x38, 0xcc, 0x75, 0x34, 0xf1, 0x97, 0xcc, 0x0d }, ++ { 0x96, 0xea, 0x5b, 0xd8, 0xc0, 0x36, 0x1a, 0x1f, ++ 0xf8, 0xb7, 0x2b, 0xd0, 0x09, 0x4b, 0xe1, 0x7b } + }, + { + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +@@ -95,38 +181,11 @@ static void test_murmurhash3_128(void) + "aaaaaaaaaaaaaaaaaaaa", + 256, + 0x9747b28c, +- { 0xa5dec1c4, 0x07bd957c, 0x1f6cee55, 0xc4d8bb8d } +- }, +-#else /* 32 bit test vectors */ +- { "", 0, 0x00000000, { 0x00000000, 0x00000000, 0x00000000, 0x00000000 }}, +- { "", 0, 0x00000001, { 0x88c4adec, 0x54d201b9, 0x54d201b9, 0x54d201b9 }}, +- { "", 0, 0xffffffff, { 0x051e08a9, 0x989d49f7, 0x989d49f7, 0x989d49f7 }}, +- { "\0\0\0\0", 4, 0x00000000, { 0xcc066f1f, 0x9e517840, 0x9e517840, 0x9e517840 }}, +- { "aaaa", 4, 0x9747b28c, { 0x36804cef, 0x2a61c224, 0x2a61c224, 0x2a61c224 }}, +- { "aaa", 3, 0x9747b28c, { 0x838389be, 0x9aad7f88, 0x9aad7f88, 0x9aad7f88 }}, +- { "aa", 2, 0x9747b28c, { 0xdfbe4a86, 0x4a9c350b, 0x4a9c350b, 0x4a9c350b }}, +- { "a", 1, 0x9747b28c, { 0x084ef944, 0x21a1186e, 0x21a1186e, 0x21a1186e }}, +- { "abcd", 4, 0x9747b28c, { 0x4795c529, 0xcec1885e, 0xcec1885e, 0xcec1885e }}, +- { "abc", 3, 0x9747b28c, { 0xd6359eaf, 0x48fc3ac3, 0x48fc3ac3, 0x48fc3ac3 }}, +- { "ab", 2, 0x9747b28c, { 0x3837d795, 0xc7fe5896, 0xc7fe5896, 0xc7fe5896 }}, +- { "Hello, world!", 13, 0x9747b28c, { 0x756d5460, 0xbb872216, 0xb7d48b7c, 0x53c8c636 }}, +- { +- "\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80", +- 16, +- 0x9747b28c, +- { 0xaf2ad325, 0x3a74df88, 0x38cc7534, 0xf197cc0d } ++ { 0xd3, 0xf2, 0xb7, 0xbb, 0xf6, 0x66, 0xc0, 0xcc, ++ 0xd4, 0xa4, 0x00, 0x60, 0x5e, 0xc8, 0xd3, 0x2a }, ++ { 0x07, 0xbd, 0x95, 0x7c, 0xa5, 0xde, 0xc1, 0xc4, ++ 0xc4, 0xd8, 0xbb, 0x8d, 0x1f, 0x6c, 0xee, 0x55 } + }, +- { +- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +- "aaaaaaaaaaaaaaaaaaaa", +- 256, +- 0x9747b28c, +- { 0xd3f2b7bb, 0xf666c0cc, 0xd4a40060, 0x5ec8d32a } +- }, +-#endif + }; + + test_murmurhash3_algorithm("murmurhash3_128", murmurhash3_128, diff --git a/dovecot.spec b/dovecot.spec index f466d86..1122e27 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.1 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -34,6 +34,9 @@ Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch +# from upstream, for dovecot < 2.3.2 +Patch11: dovecot-2.3.1-murmurfix.patch + Source15: prestartscript BuildRequires: gcc openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel @@ -135,6 +138,7 @@ This package provides the development files for dovecot. %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem %patch10 -p1 -b .libxcrypt +%patch11 -p1 -b .murmurfix #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -497,6 +501,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Mar 28 2018 Michal Hlavinka - 1:2.3.1-2 +- fix ftbfs - murmurhash3 check fail + * Wed Mar 28 2018 Michal Hlavinka - 1:2.3.1-1 - dovecot updated to 2.3.1, pigeonhole updated to 0.5.1 From f874d6b553bf3c4bc9d58ef3fd448b4ef7f5a174 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 19 Apr 2018 16:20:52 +0200 Subject: [PATCH 032/163] fix typo and add c++ BR --- dovecot-2.0-defaultconfig.patch | 2 +- dovecot.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dovecot-2.0-defaultconfig.patch b/dovecot-2.0-defaultconfig.patch index 3f7173f..c18dd47 100644 --- a/dovecot-2.0-defaultconfig.patch +++ b/dovecot-2.0-defaultconfig.patch @@ -27,7 +27,7 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH # To disable non-EC DH, use: #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH -+ssl_ciper_list = PROFILE=SYSTEM ++ssl_cipher_list = PROFILE=SYSTEM # Colon separated list of elliptic curves to use. Empty value (the default) # means use the defaults from the SSL library. P-521:P-384:P-256 would be an diff --git a/dovecot.spec b/dovecot.spec index 1122e27..1baec19 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -39,7 +39,7 @@ Patch11: dovecot-2.3.1-murmurfix.patch Source15: prestartscript -BuildRequires: gcc openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel +BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: sqlite-devel BuildRequires: postgresql-devel From b6cdfb140c0f3618c4531178f0f82f368e2b747f Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 9 Jul 2018 12:09:49 +0200 Subject: [PATCH 033/163] dovecot updated to 2.3.2, pigeonhole to 0.5.2 --- dovecot-2.2.22-systemd_w_protectsystem.patch | 10 +- dovecot-2.3.1-murmurfix.patch | 280 ------------------- dovecot.spec | 13 +- sources | 4 +- 4 files changed, 13 insertions(+), 294 deletions(-) delete mode 100644 dovecot-2.3.1-murmurfix.patch diff --git a/dovecot-2.2.22-systemd_w_protectsystem.patch b/dovecot-2.2.22-systemd_w_protectsystem.patch index 0ffb043..d00a9b9 100644 --- a/dovecot-2.2.22-systemd_w_protectsystem.patch +++ b/dovecot-2.2.22-systemd_w_protectsystem.patch @@ -1,11 +1,11 @@ -diff -up dovecot-2.3.0.1/dovecot.service.in.systemd_w_protectsystem dovecot-2.3.0.1/dovecot.service.in ---- dovecot-2.3.0.1/dovecot.service.in.systemd_w_protectsystem 2018-03-01 10:41:05.591067106 +0100 -+++ dovecot-2.3.0.1/dovecot.service.in 2018-03-01 10:42:52.859959021 +0100 -@@ -20,6 +20,7 @@ ExecReload=@bindir@/doveadm reload +diff -up dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem dovecot-2.3.2/dovecot.service.in +--- dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem 2018-07-09 12:00:13.359193526 +0200 ++++ dovecot-2.3.2/dovecot.service.in 2018-07-09 12:00:46.387716884 +0200 +@@ -23,6 +23,7 @@ ExecReload=@bindir@/doveadm reload ExecStop=@bindir@/doveadm stop PrivateTmp=true NonBlocking=yes +# this will make /usr /boot /etc read only for dovecot ProtectSystem=full + ProtectHome=no PrivateDevices=true - # disable this if you want to use apparmor plugin diff --git a/dovecot-2.3.1-murmurfix.patch b/dovecot-2.3.1-murmurfix.patch deleted file mode 100644 index b096717..0000000 --- a/dovecot-2.3.1-murmurfix.patch +++ /dev/null @@ -1,280 +0,0 @@ -diff -up dovecot-2.3.1/src/lib/murmurhash3.c.murmurfix dovecot-2.3.1/src/lib/murmurhash3.c ---- dovecot-2.3.1/src/lib/murmurhash3.c.murmurfix 2017-12-28 09:46:56.000000000 +0100 -+++ dovecot-2.3.1/src/lib/murmurhash3.c 2018-03-28 13:45:07.282004287 +0200 -@@ -23,7 +23,7 @@ - - static inline uint32_t getblock32(const uint32_t *p, int i) - { -- return p[i]; -+ return le32_to_cpu(p[i]); - } - - //----------------------------------------------------------------------------- -@@ -94,6 +94,8 @@ void murmurhash3_32 (const void *key, si - - h1 = fmix32(h1); - -+ h1 = cpu32_to_be(h1); -+ - memcpy(out, &h1, sizeof(h1)); - } - -@@ -103,7 +105,7 @@ void murmurhash3_32 (const void *key, si - - static inline uint64_t getblock64(const uint64_t *p, int i) - { -- return p[i]; -+ return le64_to_cpu(p[i]); - } - - static inline uint64_t fmix64(uint64_t k) -@@ -206,6 +208,9 @@ void murmurhash3_128(const void *key, si - h1 += h2; - h2 += h1; - -+ h1 = cpu64_to_be(h1); -+ h2 = cpu64_to_be(h2); -+ - memcpy(out, &h1, sizeof(h1)); - memcpy(out+sizeof(h1), &h2, sizeof(h2)); - } -@@ -323,6 +328,11 @@ void murmurhash3_128(const void *key, si - h1 += h2; h1 += h3; h1 += h4; - h2 += h1; h3 += h1; h4 += h1; - -+ h1 = cpu32_to_be(h1); -+ h2 = cpu32_to_be(h2); -+ h3 = cpu32_to_be(h3); -+ h4 = cpu32_to_be(h4); -+ - memcpy(out, &h1, sizeof(h1)); - memcpy(out+sizeof(h1), &h2, sizeof(h2)); - memcpy(out+sizeof(h1)*2, &h3, sizeof(h3)); -diff -up dovecot-2.3.1/src/lib/test-murmurhash3.c.murmurfix dovecot-2.3.1/src/lib/test-murmurhash3.c ---- dovecot-2.3.1/src/lib/test-murmurhash3.c.murmurfix 2018-03-20 11:15:40.000000000 +0100 -+++ dovecot-2.3.1/src/lib/test-murmurhash3.c 2018-03-28 13:45:15.207074149 +0200 -@@ -7,7 +7,19 @@ struct murmur3_test_vectors { - const char *input; - size_t len; - uint32_t seed; -- uint32_t result[4]; /* fits all results */ -+ -+ /* murmurhash3_128() produces a different output on ILP32 and LP64 -+ systems (by design). Therefore, we must use different expected -+ results based on what system we're on. We define both all the -+ time, but use the below pre-processor magic to select which -+ version we'll use. */ -+ uint8_t result_ilp32[MURMURHASH3_128_RESULTBYTES]; /* fits all results */ -+ uint8_t result_lp64[MURMURHASH3_128_RESULTBYTES]; /* fits all results */ -+#ifdef _LP64 -+#define result result_lp64 -+#else -+#define result result_ilp32 -+#endif - }; - - static void test_murmurhash3_algorithm(const char *name, -@@ -29,24 +41,49 @@ static void test_murmurhash3_algorithm(c - - static void test_murmurhash3_32(void) - { -+ /* murmurhash3_32() produces the same output on both ILP32 and LP64 -+ systems, so use the same expected outputs for both */ - struct murmur3_test_vectors vectors[] = { -- { "", 0, 0, { 0, 0, 0, 0}}, -- { "", 0, 0x1, { 0x514E28B7, 0, 0, 0 }}, -- { "", 0, 0xFFFFFFFF, { 0x81F16F39, 0, 0, 0 }}, -- { "\0\0\0\0", 4, 0, { 0x2362F9DE, 0, 0, 0 }}, -- { "aaaa", 4, 0x9747b28c, { 0x5A97808A, 0, 0, 0 }}, -- { "aaa", 3, 0x9747b28c, { 0x283E0130, 0, 0, 0 }}, -- { "aa", 2, 0x9747b28c, { 0x5D211726, 0, 0, 0 }}, -- { "a", 1, 0x9747b28c, { 0x7FA09EA6, 0, 0, 0 }}, -- { "abcd", 4, 0x9747b28c, { 0xF0478627, 0, 0, 0 }}, -- { "abc", 3, 0x9747b28c, { 0xC84A62DD, 0, 0, 0 }}, -- { "ab", 2, 0x9747b28c, { 0x74875592, 0, 0, 0 }}, -- { "Hello, world!", 13, 0x9747b28c, { 0x24884CBA, 0, 0, 0 }}, -+ { "", 0, 0, { 0, }, { 0, } }, -+ { "", 0, 0x1, -+ { 0x51, 0x4E, 0x28, 0xB7, }, -+ { 0x51, 0x4E, 0x28, 0xB7, } }, -+ { "", 0, 0xFFFFFFFF, -+ { 0x81, 0xF1, 0x6F, 0x39, }, -+ { 0x81, 0xF1, 0x6F, 0x39, } }, -+ { "\0\0\0\0", 4, 0, -+ { 0x23, 0x62, 0xF9, 0xDE, }, -+ { 0x23, 0x62, 0xF9, 0xDE, } }, -+ { "aaaa", 4, 0x9747b28c, -+ { 0x5A, 0x97, 0x80, 0x8A, }, -+ { 0x5A, 0x97, 0x80, 0x8A, } }, -+ { "aaa", 3, 0x9747b28c, -+ { 0x28, 0x3E, 0x01, 0x30, }, -+ { 0x28, 0x3E, 0x01, 0x30, } }, -+ { "aa", 2, 0x9747b28c, -+ { 0x5D, 0x21, 0x17, 0x26, }, -+ { 0x5D, 0x21, 0x17, 0x26, } }, -+ { "a", 1, 0x9747b28c, -+ { 0x7F, 0xA0, 0x9E, 0xA6, }, -+ { 0x7F, 0xA0, 0x9E, 0xA6, } }, -+ { "abcd", 4, 0x9747b28c, -+ { 0xF0, 0x47, 0x86, 0x27, }, -+ { 0xF0, 0x47, 0x86, 0x27, } }, -+ { "abc", 3, 0x9747b28c, -+ { 0xC8, 0x4A, 0x62, 0xDD, }, -+ { 0xC8, 0x4A, 0x62, 0xDD, } }, -+ { "ab", 2, 0x9747b28c, -+ { 0x74, 0x87, 0x55, 0x92, }, -+ { 0x74, 0x87, 0x55, 0x92, } }, -+ { "Hello, world!", 13, 0x9747b28c, -+ { 0x24, 0x88, 0x4C, 0xBA, }, -+ { 0x24, 0x88, 0x4C, 0xBA, } }, - { - "\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80", - 16, - 0x9747b28c, -- { 0xD58063C1, 0, 0, 0 } -+ { 0xD5, 0x80, 0x63, 0xC1, }, -+ { 0xD5, 0x80, 0x63, 0xC1, } - }, /* 8 U+03C0 (Greek Small Letter Pi) */ - { - "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -@@ -56,7 +93,8 @@ static void test_murmurhash3_32(void) - "aaaaaaaaaaaaaaaaaaaa", - 256, - 0x9747b28c, -- { 0x37405BDC, 0, 0, 0 } -+ { 0x37, 0x40, 0x5B, 0xDC, }, -+ { 0x37, 0x40, 0x5B, 0xDC, } - }, - }; - -@@ -67,25 +105,73 @@ static void test_murmurhash3_32(void) - - static void test_murmurhash3_128(void) - { -+ /* murmurhash3_128() produces a different output on ILP32 and LP64 -+ systems (by design). */ - struct murmur3_test_vectors vectors[] = { --#ifdef _LP64 -- { "", 0, 0x00000000, { 0x00000000, 0x00000000, 0x00000000, 0x00000000 }}, -- { "", 0, 0x00000001, { 0x6eff5cb5, 0x4610abe5, 0x78f83583, 0x51622daa }}, -- { "", 0, 0xffffffff, { 0x9d3bc9ec, 0x6af1df4d, 0x1ee6446b, 0x85742112 }}, -- { "\0\0\0\0", 4, 0x00000000, { 0xd84c76bc, 0xcfa0f7dd, 0x1cf526f1, 0x58962316 }}, -- { "aaaa", 4, 0x9747b28c, { 0x5e649bf0, 0xb4e0a5f7, 0x038c569f, 0xa5d3e8e9 }}, -- { "aaa", 3, 0x9747b28c, { 0xe4c7466b, 0x8ea5e37a, 0x35dc931c, 0xf925bef0 }}, -- { "aa", 2, 0x9747b28c, { 0xbee5bb1f, 0x12a698a9, 0x5e269401, 0xe93630ff }}, -- { "a", 1, 0x9747b28c, { 0x2db25a1d, 0x5ce8d851, 0x9208f004, 0x9e6dab0f }}, -- { "abcd", 4, 0x9747b28c, { 0xac553791, 0x49b4709e, 0xe9d3a7bb, 0x8a7e67e7 }}, -- { "abc", 3, 0x9747b28c, { 0xbfc3cedc, 0x3743630d, 0x20b504bf, 0xcde0a234 }}, -- { "ab", 2, 0x9747b28c, { 0x1a44280b, 0x8434eead, 0x63ce372b, 0x7eb933e7 }}, -- { "Hello, world!", 13, 0x9747b28c, { 0x62a8392e, 0xedc485d6, 0x31d576ba, 0xf85e7e76 }}, -+ { "", 0, 0x00000000, { 0, }, { 0, }}, -+ { "", 0, 0x00000001, -+ { 0x88, 0xc4, 0xad, 0xec, 0x54, 0xd2, 0x01, 0xb9, -+ 0x54, 0xd2, 0x01, 0xb9, 0x54, 0xd2, 0x01, 0xb9 }, -+ { 0x46, 0x10, 0xab, 0xe5, 0x6e, 0xff, 0x5c, 0xb5, -+ 0x51, 0x62, 0x2d, 0xaa, 0x78, 0xf8, 0x35, 0x83 }}, -+ { "", 0, 0xffffffff, -+ { 0x05, 0x1e, 0x08, 0xa9, 0x98, 0x9d, 0x49, 0xf7, -+ 0x98, 0x9d, 0x49, 0xf7, 0x98, 0x9d, 0x49, 0xf7 }, -+ { 0x6a, 0xf1, 0xdf, 0x4d, 0x9d, 0x3b, 0xc9, 0xec, -+ 0x85, 0x74, 0x21, 0x12, 0x1e, 0xe6, 0x44, 0x6b }}, -+ { "\0\0\0\0", 4, 0x00000000, -+ { 0xcc, 0x06, 0x6f, 0x1f, 0x9e, 0x51, 0x78, 0x40, -+ 0x9e, 0x51, 0x78, 0x40, 0x9e, 0x51, 0x78, 0x40 }, -+ { 0xcf, 0xa0, 0xf7, 0xdd, 0xd8, 0x4c, 0x76, 0xbc, -+ 0x58, 0x96, 0x23, 0x16, 0x1c, 0xf5, 0x26, 0xf1 }}, -+ { "aaaa", 4, 0x9747b28c, -+ { 0x36, 0x80, 0x4c, 0xef, 0x2a, 0x61, 0xc2, 0x24, -+ 0x2a, 0x61, 0xc2, 0x24, 0x2a, 0x61, 0xc2, 0x24 }, -+ { 0xb4, 0xe0, 0xa5, 0xf7, 0x5e, 0x64, 0x9b, 0xf0, -+ 0xa5, 0xd3, 0xe8, 0xe9, 0x03, 0x8c, 0x56, 0x9f }}, -+ { "aaa", 3, 0x9747b28c, -+ { 0x83, 0x83, 0x89, 0xbe, 0x9a, 0xad, 0x7f, 0x88, -+ 0x9a, 0xad, 0x7f, 0x88, 0x9a, 0xad, 0x7f, 0x88 }, -+ { 0x8e, 0xa5, 0xe3, 0x7a, 0xe4, 0xc7, 0x46, 0x6b, -+ 0xf9, 0x25, 0xbe, 0xf0, 0x35, 0xdc, 0x93, 0x1c }}, -+ { "aa", 2, 0x9747b28c, -+ { 0xdf, 0xbe, 0x4a, 0x86, 0x4a, 0x9c, 0x35, 0x0b, -+ 0x4a, 0x9c, 0x35, 0x0b, 0x4a, 0x9c, 0x35, 0x0b }, -+ { 0x12, 0xa6, 0x98, 0xa9, 0xbe, 0xe5, 0xbb, 0x1f, -+ 0xe9, 0x36, 0x30, 0xff, 0x5e, 0x26, 0x94, 0x01 }}, -+ { "a", 1, 0x9747b28c, -+ { 0x08, 0x4e, 0xf9, 0x44, 0x21, 0xa1, 0x18, 0x6e, -+ 0x21, 0xa1, 0x18, 0x6e, 0x21, 0xa1, 0x18, 0x6e }, -+ { 0x5c, 0xe8, 0xd8, 0x51, 0x2d, 0xb2, 0x5a, 0x1d, -+ 0x9e, 0x6d, 0xab, 0x0f, 0x92, 0x08, 0xf0, 0x04 }}, -+ { "abcd", 4, 0x9747b28c, -+ { 0x47, 0x95, 0xc5, 0x29, 0xce, 0xc1, 0x88, 0x5e, -+ 0xce, 0xc1, 0x88, 0x5e, 0xce, 0xc1, 0x88, 0x5e }, -+ { 0x49, 0xb4, 0x70, 0x9e, 0xac, 0x55, 0x37, 0x91, -+ 0x8a, 0x7e, 0x67, 0xe7, 0xe9, 0xd3, 0xa7, 0xbb }}, -+ { "abc", 3, 0x9747b28c, -+ { 0xd6, 0x35, 0x9e, 0xaf, 0x48, 0xfc, 0x3a, 0xc3, -+ 0x48, 0xfc, 0x3a, 0xc3, 0x48, 0xfc, 0x3a, 0xc3 }, -+ { 0x37, 0x43, 0x63, 0x0d, 0xbf, 0xc3, 0xce, 0xdc, -+ 0xcd, 0xe0, 0xa2, 0x34, 0x20, 0xb5, 0x04, 0xbf }}, -+ { "ab", 2, 0x9747b28c, -+ { 0x38, 0x37, 0xd7, 0x95, 0xc7, 0xfe, 0x58, 0x96, -+ 0xc7, 0xfe, 0x58, 0x96, 0xc7, 0xfe, 0x58, 0x96 }, -+ { 0x84, 0x34, 0xee, 0xad, 0x1a, 0x44, 0x28, 0x0b, -+ 0x7e, 0xb9, 0x33, 0xe7, 0x63, 0xce, 0x37, 0x2b }}, -+ { "Hello, world!", 13, 0x9747b28c, -+ { 0x75, 0x6d, 0x54, 0x60, 0xbb, 0x87, 0x22, 0x16, -+ 0xb7, 0xd4, 0x8b, 0x7c, 0x53, 0xc8, 0xc6, 0x36 }, -+ { 0xed, 0xc4, 0x85, 0xd6, 0x62, 0xa8, 0x39, 0x2e, -+ 0xf8, 0x5e, 0x7e, 0x76, 0x31, 0xd5, 0x76, 0xba }}, - { - "\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80", - 16, - 0x9747b28c, -- { 0xc0361a1f, 0x96ea5bd8, 0x094be17b, 0xf8b72bd0 } -+ { 0xaf, 0x2a, 0xd3, 0x25, 0x3a, 0x74, 0xdf, 0x88, -+ 0x38, 0xcc, 0x75, 0x34, 0xf1, 0x97, 0xcc, 0x0d }, -+ { 0x96, 0xea, 0x5b, 0xd8, 0xc0, 0x36, 0x1a, 0x1f, -+ 0xf8, 0xb7, 0x2b, 0xd0, 0x09, 0x4b, 0xe1, 0x7b } - }, - { - "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -@@ -95,38 +181,11 @@ static void test_murmurhash3_128(void) - "aaaaaaaaaaaaaaaaaaaa", - 256, - 0x9747b28c, -- { 0xa5dec1c4, 0x07bd957c, 0x1f6cee55, 0xc4d8bb8d } -- }, --#else /* 32 bit test vectors */ -- { "", 0, 0x00000000, { 0x00000000, 0x00000000, 0x00000000, 0x00000000 }}, -- { "", 0, 0x00000001, { 0x88c4adec, 0x54d201b9, 0x54d201b9, 0x54d201b9 }}, -- { "", 0, 0xffffffff, { 0x051e08a9, 0x989d49f7, 0x989d49f7, 0x989d49f7 }}, -- { "\0\0\0\0", 4, 0x00000000, { 0xcc066f1f, 0x9e517840, 0x9e517840, 0x9e517840 }}, -- { "aaaa", 4, 0x9747b28c, { 0x36804cef, 0x2a61c224, 0x2a61c224, 0x2a61c224 }}, -- { "aaa", 3, 0x9747b28c, { 0x838389be, 0x9aad7f88, 0x9aad7f88, 0x9aad7f88 }}, -- { "aa", 2, 0x9747b28c, { 0xdfbe4a86, 0x4a9c350b, 0x4a9c350b, 0x4a9c350b }}, -- { "a", 1, 0x9747b28c, { 0x084ef944, 0x21a1186e, 0x21a1186e, 0x21a1186e }}, -- { "abcd", 4, 0x9747b28c, { 0x4795c529, 0xcec1885e, 0xcec1885e, 0xcec1885e }}, -- { "abc", 3, 0x9747b28c, { 0xd6359eaf, 0x48fc3ac3, 0x48fc3ac3, 0x48fc3ac3 }}, -- { "ab", 2, 0x9747b28c, { 0x3837d795, 0xc7fe5896, 0xc7fe5896, 0xc7fe5896 }}, -- { "Hello, world!", 13, 0x9747b28c, { 0x756d5460, 0xbb872216, 0xb7d48b7c, 0x53c8c636 }}, -- { -- "\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80\xcf\x80", -- 16, -- 0x9747b28c, -- { 0xaf2ad325, 0x3a74df88, 0x38cc7534, 0xf197cc0d } -+ { 0xd3, 0xf2, 0xb7, 0xbb, 0xf6, 0x66, 0xc0, 0xcc, -+ 0xd4, 0xa4, 0x00, 0x60, 0x5e, 0xc8, 0xd3, 0x2a }, -+ { 0x07, 0xbd, 0x95, 0x7c, 0xa5, 0xde, 0xc1, 0xc4, -+ 0xc4, 0xd8, 0xbb, 0x8d, 0x1f, 0x6c, 0xee, 0x55 } - }, -- { -- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -- "aaaaaaaaaaaaaaaaaaaa", -- 256, -- 0x9747b28c, -- { 0xd3f2b7bb, 0xf666c0cc, 0xd4a40060, 0x5ec8d32a } -- }, --#endif - }; - - test_murmurhash3_algorithm("murmurhash3_128", murmurhash3_128, diff --git a/dovecot.spec b/dovecot.spec index 1baec19..33a49af 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.1 +Version: 2.3.2 %global prever %{nil} -Release: 2%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.1 +%global pigeonholever 0.5.2 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -34,9 +34,6 @@ Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch -# from upstream, for dovecot < 2.3.2 -Patch11: dovecot-2.3.1-murmurfix.patch - Source15: prestartscript BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel @@ -138,7 +135,6 @@ This package provides the development files for dovecot. %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem %patch10 -p1 -b .libxcrypt -%patch11 -p1 -b .murmurfix #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -501,6 +497,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Jul 09 2018 Michal Hlavinka - 1:2.3.2-1 +- dovecot updated to 2.3.2, pigeonhole to 0.5.2 + * Wed Mar 28 2018 Michal Hlavinka - 1:2.3.1-2 - fix ftbfs - murmurhash3 check fail diff --git a/sources b/sources index 32f0896..140a873 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.1.tar.gz) = fe664ab771145f2390fef45839ff2756e36731c61e571dfa6975014f9cea43144e2aca0acf1a83b1dac55ad50042d0fa170b83570aa411228557861ada410b79 -SHA512 (dovecot-2.3-pigeonhole-0.5.1.tar.gz) = 5d65c3c9f3131c4e82287d054bd8b963d7c56c3e0677d7384881cf109ca82080d6222f672d8f973447d98be823a4df5bf43760d4ba87b76447d13abab30130c4 +SHA512 (dovecot-2.3.2.tar.gz) = e040a02226aadfe1a81b89225c11e08d0a1aa7ac51c309a95acbc13beb8c1df8a5c891709c7dde0dfb11af0c0bc8a82d27ffba1fb5d9166379241f945d1e8402 +SHA512 (dovecot-2.3-pigeonhole-0.5.2.tar.gz) = 6bc24d9241f94db795a012346d9bc94b5cc7d7ce0175c03213c2b5d179d80dec95e9bdbd50bed628c8f9f7c51639e692ba5e429212a3b4a654c1e4764ac4f11c From d8aa10f515eb3ff2741d2db646480862e8cb9dfa Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 9 Jul 2018 14:03:21 +0200 Subject: [PATCH 034/163] add compression test suite assert crash fix --- ...464385bbcd763f90abc5e212c569b9279ffa.patch | 41 +++++++++++++++++++ dovecot.spec | 4 ++ 2 files changed, 45 insertions(+) create mode 100644 64f4464385bbcd763f90abc5e212c569b9279ffa.patch diff --git a/64f4464385bbcd763f90abc5e212c569b9279ffa.patch b/64f4464385bbcd763f90abc5e212c569b9279ffa.patch new file mode 100644 index 0000000..e846809 --- /dev/null +++ b/64f4464385bbcd763f90abc5e212c569b9279ffa.patch @@ -0,0 +1,41 @@ +From 64f4464385bbcd763f90abc5e212c569b9279ffa Mon Sep 17 00:00:00 2001 +From: Paul Howarth +Date: Mon, 2 Jul 2018 11:52:14 +0100 +Subject: [PATCH] lib-compression: Fix assert-crash in test suite on 32bit + systems + +Fix compilation warnings in test-compression.c due to mismatches +between size_t and uoff_t, which then manifests in assert-crashes +running the test suite on 32bit systems. +--- + src/lib-compression/test-compression.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/lib-compression/test-compression.c b/src/lib-compression/test-compression.c +index 0f7df3d1fe..f62d7d6094 100644 +--- a/src/lib-compression/test-compression.c ++++ b/src/lib-compression/test-compression.c +@@ -20,6 +20,7 @@ static void test_compression_handler(const struct compression_handler *handler) + unsigned char buf[IO_BLOCK_SIZE]; + const unsigned char *data; + size_t size; ++ uoff_t stream_size; + struct sha1_ctxt sha1; + unsigned char output_sha1[SHA1_RESULTLEN], input_sha1[SHA1_RESULTLEN]; + unsigned int i; +@@ -73,11 +74,11 @@ static void test_compression_handler(const struct compression_handler *handler) + file_input = i_stream_create_fd(fd, IO_BLOCK_SIZE); + input = handler->create_istream(file_input, FALSE); + +- test_assert(i_stream_get_size(input, FALSE, &size) == 1); +- test_assert(size == compressed_size); ++ test_assert(i_stream_get_size(input, FALSE, &stream_size) == 1); ++ test_assert(stream_size == compressed_size); + +- test_assert(i_stream_get_size(input, TRUE, &size) == 1); +- test_assert(size == uncompressed_size); ++ test_assert(i_stream_get_size(input, TRUE, &stream_size) == 1); ++ test_assert(stream_size == uncompressed_size); + + sha1_init(&sha1); + for (bool seeked = FALSE;;) { diff --git a/dovecot.spec b/dovecot.spec index 33a49af..bdb377c 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -34,6 +34,9 @@ Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch +# for dovecot <= 2.3.2 +Patch11: 64f4464385bbcd763f90abc5e212c569b9279ffa.patch + Source15: prestartscript BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel @@ -135,6 +138,7 @@ This package provides the development files for dovecot. %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem %patch10 -p1 -b .libxcrypt +%patch11 -p1 -b .64f4464385bbcd763f90abc5e212c569b9279ffa #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd From 5cdfe068e439d6d8c9c84cd8d41bf1f47e8d9259 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 10 Jul 2018 09:19:54 +0200 Subject: [PATCH 035/163] SSL/TLS servers may have crashed during client disconnection --- ...464385bbcd763f90abc5e212c569b9279ffa.patch | 41 ------------------- dovecot.spec | 9 ++-- sources | 2 +- 3 files changed, 5 insertions(+), 47 deletions(-) delete mode 100644 64f4464385bbcd763f90abc5e212c569b9279ffa.patch diff --git a/64f4464385bbcd763f90abc5e212c569b9279ffa.patch b/64f4464385bbcd763f90abc5e212c569b9279ffa.patch deleted file mode 100644 index e846809..0000000 --- a/64f4464385bbcd763f90abc5e212c569b9279ffa.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 64f4464385bbcd763f90abc5e212c569b9279ffa Mon Sep 17 00:00:00 2001 -From: Paul Howarth -Date: Mon, 2 Jul 2018 11:52:14 +0100 -Subject: [PATCH] lib-compression: Fix assert-crash in test suite on 32bit - systems - -Fix compilation warnings in test-compression.c due to mismatches -between size_t and uoff_t, which then manifests in assert-crashes -running the test suite on 32bit systems. ---- - src/lib-compression/test-compression.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/src/lib-compression/test-compression.c b/src/lib-compression/test-compression.c -index 0f7df3d1fe..f62d7d6094 100644 ---- a/src/lib-compression/test-compression.c -+++ b/src/lib-compression/test-compression.c -@@ -20,6 +20,7 @@ static void test_compression_handler(const struct compression_handler *handler) - unsigned char buf[IO_BLOCK_SIZE]; - const unsigned char *data; - size_t size; -+ uoff_t stream_size; - struct sha1_ctxt sha1; - unsigned char output_sha1[SHA1_RESULTLEN], input_sha1[SHA1_RESULTLEN]; - unsigned int i; -@@ -73,11 +74,11 @@ static void test_compression_handler(const struct compression_handler *handler) - file_input = i_stream_create_fd(fd, IO_BLOCK_SIZE); - input = handler->create_istream(file_input, FALSE); - -- test_assert(i_stream_get_size(input, FALSE, &size) == 1); -- test_assert(size == compressed_size); -+ test_assert(i_stream_get_size(input, FALSE, &stream_size) == 1); -+ test_assert(stream_size == compressed_size); - -- test_assert(i_stream_get_size(input, TRUE, &size) == 1); -- test_assert(size == uncompressed_size); -+ test_assert(i_stream_get_size(input, TRUE, &stream_size) == 1); -+ test_assert(stream_size == uncompressed_size); - - sha1_init(&sha1); - for (bool seeked = FALSE;;) { diff --git a/dovecot.spec b/dovecot.spec index bdb377c..0d5e2a4 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.2 +Version: 2.3.2.1 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -34,9 +34,6 @@ Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch -# for dovecot <= 2.3.2 -Patch11: 64f4464385bbcd763f90abc5e212c569b9279ffa.patch - Source15: prestartscript BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel @@ -138,7 +135,6 @@ This package provides the development files for dovecot. %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem %patch10 -p1 -b .libxcrypt -%patch11 -p1 -b .64f4464385bbcd763f90abc5e212c569b9279ffa #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -501,6 +497,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Jul 10 2018 Michal Hlavinka - 1:2.3.2.1-1 +- SSL/TLS servers may have crashed during client disconnection + * Mon Jul 09 2018 Michal Hlavinka - 1:2.3.2-1 - dovecot updated to 2.3.2, pigeonhole to 0.5.2 diff --git a/sources b/sources index 140a873..daab9d6 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.2.tar.gz) = e040a02226aadfe1a81b89225c11e08d0a1aa7ac51c309a95acbc13beb8c1df8a5c891709c7dde0dfb11af0c0bc8a82d27ffba1fb5d9166379241f945d1e8402 +SHA512 (dovecot-2.3.2.1.tar.gz) = c085a0d04925485423086736a3c7d919ad0ca9efeff005890382da5333edb68c7d23ccb89fbe2ac44f8f016fc993bf2c669e450794c3ab13463676cbb47c7bf7 SHA512 (dovecot-2.3-pigeonhole-0.5.2.tar.gz) = 6bc24d9241f94db795a012346d9bc94b5cc7d7ce0175c03213c2b5d179d80dec95e9bdbd50bed628c8f9f7c51639e692ba5e429212a3b4a654c1e4764ac4f11c From 97ed87d1518f002f221feb60d559653e1794912f Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 12 Jul 2018 23:06:07 +0000 Subject: [PATCH 036/163] - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 0d5e2a4..9d874c9 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.2.1 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -497,6 +497,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Jul 12 2018 Fedora Release Engineering - 1:2.3.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + * Tue Jul 10 2018 Michal Hlavinka - 1:2.3.2.1-1 - SSL/TLS servers may have crashed during client disconnection From 08134424664464c56a4981d011c3a6f383d403c3 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 13 Aug 2018 17:51:07 +0200 Subject: [PATCH 037/163] do not try to generate ssl-params as its obsolete (#1614640) --- dovecot-2.2.20-initbysystemd.patch | 7 +------ dovecot.spec | 5 ++++- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/dovecot-2.2.20-initbysystemd.patch b/dovecot-2.2.20-initbysystemd.patch index 4acaaa6..01e8263 100644 --- a/dovecot-2.2.20-initbysystemd.patch +++ b/dovecot-2.2.20-initbysystemd.patch @@ -1,10 +1,9 @@ diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dovecot-init.service --- dovecot-2.3.0.1/dovecot-init.service.initbysystemd 2018-03-01 10:38:22.059716008 +0100 +++ dovecot-2.3.0.1/dovecot-init.service 2018-03-01 10:38:22.059716008 +0100 -@@ -0,0 +1,18 @@ +@@ -0,0 +1,13 @@ +[Unit] +Description=One-time Dovecot init service -+ConditionPathExists=|!/var/lib/dovecot/ssl-parameters.dat +ConditionPathExists=|!/etc/pki/dovecot/certs/dovecot.pem + +[Service] @@ -15,10 +14,6 @@ diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dove +then\ + SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;\ +fi;\ -+if [ ! -f /var/lib/dovecot/ssl-parameters.dat ]; \ -+then\ -+ /usr/libexec/dovecot/ssl-params >/dev/null 2>&1; \ -+fi' + diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/dovecot.service.in --- dovecot-2.3.0.1/dovecot.service.in.initbysystemd 2018-03-01 10:38:22.060716016 +0100 diff --git a/dovecot.spec b/dovecot.spec index 9d874c9..df6d636 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.2.1 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -497,6 +497,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Aug 13 2018 Michal Hlavinka - 1:2.3.2.1-3 +- do not try to generate ssl-params as its obsolete (#1614640) + * Thu Jul 12 2018 Fedora Release Engineering - 1:2.3.2.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild From 571d3e074e81aa08f8a37765bc56172d13d4a4a4 Mon Sep 17 00:00:00 2001 From: Pavel Raiskup Date: Wed, 5 Sep 2018 15:07:12 +0200 Subject: [PATCH 038/163] BuildRequires: s/postgresql-devel/libpq-devel/ That's because we moved libpq.so.5 into libpq package. Related: rhbz#1618698, rhbz#1623764 --- dovecot.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index df6d636..3bab8da 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -39,7 +39,7 @@ Source15: prestartscript BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: sqlite-devel -BuildRequires: postgresql-devel +BuildRequires: libpq-devel %if %{?fedora}0 < 280 BuildRequires: mysql-devel BuildRequires: tcp_wrappers-devel From ac25631e9277f8623c5e866c987c68ebfaeb1ea5 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 2 Oct 2018 10:36:12 +0200 Subject: [PATCH 039/163] fix dovecot-init service syntax error (#1635017) --- dovecot-2.2.20-initbysystemd.patch | 2 +- dovecot.spec | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/dovecot-2.2.20-initbysystemd.patch b/dovecot-2.2.20-initbysystemd.patch index 01e8263..7e3d94c 100644 --- a/dovecot-2.2.20-initbysystemd.patch +++ b/dovecot-2.2.20-initbysystemd.patch @@ -13,7 +13,7 @@ diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dove +if [ ! -f /etc/pki/dovecot/certs/dovecot.pem ]; \ +then\ + SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;\ -+fi;\ ++fi' + diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/dovecot.service.in --- dovecot-2.3.0.1/dovecot.service.in.initbysystemd 2018-03-01 10:38:22.060716016 +0100 diff --git a/dovecot.spec b/dovecot.spec index 3bab8da..be1fe03 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.2.1 %global prever %{nil} -Release: 3%{?dist} +Release: 4%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -497,6 +497,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Oct 02 2018 Michal Hlavinka - 1:2.3.2.1-4 +- fix dovecot-init service syntax error (#1635017) + * Mon Aug 13 2018 Michal Hlavinka - 1:2.3.2.1-3 - do not try to generate ssl-params as its obsolete (#1614640) From 6d73939b5f803aeb6c04ef7186d68aee9219b064 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 2 Oct 2018 10:41:13 +0200 Subject: [PATCH 040/163] dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3 doveconf hides more secrets now in the default output NUL bytes in mail headers can cause truncated replies when fetched. virtual plugin: Some searches used 100% CPU for many seconds dsync assert-crashed with acl plugin in some situations. imapc: Fixed various assert-crashes when reconnecting to server. --- dovecot.spec | 15 ++++++++++++--- sources | 4 ++-- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index be1fe03..1e5e846 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.2.1 +Version: 2.3.3 %global prever %{nil} -Release: 4%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.2 +%global pigeonholever 0.5.3 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -497,6 +497,15 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Oct 02 2018 Michal Hlavinka - 1:2.3.3-1 +- dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3 +- doveconf hides more secrets now in the default output +- NUL bytes in mail headers can cause truncated replies when fetched. +- virtual plugin: Some searches used 100% CPU for many seconds +- dsync assert-crashed with acl plugin in some situations. +- imapc: Fixed various assert-crashes when reconnecting to server. + + * Tue Oct 02 2018 Michal Hlavinka - 1:2.3.2.1-4 - fix dovecot-init service syntax error (#1635017) diff --git a/sources b/sources index daab9d6..99f9b1e 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.2.1.tar.gz) = c085a0d04925485423086736a3c7d919ad0ca9efeff005890382da5333edb68c7d23ccb89fbe2ac44f8f016fc993bf2c669e450794c3ab13463676cbb47c7bf7 -SHA512 (dovecot-2.3-pigeonhole-0.5.2.tar.gz) = 6bc24d9241f94db795a012346d9bc94b5cc7d7ce0175c03213c2b5d179d80dec95e9bdbd50bed628c8f9f7c51639e692ba5e429212a3b4a654c1e4764ac4f11c +SHA512 (dovecot-2.3.3.tar.gz) = 8666c4f92f7df883067540f85be9d03dbe6815b58a7f5de55b4292e986e9a2a1ef52c7e0c72dde2bc781fe40d57488b78a99b6b813745b8e4683f1a2fdc1f2ff +SHA512 (dovecot-2.3-pigeonhole-0.5.3.tar.gz) = 8403b1976a915836ba875b96825446d46e0d8c7ff245ed1f2b014347fdc78a81f9ed6dbd05bd3b4f1f7072edc5e9a302201cdb375de44436adcbb83919f203f5 From aa4c0451e31c08e0ac20b8b5a13bf24c9a8746c6 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 9 Jan 2019 17:09:09 +0100 Subject: [PATCH 041/163] dovecot updated to 2.3.4, pigeonhole updated to 0.5.4 --- dovecot.spec | 10 +++++++--- sources | 4 ++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 1e5e846..aa5de6b 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.3 +Version: 2.3.4 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -14,7 +14,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.3 +%global pigeonholever 0.5.4 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -51,6 +51,7 @@ BuildRequires: openldap-devel BuildRequires: krb5-devel BuildRequires: quota-devel BuildRequires: xz-devel +BuildRequires: libsodium-devel # gettext-devel is needed for running autoconf because of the # presence of AM_ICONV @@ -134,7 +135,7 @@ This package provides the development files for dovecot. %patch6 -p1 -b .waitonline %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem -%patch10 -p1 -b .libxcrypt +#%patch10 -p1 -b .libxcrypt #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -497,6 +498,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Jan 09 2019 Michal Hlavinka - 1:2.3.4-1 +- dovecot updated to 2.3.4, pigeonhole updated to 0.5.4 + * Tue Oct 02 2018 Michal Hlavinka - 1:2.3.3-1 - dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3 - doveconf hides more secrets now in the default output diff --git a/sources b/sources index 99f9b1e..05b6440 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.3.tar.gz) = 8666c4f92f7df883067540f85be9d03dbe6815b58a7f5de55b4292e986e9a2a1ef52c7e0c72dde2bc781fe40d57488b78a99b6b813745b8e4683f1a2fdc1f2ff -SHA512 (dovecot-2.3-pigeonhole-0.5.3.tar.gz) = 8403b1976a915836ba875b96825446d46e0d8c7ff245ed1f2b014347fdc78a81f9ed6dbd05bd3b4f1f7072edc5e9a302201cdb375de44436adcbb83919f203f5 +SHA512 (dovecot-2.3.4.tar.gz) = 9e97eb08c319c417e8abcb430b3e6c87ed5aa820d6288656fdfd958ff34664f67202a66e4846763bfc85b309b116cea8012e49dab98b478c57974cc178a37a5a +SHA512 (dovecot-2.3-pigeonhole-0.5.4.tar.gz) = 9c82cce7540f8ab66e2e370e0220c99048d6ac53ed680cd763e0b03d0200e2451cee4303ef97b87a16e7248e1c73b92ba91b47a2a20c75cb2cd62695a28046f3 From d111f39fa0e74932996076e3c3e480c575b7bc4f Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 9 Jan 2019 17:46:45 +0100 Subject: [PATCH 042/163] fix tests --- dovecot-2.3.4-de42b54.patch | 69 +++++++++++++++++++++++++++++++++++++ dovecot.spec | 2 ++ 2 files changed, 71 insertions(+) create mode 100644 dovecot-2.3.4-de42b54.patch diff --git a/dovecot-2.3.4-de42b54.patch b/dovecot-2.3.4-de42b54.patch new file mode 100644 index 0000000..534ce98 --- /dev/null +++ b/dovecot-2.3.4-de42b54.patch @@ -0,0 +1,69 @@ +diff --git a/src/lib-master/test-event-stats.c b/src/lib-master/test-event-stats.c +index 8fcb3dd22d..2d8a13cd40 100644 +--- a/src/lib-master/test-event-stats.c ++++ b/src/lib-master/test-event-stats.c +@@ -344,7 +344,7 @@ static void test_no_merging2(void) + event_unref(&child_ev); + test_assert( + compare_test_stats_to( +- "EVENT %lu 1 0 0" ++ "EVENT %"PRIu64" 1 0 0" + " stest-event-stats.c %d" + " l0 0 ctest2\n", id, l)); + test_end(); +@@ -370,12 +370,12 @@ static void test_no_merging3(void) + event_unref(&child_ev); + test_assert( + compare_test_stats_to( +- "BEGIN %lu 0 1 0 0" ++ "BEGIN %"PRIu64" 0 1 0 0" + " stest-event-stats.c %d ctest1\n" +- "EVENT %lu 1 1 0" ++ "EVENT %"PRIu64" 1 1 0" + " stest-event-stats.c %d" + " l1 0 ctest2\n" +- "END\t%lu\n", idp, lp, idp, l, idp)); ++ "END\t%"PRIu64"\n", idp, lp, idp, l, idp)); + test_end(); + } + +@@ -435,7 +435,7 @@ static void test_merge_events2(void) + event_unref(&merge_ev2); + test_assert( + compare_test_stats_to( +- "EVENT %lu 1 0 0" ++ "EVENT %"PRIu64" 1 0 0" + " stest-event-stats.c %d l0 0" + " ctest3 ctest2 ctest1 Tkey3" + " 10 0 Ikey2 20" +@@ -467,11 +467,11 @@ static void test_skip_parents(void) + event_unref(&child_ev); + test_assert( + compare_test_stats_to( +- "BEGIN %lu 0 1 0 0" ++ "BEGIN %"PRIu64" 0 1 0 0" + " stest-event-stats.c %d ctest1\n" +- "EVENT %lu 1 3 0 " ++ "EVENT %"PRIu64" 1 3 0 " + "stest-event-stats.c %d l3 0" +- " ctest2\nEND\t%lu\n", id, lp, id, l, id)); ++ " ctest2\nEND\t%"PRIu64"\n", id, lp, id, l, id)); + test_end(); + } + +@@ -509,12 +509,12 @@ static void test_merge_events_skip_parents(void) + event_unref(&child2_ev); + test_assert( + compare_test_stats_to( +- "BEGIN %lu 0 1 0 0" ++ "BEGIN %"PRIu64" 0 1 0 0" + " stest-event-stats.c %d ctest1\n" +- "EVENT %lu 1 3 0 " ++ "EVENT %"PRIu64" 1 3 0 " + "stest-event-stats.c %d l3 0 " + "ctest4 ctest5 Tkey3 10 0 Skey4" +- " str4\nEND\t%lu\n", id, lp, id, l, id)); ++ " str4\nEND\t%"PRIu64"\n", id, lp, id, l, id)); + test_end(); + } + diff --git a/dovecot.spec b/dovecot.spec index aa5de6b..5f3eee4 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -33,6 +33,7 @@ Patch6: dovecot-2.1.10-waitonline.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch +Patch11: dovecot-2.3.4-de42b54.patch Source15: prestartscript @@ -136,6 +137,7 @@ This package provides the development files for dovecot. %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem #%patch10 -p1 -b .libxcrypt +%patch11 -p1 -b .de42b54 #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd From 751cddedc287c2085850d2162ecacf0f205a188d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Mon, 14 Jan 2019 19:00:28 +0100 Subject: [PATCH 043/163] Rebuilt for libcrypt.so.2 (#1666033) --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 5f3eee4..038a130 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.4 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 Group: System Environment/Daemons @@ -500,6 +500,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Jan 14 2019 Björn Esser - 1:2.3.4-2 +- Rebuilt for libcrypt.so.2 (#1666033) + * Wed Jan 09 2019 Michal Hlavinka - 1:2.3.4-1 - dovecot updated to 2.3.4, pigeonhole updated to 0.5.4 From b41067db5bd50cc991e647b4db55145cc92db49c Mon Sep 17 00:00:00 2001 From: Igor Gnatenko Date: Mon, 28 Jan 2019 20:17:42 +0100 Subject: [PATCH 044/163] Remove obsolete Group tag References: https://fedoraproject.org/wiki/Changes/Remove_Group_Tag --- dovecot.spec | 5 ----- 1 file changed, 5 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 038a130..8d4f7d9 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -8,7 +8,6 @@ Version: 2.3.4 Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 -Group: System Environment/Daemons URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz @@ -101,7 +100,6 @@ The SQL drivers and authentication plug-ins are in their subpackages. %package pigeonhole Requires: %{name} = %{epoch}:%{version}-%{release} Summary: Sieve and managesieve plug-in for dovecot -Group: System Environment/Daemons License: MIT and LGPLv2 %description pigeonhole @@ -110,21 +108,18 @@ This package provides sieve and managesieve plug-in for dovecot LDA. %package pgsql Requires: %{name} = %{epoch}:%{version}-%{release} Summary: Postgres SQL back end for dovecot -Group: System Environment/Daemons %description pgsql This package provides the Postgres SQL back end for dovecot-auth etc. %package mysql Requires: %{name} = %{epoch}:%{version}-%{release} Summary: MySQL back end for dovecot -Group: System Environment/Daemons %description mysql This package provides the MySQL back end for dovecot-auth etc. %package devel Requires: %{name} = %{epoch}:%{version}-%{release} Summary: Development files for dovecot -Group: Development/Libraries %description devel This package provides the development files for dovecot. From 436dc795a1ca61c32bb83296538336af0088dedd Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 31 Jan 2019 17:32:20 +0000 Subject: [PATCH 045/163] - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 8d4f7d9..4193a1f 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.4 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -495,6 +495,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Jan 31 2019 Fedora Release Engineering - 1:2.3.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + * Mon Jan 14 2019 Björn Esser - 1:2.3.4-2 - Rebuilt for libcrypt.so.2 (#1666033) From 04058156dc279e526dbae378281383cb1ca459ae Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 6 Mar 2019 15:41:52 +0100 Subject: [PATCH 046/163] dovecot updated to 2.3.5, pigeonhole updated to 0.5.5 --- dovecot-2.3.4-de42b54.patch | 69 ------------------------------------- dovecot.spec | 11 +++--- sources | 4 +-- 3 files changed, 8 insertions(+), 76 deletions(-) delete mode 100644 dovecot-2.3.4-de42b54.patch diff --git a/dovecot-2.3.4-de42b54.patch b/dovecot-2.3.4-de42b54.patch deleted file mode 100644 index 534ce98..0000000 --- a/dovecot-2.3.4-de42b54.patch +++ /dev/null @@ -1,69 +0,0 @@ -diff --git a/src/lib-master/test-event-stats.c b/src/lib-master/test-event-stats.c -index 8fcb3dd22d..2d8a13cd40 100644 ---- a/src/lib-master/test-event-stats.c -+++ b/src/lib-master/test-event-stats.c -@@ -344,7 +344,7 @@ static void test_no_merging2(void) - event_unref(&child_ev); - test_assert( - compare_test_stats_to( -- "EVENT %lu 1 0 0" -+ "EVENT %"PRIu64" 1 0 0" - " stest-event-stats.c %d" - " l0 0 ctest2\n", id, l)); - test_end(); -@@ -370,12 +370,12 @@ static void test_no_merging3(void) - event_unref(&child_ev); - test_assert( - compare_test_stats_to( -- "BEGIN %lu 0 1 0 0" -+ "BEGIN %"PRIu64" 0 1 0 0" - " stest-event-stats.c %d ctest1\n" -- "EVENT %lu 1 1 0" -+ "EVENT %"PRIu64" 1 1 0" - " stest-event-stats.c %d" - " l1 0 ctest2\n" -- "END\t%lu\n", idp, lp, idp, l, idp)); -+ "END\t%"PRIu64"\n", idp, lp, idp, l, idp)); - test_end(); - } - -@@ -435,7 +435,7 @@ static void test_merge_events2(void) - event_unref(&merge_ev2); - test_assert( - compare_test_stats_to( -- "EVENT %lu 1 0 0" -+ "EVENT %"PRIu64" 1 0 0" - " stest-event-stats.c %d l0 0" - " ctest3 ctest2 ctest1 Tkey3" - " 10 0 Ikey2 20" -@@ -467,11 +467,11 @@ static void test_skip_parents(void) - event_unref(&child_ev); - test_assert( - compare_test_stats_to( -- "BEGIN %lu 0 1 0 0" -+ "BEGIN %"PRIu64" 0 1 0 0" - " stest-event-stats.c %d ctest1\n" -- "EVENT %lu 1 3 0 " -+ "EVENT %"PRIu64" 1 3 0 " - "stest-event-stats.c %d l3 0" -- " ctest2\nEND\t%lu\n", id, lp, id, l, id)); -+ " ctest2\nEND\t%"PRIu64"\n", id, lp, id, l, id)); - test_end(); - } - -@@ -509,12 +509,12 @@ static void test_merge_events_skip_parents(void) - event_unref(&child2_ev); - test_assert( - compare_test_stats_to( -- "BEGIN %lu 0 1 0 0" -+ "BEGIN %"PRIu64" 0 1 0 0" - " stest-event-stats.c %d ctest1\n" -- "EVENT %lu 1 3 0 " -+ "EVENT %"PRIu64" 1 3 0 " - "stest-event-stats.c %d l3 0 " - "ctest4 ctest5 Tkey3 10 0 Skey4" -- " str4\nEND\t%lu\n", id, lp, id, l, id)); -+ " str4\nEND\t%"PRIu64"\n", id, lp, id, l, id)); - test_end(); - } - diff --git a/dovecot.spec b/dovecot.spec index 4193a1f..4212779 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.4 +Version: 2.3.5 %global prever %{nil} -Release: 3%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.4 +%global pigeonholever 0.5.5 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -32,7 +32,6 @@ Patch6: dovecot-2.1.10-waitonline.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch -Patch11: dovecot-2.3.4-de42b54.patch Source15: prestartscript @@ -132,7 +131,6 @@ This package provides the development files for dovecot. %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem #%patch10 -p1 -b .libxcrypt -%patch11 -p1 -b .de42b54 #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -495,6 +493,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Mar 06 2019 Michal Hlavinka - 1:2.3.5-1 +- dovecot updated to 2.3.5, pigeonhole updated to 0.5.5 + * Thu Jan 31 2019 Fedora Release Engineering - 1:2.3.4-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild diff --git a/sources b/sources index 05b6440..ea5c3e2 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.4.tar.gz) = 9e97eb08c319c417e8abcb430b3e6c87ed5aa820d6288656fdfd958ff34664f67202a66e4846763bfc85b309b116cea8012e49dab98b478c57974cc178a37a5a -SHA512 (dovecot-2.3-pigeonhole-0.5.4.tar.gz) = 9c82cce7540f8ab66e2e370e0220c99048d6ac53ed680cd763e0b03d0200e2451cee4303ef97b87a16e7248e1c73b92ba91b47a2a20c75cb2cd62695a28046f3 +SHA512 (dovecot-2.3.5.tar.gz) = 10513c371aeadd52184daaf8dbb9a7559c6db55e34182bbb2c9539dae0897ddcc76f6fe2ce6a81c7ce0cb94c7f79438ae3bb0e7db8ed46615feb337b4078ecc6 +SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94 From b9ba0bbcd9e43649fcf2d0903072d1cbf8f743b7 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 28 Mar 2019 14:56:50 +0100 Subject: [PATCH 047/163] dovecot updated to 2.3.5.1 CVE-2019-7524: Missing input buffer size validation leads into arbitrary buffer overflow when reading fts or pop3 uidl header from Dovecot index. --- dovecot.spec | 8 +++++++- sources | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 4212779..4f642b7 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.5 +Version: 2.3.5.1 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -493,6 +493,12 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Mar 28 2019 Michal Hlavinka - 1:2.3.5.1-1 +- dovecot updated to 2.3.5.1 +- CVE-2019-7524: Missing input buffer size validation leads into + arbitrary buffer overflow when reading fts or pop3 uidl header + from Dovecot index. + * Wed Mar 06 2019 Michal Hlavinka - 1:2.3.5-1 - dovecot updated to 2.3.5, pigeonhole updated to 0.5.5 diff --git a/sources b/sources index ea5c3e2..1a5e4f7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.5.tar.gz) = 10513c371aeadd52184daaf8dbb9a7559c6db55e34182bbb2c9539dae0897ddcc76f6fe2ce6a81c7ce0cb94c7f79438ae3bb0e7db8ed46615feb337b4078ecc6 +SHA512 (dovecot-2.3.5.1.tar.gz) = e87754461fb0b065acd0ff10dc955000a2fe5baffed69efaf328ce9268f90140e9de444bc68e0bd48b565c7622885a79b1f90ff3dd2335c0c2362d05d9e73e8a SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94 From e9463061ff9bb04ba5cdc039c1ac537d2b54b60e Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 18 Apr 2019 14:45:08 +0200 Subject: [PATCH 048/163] dovecot updated to 2.3.5.2 fixes CVE-2019-10691: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled. --- dovecot.spec | 7 ++++++- sources | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 4f642b7..05c6aa2 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.5.1 +Version: 2.3.5.2 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -493,6 +493,11 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Apr 18 2019 Michal Hlavinka - 1:2.3.5.2-1 +- dovecot updated to 2.3.5.2 +- fixes CVE-2019-10691: Trying to login with 8bit username containing + invalid UTF8 input causes auth process to crash if auth policy is enabled. + * Thu Mar 28 2019 Michal Hlavinka - 1:2.3.5.1-1 - dovecot updated to 2.3.5.1 - CVE-2019-7524: Missing input buffer size validation leads into diff --git a/sources b/sources index 1a5e4f7..2af39ad 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.5.1.tar.gz) = e87754461fb0b065acd0ff10dc955000a2fe5baffed69efaf328ce9268f90140e9de444bc68e0bd48b565c7622885a79b1f90ff3dd2335c0c2362d05d9e73e8a +SHA512 (dovecot-2.3.5.2.tar.gz) = 041ec1c33c6accb5c89d96d7ab2f7dd59795f496c17faea1906e7977983e4a387aa855a238376515c09532731634d9d42e6d6be22659062855241847ea0213d5 SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94 From 82caf4b446b3efb43033b2d8bf4fbf8d79ad8c01 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 2 May 2019 13:49:42 +0200 Subject: [PATCH 049/163] dovecot updated to 2.3.6, pigeonhole updated to 0.5.6 --- dovecot.spec | 7 +++++-- sources | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 05c6aa2..48998ae 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.5.2 +Version: 2.3.6 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.5 +%global pigeonholever 0.5.6 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -493,6 +493,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu May 02 2019 Michal Hlavinka - 1:2.3.6-1 +- dovecot updated to 2.3.6, pigeonhole updated to 0.5.6 + * Thu Apr 18 2019 Michal Hlavinka - 1:2.3.5.2-1 - dovecot updated to 2.3.5.2 - fixes CVE-2019-10691: Trying to login with 8bit username containing diff --git a/sources b/sources index 2af39ad..f5c7b43 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.5.2.tar.gz) = 041ec1c33c6accb5c89d96d7ab2f7dd59795f496c17faea1906e7977983e4a387aa855a238376515c09532731634d9d42e6d6be22659062855241847ea0213d5 -SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94 +SHA512 (dovecot-2.3.6.tar.gz) = ec28af2efcbd4ab534298c3342709251074dcdb0f0f4bcad0d24b996b273387e2ce557d7ab54abafb69be3ed7dd61f25c82b9710d78156932e2eff7f941c9eb2 +SHA512 (dovecot-2.3-pigeonhole-0.5.6.tar.gz) = 998a046d2eb5ff7bba615fd1a3efdfb1e7e1dabf191257f7fa2882074acc1735a0a4c11c5f31bab1e964b0118f1a8e9e51b3d5529b8fff6d1312c9a8257d9c20 From b242522b1ee00bfbde7f78518b73d473f778c419 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 13 May 2019 16:15:48 +0200 Subject: [PATCH 050/163] use /run instead of /var/run (#1706372) --- dovecot.spec | 23 +++++++++++++---------- dovecot.tmpfilesd | 2 +- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 48998ae..287dcf3 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.6 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -87,7 +87,7 @@ BuildRequires: curl-devel expat-devel BuildRequires: libcurl-devel expat-devel %endif -%global restart_flag /var/run/%{name}/%{name}-restart-after-rpm-install +%global restart_flag /run/%{name}/%{name}-restart-after-rpm-install %description Dovecot is an IMAP server for Linux/UNIX-like systems, written with security @@ -241,7 +241,7 @@ install -p -D -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initddir}/dovecot install -p -D -m 600 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/dovecot %endif -mkdir -p $RPM_BUILD_ROOT/var/run/dovecot/{login,empty,token-login} +mkdir -p $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login} # Install dovecot configuration and dovecot-openssl.cnf mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d @@ -298,11 +298,11 @@ then %endif fi -install -d -m 0755 -g dovecot -d /var/run/dovecot -install -d -m 0755 -d /var/run/dovecot/empty -install -d -m 0750 -g dovenull -d /var/run/dovecot/login -install -d -m 0755 -g dovenull -d /var/run/dovecot/token-login -[ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot +install -d -m 0755 -g dovecot -d /run/dovecot +install -d -m 0755 -d /run/dovecot/empty +install -d -m 0750 -g dovenull -d /run/dovecot/login +install -d -m 0755 -g dovenull -d /run/dovecot/token-login +[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot %preun if [ $1 = 0 ]; then @@ -313,7 +313,7 @@ if [ $1 = 0 ]; then /sbin/service %{name} stop > /dev/null 2>&1 /sbin/chkconfig --del %{name} %endif - rm -rf /var/run/dovecot + rm -rf /run/dovecot fi %postun @@ -436,7 +436,7 @@ make check %{_libexecdir}/%{name} %exclude %{_libexecdir}/%{name}/managesieve* -%ghost /var/run/dovecot +%ghost /run/dovecot %attr(0750,dovecot,dovecot) /var/lib/dovecot %{_datadir}/%{name} @@ -493,6 +493,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon May 13 2019 Michal Hlavinka - 1:2.3.6-2 +- use /run instead of /var/run (#1706372) + * Thu May 02 2019 Michal Hlavinka - 1:2.3.6-1 - dovecot updated to 2.3.6, pigeonhole updated to 0.5.6 diff --git a/dovecot.tmpfilesd b/dovecot.tmpfilesd index 7178498..d96639a 100644 --- a/dovecot.tmpfilesd +++ b/dovecot.tmpfilesd @@ -1,2 +1,2 @@ -d /var/run/dovecot 0755 root dovecot - +d /run/dovecot 0755 root dovecot - From 4f0fa7c121956e8543bc5ea5a1ad41074e9b7cab Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Fri, 31 May 2019 12:42:18 +0200 Subject: [PATCH 051/163] disable gcc 9 stack reuse temporarily --- dovecot.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 287dcf3..c05ed8f 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.6 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -139,7 +139,7 @@ sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src %build #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules %global _hardened_build 1 -export CFLAGS="%{__global_cflags} -fno-strict-aliasing" +export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" # el6 autoconf too old to regen; use packaged files (#1082384) %if %{?fedora}00%{?rhel} > 6 @@ -493,6 +493,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Fri May 31 2019 Michal Hlavinka - 1:2.3.6-3 +- disable gcc 9 stack reuse temporarily + * Mon May 13 2019 Michal Hlavinka - 1:2.3.6-2 - use /run instead of /var/run (#1706372) From 3797f0a3522f84e6d4df28971720713ac6a7374f Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 24 Jul 2019 22:19:32 +0000 Subject: [PATCH 052/163] - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index c05ed8f..f32232d 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.6 %global prever %{nil} -Release: 3%{?dist} +Release: 4%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -493,6 +493,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Jul 24 2019 Fedora Release Engineering - 1:2.3.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + * Fri May 31 2019 Michal Hlavinka - 1:2.3.6-3 - disable gcc 9 stack reuse temporarily From 581436bcf316629f248501934e5c1c711aaadf38 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 19 Aug 2019 15:25:24 +0200 Subject: [PATCH 053/163] dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1 --- dovecot.spec | 9 ++++++--- sources | 4 ++-- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index f32232d..7ee0d5e 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.6 +Version: 2.3.7.1 %global prever %{nil} -Release: 4%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.6 +%global pigeonholever 0.5.7.1 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -493,6 +493,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Aug 19 2019 Michal Hlavinka - 1:1-2.3.7.1 +- dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1 + * Wed Jul 24 2019 Fedora Release Engineering - 1:2.3.6-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild diff --git a/sources b/sources index f5c7b43..8b8981e 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.6.tar.gz) = ec28af2efcbd4ab534298c3342709251074dcdb0f0f4bcad0d24b996b273387e2ce557d7ab54abafb69be3ed7dd61f25c82b9710d78156932e2eff7f941c9eb2 -SHA512 (dovecot-2.3-pigeonhole-0.5.6.tar.gz) = 998a046d2eb5ff7bba615fd1a3efdfb1e7e1dabf191257f7fa2882074acc1735a0a4c11c5f31bab1e964b0118f1a8e9e51b3d5529b8fff6d1312c9a8257d9c20 +SHA512 (dovecot-2.3.7.1.tar.gz) = 9addfe2be9ae745ac9164e1658e6638df96bd611d45f172e2cd1cb2c6596e4ce534674e9eea3c1d17f497555061031916e0fb9a9fbc6de0eb6034e2fd0bed3b9 +SHA512 (dovecot-2.3-pigeonhole-0.5.7.1.tar.gz) = 121eac4ad8bc1ddc55c554d00338bb553590b6aedffcb11e34f6cba102d59bd34580cb7218bd5fe820038c004d12db73f7a27ca135c3d4a12c4449bae3216355 From c4e66bf29778aa908204979c13f6e64005b246f0 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 29 Aug 2019 09:44:35 +0200 Subject: [PATCH 054/163] dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2 fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes --- dovecot.spec | 10 ++++++++-- sources | 4 ++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 7ee0d5e..eba9723 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.7.1 +Version: 2.3.7.2 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.7.1 +%global pigeonholever 0.5.7.2 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -493,6 +493,12 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Aug 29 2019 Michal Hlavinka - 1:2.3.7.2-1 +- dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2 +- fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte + when scanning data in quoted strings, leading to out of bounds heap + memory writes + * Mon Aug 19 2019 Michal Hlavinka - 1:1-2.3.7.1 - dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1 diff --git a/sources b/sources index 8b8981e..9a8ce1a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.7.1.tar.gz) = 9addfe2be9ae745ac9164e1658e6638df96bd611d45f172e2cd1cb2c6596e4ce534674e9eea3c1d17f497555061031916e0fb9a9fbc6de0eb6034e2fd0bed3b9 -SHA512 (dovecot-2.3-pigeonhole-0.5.7.1.tar.gz) = 121eac4ad8bc1ddc55c554d00338bb553590b6aedffcb11e34f6cba102d59bd34580cb7218bd5fe820038c004d12db73f7a27ca135c3d4a12c4449bae3216355 +SHA512 (dovecot-2.3.7.2.tar.gz) = 172f7f0edb884259e4c050607510aee67a35c3a20b7dd147e7c8a25a04921c18f7d6b5c85af2c69ae8c4d53791550970e471b033dbfae94253e331053b6a317d +SHA512 (dovecot-2.3-pigeonhole-0.5.7.2.tar.gz) = 7fc8d89ee31c8e8c16a9aeaeffb591f4188de36fc80e3a30a9ae10bc5acd7ea5d5d91e077fda566e61d588d9221ec53044ce17a9cc0c9c219dbe6824558a1d60 From 2a068bb47996168ac0ae01ffb509d19ab72d6a77 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 10 Oct 2019 13:04:27 +0200 Subject: [PATCH 055/163] add more buildrequires --- dovecot.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dovecot.spec b/dovecot.spec index eba9723..a1c3dee 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -50,7 +50,10 @@ BuildRequires: openldap-devel BuildRequires: krb5-devel BuildRequires: quota-devel BuildRequires: xz-devel +BuildRequires: lz4-devel BuildRequires: libsodium-devel +BuildRequires: libexttextcat-devel +BuildRequires: libstemmer-devel # gettext-devel is needed for running autoconf because of the # presence of AM_ICONV From 71a430ba9d4a2446f467de61e737079a53138613 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 10 Oct 2019 13:59:30 +0200 Subject: [PATCH 056/163] dovecot updated to 2.3.8, pigeonhole 0.5.8 --- dovecot.spec | 7 +++++-- sources | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index a1c3dee..bb7322b 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.7.2 +Version: 2.3.8 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.7.2 +%global pigeonholever 0.5.8 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -496,6 +496,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Oct 10 2019 Michal Hlavinka - 1:2.3.8-1 +- dovecot updated to 2.3.8, pigeonhole 0.5.8 + * Thu Aug 29 2019 Michal Hlavinka - 1:2.3.7.2-1 - dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2 - fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte diff --git a/sources b/sources index 9a8ce1a..05fd840 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.7.2.tar.gz) = 172f7f0edb884259e4c050607510aee67a35c3a20b7dd147e7c8a25a04921c18f7d6b5c85af2c69ae8c4d53791550970e471b033dbfae94253e331053b6a317d -SHA512 (dovecot-2.3-pigeonhole-0.5.7.2.tar.gz) = 7fc8d89ee31c8e8c16a9aeaeffb591f4188de36fc80e3a30a9ae10bc5acd7ea5d5d91e077fda566e61d588d9221ec53044ce17a9cc0c9c219dbe6824558a1d60 +SHA512 (dovecot-2.3.8.tar.gz) = f62439e2ea77ffb544a7752c07085582c5653c64671cb42dd7a7e5aa69eb87059c677aa1fa071efa1ddd2287ab621e9a264ec115be2aeb2f43ab4c685411eae3 +SHA512 (dovecot-2.3-pigeonhole-0.5.8.tar.gz) = ddf009c755cc87c362ddf1c17ac1403b0f6a504b039efef3244f2d5bd4d3963fb25baaaa4d98c089b3e8bddd4675d131765fee5499d9aaf01015e44f7d631d2d From 29bbb4096a3df7dcd05169acedec2012482aa52b Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 5 Dec 2019 18:10:32 +0100 Subject: [PATCH 057/163] dovecot updated to 2.3.9, pigeonhole updated to 0.5.9 --- dovecot.spec | 7 +++++-- sources | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index bb7322b..2bae171 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.8 +Version: 2.3.9 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.8 +%global pigeonholever 0.5.9 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -496,6 +496,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Dec 04 2019 Michal Hlavinka - 1:2.3.9-1 +- dovecot updated to 2.3.9, pigeonhole updated to 0.5.9 + * Thu Oct 10 2019 Michal Hlavinka - 1:2.3.8-1 - dovecot updated to 2.3.8, pigeonhole 0.5.8 diff --git a/sources b/sources index 05fd840..42fbb78 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.8.tar.gz) = f62439e2ea77ffb544a7752c07085582c5653c64671cb42dd7a7e5aa69eb87059c677aa1fa071efa1ddd2287ab621e9a264ec115be2aeb2f43ab4c685411eae3 -SHA512 (dovecot-2.3-pigeonhole-0.5.8.tar.gz) = ddf009c755cc87c362ddf1c17ac1403b0f6a504b039efef3244f2d5bd4d3963fb25baaaa4d98c089b3e8bddd4675d131765fee5499d9aaf01015e44f7d631d2d +SHA512 (dovecot-2.3.9.tar.gz) = 6f7cfebb0d89709d971a6cd623375805dc018c6d8c4cdaa5f274a5a5b0830c2b135c9cf6c90d0983c70ca76e3def855c501ea32aeb7a67b104cb6676bb9d37db +SHA512 (dovecot-2.3-pigeonhole-0.5.9.tar.gz) = 1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8 From deb9d38bed7e6cc459e2e9cc365e16dd3802780b Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 19 Dec 2019 15:17:08 +0100 Subject: [PATCH 058/163] CVE-2019-19722: Mails with group addresses in From or To fields caused crash in push notification drivers. --- dovecot.spec | 6 +++++- sources | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 2bae171..5d6c3c3 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.9 +Version: 2.3.9.2 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -496,6 +496,10 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Dec 19 2019 Michal Hlavinka - 1:2.3.9.2-1 +- CVE-2019-19722: Mails with group addresses in From or To fields + caused crash in push notification drivers. + * Wed Dec 04 2019 Michal Hlavinka - 1:2.3.9-1 - dovecot updated to 2.3.9, pigeonhole updated to 0.5.9 diff --git a/sources b/sources index 42fbb78..c3d0413 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.9.tar.gz) = 6f7cfebb0d89709d971a6cd623375805dc018c6d8c4cdaa5f274a5a5b0830c2b135c9cf6c90d0983c70ca76e3def855c501ea32aeb7a67b104cb6676bb9d37db +SHA512 (dovecot-2.3.9.2.tar.gz) = 36e8270bfa33e2bd6aa89017e65c7d1650c494c79ff297759a4b01c026aebcfdf5b1b542d4357e1f9dc2bb8169ef67064f0699b17ca36d658deb70b4c800b253 SHA512 (dovecot-2.3-pigeonhole-0.5.9.tar.gz) = 1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8 From fc993dbf7d4ca60afaf889d2401118d1fbf095ce Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 9 Jan 2020 15:31:55 +0100 Subject: [PATCH 059/163] fix permissions of ghost files --- dovecot.spec | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 5d6c3c3..8af015d 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -304,7 +304,7 @@ fi install -d -m 0755 -g dovecot -d /run/dovecot install -d -m 0755 -d /run/dovecot/empty install -d -m 0750 -g dovenull -d /run/dovecot/login -install -d -m 0755 -g dovenull -d /run/dovecot/token-login +install -d -m 0750 -g dovenull -d /run/dovecot/token-login [ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot %preun @@ -439,7 +439,11 @@ make check %{_libexecdir}/%{name} %exclude %{_libexecdir}/%{name}/managesieve* -%ghost /run/dovecot +%attr(0755,root,dovecot) %ghost /run/dovecot +%attr(0750,root,dovenull) %ghost /run/dovecot/login +%attr(0750,root,dovenull) %ghost /run/dovecot/token-login +%attr(0755,root,root) %ghost /run/dovecot/empty + %attr(0750,dovecot,dovecot) /var/lib/dovecot %{_datadir}/%{name} From adf9e045a905c45b380dceef6d6cd69ba0b20baf Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 28 Jan 2020 16:12:26 +0000 Subject: [PATCH 060/163] - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 8af015d..4fdfb59 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.9.2 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -500,6 +500,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Jan 28 2020 Fedora Release Engineering - 1:2.3.9.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + * Thu Dec 19 2019 Michal Hlavinka - 1:2.3.9.2-1 - CVE-2019-19722: Mails with group addresses in From or To fields caused crash in push notification drivers. From 1040ee253b23348a61671b2d13c86f063804db9c Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 12 Feb 2020 15:16:26 +0100 Subject: [PATCH 061/163] dovecot updated to 2.3.9.3 fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS submission-login and lmtp processes. fixes CVE-2020-7957: Specially crafted mail can crash snippet generation. --- dovecot.spec | 11 +++++++++-- sources | 2 +- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 4fdfb59..b85d60f 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.9.2 +Version: 2.3.9.3 %global prever %{nil} -Release: 2%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -500,6 +500,13 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Feb 12 2020 Michal Hlavinka - 1:2.3.9.3-1 +- dovecot updated to 2.3.9.3 +- fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS + submission-login and lmtp processes. +- fixes CVE-2020-7957: Specially crafted mail can crash snippet generation. + + * Tue Jan 28 2020 Fedora Release Engineering - 1:2.3.9.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild diff --git a/sources b/sources index c3d0413..27cc3f5 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.9.2.tar.gz) = 36e8270bfa33e2bd6aa89017e65c7d1650c494c79ff297759a4b01c026aebcfdf5b1b542d4357e1f9dc2bb8169ef67064f0699b17ca36d658deb70b4c800b253 +SHA512 (dovecot-2.3.9.3.tar.gz) = e39dc825a03f009928b67d01747bb70487fbec155e6be5109037db67b78301aa761db432f7355e96d927abf30c68f0116a5f2cf518b9eebf7f5c7806ac00ae41 SHA512 (dovecot-2.3-pigeonhole-0.5.9.tar.gz) = 1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8 From 64b3f1c790592c5e5600e0c72da8708125873e17 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 21 Apr 2020 19:12:22 +0200 Subject: [PATCH 062/163] dovecot updated to 2.3.10, pigeonhole updated to 0.5.10 --- dovecot.spec | 10 +++++++--- sources | 4 ++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index b85d60f..b91f5f8 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.9.3 +Version: 2.3.10 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.9 +%global pigeonholever 0.5.10 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -357,6 +357,7 @@ make check %{_bindir}/doveadm %{_bindir}/doveconf %{_bindir}/dsync +%{_bindir}/dovecot-sysreport %if %{?fedora}0 > 140 || %{?rhel}0 > 60 @@ -439,7 +440,7 @@ make check %{_libexecdir}/%{name} %exclude %{_libexecdir}/%{name}/managesieve* -%attr(0755,root,dovecot) %ghost /run/dovecot +%dir %attr(0755,root,dovecot) %ghost /run/dovecot %attr(0750,root,dovenull) %ghost /run/dovecot/login %attr(0750,root,dovenull) %ghost /run/dovecot/token-login %attr(0755,root,root) %ghost /run/dovecot/empty @@ -500,6 +501,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Apr 21 2020 Michal Hlavinka - 1:2.3.10-1 +- dovecot updated to 2.3.10, pigeonhole updated to 0.5.10 + * Wed Feb 12 2020 Michal Hlavinka - 1:2.3.9.3-1 - dovecot updated to 2.3.9.3 - fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS diff --git a/sources b/sources index 27cc3f5..29b0faa 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.9.3.tar.gz) = e39dc825a03f009928b67d01747bb70487fbec155e6be5109037db67b78301aa761db432f7355e96d927abf30c68f0116a5f2cf518b9eebf7f5c7806ac00ae41 -SHA512 (dovecot-2.3-pigeonhole-0.5.9.tar.gz) = 1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8 +SHA512 (dovecot-2.3.10.tar.gz) = 73e10d7d1e616d6599eb53f2d2d1ac0f0f2e6e84019faac5cd525e833da44839a7e483635b61d432e3254a9e5f6f90915bec8940c584210341085241949dffa2 +SHA512 (dovecot-2.3-pigeonhole-0.5.10.tar.gz) = f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad8cf8b795f19bb1dbef1d7d09e775598d782123268f61dc8b From 4e11662dbe4cc1f6eaea784e71a958ab8f488626 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 18 May 2020 18:12:36 +0200 Subject: [PATCH 063/163] dovecot updated to 2.3.10.1 fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957 --- dovecot.spec | 6 +++++- sources | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index b91f5f8..d32cc87 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,7 +3,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.10 +Version: 2.3.10.1 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -501,6 +501,10 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon May 18 2020 Michal Hlavinka - 1:2.3.10.1-1 +- dovecot updated to 2.3.10.1 +- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957 + * Tue Apr 21 2020 Michal Hlavinka - 1:2.3.10-1 - dovecot updated to 2.3.10, pigeonhole updated to 0.5.10 diff --git a/sources b/sources index 29b0faa..649f5e0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.10.tar.gz) = 73e10d7d1e616d6599eb53f2d2d1ac0f0f2e6e84019faac5cd525e833da44839a7e483635b61d432e3254a9e5f6f90915bec8940c584210341085241949dffa2 +SHA512 (dovecot-2.3.10.1.tar.gz) = 5c07436a3e861993f241caa2c60f035c533c5fceb5c8540c1717d31bedd54b82299f7ea11bfee12c72d4d33985d93a7130c4f56877864a7ad21cf7373a29cc06 SHA512 (dovecot-2.3-pigeonhole-0.5.10.tar.gz) = f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad8cf8b795f19bb1dbef1d7d09e775598d782123268f61dc8b From 9aea43c6d864883d53e5082656cd8bdb40049a7f Mon Sep 17 00:00:00 2001 From: Troy Dawson Date: Thu, 16 Jul 2020 06:53:01 -0700 Subject: [PATCH 064/163] spec file cleanup --- dovecot.spec | 69 ---------------------------------------------------- 1 file changed, 69 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index d32cc87..db69282 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -39,13 +39,8 @@ BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: sqlite-devel BuildRequires: libpq-devel -%if %{?fedora}0 < 280 -BuildRequires: mysql-devel -BuildRequires: tcp_wrappers-devel -%else BuildRequires: mariadb-connector-c-devel BuildRequires: libxcrypt-devel -%endif BuildRequires: openldap-devel BuildRequires: krb5-devel BuildRequires: quota-devel @@ -64,31 +59,16 @@ Requires: openssl >= 0.9.7f-4 # Package includes an initscript service file, needs to require initscripts package Requires(pre): shadow-utils -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 Requires: systemd Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units -%else -Requires: initscripts -Requires(post): chkconfig -Requires(preun): chkconfig initscripts -Requires(postun): initscripts -%endif -%if %{?fedora}0 > 150 || %{?rhel}0 >60 -#clucene in fedora <=15 and rhel<=6 is too old BuildRequires: clucene-core-devel -%endif %global ssldir %{_sysconfdir}/pki/%{name} -%if %{?fedora}00%{?rhel} < 6 -%global _initddir %{_initrddir} -BuildRequires: curl-devel expat-devel -%else BuildRequires: libcurl-devel expat-devel -%endif %global restart_flag /run/%{name}/%{name}-restart-after-rpm-install @@ -144,11 +124,8 @@ sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src %global _hardened_build 1 export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" -# el6 autoconf too old to regen; use packaged files (#1082384) -%if %{?fedora}00%{?rhel} > 6 mkdir -p m4 autoreconf -I . -fiv #required for aarch64 support -%endif %configure \ INSTALL_DATA="install -c -p -m644" \ --docdir=%{_docdir}/%{name} \ @@ -165,18 +142,11 @@ autoreconf -I . -fiv #required for aarch64 support --with-sqlite \ --with-zlib \ --with-libcap \ -%if %{?fedora}0 < 280 - --with-libwrap \ -%endif -%if %{?fedora}0 > 150 || %{?rhel}0 >60 --with-lucene \ -%endif --with-ssl=openssl \ --with-ssldir=%{ssldir} \ --with-solr \ -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 --with-systemdsystemunitdir=%{_unitdir} \ -%endif --with-docs sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf @@ -216,11 +186,6 @@ mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonh install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole popd - -%if %{?fedora}00%{?rhel} < 6 -sed -i 's|password-auth|system-auth|' %{SOURCE2} -%endif - install -p -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot #install man pages @@ -237,12 +202,7 @@ chmod 600 $RPM_BUILD_ROOT%{ssldir}/certs/dovecot.pem touch $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem chmod 600 $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 install -p -D -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_tmpfilesdir}/dovecot.conf -%else -install -p -D -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initddir}/dovecot -install -p -D -m 600 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/dovecot -%endif mkdir -p $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login} @@ -282,23 +242,14 @@ useradd -r -g dovenull -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot's un # do not let dovecot run during upgrade rhbz#134325 if [ "$1" = "2" ]; then rm -f %restart_flag -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||: /bin/systemctl stop %{name}.service >/dev/null 2>&1 -%else - /sbin/service %{name} status >/dev/null 2>&1 && touch %restart_flag ||: - /sbin/service %{name} stop >/dev/null 2>&1 -%endif fi %post if [ $1 -eq 1 ] then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 %systemd_post dovecot.service -%else - /sbin/chkconfig --add %{name} -%endif fi install -d -m 0755 -g dovecot -d /run/dovecot @@ -309,27 +260,16 @@ install -d -m 0750 -g dovenull -d /run/dovecot/token-login %preun if [ $1 = 0 ]; then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl disable dovecot.service dovecot.socket >/dev/null 2>&1 || : /bin/systemctl stop dovecot.service dovecot.socket >/dev/null 2>&1 || : -%else - /sbin/service %{name} stop > /dev/null 2>&1 - /sbin/chkconfig --del %{name} -%endif rm -rf /run/dovecot fi %postun -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl daemon-reload >/dev/null 2>&1 || : -%endif if [ "$1" -ge "1" -a -e %restart_flag ]; then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl start dovecot.service >/dev/null 2>&1 || : -%else - /sbin/service %{name} start >/dev/null 2>&1 || : -%endif rm -f %restart_flag fi @@ -337,11 +277,7 @@ fi # dovecot should be started again in %%postun, but it's not executed on reinstall # if it was already started, restart_flag won't be here, so it's ok to test it again if [ -e %restart_flag ]; then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl start dovecot.service >/dev/null 2>&1 || : -%else - /sbin/service %{name} start >/dev/null 2>&1 || : -%endif rm -f %restart_flag fi @@ -360,15 +296,10 @@ make check %{_bindir}/dovecot-sysreport -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 %_tmpfilesdir/dovecot.conf %{_unitdir}/dovecot.service %{_unitdir}/dovecot-init.service %{_unitdir}/dovecot.socket -%else -%{_initddir}/dovecot -%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/dovecot -%endif %dir %{_sysconfdir}/dovecot %dir %{_sysconfdir}/dovecot/conf.d From 1d11ef9e9434baf5fd17ee6e0d04e6c7bf48be22 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Mon, 27 Jul 2020 15:41:53 +0000 Subject: [PATCH 065/163] - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index db69282..5754ef4 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.10.1 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -432,6 +432,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Jul 27 2020 Fedora Release Engineering - 1:2.3.10.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Mon May 18 2020 Michal Hlavinka - 1:2.3.10.1-1 - dovecot updated to 2.3.10.1 - fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957 From b5c6b67b96c8aec4084b26c8a90739d63daf34de Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 1 Aug 2020 00:40:29 +0000 Subject: [PATCH 066/163] - Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dovecot.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 5754ef4..2094a00 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.10.1 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -432,6 +432,10 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Sat Aug 01 2020 Fedora Release Engineering - 1:2.3.10.1-3 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Mon Jul 27 2020 Fedora Release Engineering - 1:2.3.10.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild From 8f461376e77d79e11f0b5ef1eda3ed59ce72b508 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Sat, 15 Aug 2020 18:22:04 +0200 Subject: [PATCH 067/163] CVE-2020-12100: Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory. CVE-2020-12673: Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash. CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash. CVE-2020-12674: Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on. --- dovecot.spec | 19 ++++++++++++++++--- sources | 4 ++-- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 2094a00..1f50dc1 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.10.1 +Version: 2.3.11.3 %global prever %{nil} -Release: 3%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.10 +%global pigeonholever 0.5.11 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -432,6 +432,19 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Sat Aug 15 2020 Michal Hlavinka - 1:2.3.11.3-1 +- CVE-2020-12100: Parsing mails with a large number of MIME parts could + have resulted in excessive CPU usage or a crash due to running out of + stack memory. +- CVE-2020-12673: Dovecot's NTLM implementation does not correctly check + message buffer size, which leads to reading past allocation which can + lead to crash. +- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an + address that has the empty quoted string as local-part causes the lmtp + service to crash. +- CVE-2020-12674: Dovecot's RPA mechanism implementation accepts + zero-length message, which leads to assert-crash later on. + * Sat Aug 01 2020 Fedora Release Engineering - 1:2.3.10.1-3 - Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/sources b/sources index 649f5e0..a256f67 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.10.1.tar.gz) = 5c07436a3e861993f241caa2c60f035c533c5fceb5c8540c1717d31bedd54b82299f7ea11bfee12c72d4d33985d93a7130c4f56877864a7ad21cf7373a29cc06 -SHA512 (dovecot-2.3-pigeonhole-0.5.10.tar.gz) = f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad8cf8b795f19bb1dbef1d7d09e775598d782123268f61dc8b +SHA512 (dovecot-2.3.11.3.tar.gz) = d83e52a7faab918a8e6f6257acc5936b81733c10489affd042c3a043cb842db060286cba9978be378e4958e9ac2e60b55ce289d7f3a88df08e7637e4785e23bb +SHA512 (dovecot-2.3-pigeonhole-0.5.11.tar.gz) = 793d93edc50192c52654e2f7244d3e01aaa4e69f786e3ecfcd658a4ab26a5099cc5319cb93221150db4ce94bc4515ffb38115b1d0eeb6e052b956efec680b33d From b50f4be9694aeb0644861004326e504121445829 Mon Sep 17 00:00:00 2001 From: Jeff Law Date: Mon, 17 Aug 2020 14:52:59 -0600 Subject: [PATCH 068/163] Disable LTO for now --- dovecot.spec | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 1f50dc1..f005cc5 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.11.3 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -120,6 +120,9 @@ This package provides the development files for dovecot. sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in %build +# This package references hidden symbols during an LTO link. This needs further +# investigation. Until then, disable LTO +%define _lto_cflags %{nil} #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules %global _hardened_build 1 export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" @@ -432,6 +435,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Aug 17 2020 Jeff Law - 1:2.3.11.3-2 +- Disable LTO + * Sat Aug 15 2020 Michal Hlavinka - 1:2.3.11.3-1 - CVE-2020-12100: Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of From 98f6723298c5d040a37ac8d1f1b6d44c143453b2 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 26 Aug 2020 19:06:39 +0200 Subject: [PATCH 069/163] fix FTBFS on 32bit systems --- dovecot-2.3.11.3-ftbfs1.patch | 15 +++++++++++++++ dovecot-2.3.11.3-ftbfs2.patch | 22 ++++++++++++++++++++++ dovecot.spec | 9 ++++++++- 3 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.3.11.3-ftbfs1.patch create mode 100644 dovecot-2.3.11.3-ftbfs2.patch diff --git a/dovecot-2.3.11.3-ftbfs1.patch b/dovecot-2.3.11.3-ftbfs1.patch new file mode 100644 index 0000000..42059ad --- /dev/null +++ b/dovecot-2.3.11.3-ftbfs1.patch @@ -0,0 +1,15 @@ +diff --git a/src/auth/test-mech.c b/src/auth/test-mech.c +index cf05370035..0a030a2be0 100644 +--- a/src/auth/test-mech.c ++++ b/src/auth/test-mech.c +@@ -196,8 +196,8 @@ test_mech_construct_apop_challenge(unsigned int connect_uid, unsigned long *len_ + { + string_t *apop_challenge = t_str_new(128); + +- str_printfa(apop_challenge,"<%lx.%u.%"PRIdTIME_T"", (unsigned long) getpid(), +- connect_uid, process_start_time+10); ++ str_printfa(apop_challenge,"<%lx.%lx.%"PRIxTIME_T".", (unsigned long)getpid(), ++ (unsigned long)connect_uid, process_start_time+10); + str_append_data(apop_challenge, "\0testuser\0responseoflen16-", 26); + *len_r = apop_challenge->used; + return apop_challenge->data; diff --git a/dovecot-2.3.11.3-ftbfs2.patch b/dovecot-2.3.11.3-ftbfs2.patch new file mode 100644 index 0000000..107a4cd --- /dev/null +++ b/dovecot-2.3.11.3-ftbfs2.patch @@ -0,0 +1,22 @@ +diff --git a/src/auth/test-mech.c b/src/auth/test-mech.c +index 0a030a2be0..0a22ff46d0 100644 +--- a/src/auth/test-mech.c ++++ b/src/auth/test-mech.c +@@ -192,7 +192,7 @@ static void test_mech_handle_challenge(struct auth_request *request, + } + + static inline const unsigned char * +-test_mech_construct_apop_challenge(unsigned int connect_uid, unsigned long *len_r) ++test_mech_construct_apop_challenge(unsigned int connect_uid, size_t *len_r) + { + string_t *apop_challenge = t_str_new(128); + +@@ -323,7 +323,7 @@ static void test_mechs(void) + struct test_case *test_case = &tests[running_test]; + const struct mech_module *mech = test_case->mech; + struct auth_request *request; +- const char *testname = t_strdup_printf("auth mech %s %d/%lu", ++ const char *testname = t_strdup_printf("auth mech %s %d/%zu", + mech->mech_name, + running_test+1, + N_ELEMENTS(tests)); diff --git a/dovecot.spec b/dovecot.spec index f005cc5..f1b4471 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.11.3 %global prever %{nil} -Release: 2%{?dist} +Release: 4%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -32,6 +32,8 @@ Patch6: dovecot-2.1.10-waitonline.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch +Patch12: dovecot-2.3.11.3-ftbfs1.patch +Patch13: dovecot-2.3.11.3-ftbfs2.patch Source15: prestartscript @@ -114,6 +116,8 @@ This package provides the development files for dovecot. %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem #%patch10 -p1 -b .libxcrypt +%patch12 -p1 -b .ftbfs1 +%patch13 -p1 -b .ftbfs2 #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -435,6 +439,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Aug 26 2020 Michal Hlavinka - 1:2.3.11.3-4 +- fix FTBFS on 32bit systems + * Mon Aug 17 2020 Jeff Law - 1:2.3.11.3-2 - Disable LTO From 29ed947aaea4a89dbadcab2fd9c843ae48a7d156 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 2 Sep 2020 11:58:34 +0200 Subject: [PATCH 070/163] fix gssapi issue --- dovecot-2.3.11.3-gssapi.patch | 13 +++++++++++++ dovecot.spec | 7 ++++++- 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.3.11.3-gssapi.patch diff --git a/dovecot-2.3.11.3-gssapi.patch b/dovecot-2.3.11.3-gssapi.patch new file mode 100644 index 0000000..18f6c45 --- /dev/null +++ b/dovecot-2.3.11.3-gssapi.patch @@ -0,0 +1,13 @@ +diff --git a/src/auth/mech-gssapi.c b/src/auth/mech-gssapi.c +index f29e48da88..966273d388 100644 +--- a/src/auth/mech-gssapi.c ++++ b/src/auth/mech-gssapi.c +@@ -735,7 +735,7 @@ mech_gssapi_auth_free(struct auth_request *request) + const struct mech_module mech_gssapi = { + "GSSAPI", + +- .flags = 0, ++ .flags = MECH_SEC_ALLOW_NULS, + .passdb_need = MECH_PASSDB_NEED_NOTHING, + + mech_gssapi_auth_new, diff --git a/dovecot.spec b/dovecot.spec index f1b4471..5077164 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.11.3 %global prever %{nil} -Release: 4%{?dist} +Release: 5%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -34,6 +34,7 @@ Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch Patch12: dovecot-2.3.11.3-ftbfs1.patch Patch13: dovecot-2.3.11.3-ftbfs2.patch +Patch14: dovecot-2.3.11.3-gssapi.patch Source15: prestartscript @@ -118,6 +119,7 @@ This package provides the development files for dovecot. #%patch10 -p1 -b .libxcrypt %patch12 -p1 -b .ftbfs1 %patch13 -p1 -b .ftbfs2 +%patch14 -p1 -b .gssapi #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -439,6 +441,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Sep 02 2020 Michal Hlavinka - 1:2.3.11.3-5 +- fix gssapi issue + * Wed Aug 26 2020 Michal Hlavinka - 1:2.3.11.3-4 - fix FTBFS on 32bit systems From e93cbad322f597213dda7585f8ecc8ecad482e44 Mon Sep 17 00:00:00 2001 From: pgfed Date: Mon, 19 Oct 2020 20:12:58 +0000 Subject: [PATCH 071/163] Update dovecot.spec --- dovecot.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dovecot.spec b/dovecot.spec index 5077164..6704885 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -50,6 +50,7 @@ BuildRequires: quota-devel BuildRequires: xz-devel BuildRequires: lz4-devel BuildRequires: libsodium-devel +BuildRequires: libicu-devel BuildRequires: libexttextcat-devel BuildRequires: libstemmer-devel @@ -151,6 +152,7 @@ autoreconf -I . -fiv #required for aarch64 support --with-sqlite \ --with-zlib \ --with-libcap \ + --with-icu \ --with-lucene \ --with-ssl=openssl \ --with-ssldir=%{ssldir} \ From 4ca072df4d19fe0a3ad5061dea0e0d767d94aa96 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 20 Oct 2020 15:39:01 +0200 Subject: [PATCH 072/163] enable zstd support --- dovecot.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dovecot.spec b/dovecot.spec index 6704885..d560cdc 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -49,6 +49,7 @@ BuildRequires: krb5-devel BuildRequires: quota-devel BuildRequires: xz-devel BuildRequires: lz4-devel +BuildRequires: libzstd-devel BuildRequires: libsodium-devel BuildRequires: libicu-devel BuildRequires: libexttextcat-devel @@ -151,6 +152,7 @@ autoreconf -I . -fiv #required for aarch64 support --with-mysql \ --with-sqlite \ --with-zlib \ + --with-zstd \ --with-libcap \ --with-icu \ --with-lucene \ From b73f4c06b076cd976a62960dc7c48ad49cb952c5 Mon Sep 17 00:00:00 2001 From: Tom Stellard Date: Thu, 17 Dec 2020 04:42:04 +0000 Subject: [PATCH 073/163] Add BuildRequires: make https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot --- dovecot.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/dovecot.spec b/dovecot.spec index d560cdc..ecc03f2 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -74,6 +74,7 @@ BuildRequires: clucene-core-devel %global ssldir %{_sysconfdir}/pki/%{name} BuildRequires: libcurl-devel expat-devel +BuildRequires: make %global restart_flag /run/%{name}/%{name}-restart-after-rpm-install From 5e0f363767b1b657a23527c548fee894e73809df Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 4 Jan 2021 10:18:56 +0100 Subject: [PATCH 074/163] change run directory from /var/run to /run (#1777922) --- dovecot-2.3.11-bigkey.patch | 10 ++++++++++ dovecot.spec | 11 ++++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.3.11-bigkey.patch diff --git a/dovecot-2.3.11-bigkey.patch b/dovecot-2.3.11-bigkey.patch new file mode 100644 index 0000000..c5b23d9 --- /dev/null +++ b/dovecot-2.3.11-bigkey.patch @@ -0,0 +1,10 @@ +diff -up dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey dovecot-2.2.36/doc/dovecot-openssl.cnf +--- dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey 2017-06-23 13:18:28.000000000 +0200 ++++ dovecot-2.2.36/doc/dovecot-openssl.cnf 2018-10-16 17:15:35.836205498 +0200 +@@ -1,5 +1,5 @@ + [ req ] +-default_bits = 1024 ++default_bits = 3072 + encrypt_key = yes + distinguished_name = req_dn + x509_extensions = cert_type diff --git a/dovecot.spec b/dovecot.spec index ecc03f2..dac9610 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.11.3 %global prever %{nil} -Release: 5%{?dist} +Release: 7%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -35,6 +35,7 @@ Patch10: dovecot-2.3.0.1-libxcrypt.patch Patch12: dovecot-2.3.11.3-ftbfs1.patch Patch13: dovecot-2.3.11.3-ftbfs2.patch Patch14: dovecot-2.3.11.3-gssapi.patch +Patch15: dovecot-2.3.11-bigkey.patch Source15: prestartscript @@ -123,6 +124,7 @@ This package provides the development files for dovecot. %patch12 -p1 -b .ftbfs1 %patch13 -p1 -b .ftbfs2 %patch14 -p1 -b .gssapi +%patch15 -p1 -b .bigkey #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -140,6 +142,7 @@ mkdir -p m4 autoreconf -I . -fiv #required for aarch64 support %configure \ INSTALL_DATA="install -c -p -m644" \ + --localstatedir=%{_rundir} \ --docdir=%{_docdir}/%{name} \ --disable-static \ --disable-rpath \ @@ -446,6 +449,12 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Oct 21 2020 Michal Hlavinka - 1:2.3.11.3-7 +- change run directory from /var/run to /run (#1777922) + +* Wed Oct 21 2020 Michal Hlavinka - 1:2.3.11.3-6 +- use bigger default key size (#1882939) + * Wed Sep 02 2020 Michal Hlavinka - 1:2.3.11.3-5 - fix gssapi issue From f8f94ccbdfa6206bb724f43d269aa82dbaa154e5 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 4 Jan 2021 19:46:26 +0100 Subject: [PATCH 075/163] dovecot updated to 2.3.13, pigeonhole to 0.5.13 CVE-2020-24386: Specially crafted command can cause IMAP hibernate to allow logged in user to access other people's emails and filesystem information. Metric filter and global event filter variable syntax changed to a SQL-like format. auth: Added new aliases for %{variables}. Usage of the old ones is possible, but discouraged. auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth mechanism and related password schemes. auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail. auth: Removed postfix postmap socket --- dovecot-2.3.11.3-ftbfs1.patch | 15 --------------- dovecot-2.3.11.3-ftbfs2.patch | 22 ---------------------- dovecot-2.3.11.3-gssapi.patch | 13 ------------- dovecot.spec | 30 ++++++++++++++++++++---------- sources | 4 ++-- 5 files changed, 22 insertions(+), 62 deletions(-) delete mode 100644 dovecot-2.3.11.3-ftbfs1.patch delete mode 100644 dovecot-2.3.11.3-ftbfs2.patch delete mode 100644 dovecot-2.3.11.3-gssapi.patch diff --git a/dovecot-2.3.11.3-ftbfs1.patch b/dovecot-2.3.11.3-ftbfs1.patch deleted file mode 100644 index 42059ad..0000000 --- a/dovecot-2.3.11.3-ftbfs1.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/src/auth/test-mech.c b/src/auth/test-mech.c -index cf05370035..0a030a2be0 100644 ---- a/src/auth/test-mech.c -+++ b/src/auth/test-mech.c -@@ -196,8 +196,8 @@ test_mech_construct_apop_challenge(unsigned int connect_uid, unsigned long *len_ - { - string_t *apop_challenge = t_str_new(128); - -- str_printfa(apop_challenge,"<%lx.%u.%"PRIdTIME_T"", (unsigned long) getpid(), -- connect_uid, process_start_time+10); -+ str_printfa(apop_challenge,"<%lx.%lx.%"PRIxTIME_T".", (unsigned long)getpid(), -+ (unsigned long)connect_uid, process_start_time+10); - str_append_data(apop_challenge, "\0testuser\0responseoflen16-", 26); - *len_r = apop_challenge->used; - return apop_challenge->data; diff --git a/dovecot-2.3.11.3-ftbfs2.patch b/dovecot-2.3.11.3-ftbfs2.patch deleted file mode 100644 index 107a4cd..0000000 --- a/dovecot-2.3.11.3-ftbfs2.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff --git a/src/auth/test-mech.c b/src/auth/test-mech.c -index 0a030a2be0..0a22ff46d0 100644 ---- a/src/auth/test-mech.c -+++ b/src/auth/test-mech.c -@@ -192,7 +192,7 @@ static void test_mech_handle_challenge(struct auth_request *request, - } - - static inline const unsigned char * --test_mech_construct_apop_challenge(unsigned int connect_uid, unsigned long *len_r) -+test_mech_construct_apop_challenge(unsigned int connect_uid, size_t *len_r) - { - string_t *apop_challenge = t_str_new(128); - -@@ -323,7 +323,7 @@ static void test_mechs(void) - struct test_case *test_case = &tests[running_test]; - const struct mech_module *mech = test_case->mech; - struct auth_request *request; -- const char *testname = t_strdup_printf("auth mech %s %d/%lu", -+ const char *testname = t_strdup_printf("auth mech %s %d/%zu", - mech->mech_name, - running_test+1, - N_ELEMENTS(tests)); diff --git a/dovecot-2.3.11.3-gssapi.patch b/dovecot-2.3.11.3-gssapi.patch deleted file mode 100644 index 18f6c45..0000000 --- a/dovecot-2.3.11.3-gssapi.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/src/auth/mech-gssapi.c b/src/auth/mech-gssapi.c -index f29e48da88..966273d388 100644 ---- a/src/auth/mech-gssapi.c -+++ b/src/auth/mech-gssapi.c -@@ -735,7 +735,7 @@ mech_gssapi_auth_free(struct auth_request *request) - const struct mech_module mech_gssapi = { - "GSSAPI", - -- .flags = 0, -+ .flags = MECH_SEC_ALLOW_NULS, - .passdb_need = MECH_PASSDB_NEED_NOTHING, - - mech_gssapi_auth_new, diff --git a/dovecot.spec b/dovecot.spec index dac9610..1e16213 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.11.3 +Version: 2.3.13 %global prever %{nil} -Release: 7%{?dist} +Release: %{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.11 +%global pigeonholever 0.5.13 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -32,9 +32,6 @@ Patch6: dovecot-2.1.10-waitonline.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch -Patch12: dovecot-2.3.11.3-ftbfs1.patch -Patch13: dovecot-2.3.11.3-ftbfs2.patch -Patch14: dovecot-2.3.11.3-gssapi.patch Patch15: dovecot-2.3.11-bigkey.patch Source15: prestartscript @@ -121,9 +118,9 @@ This package provides the development files for dovecot. %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem #%patch10 -p1 -b .libxcrypt -%patch12 -p1 -b .ftbfs1 -%patch13 -p1 -b .ftbfs2 -%patch14 -p1 -b .gssapi +#patch12 -p1 -b .ftbfs1 +#patch13 -p1 -b .ftbfs2 +#patch14 -p1 -b .gssapi %patch15 -p1 -b .bigkey #pushd dovecot-2*3-pigeonhole-%{pigeonholever} @@ -346,7 +343,6 @@ make check %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-sql.conf.ext %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-static.conf.ext %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-system.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-vpopmail.conf.ext %config(noreplace) %{_sysconfdir}/pam.d/dovecot %config(noreplace) %{ssldir}/dovecot-openssl.cnf @@ -449,6 +445,20 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Jan 04 2021 Michal Hlavinka - 1: +- dovecot updated to 2.3.13, pigeonhole to 0.5.13 +- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to + allow logged in user to access other people's emails and filesystem + information. +- Metric filter and global event filter variable syntax changed to a + SQL-like format. +- auth: Added new aliases for %{variables}. Usage of the old ones is + possible, but discouraged. +- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth + mechanism and related password schemes. +- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail. +- auth: Removed postfix postmap socket + * Wed Oct 21 2020 Michal Hlavinka - 1:2.3.11.3-7 - change run directory from /var/run to /run (#1777922) diff --git a/sources b/sources index a256f67..a3e1632 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.11.3.tar.gz) = d83e52a7faab918a8e6f6257acc5936b81733c10489affd042c3a043cb842db060286cba9978be378e4958e9ac2e60b55ce289d7f3a88df08e7637e4785e23bb -SHA512 (dovecot-2.3-pigeonhole-0.5.11.tar.gz) = 793d93edc50192c52654e2f7244d3e01aaa4e69f786e3ecfcd658a4ab26a5099cc5319cb93221150db4ce94bc4515ffb38115b1d0eeb6e052b956efec680b33d +SHA512 (dovecot-2.3.13.tar.gz) = 758a169fba8925637ed18fa7522a6f06c9fe01a1707b1ca0d0a4d8757c578a8e117c91733e8314403839f9a484bbcac71ce3532c82379eb583b480756d556a95 +SHA512 (dovecot-2.3-pigeonhole-0.5.13.tar.gz) = fcbc13d71af4e6dd4e34192484e203d755e5015da76a4774b11a79182b2baad36cab5a471346093111ace36a7775dfe8294555f8b777786dde386820b3ec5cd3 From 432e04624d1bb1734264c443a54cc4412650f880 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 6 Jan 2021 11:29:46 +0100 Subject: [PATCH 076/163] dovecot updated to 2.3.13, pigeonhole to 0.5.13 CVE-2020-24386: Specially crafted command can cause IMAP hibernate to allow logged in user to access other people's emails and filesystem information. Metric filter and global event filter variable syntax changed to a SQL-like format. auth: Added new aliases for %{variables}. Usage of the old ones is possible, but discouraged. auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth mechanism and related password schemes. auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail. auth: Removed postfix postmap socket --- dovecot-2.3.13-bigtvsec.patch | 36 +++++++++++++++++++++++++++++++++++ dovecot.spec | 2 ++ 2 files changed, 38 insertions(+) create mode 100644 dovecot-2.3.13-bigtvsec.patch diff --git a/dovecot-2.3.13-bigtvsec.patch b/dovecot-2.3.13-bigtvsec.patch new file mode 100644 index 0000000..1c91c0b --- /dev/null +++ b/dovecot-2.3.13-bigtvsec.patch @@ -0,0 +1,36 @@ +diff -up dovecot-2.3.13/src/lib/test-time-util.c.bigtvsec dovecot-2.3.13/src/lib/test-time-util.c +--- dovecot-2.3.13/src/lib/test-time-util.c.bigtvsec 2021-01-06 11:27:06.793315308 +0100 ++++ dovecot-2.3.13/src/lib/test-time-util.c 2021-01-06 11:27:06.815315088 +0100 +@@ -358,7 +358,7 @@ static void test_str_to_timeval(void) + { + struct { + const char *str; +- time_t tv_sec, tv_usec; ++ long int tv_sec, tv_usec; + } tests[] = { + { "0", 0, 0 }, + { "0.0", 0, 0 }, +diff -up dovecot-2.3.13/src/lib/time-util.c.bigtvsec dovecot-2.3.13/src/lib/time-util.c +--- dovecot-2.3.13/src/lib/time-util.c.bigtvsec 2021-01-06 11:10:49.791094852 +0100 ++++ dovecot-2.3.13/src/lib/time-util.c 2021-01-06 11:10:08.255501319 +0100 +@@ -43,16 +43,16 @@ int timeval_cmp_margin(const struct time + + if (tv1->tv_sec < tv2->tv_sec) { + sec_margin = ((int)usec_margin / 1000000) + 1; +- if ((tv2->tv_sec - tv1->tv_sec) > sec_margin) ++ if (((long long)tv2->tv_sec - tv1->tv_sec) > sec_margin) + return -1; +- usecs_diff = (tv2->tv_sec - tv1->tv_sec) * 1000000LL + ++ usecs_diff = ((long long)tv2->tv_sec - tv1->tv_sec) * 1000000LL + + (tv2->tv_usec - tv1->tv_usec); + ret = -1; + } else if (tv1->tv_sec > tv2->tv_sec) { + sec_margin = ((int)usec_margin / 1000000) + 1; +- if ((tv1->tv_sec - tv2->tv_sec) > sec_margin) ++ if (((long long)tv1->tv_sec - tv2->tv_sec) > sec_margin) + return 1; +- usecs_diff = (tv1->tv_sec - tv2->tv_sec) * 1000000LL + ++ usecs_diff = ((long long)tv1->tv_sec - tv2->tv_sec) * 1000000LL + + (tv1->tv_usec - tv2->tv_usec); + ret = 1; + } else if (tv1->tv_usec < tv2->tv_usec) { diff --git a/dovecot.spec b/dovecot.spec index 1e16213..20e110d 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -33,6 +33,7 @@ Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch Patch15: dovecot-2.3.11-bigkey.patch +Patch16: dovecot-2.3.13-bigtvsec.patch Source15: prestartscript @@ -122,6 +123,7 @@ This package provides the development files for dovecot. #patch13 -p1 -b .ftbfs2 #patch14 -p1 -b .gssapi %patch15 -p1 -b .bigkey +%patch16 -p1 -b .bigtvsec #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd From e1b1e2910c24597e944961e71806d71f60f16b2d Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 6 Jan 2021 11:43:31 +0100 Subject: [PATCH 077/163] fix patch --- dovecot-2.3.13-bigtvsec.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dovecot-2.3.13-bigtvsec.patch b/dovecot-2.3.13-bigtvsec.patch index 1c91c0b..3bd7ce6 100644 --- a/dovecot-2.3.13-bigtvsec.patch +++ b/dovecot-2.3.13-bigtvsec.patch @@ -5,7 +5,7 @@ diff -up dovecot-2.3.13/src/lib/test-time-util.c.bigtvsec dovecot-2.3.13/src/lib { struct { const char *str; -- time_t tv_sec, tv_usec; +- unsigned int tv_sec, tv_usec; + long int tv_sec, tv_usec; } tests[] = { { "0", 0, 0 }, From cc81c97592bfe982ac27cee8d042a66cc78e4b37 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 6 Jan 2021 14:01:36 +0100 Subject: [PATCH 078/163] fix release number --- dovecot.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 20e110d..dd6b889 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.13 %global prever %{nil} -Release: %{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -447,7 +447,10 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog -* Mon Jan 04 2021 Michal Hlavinka - 1: +* Wed Jan 06 2021 Michal Hlavinka - 1:2.3.13-1 +- fix release number + +* Mon Jan 04 2021 Michal Hlavinka - 1:2.3.13-0 - dovecot updated to 2.3.13, pigeonhole to 0.5.13 - CVE-2020-24386: Specially crafted command can cause IMAP hibernate to allow logged in user to access other people's emails and filesystem From f1771ed0fa45715cc15a5feb3533a5acc74e016f Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 7 Jan 2021 18:28:31 +0100 Subject: [PATCH 079/163] fix rundir location --- dovecot.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index dd6b889..ab21e66 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.13 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -141,7 +141,7 @@ mkdir -p m4 autoreconf -I . -fiv #required for aarch64 support %configure \ INSTALL_DATA="install -c -p -m644" \ - --localstatedir=%{_rundir} \ + --with-rundir=%{_rundir}/%{name} \ --docdir=%{_docdir}/%{name} \ --disable-static \ --disable-rpath \ @@ -447,6 +447,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Jan 07 2021 Michal Hlavinka - 1:2.3.13-2 +- fix rundir location + * Wed Jan 06 2021 Michal Hlavinka - 1:2.3.13-1 - fix release number From abd275bba1f5a3dd61e0bbce564a821d96f4eede Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 18 Jan 2021 13:57:17 +0100 Subject: [PATCH 080/163] bump release and rebuild --- dovecot.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index ab21e66..7672068 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.13 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -49,7 +49,9 @@ BuildRequires: quota-devel BuildRequires: xz-devel BuildRequires: lz4-devel BuildRequires: libzstd-devel +%if %{?rhel}0 == 0 BuildRequires: libsodium-devel +%endif BuildRequires: libicu-devel BuildRequires: libexttextcat-devel BuildRequires: libstemmer-devel @@ -447,6 +449,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Jan 18 2021 Michal Hlavinka - 1:2.3.13-3 +- bump release and rebuild + * Thu Jan 07 2021 Michal Hlavinka - 1:2.3.13-2 - fix rundir location From 2860368c09267a07a2173ffe1b4d987fced8dfed Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 18 Jan 2021 14:33:47 +0100 Subject: [PATCH 081/163] fix multilib issues --- dovecot.spec | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 7672068..02862e0 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.13 %global prever %{nil} -Release: 3%{?dist} +Release: 4%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -55,6 +55,7 @@ BuildRequires: libsodium-devel BuildRequires: libicu-devel BuildRequires: libexttextcat-devel BuildRequires: libstemmer-devel +BuildRequires: multilib-rpm-config # gettext-devel is needed for running autoconf because of the # presence of AM_ICONV @@ -192,9 +193,11 @@ rm -rf $RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT -#move doc dir back to build dir so doc macro in files section can use it +# move doc dir back to build dir so doc macro in files section can use it mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall +# fix multilib issues +%multilib_fix_c_header --file %{_includedir}/dovecot/config.h pushd dovecot-2*3-pigeonhole-%{pigeonholever} make install DESTDIR=$RPM_BUILD_ROOT @@ -449,6 +452,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Jan 18 2021 Michal Hlavinka - 1:2.3.13-4 +- fix multilib issues + * Mon Jan 18 2021 Michal Hlavinka - 1:2.3.13-3 - bump release and rebuild From 06d34fe3ea08345276d6c5053536132f98594e46 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 26 Jan 2021 03:42:56 +0000 Subject: [PATCH 082/163] - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 02862e0..c300c8a 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.13 %global prever %{nil} -Release: 4%{?dist} +Release: 5%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -452,6 +452,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Jan 26 2021 Fedora Release Engineering - 1:2.3.13-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + * Mon Jan 18 2021 Michal Hlavinka - 1:2.3.13-4 - fix multilib issues From 886a96b230d1c52f5b076d6c818df91cbdc54231 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 1 Feb 2021 13:51:01 +0100 Subject: [PATCH 083/163] use make macros --- dovecot.spec | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index c300c8a..4f5e87b 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.13 %global prever %{nil} -Release: 5%{?dist} +Release: 6%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -170,7 +170,7 @@ autoreconf -I . -fiv #required for aarch64 support sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf -make %{?_smp_mflags} +%make_build #pigeonhole pushd dovecot-2*3-pigeonhole-%{pigeonholever} @@ -185,13 +185,13 @@ pushd dovecot-2*3-pigeonhole-%{pigeonholever} --with-dovecot=../ \ --without-unfinished-features -make %{?_smp_mflags} +%make_build popd %install rm -rf $RPM_BUILD_ROOT -make install DESTDIR=$RPM_BUILD_ROOT +%make_install # move doc dir back to build dir so doc macro in files section can use it mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall @@ -200,7 +200,7 @@ mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/ %multilib_fix_c_header --file %{_includedir}/dovecot/config.h pushd dovecot-2*3-pigeonhole-%{pigeonholever} -make install DESTDIR=$RPM_BUILD_ROOT +%make_install mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole @@ -452,6 +452,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Feb 01 2021 Michal Hlavinka - 1:2.3.13-6 +- use make macros + * Tue Jan 26 2021 Fedora Release Engineering - 1:2.3.13-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild From abd5abe3b45b384e879674b95135dda1bf8a3cad Mon Sep 17 00:00:00 2001 From: Pavel Raiskup Date: Mon, 8 Feb 2021 09:24:17 +0100 Subject: [PATCH 084/163] rebuild for libpq ABI fix Related: rhbz#1908268 --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 4f5e87b..6ee95b3 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.13 %global prever %{nil} -Release: 6%{?dist} +Release: 7%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -452,6 +452,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Feb 08 2021 Pavel Raiskup - 1:2.3.13-7 +- rebuild for libpq ABI fix rhbz#1908268 + * Mon Feb 01 2021 Michal Hlavinka - 1:2.3.13-6 - use make macros From 8550d54fac848459d6797cc0f5d6e95ebc776ac6 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 22 Mar 2021 19:30:17 +0100 Subject: [PATCH 085/163] do not use own implementation of HMAC, use OpenSSL --- dovecot-2.3.6-opensslhmac.patch | 763 ++++++++++++++++++++++++++++++++ dovecot.spec | 10 +- 2 files changed, 769 insertions(+), 4 deletions(-) create mode 100644 dovecot-2.3.6-opensslhmac.patch diff --git a/dovecot-2.3.6-opensslhmac.patch b/dovecot-2.3.6-opensslhmac.patch new file mode 100644 index 0000000..a95202e --- /dev/null +++ b/dovecot-2.3.6-opensslhmac.patch @@ -0,0 +1,763 @@ +diff -up dovecot-2.3.13/src/auth/auth-token.c.opensslhmac dovecot-2.3.13/src/auth/auth-token.c +--- dovecot-2.3.13/src/auth/auth-token.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 ++++ dovecot-2.3.13/src/auth/auth-token.c 2021-03-22 18:44:06.946142422 +0100 +@@ -161,17 +161,17 @@ void auth_token_deinit(void) + const char *auth_token_get(const char *service, const char *session_pid, + const char *username, const char *session_id) + { +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + unsigned char result[SHA1_RESULTLEN]; + +- hmac_init(&ctx, (const unsigned char*)username, strlen(username), ++ openssl_hmac_init(&ctx, (const unsigned char*)username, strlen(username), + &hash_method_sha1); +- hmac_update(&ctx, session_pid, strlen(session_pid)); ++ openssl_hmac_update(&ctx, session_pid, strlen(session_pid)); + if (session_id != NULL && *session_id != '\0') +- hmac_update(&ctx, session_id, strlen(session_id)); +- hmac_update(&ctx, service, strlen(service)); +- hmac_update(&ctx, auth_token_secret, sizeof(auth_token_secret)); +- hmac_final(&ctx, result); ++ openssl_hmac_update(&ctx, session_id, strlen(session_id)); ++ openssl_hmac_update(&ctx, service, strlen(service)); ++ openssl_hmac_update(&ctx, auth_token_secret, sizeof(auth_token_secret)); ++ openssl_hmac_final(&ctx, result); + + return binary_to_hex(result, sizeof(result)); + } +diff -up dovecot-2.3.13/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.13/src/auth/mech-cram-md5.c +--- dovecot-2.3.13/src/auth/mech-cram-md5.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 ++++ dovecot-2.3.13/src/auth/mech-cram-md5.c 2021-03-22 18:44:06.946142422 +0100 +@@ -51,7 +51,7 @@ static bool verify_credentials(struct cr + { + + unsigned char digest[MD5_RESULTLEN]; +- struct hmac_context ctx; ++ struct orig_hmac_context ctx; + const char *response_hex; + + if (size != CRAM_MD5_CONTEXTLEN) { +@@ -60,10 +60,10 @@ static bool verify_credentials(struct cr + return FALSE; + } + +- hmac_init(&ctx, NULL, 0, &hash_method_md5); ++ orig_hmac_init(&ctx, NULL, 0, &hash_method_md5); + hmac_md5_set_cram_context(&ctx, credentials); +- hmac_update(&ctx, request->challenge, strlen(request->challenge)); +- hmac_final(&ctx, digest); ++ orig_hmac_update(&ctx, request->challenge, strlen(request->challenge)); ++ orig_hmac_final(&ctx, digest); + + response_hex = binary_to_hex(digest, sizeof(digest)); + +diff -up dovecot-2.3.13/src/auth/mech-scram.c.opensslhmac dovecot-2.3.13/src/auth/mech-scram.c +--- dovecot-2.3.13/src/auth/mech-scram.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 ++++ dovecot-2.3.13/src/auth/mech-scram.c 2021-03-22 18:44:06.946142422 +0100 +@@ -78,7 +78,7 @@ static const char *get_scram_server_firs + static const char *get_scram_server_final(struct scram_auth_request *request) + { + const struct hash_method *hmethod = request->hash_method; +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + const char *auth_message; + unsigned char server_signature[hmethod->digest_size]; + string_t *str; +@@ -87,9 +87,9 @@ static const char *get_scram_server_fina + request->server_first_message, ",", + request->client_final_message_without_proof, NULL); + +- hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod); +- hmac_update(&ctx, auth_message, strlen(auth_message)); +- hmac_final(&ctx, server_signature); ++ openssl_hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod); ++ openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); ++ openssl_hmac_final(&ctx, server_signature); + + str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(server_signature))); + str_append(str, "v="); +@@ -228,7 +228,7 @@ static bool parse_scram_client_first(str + static bool verify_credentials(struct scram_auth_request *request) + { + const struct hash_method *hmethod = request->hash_method; +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + const char *auth_message; + unsigned char client_key[hmethod->digest_size]; + unsigned char client_signature[hmethod->digest_size]; +@@ -239,9 +239,9 @@ static bool verify_credentials(struct sc + request->server_first_message, ",", + request->client_final_message_without_proof, NULL); + +- hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod); +- hmac_update(&ctx, auth_message, strlen(auth_message)); +- hmac_final(&ctx, client_signature); ++ openssl_hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod); ++ openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); ++ openssl_hmac_final(&ctx, client_signature); + + const unsigned char *proof_data = request->proof->data; + for (i = 0; i < sizeof(client_signature); i++) +diff -up dovecot-2.3.13/src/auth/password-scheme.c.opensslhmac dovecot-2.3.13/src/auth/password-scheme.c +--- dovecot-2.3.13/src/auth/password-scheme.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 ++++ dovecot-2.3.13/src/auth/password-scheme.c 2021-03-22 18:44:06.947142409 +0100 +@@ -639,11 +639,11 @@ static void + cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, + const unsigned char **raw_password_r, size_t *size_r) + { +- struct hmac_context ctx; ++ struct orig_hmac_context ctx; + unsigned char *context_digest; + + context_digest = t_malloc_no0(CRAM_MD5_CONTEXTLEN); +- hmac_init(&ctx, (const unsigned char *)plaintext, ++ orig_hmac_init(&ctx, (const unsigned char *)plaintext, + strlen(plaintext), &hash_method_md5); + hmac_md5_get_cram_context(&ctx, context_digest); + +diff -up dovecot-2.3.13/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.13/src/auth/password-scheme-scram.c +--- dovecot-2.3.13/src/auth/password-scheme-scram.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 ++++ dovecot-2.3.13/src/auth/password-scheme-scram.c 2021-03-22 18:44:06.947142409 +0100 +@@ -30,23 +30,23 @@ Hi(const struct hash_method *hmethod, co + const unsigned char *salt, size_t salt_size, unsigned int i, + unsigned char *result) + { +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + unsigned char U[hmethod->digest_size]; + unsigned int j, k; + + /* Calculate U1 */ +- hmac_init(&ctx, str, str_size, hmethod); +- hmac_update(&ctx, salt, salt_size); +- hmac_update(&ctx, "\0\0\0\1", 4); +- hmac_final(&ctx, U); ++ openssl_hmac_init(&ctx, str, str_size, hmethod); ++ openssl_hmac_update(&ctx, salt, salt_size); ++ openssl_hmac_update(&ctx, "\0\0\0\1", 4); ++ openssl_hmac_final(&ctx, U); + + memcpy(result, U, hmethod->digest_size); + + /* Calculate U2 to Ui and Hi */ + for (j = 2; j <= i; j++) { +- hmac_init(&ctx, str, str_size, hmethod); +- hmac_update(&ctx, U, sizeof(U)); +- hmac_final(&ctx, U); ++ openssl_hmac_init(&ctx, str, str_size, hmethod); ++ openssl_hmac_update(&ctx, U, sizeof(U)); ++ openssl_hmac_final(&ctx, U); + for (k = 0; k < hmethod->digest_size; k++) + result[k] ^= U[k]; + } +@@ -102,7 +102,7 @@ int scram_verify(const struct hash_metho + const char *plaintext, const unsigned char *raw_password, + size_t size, const char **error_r) + { +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + const char *salt_base64; + unsigned int iter_count; + const unsigned char *salt; +@@ -126,9 +126,9 @@ int scram_verify(const struct hash_metho + salt, salt_len, iter_count, salted_password); + + /* Calculate ClientKey */ +- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); +- hmac_update(&ctx, "Client Key", 10); +- hmac_final(&ctx, client_key); ++ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); ++ openssl_hmac_update(&ctx, "Client Key", 10); ++ openssl_hmac_final(&ctx, client_key); + + /* Calculate StoredKey */ + hash_method_get_digest(hmethod, client_key, sizeof(client_key), +@@ -147,7 +147,7 @@ void scram_generate(const struct hash_me + const unsigned char **raw_password_r, size_t *size_r) + { + string_t *str; +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + unsigned char salt[16]; + unsigned char salted_password[hmethod->digest_size]; + unsigned char client_key[hmethod->digest_size]; +@@ -165,9 +165,9 @@ void scram_generate(const struct hash_me + sizeof(salt), SCRAM_DEFAULT_ITERATE_COUNT, salted_password); + + /* Calculate ClientKey */ +- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); +- hmac_update(&ctx, "Client Key", 10); +- hmac_final(&ctx, client_key); ++ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); ++ openssl_hmac_update(&ctx, "Client Key", 10); ++ openssl_hmac_final(&ctx, client_key); + + /* Calculate StoredKey */ + hash_method_get_digest(hmethod, client_key, sizeof(client_key), +@@ -176,9 +176,9 @@ void scram_generate(const struct hash_me + base64_encode(stored_key, sizeof(stored_key), str); + + /* Calculate ServerKey */ +- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); +- hmac_update(&ctx, "Server Key", 10); +- hmac_final(&ctx, server_key); ++ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); ++ openssl_hmac_update(&ctx, "Server Key", 10); ++ openssl_hmac_final(&ctx, server_key); + str_append_c(str, ','); + base64_encode(server_key, sizeof(server_key), str); + +diff -up dovecot-2.3.13/src/lib/hmac.c.opensslhmac dovecot-2.3.13/src/lib/hmac.c +--- dovecot-2.3.13/src/lib/hmac.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 ++++ dovecot-2.3.13/src/lib/hmac.c 2021-03-22 18:44:06.947142409 +0100 +@@ -7,6 +7,10 @@ + * This software is released under the MIT license. + */ + ++#include ++#include ++#include ++#include + #include "lib.h" + #include "hmac.h" + #include "safe-memset.h" +@@ -14,10 +18,65 @@ + + #include "hex-binary.h" + +-void hmac_init(struct hmac_context *_ctx, const unsigned char *key, ++#ifndef HAVE_HMAC_CTX_NEW ++# define HMAC_Init_ex(ctx, key, key_len, md, impl) \ ++ HMAC_Init_ex(&(ctx), key, key_len, md, impl) ++# define HMAC_Update(ctx, data, len) HMAC_Update(&(ctx), data, len) ++# define HMAC_Final(ctx, md, len) HMAC_Final(&(ctx), md, len) ++# define HMAC_CTX_free(ctx) HMAC_cleanup(&(ctx)) ++#else ++# define HMAC_CTX_free(ctx) \ ++ STMT_START { HMAC_CTX_free(ctx); (ctx) = NULL; } STMT_END ++#endif ++ ++ ++void openssl_hmac_init(struct openssl_hmac_context *_ctx, const unsigned char *key, + size_t key_len, const struct hash_method *meth) + { +- struct hmac_context_priv *ctx = &_ctx->u.priv; ++ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; ++ ++ const EVP_MD *md; ++ const char *ebuf = NULL; ++ const char **error_r = &ebuf; ++ ++ md = EVP_get_digestbyname(meth->name); ++ if(md == NULL) { ++ if (error_r != NULL) { ++ *error_r = t_strdup_printf("Invalid digest %s", ++ meth->name); ++ } ++ //return FALSE; ++ } ++ ++// int ec; ++ ++ i_assert(md != NULL); ++#ifdef HAVE_HMAC_CTX_NEW ++ ctx->ctx = HMAC_CTX_new(); ++/* if (ctx->ctx == NULL) ++ dcrypt_openssl_error(error_r);*/ ++#endif ++ /*ec = */HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL); ++} ++ ++void orig_hmac_init(struct orig_hmac_context *_ctx, const unsigned char *key, ++ size_t key_len, const struct hash_method *meth) ++{ ++ static int no_fips = -1; ++ if (no_fips == -1) { ++ int fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY); ++ if (fd != -1) ++ { ++ char buf[4]; ++ if (read(fd, buf, 4) > 0) ++ { ++ no_fips = buf[0] == '0'; ++ } ++ close(fd); ++ } ++ } ++ i_assert(no_fips); ++ struct orig_hmac_context_priv *ctx = &_ctx->u.priv; + int i; + unsigned char k_ipad[64]; + unsigned char k_opad[64]; +@@ -53,9 +112,27 @@ void hmac_init(struct hmac_context *_ctx + safe_memset(k_opad, 0, 64); + } + +-void hmac_final(struct hmac_context *_ctx, unsigned char *digest) ++void openssl_hmac_final(struct openssl_hmac_context *_ctx, unsigned char *digest) ++{ ++ int ec; ++ unsigned char buf[HMAC_MAX_MD_CBLOCK]; ++ unsigned int outl; ++// const char *ebuf = NULL; ++// const char **error_r = &ebuf; ++ ++ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; ++ ec = HMAC_Final(ctx->ctx, buf, &outl); ++ HMAC_CTX_free(ctx->ctx); ++ if (ec == 1) ++ memcpy(digest, buf, outl); ++// else ++// dcrypt_openssl_error(error_r); ++ ++} ++ ++void orig_hmac_final(struct orig_hmac_context *_ctx, unsigned char *digest) + { +- struct hmac_context_priv *ctx = &_ctx->u.priv; ++ struct orig_hmac_context_priv *ctx = &_ctx->u.priv; + + ctx->hash->result(ctx->ctx, digest); + +@@ -63,53 +140,50 @@ void hmac_final(struct hmac_context *_ct + ctx->hash->result(ctx->ctxo, digest); + } + +-buffer_t *t_hmac_data(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_data(const struct hash_method *meth, + const unsigned char *key, size_t key_len, + const void *data, size_t data_len) + { +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + i_assert(meth != NULL); + i_assert(key != NULL && key_len > 0); + i_assert(data != NULL || data_len == 0); + + buffer_t *res = t_buffer_create(meth->digest_size); +- hmac_init(&ctx, key, key_len, meth); ++ openssl_hmac_init(&ctx, key, key_len, meth); + if (data_len > 0) +- hmac_update(&ctx, data, data_len); ++ openssl_hmac_update(&ctx, data, data_len); + unsigned char *buf = buffer_get_space_unsafe(res, 0, meth->digest_size); +- hmac_final(&ctx, buf); ++ openssl_hmac_final(&ctx, buf); + return res; + } + +-buffer_t *t_hmac_buffer(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth, + const unsigned char *key, size_t key_len, + const buffer_t *data) + { +- return t_hmac_data(meth, key, key_len, data->data, data->used); ++ return openssl_t_hmac_data(meth, key, key_len, data->data, data->used); + } + +-buffer_t *t_hmac_str(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_str(const struct hash_method *meth, + const unsigned char *key, size_t key_len, + const char *data) + { +- return t_hmac_data(meth, key, key_len, data, strlen(data)); ++ return openssl_t_hmac_data(meth, key, key_len, data, strlen(data)); + } + +-void hmac_hkdf(const struct hash_method *method, ++void openssl_hmac_hkdf(const struct hash_method *method, + const unsigned char *salt, size_t salt_len, + const unsigned char *ikm, size_t ikm_len, + const unsigned char *info, size_t info_len, + buffer_t *okm_r, size_t okm_len) + { ++ const EVP_MD *md; ++ EVP_PKEY_CTX *pctx; ++ int r = 1; ++ + i_assert(method != NULL); + i_assert(okm_len < 255*method->digest_size); +- struct hmac_context key_mac; +- struct hmac_context info_mac; +- size_t remain = okm_len; +- unsigned char prk[method->digest_size]; +- unsigned char okm[method->digest_size]; +- /* N = ceil(L/HashLen) */ +- unsigned int rounds = (okm_len + method->digest_size - 1)/method->digest_size; + + /* salt and info can be NULL */ + i_assert(salt != NULL || salt_len == 0); +@@ -118,35 +192,30 @@ void hmac_hkdf(const struct hash_method + i_assert(ikm != NULL && ikm_len > 0); + i_assert(okm_r != NULL && okm_len > 0); + +- /* but they still need valid pointer, reduces +- complains from static analysers */ +- if (salt == NULL) +- salt = &uchar_nul; +- if (info == NULL) +- info = &uchar_nul; +- +- /* extract */ +- hmac_init(&key_mac, salt, salt_len, method); +- hmac_update(&key_mac, ikm, ikm_len); +- hmac_final(&key_mac, prk); +- +- /* expand */ +- for (unsigned int i = 0; remain > 0 && i < rounds; i++) { +- unsigned char round = (i+1); +- size_t amt = remain; +- if (amt > method->digest_size) +- amt = method->digest_size; +- hmac_init(&info_mac, prk, method->digest_size, method); +- if (i > 0) +- hmac_update(&info_mac, okm, method->digest_size); +- hmac_update(&info_mac, info, info_len); +- hmac_update(&info_mac, &round, 1); +- memset(okm, 0, method->digest_size); +- hmac_final(&info_mac, okm); +- buffer_append(okm_r, okm, amt); +- remain -= amt; ++ ++ md = EVP_get_digestbyname(method->name); ++ pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); ++ unsigned char *okm_buf = buffer_get_space_unsafe(okm_r, 0, okm_len); ++ ++ if ((r=EVP_PKEY_derive_init(pctx)) <= 0) ++ goto out; ++ if ((r=EVP_PKEY_CTX_set_hkdf_md(pctx, md)) <= 0) ++ goto out; ++ if ((r=EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len)) <= 0) ++ goto out; ++ if ((r=EVP_PKEY_CTX_set1_hkdf_key(pctx, ikm, ikm_len)) <= 0) ++ goto out; ++ if ((r=EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len)) <= 0) ++ goto out; ++ if ((r=EVP_PKEY_derive(pctx, okm_buf, &okm_len)) <= 0) ++ goto out; ++ ++ out: ++ EVP_PKEY_CTX_free(pctx); ++ if (r <= 0) { ++ unsigned long ec = ERR_get_error(); ++ unsigned char *error = t_strdup_printf("%s", ERR_error_string(ec, NULL)); ++ i_error("%s", error); + } + +- safe_memset(prk, 0, sizeof(prk)); +- safe_memset(okm, 0, sizeof(okm)); + } +diff -up dovecot-2.3.13/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.13/src/lib/hmac-cram-md5.c +--- dovecot-2.3.13/src/lib/hmac-cram-md5.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 ++++ dovecot-2.3.13/src/lib/hmac-cram-md5.c 2021-03-22 18:44:06.947142409 +0100 +@@ -9,10 +9,10 @@ + #include "md5.h" + #include "hmac-cram-md5.h" + +-void hmac_md5_get_cram_context(struct hmac_context *_hmac_ctx, ++void hmac_md5_get_cram_context(struct orig_hmac_context *_hmac_ctx, + unsigned char context_digest[CRAM_MD5_CONTEXTLEN]) + { +- struct hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv; ++ struct orig_hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv; + unsigned char *cdp; + + struct md5_context *ctx = (void*)hmac_ctx->ctx; +@@ -35,10 +35,10 @@ void hmac_md5_get_cram_context(struct hm + CDPUT(cdp, ctx->d); + } + +-void hmac_md5_set_cram_context(struct hmac_context *_hmac_ctx, ++void hmac_md5_set_cram_context(struct orig_hmac_context *_hmac_ctx, + const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]) + { +- struct hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv; ++ struct orig_hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv; + const unsigned char *cdp; + + struct md5_context *ctx = (void*)hmac_ctx->ctx; +diff -up dovecot-2.3.13/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.13/src/lib/hmac-cram-md5.h +--- dovecot-2.3.13/src/lib/hmac-cram-md5.h.opensslhmac 2020-12-22 14:26:52.000000000 +0100 ++++ dovecot-2.3.13/src/lib/hmac-cram-md5.h 2021-03-22 18:44:06.947142409 +0100 +@@ -5,9 +5,9 @@ + + #define CRAM_MD5_CONTEXTLEN 32 + +-void hmac_md5_get_cram_context(struct hmac_context *ctx, ++void hmac_md5_get_cram_context(struct orig_hmac_context *ctx, + unsigned char context_digest[CRAM_MD5_CONTEXTLEN]); +-void hmac_md5_set_cram_context(struct hmac_context *ctx, ++void hmac_md5_set_cram_context(struct orig_hmac_context *ctx, + const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]); + + +diff -up dovecot-2.3.13/src/lib/hmac.h.opensslhmac dovecot-2.3.13/src/lib/hmac.h +--- dovecot-2.3.13/src/lib/hmac.h.opensslhmac 2020-12-22 14:26:52.000000000 +0100 ++++ dovecot-2.3.13/src/lib/hmac.h 2021-03-22 18:44:06.947142409 +0100 +@@ -3,60 +3,97 @@ + + #include "hash-method.h" + #include "sha1.h" ++#include ++#include ++#include ++#include + + #define HMAC_MAX_CONTEXT_SIZE 256 + +-struct hmac_context_priv { ++struct openssl_hmac_context_priv { ++#ifdef HAVE_HMAC_CTX_NEW ++ HMAC_CTX *ctx; ++#else ++ HMAC_CTX ctx; ++#endif ++ const struct hash_method *hash; ++}; ++ ++struct orig_hmac_context_priv { + char ctx[HMAC_MAX_CONTEXT_SIZE]; + char ctxo[HMAC_MAX_CONTEXT_SIZE]; + const struct hash_method *hash; + }; + +-struct hmac_context { ++struct openssl_hmac_context { ++ union { ++ struct openssl_hmac_context_priv priv; ++ uint64_t padding_requirement; ++ } u; ++}; ++ ++struct orig_hmac_context { + union { +- struct hmac_context_priv priv; ++ struct orig_hmac_context_priv priv; + uint64_t padding_requirement; + } u; + }; + +-void hmac_init(struct hmac_context *ctx, const unsigned char *key, ++void openssl_hmac_init(struct openssl_hmac_context *ctx, const unsigned char *key, ++ size_t key_len, const struct hash_method *meth); ++void openssl_hmac_final(struct openssl_hmac_context *ctx, unsigned char *digest); ++ ++static inline void ++openssl_hmac_update(struct openssl_hmac_context *_ctx, const void *data, size_t size) ++{ ++ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; ++ HMAC_Update(ctx->ctx, data, size); ++/* if (ec != 1) ++ { ++ const char *ebuf = NULL; ++ const char **error_r = &ebuf; ++ dcrypt_openssl_error(error_r); ++ }*/ ++} ++ ++void orig_hmac_init(struct orig_hmac_context *ctx, const unsigned char *key, + size_t key_len, const struct hash_method *meth); +-void hmac_final(struct hmac_context *ctx, unsigned char *digest); ++void orig_hmac_final(struct orig_hmac_context *ctx, unsigned char *digest); + + + static inline void +-hmac_update(struct hmac_context *_ctx, const void *data, size_t size) ++orig_hmac_update(struct orig_hmac_context *_ctx, const void *data, size_t size) + { +- struct hmac_context_priv *ctx = &_ctx->u.priv; ++ struct orig_hmac_context_priv *ctx = &_ctx->u.priv; + + ctx->hash->loop(ctx->ctx, data, size); + } + +-buffer_t *t_hmac_data(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_data(const struct hash_method *meth, + const unsigned char *key, size_t key_len, + const void *data, size_t data_len); +-buffer_t *t_hmac_buffer(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth, + const unsigned char *key, size_t key_len, + const buffer_t *data); +-buffer_t *t_hmac_str(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_str(const struct hash_method *meth, + const unsigned char *key, size_t key_len, + const char *data); + +-void hmac_hkdf(const struct hash_method *method, ++void openssl_hmac_hkdf(const struct hash_method *method, + const unsigned char *salt, size_t salt_len, + const unsigned char *ikm, size_t ikm_len, + const unsigned char *info, size_t info_len, + buffer_t *okm_r, size_t okm_len); + + static inline buffer_t * +-t_hmac_hkdf(const struct hash_method *method, ++openssl_t_hmac_hkdf(const struct hash_method *method, + const unsigned char *salt, size_t salt_len, + const unsigned char *ikm, size_t ikm_len, + const unsigned char *info, size_t info_len, + size_t okm_len) + { + buffer_t *okm_buffer = t_buffer_create(okm_len); +- hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len, ++ openssl_hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len, + okm_buffer, okm_len); + return okm_buffer; + } +diff -up dovecot-2.3.13/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.13/src/lib-imap-urlauth/imap-urlauth.c +--- dovecot-2.3.13/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 ++++ dovecot-2.3.13/src/lib-imap-urlauth/imap-urlauth.c 2021-03-22 18:44:06.948142396 +0100 +@@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha + const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN], + size_t *token_len_r) + { +- struct hmac_context hmac; ++ struct openssl_hmac_context hmac; + unsigned char *token; + + token = t_new(unsigned char, SHA1_RESULTLEN + 1); + token[0] = IMAP_URLAUTH_MECH_INTERNAL_VERSION; + +- hmac_init(&hmac, mailbox_key, IMAP_URLAUTH_KEY_LEN, &hash_method_sha1); +- hmac_update(&hmac, rumpurl, strlen(rumpurl)); +- hmac_final(&hmac, token+1); ++ openssl_hmac_init(&hmac, mailbox_key, IMAP_URLAUTH_KEY_LEN, &hash_method_sha1); ++ openssl_hmac_update(&hmac, rumpurl, strlen(rumpurl)); ++ openssl_hmac_final(&hmac, token+1); + + *token_len_r = SHA1_RESULTLEN + 1; + return token; +diff -up dovecot-2.3.13/src/lib/Makefile.am.opensslhmac dovecot-2.3.13/src/lib/Makefile.am +--- dovecot-2.3.13/src/lib/Makefile.am.opensslhmac 2020-12-22 14:26:52.000000000 +0100 ++++ dovecot-2.3.13/src/lib/Makefile.am 2021-03-22 18:44:06.948142396 +0100 +@@ -352,6 +352,9 @@ headers = \ + wildcard-match.h \ + write-full.h + ++liblib_la_LIBADD = $(SSL_LIBS) ++liblib_la_CFLAGS = $(SSL_CFLAGS) ++ + test_programs = test-lib + noinst_PROGRAMS = $(test_programs) + +diff -up dovecot-2.3.13/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.13/src/lib-oauth2/oauth2-jwt.c +--- dovecot-2.3.13/src/lib-oauth2/oauth2-jwt.c.opensslhmac 2021-03-22 18:46:42.645100171 +0100 ++++ dovecot-2.3.13/src/lib-oauth2/oauth2-jwt.c 2021-03-22 18:46:42.657100014 +0100 +@@ -96,14 +96,14 @@ static int oauth2_validate_hmac(const st + const buffer_t *key; + if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0) + return -1; +- struct hmac_context ctx; +- hmac_init(&ctx, key->data, key->used, method); +- hmac_update(&ctx, blobs[0], strlen(blobs[0])); +- hmac_update(&ctx, ".", 1); +- hmac_update(&ctx, blobs[1], strlen(blobs[1])); ++ struct openssl_hmac_context ctx; ++ openssl_hmac_init(&ctx, key->data, key->used, method); ++ openssl_hmac_update(&ctx, blobs[0], strlen(blobs[0])); ++ openssl_hmac_update(&ctx, ".", 1); ++ openssl_hmac_update(&ctx, blobs[1], strlen(blobs[1])); + unsigned char digest[method->digest_size]; + +- hmac_final(&ctx, digest); ++ openssl_hmac_final(&ctx, digest); + + buffer_t *their_digest = + t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]); +diff -up dovecot-2.3.13/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.13/src/lib-oauth2/test-oauth2-jwt.c +--- dovecot-2.3.13/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 ++++ dovecot-2.3.13/src/lib-oauth2/test-oauth2-jwt.c 2021-03-22 18:44:06.948142396 +0100 +@@ -219,7 +219,7 @@ static void save_key_to(const char *algo + static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key) + { + i_assert(key != NULL); +- buffer_t *sig = t_hmac_buffer(&hash_method_sha256, key->data, key->used, ++ buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha256, key->data, key->used, + tokenbuf); + buffer_append(tokenbuf, ".", 1); + base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, +diff -up dovecot-2.3.13/src/lib/pkcs5.c.opensslhmac dovecot-2.3.13/src/lib/pkcs5.c +--- dovecot-2.3.13/src/lib/pkcs5.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 ++++ dovecot-2.3.13/src/lib/pkcs5.c 2021-03-22 18:44:06.948142396 +0100 +@@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho + size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */ + unsigned char dk[l * hash->digest_size]; + unsigned char *block; +- struct hmac_context hctx; ++ struct openssl_hmac_context hctx; + unsigned int c,i,t; + unsigned char U_c[hash->digest_size]; + +@@ -60,17 +60,17 @@ int pkcs5_pbkdf2(const struct hash_metho + block = &(dk[t*hash->digest_size]); + /* U_1 = PRF(Password, Salt|| INT_BE32(Block_Number)) */ + c = htonl(t+1); +- hmac_init(&hctx, password, password_len, hash); +- hmac_update(&hctx, salt, salt_len); +- hmac_update(&hctx, &c, sizeof(c)); +- hmac_final(&hctx, U_c); ++ openssl_hmac_init(&hctx, password, password_len, hash); ++ openssl_hmac_update(&hctx, salt, salt_len); ++ openssl_hmac_update(&hctx, &c, sizeof(c)); ++ openssl_hmac_final(&hctx, U_c); + /* block = U_1 ^ .. ^ U_iter */ + memcpy(block, U_c, hash->digest_size); + /* U_c = PRF(Password, U_c-1) */ + for(c = 1; c < iter; c++) { +- hmac_init(&hctx, password, password_len, hash); +- hmac_update(&hctx, U_c, hash->digest_size); +- hmac_final(&hctx, U_c); ++ openssl_hmac_init(&hctx, password, password_len, hash); ++ openssl_hmac_update(&hctx, U_c, hash->digest_size); ++ openssl_hmac_final(&hctx, U_c); + for(i = 0; i < hash->digest_size; i++) + block[i] ^= U_c[i]; + } +diff -up dovecot-2.3.13/src/lib/test-hmac.c.opensslhmac dovecot-2.3.13/src/lib/test-hmac.c +--- dovecot-2.3.13/src/lib/test-hmac.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 ++++ dovecot-2.3.13/src/lib/test-hmac.c 2021-03-22 18:44:06.948142396 +0100 +@@ -112,11 +112,11 @@ static void test_hmac_rfc(void) + test_begin("hmac sha256 rfc4231 vectors"); + for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) { + const struct test_vector *vec = &(test_vectors[i]); +- struct hmac_context ctx; +- hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf)); +- hmac_update(&ctx, vec->data, vec->data_len); ++ struct openssl_hmac_context ctx; ++ openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf)); ++ openssl_hmac_update(&ctx, vec->data, vec->data_len); + unsigned char res[SHA256_RESULTLEN]; +- hmac_final(&ctx, res); ++ openssl_hmac_final(&ctx, res); + test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i); + } + test_end(); +@@ -129,7 +129,7 @@ static void test_hmac_buffer(void) + + buffer_t *tmp; + +- tmp = t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len, ++ tmp = openssl_t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len, + vec->data, vec->data_len); + + test_assert(tmp->used == vec->res_len && +@@ -146,7 +146,7 @@ static void test_hkdf_rfc(void) + buffer_set_used_size(res, 0); + const struct test_vector_5869 *vec = &(test_vectors_5869[i]); + const struct hash_method *m = hash_method_lookup(vec->prf); +- hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len, ++ openssl_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len, + vec->info, vec->info_len, res, vec->okm_len); + test_assert_idx(memcmp(res->data, vec->okm, vec->okm_len) == 0, i); + } +@@ -159,7 +159,7 @@ static void test_hkdf_buffer(void) + test_begin("hkdf temporary buffer"); + const struct test_vector_5869 *vec = &(test_vectors_5869[0]); + const struct hash_method *m = hash_method_lookup(vec->prf); +- buffer_t *tmp = t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, ++ buffer_t *tmp = openssl_t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, + vec->ikm_len, vec->info, vec->info_len, + vec->okm_len); + test_assert(tmp->used == vec->okm_len && diff --git a/dovecot.spec b/dovecot.spec index 6ee95b3..7e769e6 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -35,6 +35,11 @@ Patch10: dovecot-2.3.0.1-libxcrypt.patch Patch15: dovecot-2.3.11-bigkey.patch Patch16: dovecot-2.3.13-bigtvsec.patch +# do not use own implementation of HMAC, use OpenSSL for certification purposes +# not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces +# hard to break circular dependency between lib and lib-dcrypt +Patch17: dovecot-2.3.6-opensslhmac.patch + Source15: prestartscript BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel @@ -121,12 +126,9 @@ This package provides the development files for dovecot. %patch6 -p1 -b .waitonline %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem -#%patch10 -p1 -b .libxcrypt -#patch12 -p1 -b .ftbfs1 -#patch13 -p1 -b .ftbfs2 -#patch14 -p1 -b .gssapi %patch15 -p1 -b .bigkey %patch16 -p1 -b .bigtvsec +%patch17 -p1 -b .opensslhmac #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd From 25d565523c37b64b947072151fa5afb928444d55 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 22 Mar 2021 21:06:01 +0100 Subject: [PATCH 086/163] dovecot updated to 2.3.14, pigeonhole to 0.5.14 use OpenSSL's implementation of HMAC Remove autocreate, expire, snarf and mail-filter plugins. Remove cydir storage driver. Remove XZ/LZMA write support. Read support will be removed in future release. --- dovecot-2.2.20-initbysystemd.patch | 2 +- dovecot-2.3.13-bigtvsec.patch | 36 ------- dovecot-2.3.6-opensslhmac.patch | 168 +++++++++++++++++++---------- dovecot.spec | 21 ++-- sources | 4 +- 5 files changed, 125 insertions(+), 106 deletions(-) delete mode 100644 dovecot-2.3.13-bigtvsec.patch diff --git a/dovecot-2.2.20-initbysystemd.patch b/dovecot-2.2.20-initbysystemd.patch index 7e3d94c..85327ee 100644 --- a/dovecot-2.2.20-initbysystemd.patch +++ b/dovecot-2.2.20-initbysystemd.patch @@ -21,7 +21,7 @@ diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/doveco @@ -8,7 +8,8 @@ Description=Dovecot IMAP/POP3 email server Documentation=man:dovecot(1) - Documentation=http://wiki2.dovecot.org/ + Documentation=https://doc.dovecot.org/ -After=local-fs.target network-online.target +After=local-fs.target network-online.target dovecot-init.service +Requires=dovecot-init.service diff --git a/dovecot-2.3.13-bigtvsec.patch b/dovecot-2.3.13-bigtvsec.patch deleted file mode 100644 index 3bd7ce6..0000000 --- a/dovecot-2.3.13-bigtvsec.patch +++ /dev/null @@ -1,36 +0,0 @@ -diff -up dovecot-2.3.13/src/lib/test-time-util.c.bigtvsec dovecot-2.3.13/src/lib/test-time-util.c ---- dovecot-2.3.13/src/lib/test-time-util.c.bigtvsec 2021-01-06 11:27:06.793315308 +0100 -+++ dovecot-2.3.13/src/lib/test-time-util.c 2021-01-06 11:27:06.815315088 +0100 -@@ -358,7 +358,7 @@ static void test_str_to_timeval(void) - { - struct { - const char *str; -- unsigned int tv_sec, tv_usec; -+ long int tv_sec, tv_usec; - } tests[] = { - { "0", 0, 0 }, - { "0.0", 0, 0 }, -diff -up dovecot-2.3.13/src/lib/time-util.c.bigtvsec dovecot-2.3.13/src/lib/time-util.c ---- dovecot-2.3.13/src/lib/time-util.c.bigtvsec 2021-01-06 11:10:49.791094852 +0100 -+++ dovecot-2.3.13/src/lib/time-util.c 2021-01-06 11:10:08.255501319 +0100 -@@ -43,16 +43,16 @@ int timeval_cmp_margin(const struct time - - if (tv1->tv_sec < tv2->tv_sec) { - sec_margin = ((int)usec_margin / 1000000) + 1; -- if ((tv2->tv_sec - tv1->tv_sec) > sec_margin) -+ if (((long long)tv2->tv_sec - tv1->tv_sec) > sec_margin) - return -1; -- usecs_diff = (tv2->tv_sec - tv1->tv_sec) * 1000000LL + -+ usecs_diff = ((long long)tv2->tv_sec - tv1->tv_sec) * 1000000LL + - (tv2->tv_usec - tv1->tv_usec); - ret = -1; - } else if (tv1->tv_sec > tv2->tv_sec) { - sec_margin = ((int)usec_margin / 1000000) + 1; -- if ((tv1->tv_sec - tv2->tv_sec) > sec_margin) -+ if (((long long)tv1->tv_sec - tv2->tv_sec) > sec_margin) - return 1; -- usecs_diff = (tv1->tv_sec - tv2->tv_sec) * 1000000LL + -+ usecs_diff = ((long long)tv1->tv_sec - tv2->tv_sec) * 1000000LL + - (tv1->tv_usec - tv2->tv_usec); - ret = 1; - } else if (tv1->tv_usec < tv2->tv_usec) { diff --git a/dovecot-2.3.6-opensslhmac.patch b/dovecot-2.3.6-opensslhmac.patch index a95202e..ba6453b 100644 --- a/dovecot-2.3.6-opensslhmac.patch +++ b/dovecot-2.3.6-opensslhmac.patch @@ -1,6 +1,6 @@ -diff -up dovecot-2.3.13/src/auth/auth-token.c.opensslhmac dovecot-2.3.13/src/auth/auth-token.c ---- dovecot-2.3.13/src/auth/auth-token.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 -+++ dovecot-2.3.13/src/auth/auth-token.c 2021-03-22 18:44:06.946142422 +0100 +diff -up dovecot-2.3.14/src/auth/auth-token.c.opensslhmac dovecot-2.3.14/src/auth/auth-token.c +--- dovecot-2.3.14/src/auth/auth-token.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 ++++ dovecot-2.3.14/src/auth/auth-token.c 2021-03-22 20:44:13.022912242 +0100 @@ -161,17 +161,17 @@ void auth_token_deinit(void) const char *auth_token_get(const char *service, const char *session_pid, const char *username, const char *session_id) @@ -26,9 +26,9 @@ diff -up dovecot-2.3.13/src/auth/auth-token.c.opensslhmac dovecot-2.3.13/src/aut return binary_to_hex(result, sizeof(result)); } -diff -up dovecot-2.3.13/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.13/src/auth/mech-cram-md5.c ---- dovecot-2.3.13/src/auth/mech-cram-md5.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 -+++ dovecot-2.3.13/src/auth/mech-cram-md5.c 2021-03-22 18:44:06.946142422 +0100 +diff -up dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.14/src/auth/mech-cram-md5.c +--- dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 ++++ dovecot-2.3.14/src/auth/mech-cram-md5.c 2021-03-22 20:44:13.022912242 +0100 @@ -51,7 +51,7 @@ static bool verify_credentials(struct cr { @@ -52,9 +52,9 @@ diff -up dovecot-2.3.13/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.13/src/ response_hex = binary_to_hex(digest, sizeof(digest)); -diff -up dovecot-2.3.13/src/auth/mech-scram.c.opensslhmac dovecot-2.3.13/src/auth/mech-scram.c ---- dovecot-2.3.13/src/auth/mech-scram.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 -+++ dovecot-2.3.13/src/auth/mech-scram.c 2021-03-22 18:44:06.946142422 +0100 +diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/auth/mech-scram.c +--- dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 ++++ dovecot-2.3.14/src/auth/mech-scram.c 2021-03-22 20:44:13.022912242 +0100 @@ -78,7 +78,7 @@ static const char *get_scram_server_firs static const char *get_scram_server_final(struct scram_auth_request *request) { @@ -99,9 +99,9 @@ diff -up dovecot-2.3.13/src/auth/mech-scram.c.opensslhmac dovecot-2.3.13/src/aut const unsigned char *proof_data = request->proof->data; for (i = 0; i < sizeof(client_signature); i++) -diff -up dovecot-2.3.13/src/auth/password-scheme.c.opensslhmac dovecot-2.3.13/src/auth/password-scheme.c ---- dovecot-2.3.13/src/auth/password-scheme.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 -+++ dovecot-2.3.13/src/auth/password-scheme.c 2021-03-22 18:44:06.947142409 +0100 +diff -up dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme.c +--- dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 ++++ dovecot-2.3.14/src/auth/password-scheme.c 2021-03-22 20:44:13.022912242 +0100 @@ -639,11 +639,11 @@ static void cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, const unsigned char **raw_password_r, size_t *size_r) @@ -116,9 +116,9 @@ diff -up dovecot-2.3.13/src/auth/password-scheme.c.opensslhmac dovecot-2.3.13/sr strlen(plaintext), &hash_method_md5); hmac_md5_get_cram_context(&ctx, context_digest); -diff -up dovecot-2.3.13/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.13/src/auth/password-scheme-scram.c ---- dovecot-2.3.13/src/auth/password-scheme-scram.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 -+++ dovecot-2.3.13/src/auth/password-scheme-scram.c 2021-03-22 18:44:06.947142409 +0100 +diff -up dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme-scram.c +--- dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 ++++ dovecot-2.3.14/src/auth/password-scheme-scram.c 2021-03-22 20:44:13.023912229 +0100 @@ -30,23 +30,23 @@ Hi(const struct hash_method *hmethod, co const unsigned char *salt, size_t salt_size, unsigned int i, unsigned char *result) @@ -208,9 +208,9 @@ diff -up dovecot-2.3.13/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3 str_append_c(str, ','); base64_encode(server_key, sizeof(server_key), str); -diff -up dovecot-2.3.13/src/lib/hmac.c.opensslhmac dovecot-2.3.13/src/lib/hmac.c ---- dovecot-2.3.13/src/lib/hmac.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 -+++ dovecot-2.3.13/src/lib/hmac.c 2021-03-22 18:44:06.947142409 +0100 +diff -up dovecot-2.3.14/src/lib/hmac.c.opensslhmac dovecot-2.3.14/src/lib/hmac.c +--- dovecot-2.3.14/src/lib/hmac.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 ++++ dovecot-2.3.14/src/lib/hmac.c 2021-03-22 20:44:13.023912229 +0100 @@ -7,6 +7,10 @@ * This software is released under the MIT license. */ @@ -287,11 +287,11 @@ diff -up dovecot-2.3.13/src/lib/hmac.c.opensslhmac dovecot-2.3.13/src/lib/hmac.c + } + i_assert(no_fips); + struct orig_hmac_context_priv *ctx = &_ctx->u.priv; - int i; - unsigned char k_ipad[64]; - unsigned char k_opad[64]; + unsigned int i; + unsigned char k_ipad[meth->block_size]; + unsigned char k_opad[meth->block_size]; @@ -53,9 +112,27 @@ void hmac_init(struct hmac_context *_ctx - safe_memset(k_opad, 0, 64); + safe_memset(k_opad, 0, meth->block_size); } -void hmac_final(struct hmac_context *_ctx, unsigned char *digest) @@ -448,9 +448,9 @@ diff -up dovecot-2.3.13/src/lib/hmac.c.opensslhmac dovecot-2.3.13/src/lib/hmac.c - safe_memset(prk, 0, sizeof(prk)); - safe_memset(okm, 0, sizeof(okm)); } -diff -up dovecot-2.3.13/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.13/src/lib/hmac-cram-md5.c ---- dovecot-2.3.13/src/lib/hmac-cram-md5.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 -+++ dovecot-2.3.13/src/lib/hmac-cram-md5.c 2021-03-22 18:44:06.947142409 +0100 +diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.c +--- dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 ++++ dovecot-2.3.14/src/lib/hmac-cram-md5.c 2021-03-22 20:44:13.023912229 +0100 @@ -9,10 +9,10 @@ #include "md5.h" #include "hmac-cram-md5.h" @@ -477,9 +477,9 @@ diff -up dovecot-2.3.13/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.13/src/l const unsigned char *cdp; struct md5_context *ctx = (void*)hmac_ctx->ctx; -diff -up dovecot-2.3.13/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.13/src/lib/hmac-cram-md5.h ---- dovecot-2.3.13/src/lib/hmac-cram-md5.h.opensslhmac 2020-12-22 14:26:52.000000000 +0100 -+++ dovecot-2.3.13/src/lib/hmac-cram-md5.h 2021-03-22 18:44:06.947142409 +0100 +diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.h +--- dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac 2021-03-04 09:38:06.000000000 +0100 ++++ dovecot-2.3.14/src/lib/hmac-cram-md5.h 2021-03-22 20:44:13.023912229 +0100 @@ -5,9 +5,9 @@ #define CRAM_MD5_CONTEXTLEN 32 @@ -492,19 +492,19 @@ diff -up dovecot-2.3.13/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.13/src/l const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]); -diff -up dovecot-2.3.13/src/lib/hmac.h.opensslhmac dovecot-2.3.13/src/lib/hmac.h ---- dovecot-2.3.13/src/lib/hmac.h.opensslhmac 2020-12-22 14:26:52.000000000 +0100 -+++ dovecot-2.3.13/src/lib/hmac.h 2021-03-22 18:44:06.947142409 +0100 -@@ -3,60 +3,97 @@ - +diff -up dovecot-2.3.14/src/lib/hmac.h.opensslhmac dovecot-2.3.14/src/lib/hmac.h +--- dovecot-2.3.14/src/lib/hmac.h.opensslhmac 2021-03-04 09:38:06.000000000 +0100 ++++ dovecot-2.3.14/src/lib/hmac.h 2021-03-22 20:44:13.023912229 +0100 +@@ -4,60 +4,97 @@ #include "hash-method.h" #include "sha1.h" + #include "sha2.h" +#include +#include +#include +#include - #define HMAC_MAX_CONTEXT_SIZE 256 + #define HMAC_MAX_CONTEXT_SIZE sizeof(struct sha512_ctx) -struct hmac_context_priv { +struct openssl_hmac_context_priv { @@ -606,9 +606,9 @@ diff -up dovecot-2.3.13/src/lib/hmac.h.opensslhmac dovecot-2.3.13/src/lib/hmac.h okm_buffer, okm_len); return okm_buffer; } -diff -up dovecot-2.3.13/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.13/src/lib-imap-urlauth/imap-urlauth.c ---- dovecot-2.3.13/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 -+++ dovecot-2.3.13/src/lib-imap-urlauth/imap-urlauth.c 2021-03-22 18:44:06.948142396 +0100 +diff -up dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c +--- dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 ++++ dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c 2021-03-22 20:44:13.023912229 +0100 @@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN], size_t *token_len_r) @@ -629,9 +629,9 @@ diff -up dovecot-2.3.13/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot- *token_len_r = SHA1_RESULTLEN + 1; return token; -diff -up dovecot-2.3.13/src/lib/Makefile.am.opensslhmac dovecot-2.3.13/src/lib/Makefile.am ---- dovecot-2.3.13/src/lib/Makefile.am.opensslhmac 2020-12-22 14:26:52.000000000 +0100 -+++ dovecot-2.3.13/src/lib/Makefile.am 2021-03-22 18:44:06.948142396 +0100 +diff -up dovecot-2.3.14/src/lib/Makefile.am.opensslhmac dovecot-2.3.14/src/lib/Makefile.am +--- dovecot-2.3.14/src/lib/Makefile.am.opensslhmac 2021-03-04 09:38:06.000000000 +0100 ++++ dovecot-2.3.14/src/lib/Makefile.am 2021-03-22 20:44:13.023912229 +0100 @@ -352,6 +352,9 @@ headers = \ wildcard-match.h \ write-full.h @@ -642,13 +642,13 @@ diff -up dovecot-2.3.13/src/lib/Makefile.am.opensslhmac dovecot-2.3.13/src/lib/M test_programs = test-lib noinst_PROGRAMS = $(test_programs) -diff -up dovecot-2.3.13/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.13/src/lib-oauth2/oauth2-jwt.c ---- dovecot-2.3.13/src/lib-oauth2/oauth2-jwt.c.opensslhmac 2021-03-22 18:46:42.645100171 +0100 -+++ dovecot-2.3.13/src/lib-oauth2/oauth2-jwt.c 2021-03-22 18:46:42.657100014 +0100 -@@ -96,14 +96,14 @@ static int oauth2_validate_hmac(const st - const buffer_t *key; +diff -up dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c +--- dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 ++++ dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c 2021-03-22 20:44:13.024912217 +0100 +@@ -106,14 +106,14 @@ oauth2_validate_hmac(const struct oauth2 if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0) return -1; + - struct hmac_context ctx; - hmac_init(&ctx, key->data, key->used, method); - hmac_update(&ctx, blobs[0], strlen(blobs[0])); @@ -666,10 +666,10 @@ diff -up dovecot-2.3.13/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.13/s buffer_t *their_digest = t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]); -diff -up dovecot-2.3.13/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.13/src/lib-oauth2/test-oauth2-jwt.c ---- dovecot-2.3.13/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 -+++ dovecot-2.3.13/src/lib-oauth2/test-oauth2-jwt.c 2021-03-22 18:44:06.948142396 +0100 -@@ -219,7 +219,7 @@ static void save_key_to(const char *algo +diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c +--- dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 ++++ dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c 2021-03-22 20:46:09.524440794 +0100 +@@ -236,7 +236,7 @@ static void save_key_to(const char *algo static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key) { i_assert(key != NULL); @@ -678,9 +678,27 @@ diff -up dovecot-2.3.13/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3 tokenbuf); buffer_append(tokenbuf, ".", 1); base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, -diff -up dovecot-2.3.13/src/lib/pkcs5.c.opensslhmac dovecot-2.3.13/src/lib/pkcs5.c ---- dovecot-2.3.13/src/lib/pkcs5.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 -+++ dovecot-2.3.13/src/lib/pkcs5.c 2021-03-22 18:44:06.948142396 +0100 +@@ -246,7 +246,7 @@ static void sign_jwt_token_hs256(buffer_ + static void sign_jwt_token_hs384(buffer_t *tokenbuf, buffer_t *key) + { + i_assert(key != NULL); +- buffer_t *sig = t_hmac_buffer(&hash_method_sha384, key->data, key->used, ++ buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha384, key->data, key->used, + tokenbuf); + buffer_append(tokenbuf, ".", 1); + base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, +@@ -256,7 +256,7 @@ static void sign_jwt_token_hs384(buffer_ + static void sign_jwt_token_hs512(buffer_t *tokenbuf, buffer_t *key) + { + i_assert(key != NULL); +- buffer_t *sig = t_hmac_buffer(&hash_method_sha512, key->data, key->used, ++ buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha512, key->data, key->used, + tokenbuf); + buffer_append(tokenbuf, ".", 1); + base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, +diff -up dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac dovecot-2.3.14/src/lib/pkcs5.c +--- dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 ++++ dovecot-2.3.14/src/lib/pkcs5.c 2021-03-22 20:44:13.024912217 +0100 @@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */ unsigned char dk[l * hash->digest_size]; @@ -715,10 +733,10 @@ diff -up dovecot-2.3.13/src/lib/pkcs5.c.opensslhmac dovecot-2.3.13/src/lib/pkcs5 for(i = 0; i < hash->digest_size; i++) block[i] ^= U_c[i]; } -diff -up dovecot-2.3.13/src/lib/test-hmac.c.opensslhmac dovecot-2.3.13/src/lib/test-hmac.c ---- dovecot-2.3.13/src/lib/test-hmac.c.opensslhmac 2020-12-22 14:26:52.000000000 +0100 -+++ dovecot-2.3.13/src/lib/test-hmac.c 2021-03-22 18:44:06.948142396 +0100 -@@ -112,11 +112,11 @@ static void test_hmac_rfc(void) +diff -up dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac dovecot-2.3.14/src/lib/test-hmac.c +--- dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 ++++ dovecot-2.3.14/src/lib/test-hmac.c 2021-03-22 20:44:13.024912217 +0100 +@@ -206,11 +206,11 @@ static void test_hmac_rfc(void) test_begin("hmac sha256 rfc4231 vectors"); for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) { const struct test_vector *vec = &(test_vectors[i]); @@ -734,7 +752,39 @@ diff -up dovecot-2.3.13/src/lib/test-hmac.c.opensslhmac dovecot-2.3.13/src/lib/t test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i); } test_end(); -@@ -129,7 +129,7 @@ static void test_hmac_buffer(void) +@@ -221,11 +221,11 @@ static void test_hmac384_rfc(void) + test_begin("hmac sha384 rfc4231 vectors"); + for (size_t i = 0; i < N_ELEMENTS(test_vectors_hmac384); i++) { + const struct test_vector *vec = &(test_vectors_hmac384[i]); +- struct hmac_context ctx; +- hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf)); +- hmac_update(&ctx, vec->data, vec->data_len); ++ struct openssl_hmac_context ctx; ++ openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf)); ++ openssl_hmac_update(&ctx, vec->data, vec->data_len); + unsigned char res[SHA384_RESULTLEN]; +- hmac_final(&ctx, res); ++ openssl_hmac_final(&ctx, res); + test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i); + } + test_end(); +@@ -236,11 +236,11 @@ static void test_hmac512_rfc(void) + test_begin("hmac sha512 rfc4231 vectors"); + for (size_t i = 0; i < N_ELEMENTS(test_vectors_hmac512); i++) { + const struct test_vector *vec = &(test_vectors_hmac512[i]); +- struct hmac_context ctx; +- hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf)); +- hmac_update(&ctx, vec->data, vec->data_len); ++ struct openssl_hmac_context ctx; ++ openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf)); ++ openssl_hmac_update(&ctx, vec->data, vec->data_len); + unsigned char res[SHA512_RESULTLEN]; +- hmac_final(&ctx, res); ++ openssl_hmac_final(&ctx, res); + test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i); + } + test_end(); +@@ -253,7 +253,7 @@ static void test_hmac_buffer(void) buffer_t *tmp; @@ -743,7 +793,7 @@ diff -up dovecot-2.3.13/src/lib/test-hmac.c.opensslhmac dovecot-2.3.13/src/lib/t vec->data, vec->data_len); test_assert(tmp->used == vec->res_len && -@@ -146,7 +146,7 @@ static void test_hkdf_rfc(void) +@@ -270,7 +270,7 @@ static void test_hkdf_rfc(void) buffer_set_used_size(res, 0); const struct test_vector_5869 *vec = &(test_vectors_5869[i]); const struct hash_method *m = hash_method_lookup(vec->prf); @@ -752,7 +802,7 @@ diff -up dovecot-2.3.13/src/lib/test-hmac.c.opensslhmac dovecot-2.3.13/src/lib/t vec->info, vec->info_len, res, vec->okm_len); test_assert_idx(memcmp(res->data, vec->okm, vec->okm_len) == 0, i); } -@@ -159,7 +159,7 @@ static void test_hkdf_buffer(void) +@@ -283,7 +283,7 @@ static void test_hkdf_buffer(void) test_begin("hkdf temporary buffer"); const struct test_vector_5869 *vec = &(test_vectors_5869[0]); const struct hash_method *m = hash_method_lookup(vec->prf); diff --git a/dovecot.spec b/dovecot.spec index 7e769e6..aba275c 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.13 +Version: 2.3.14 %global prever %{nil} -Release: 7%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.13 +%global pigeonholever 0.5.14 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -33,12 +33,11 @@ Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch Patch15: dovecot-2.3.11-bigkey.patch -Patch16: dovecot-2.3.13-bigtvsec.patch # do not use own implementation of HMAC, use OpenSSL for certification purposes # not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces # hard to break circular dependency between lib and lib-dcrypt -Patch17: dovecot-2.3.6-opensslhmac.patch +Patch16: dovecot-2.3.6-opensslhmac.patch Source15: prestartscript @@ -127,8 +126,7 @@ This package provides the development files for dovecot. %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem %patch15 -p1 -b .bigkey -%patch16 -p1 -b .bigtvsec -%patch17 -p1 -b .opensslhmac +%patch16 -p1 -b .opensslhmac #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -333,6 +331,7 @@ make check %config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-logging.conf %config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-mail.conf %config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-master.conf +%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-metrics.conf %config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-ssl.conf %config(noreplace) %{_sysconfdir}/dovecot/conf.d/15-lda.conf %config(noreplace) %{_sysconfdir}/dovecot/conf.d/15-mailboxes.conf @@ -352,7 +351,6 @@ make check %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-sql.conf.ext %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-static.conf.ext %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-system.conf.ext - %config(noreplace) %{_sysconfdir}/pam.d/dovecot %config(noreplace) %{ssldir}/dovecot-openssl.cnf @@ -454,6 +452,13 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Mar 22 2021 Michal Hlavinka - 1:2.3.14-1 +- dovecot updated to 2.3.14, pigeonhole to 0.5.14 +- use OpenSSL's implementation of HMAC +- Remove autocreate, expire, snarf and mail-filter plugins. +- Remove cydir storage driver. +- Remove XZ/LZMA write support. Read support will be removed in future release. + * Mon Feb 08 2021 Pavel Raiskup - 1:2.3.13-7 - rebuild for libpq ABI fix rhbz#1908268 diff --git a/sources b/sources index a3e1632..a7b5e63 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.13.tar.gz) = 758a169fba8925637ed18fa7522a6f06c9fe01a1707b1ca0d0a4d8757c578a8e117c91733e8314403839f9a484bbcac71ce3532c82379eb583b480756d556a95 -SHA512 (dovecot-2.3-pigeonhole-0.5.13.tar.gz) = fcbc13d71af4e6dd4e34192484e203d755e5015da76a4774b11a79182b2baad36cab5a471346093111ace36a7775dfe8294555f8b777786dde386820b3ec5cd3 +SHA512 (dovecot-2.3.14.tar.gz) = 69df234cb739c7ee7ae3acfb9756bc22481e94c95463d32bfac315c7ec4b1ba0dfbff552b769f2ab7ee554087ca2ebbe331aa008d3af26417016612dc7cad103 +SHA512 (dovecot-2.3-pigeonhole-0.5.14.tar.gz) = c5d5d309769eabe2c0971646d0c14d166b6b524acf59e1069eca803f764544fa2535c09c9a630ca706aa70442b688ee26af831d29e674823bac7ea7c0e1f33cc From 4345d3c47bcb2687e1a46cbb793d71939a477610 Mon Sep 17 00:00:00 2001 From: Jeff Law Date: Mon, 10 May 2021 12:08:39 -0600 Subject: [PATCH 087/163] Re-enable LTO --- dovecot.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index aba275c..5c8751a 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.14 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -133,9 +133,6 @@ This package provides the development files for dovecot. sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in %build -# This package references hidden symbols during an LTO link. This needs further -# investigation. Until then, disable LTO -%define _lto_cflags %{nil} #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules %global _hardened_build 1 export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" @@ -452,6 +449,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon May 10 2021 Jeff Law - 1:2.3.14-2 +- Re-enable LTO + * Mon Mar 22 2021 Michal Hlavinka - 1:2.3.14-1 - dovecot updated to 2.3.14, pigeonhole to 0.5.14 - use OpenSSL's implementation of HMAC From ec859bf9de446e4e1d1d5b333871ab3bf662338d Mon Sep 17 00:00:00 2001 From: Pete Walter Date: Wed, 19 May 2021 16:45:17 +0100 Subject: [PATCH 088/163] Rebuild for ICU 69 --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 5c8751a..5b72de5 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.14 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -449,6 +449,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed May 19 2021 Pete Walter - 1:2.3.14-3 +- Rebuild for ICU 69 + * Mon May 10 2021 Jeff Law - 1:2.3.14-2 - Re-enable LTO From 9e2964f1dde7dee5a366c7e0d0cd3431dd9a9b14 Mon Sep 17 00:00:00 2001 From: Pete Walter Date: Thu, 20 May 2021 00:58:00 +0100 Subject: [PATCH 089/163] Rebuild for ICU 69 --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 5b72de5..6c24c47 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,7 +5,7 @@ Name: dovecot Epoch: 1 Version: 2.3.14 %global prever %{nil} -Release: 3%{?dist} +Release: 4%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -449,6 +449,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed May 19 2021 Pete Walter - 1:2.3.14-4 +- Rebuild for ICU 69 + * Wed May 19 2021 Pete Walter - 1:2.3.14-3 - Rebuild for ICU 69 From f838a05fb90576dd53b8339860d7bea120a83778 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 21 Jun 2021 23:25:54 +0200 Subject: [PATCH 090/163] dovecot updated to 2.3.15, pigeonhole updated to 0.5.15 CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens, if attacker has local access. CVE-2021-33515: On-path attacker could have injected plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client. Add TSLv1.3 support to min_protocols. Allow configuring ssl_cipher_suites. (for TLSv1.3+) --- dovecot-2.1.10-waitonline.patch | 12 +++++----- dovecot-2.2.20-initbysystemd.patch | 35 +++++++++++++++++------------- dovecot-2.3.11-bigkey.patch | 8 +++---- dovecot-2.3.15-fixvalcond.patch | 24 ++++++++++++++++++++ dovecot-2.3.15-valbasherr.patch | 20 +++++++++++++++++ dovecot.spec | 24 +++++++++++++++++--- sources | 4 ++-- 7 files changed, 97 insertions(+), 30 deletions(-) create mode 100644 dovecot-2.3.15-fixvalcond.patch create mode 100644 dovecot-2.3.15-valbasherr.patch diff --git a/dovecot-2.1.10-waitonline.patch b/dovecot-2.1.10-waitonline.patch index 2b1cd42..af3ce19 100644 --- a/dovecot-2.1.10-waitonline.patch +++ b/dovecot-2.1.10-waitonline.patch @@ -1,11 +1,11 @@ -diff -up dovecot-2.3.0.1/dovecot.service.in.waitonline dovecot-2.3.0.1/dovecot.service.in ---- dovecot-2.3.0.1/dovecot.service.in.waitonline 2018-03-01 10:35:39.888371078 +0100 -+++ dovecot-2.3.0.1/dovecot.service.in 2018-03-01 10:36:29.738784661 +0100 -@@ -12,6 +12,7 @@ After=local-fs.target network-online.tar +diff -up dovecot-2.3.15/dovecot.service.in.waitonline dovecot-2.3.15/dovecot.service.in +--- dovecot-2.3.15/dovecot.service.in.waitonline 2021-06-21 20:19:19.560494654 +0200 ++++ dovecot-2.3.15/dovecot.service.in 2021-06-21 20:21:17.443066248 +0200 +@@ -15,6 +15,7 @@ After=local-fs.target network-online.tar [Service] - Type=simple + Type=@systemdservicetype@ +ExecStartPre=/usr/libexec/dovecot/prestartscript ExecStart=@sbindir@/dovecot -F - PIDFile=@rundir@/master.pid ExecReload=@bindir@/doveadm reload + ExecStop=@bindir@/doveadm stop diff --git a/dovecot-2.2.20-initbysystemd.patch b/dovecot-2.2.20-initbysystemd.patch index 85327ee..313e26b 100644 --- a/dovecot-2.2.20-initbysystemd.patch +++ b/dovecot-2.2.20-initbysystemd.patch @@ -1,6 +1,6 @@ -diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dovecot-init.service ---- dovecot-2.3.0.1/dovecot-init.service.initbysystemd 2018-03-01 10:38:22.059716008 +0100 -+++ dovecot-2.3.0.1/dovecot-init.service 2018-03-01 10:38:22.059716008 +0100 +diff -up dovecot-2.3.15/dovecot-init.service.initbysystemd dovecot-2.3.15/dovecot-init.service +--- dovecot-2.3.15/dovecot-init.service.initbysystemd 2021-06-21 20:21:49.250680889 +0200 ++++ dovecot-2.3.15/dovecot-init.service 2021-06-21 20:21:49.250680889 +0200 @@ -0,0 +1,13 @@ +[Unit] +Description=One-time Dovecot init service @@ -15,10 +15,10 @@ diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dove + SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;\ +fi' + -diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/dovecot.service.in ---- dovecot-2.3.0.1/dovecot.service.in.initbysystemd 2018-03-01 10:38:22.060716016 +0100 -+++ dovecot-2.3.0.1/dovecot.service.in 2018-03-01 10:40:45.524901319 +0100 -@@ -8,7 +8,8 @@ +diff -up dovecot-2.3.15/dovecot.service.in.initbysystemd dovecot-2.3.15/dovecot.service.in +--- dovecot-2.3.15/dovecot.service.in.initbysystemd 2021-06-21 20:21:49.250680889 +0200 ++++ dovecot-2.3.15/dovecot.service.in 2021-06-21 20:22:46.935981920 +0200 +@@ -11,7 +11,8 @@ Description=Dovecot IMAP/POP3 email server Documentation=man:dovecot(1) Documentation=https://doc.dovecot.org/ @@ -27,20 +27,25 @@ diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/doveco +Requires=dovecot-init.service [Service] - Type=simple -diff -up dovecot-2.3.0.1/Makefile.am.initbysystemd dovecot-2.3.0.1/Makefile.am ---- dovecot-2.3.0.1/Makefile.am.initbysystemd 2018-02-28 15:28:57.000000000 +0100 -+++ dovecot-2.3.0.1/Makefile.am 2018-03-01 10:38:22.060716016 +0100 -@@ -63,9 +63,10 @@ if HAVE_SYSTEMD + Type=@systemdservicetype@ +diff -up dovecot-2.3.15/Makefile.am.initbysystemd dovecot-2.3.15/Makefile.am +--- dovecot-2.3.15/Makefile.am.initbysystemd 2021-06-21 20:21:49.250680889 +0200 ++++ dovecot-2.3.15/Makefile.am 2021-06-21 20:24:26.676765849 +0200 +@@ -21,6 +21,7 @@ EXTRA_DIST = \ + run-test-valgrind.supp \ + dovecot.service.in \ + dovecot.socket \ ++ dovecot-init.service \ + $(conf_DATA) + noinst_DATA = dovecot-config +@@ -69,7 +70,8 @@ dovecot-config: dovecot-config.in Makefi + if WANT_SYSTEMD systemdsystemunit_DATA = \ dovecot.socket \ - dovecot.service + dovecot.service \ + dovecot-init.service - else --EXTRA_DIST += dovecot.socket dovecot.service.in -+EXTRA_DIST += dovecot.socket dovecot.service.in dovecot-init.service endif install-exec-hook: diff --git a/dovecot-2.3.11-bigkey.patch b/dovecot-2.3.11-bigkey.patch index c5b23d9..dc81a33 100644 --- a/dovecot-2.3.11-bigkey.patch +++ b/dovecot-2.3.11-bigkey.patch @@ -1,9 +1,9 @@ -diff -up dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey dovecot-2.2.36/doc/dovecot-openssl.cnf ---- dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey 2017-06-23 13:18:28.000000000 +0200 -+++ dovecot-2.2.36/doc/dovecot-openssl.cnf 2018-10-16 17:15:35.836205498 +0200 +diff -up dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey dovecot-2.3.15/doc/dovecot-openssl.cnf +--- dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey 2021-06-21 20:24:51.913456628 +0200 ++++ dovecot-2.3.15/doc/dovecot-openssl.cnf 2021-06-21 20:25:36.352912123 +0200 @@ -1,5 +1,5 @@ [ req ] --default_bits = 1024 +-default_bits = 2048 +default_bits = 3072 encrypt_key = yes distinguished_name = req_dn diff --git a/dovecot-2.3.15-fixvalcond.patch b/dovecot-2.3.15-fixvalcond.patch new file mode 100644 index 0000000..6262271 --- /dev/null +++ b/dovecot-2.3.15-fixvalcond.patch @@ -0,0 +1,24 @@ +diff -up dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c +--- dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-06-21 23:07:55.269814896 +0200 ++++ dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-06-21 23:07:55.298814544 +0200 +@@ -109,7 +109,7 @@ static int sieve_dict_script_get_stream + { + struct sieve_dict_script *dscript = + (struct sieve_dict_script *)script; +- const char *path, *name = script->name, *data, *error; ++ const char *path, *name = script->name, *data, *error = NULL; + int ret; + + dscript->data_pool = +diff -up dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.15/src/lib-storage/index/index-attribute.c +--- dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond 2021-06-14 15:40:37.000000000 +0200 ++++ dovecot-2.3.15/src/lib-storage/index/index-attribute.c 2021-06-21 21:52:22.963171229 +0200 +@@ -249,7 +249,7 @@ int index_storage_attribute_get(struct m + struct mail_attribute_value *value_r) + { + struct dict *dict; +- const char *mailbox_prefix, *error; ++ const char *mailbox_prefix, *error = NULL; + int ret; + + i_zero(value_r); diff --git a/dovecot-2.3.15-valbasherr.patch b/dovecot-2.3.15-valbasherr.patch new file mode 100644 index 0000000..bbcb86f --- /dev/null +++ b/dovecot-2.3.15-valbasherr.patch @@ -0,0 +1,20 @@ +diff -up dovecot-2.3.15/run-test-valgrind.supp.valbasherr dovecot-2.3.15/run-test-valgrind.supp +--- dovecot-2.3.15/run-test-valgrind.supp.valbasherr 2021-06-21 22:52:53.272707239 +0200 ++++ dovecot-2.3.15/run-test-valgrind.supp 2021-06-21 22:54:19.786668430 +0200 +@@ -1,4 +1,16 @@ + { ++ ++ Memcheck:Leak ++ match-leak-kinds: definite ++ fun:malloc ++ fun:make_if_command ++ fun:yyparse ++ fun:parse_command ++ fun:read_command ++ fun:reader_loop ++ fun:main ++} ++{ + + Memcheck:Leak + fun:malloc diff --git a/dovecot.spec b/dovecot.spec index 6c24c47..77819bd 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.14 +Version: 2.3.15 %global prever %{nil} -Release: 4%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.14 +%global pigeonholever 0.5.15 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -38,6 +38,8 @@ Patch15: dovecot-2.3.11-bigkey.patch # not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces # hard to break circular dependency between lib and lib-dcrypt Patch16: dovecot-2.3.6-opensslhmac.patch +Patch17: dovecot-2.3.15-fixvalcond.patch +Patch18: dovecot-2.3.15-valbasherr.patch Source15: prestartscript @@ -127,6 +129,11 @@ This package provides the development files for dovecot. %patch9 -p1 -b .systemd_w_protectsystem %patch15 -p1 -b .bigkey %patch16 -p1 -b .opensslhmac +%patch17 -p1 -b .fixvalcond +%patch18 -p1 -b .valbasherr +cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/ +# valgrind would fail with shell wrapper +echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -449,6 +456,17 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Jun 21 2021 Michal Hlavinka - 1:2.3.15-1 +- dovecot updated to 2.3.15, pigeonhole updated to 0.5.15 +- CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in + JWT tokens. This may be used to supply attacker controlled keys to + validate tokens, if attacker has local access. +- CVE-2021-33515: On-path attacker could have injected plaintext commands + before STARTTLS negotiation that would be executed after STARTTLS + finished with the client. +- Add TSLv1.3 support to min_protocols. +- Allow configuring ssl_cipher_suites. (for TLSv1.3+) + * Wed May 19 2021 Pete Walter - 1:2.3.14-4 - Rebuild for ICU 69 diff --git a/sources b/sources index a7b5e63..93a735e 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.14.tar.gz) = 69df234cb739c7ee7ae3acfb9756bc22481e94c95463d32bfac315c7ec4b1ba0dfbff552b769f2ab7ee554087ca2ebbe331aa008d3af26417016612dc7cad103 -SHA512 (dovecot-2.3-pigeonhole-0.5.14.tar.gz) = c5d5d309769eabe2c0971646d0c14d166b6b524acf59e1069eca803f764544fa2535c09c9a630ca706aa70442b688ee26af831d29e674823bac7ea7c0e1f33cc +SHA512 (dovecot-2.3.15.tar.gz) = 75bbdbeac663da109f78dba06c42bb5193e911c6b3c64f055fc4473ae9afaf0c8304c49fc7f06c5c6b61e67dd13dc21fbed6ff160a99f38f547c88ba05e6b03a +SHA512 (dovecot-2.3-pigeonhole-0.5.15.tar.gz) = 521070080802bf2a50cd0ff0af5dc991c04d70b807abc2cd9aa567444a4869f5f42800f19d9b740a519bd4069437139e70ca6ae4b905479fcec8faa133ac5f54 From 2e3cc75314f8112272746f5e4452a7d67eae36ce Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 23 Jun 2021 09:58:10 +0200 Subject: [PATCH 091/163] fix FTBFS --- dovecot.spec | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 77819bd..2cf361e 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -1,5 +1,10 @@ %global __provides_exclude_from %{_docdir} %global __requires_exclude_from %{_docdir} + +# FIXME: lto and annobin breaks build atm, retest after 2021-08 +%global _lto_cflags %nil +%undefine _annotated_build + Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 @@ -38,6 +43,8 @@ Patch15: dovecot-2.3.11-bigkey.patch # not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces # hard to break circular dependency between lib and lib-dcrypt Patch16: dovecot-2.3.6-opensslhmac.patch + +# FTBFS Patch17: dovecot-2.3.15-fixvalcond.patch Patch18: dovecot-2.3.15-valbasherr.patch @@ -62,6 +69,11 @@ BuildRequires: libicu-devel BuildRequires: libexttextcat-devel BuildRequires: libstemmer-devel BuildRequires: multilib-rpm-config +BuildRequires: flex, bison +BuildRequires: systemd-devel +%if %{?fedora}0 >= 35 +BuildRequires: glibc-gconv-extra +%endif # gettext-devel is needed for running autoconf because of the # presence of AM_ICONV @@ -149,6 +161,7 @@ autoreconf -I . -fiv #required for aarch64 support %configure \ INSTALL_DATA="install -c -p -m644" \ --with-rundir=%{_rundir}/%{name} \ + --with-systemd \ --docdir=%{_docdir}/%{name} \ --disable-static \ --disable-rpath \ @@ -171,7 +184,6 @@ autoreconf -I . -fiv #required for aarch64 support --with-solr \ --with-systemdsystemunitdir=%{_unitdir} \ --with-docs - sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf %make_build From b920232ea61ed6d8a49be619a549d0b5973a308c Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 23 Jun 2021 11:32:21 +0200 Subject: [PATCH 092/163] fix spec file condition --- dovecot.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 2cf361e..bfb1f47 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -71,7 +71,7 @@ BuildRequires: libstemmer-devel BuildRequires: multilib-rpm-config BuildRequires: flex, bison BuildRequires: systemd-devel -%if %{?fedora}0 >= 35 +%if %{?fedora}0 >= 350 BuildRequires: glibc-gconv-extra %endif From 4439c8a8338489cc888d790471f5621000b07406 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 21 Jul 2021 21:05:11 +0000 Subject: [PATCH 093/163] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index bfb1f47..3f86e46 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -10,7 +10,7 @@ Name: dovecot Epoch: 1 Version: 2.3.15 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -468,6 +468,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Jul 21 2021 Fedora Release Engineering - 1:2.3.15-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + * Mon Jun 21 2021 Michal Hlavinka - 1:2.3.15-1 - dovecot updated to 2.3.15, pigeonhole updated to 0.5.15 - CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in From 5a2167681c759db4d023582af721b209760d7629 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Fri, 20 Aug 2021 21:40:35 +0200 Subject: [PATCH 094/163] dovecot updated to 2.3.16, pigeonhole to 0.5.16 fixes several regressions --- dovecot-2.3.15-fixvalcond.patch | 4 ++-- dovecot.spec | 10 +++++++--- sources | 4 ++-- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/dovecot-2.3.15-fixvalcond.patch b/dovecot-2.3.15-fixvalcond.patch index 6262271..82bdafc 100644 --- a/dovecot-2.3.15-fixvalcond.patch +++ b/dovecot-2.3.15-fixvalcond.patch @@ -1,6 +1,6 @@ diff -up dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c ---- dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-06-21 23:07:55.269814896 +0200 -+++ dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-06-21 23:07:55.298814544 +0200 +--- dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-06-21 23:07:55.269814896 +0200 ++++ dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-06-21 23:07:55.298814544 +0200 @@ -109,7 +109,7 @@ static int sieve_dict_script_get_stream { struct sieve_dict_script *dscript = diff --git a/dovecot.spec b/dovecot.spec index 3f86e46..4bb5efb 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -8,9 +8,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.15 +Version: 2.3.16 %global prever %{nil} -Release: 2%{?dist} +Release: %{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -18,7 +18,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.15 +%global pigeonholever 0.5.16 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -468,6 +468,10 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Fri Aug 20 2021 Michal Hlavinka - 1:2.3.16-1 +- dovecot updated to 2.3.16, pigeonhole to 0.5.16 +- fixes several regressions + * Wed Jul 21 2021 Fedora Release Engineering - 1:2.3.15-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild diff --git a/sources b/sources index 93a735e..da08013 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.15.tar.gz) = 75bbdbeac663da109f78dba06c42bb5193e911c6b3c64f055fc4473ae9afaf0c8304c49fc7f06c5c6b61e67dd13dc21fbed6ff160a99f38f547c88ba05e6b03a -SHA512 (dovecot-2.3-pigeonhole-0.5.15.tar.gz) = 521070080802bf2a50cd0ff0af5dc991c04d70b807abc2cd9aa567444a4869f5f42800f19d9b740a519bd4069437139e70ca6ae4b905479fcec8faa133ac5f54 +SHA512 (dovecot-2.3-pigeonhole-0.5.16.tar.gz) = 880e00654eab85cc41b27ac470cce6011991e3cdb005642f495c2297fd9492bfb2b6b4ef63c88c2ac10bec870ad69b8bee6b11dd1bc5099e16c3cc2857312543 +SHA512 (dovecot-2.3.16.tar.gz) = 31a9d352c7ead466d65ee0535b1fbd9138e35235f1ebfeedc4eef54cba450663c59708d162eaf0712af1c40f23526ac86aab2eece8cefde3edf690127472fd1e From 76cf16c36f731857e1f57af5ec1742c7b03afe64 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Fri, 20 Aug 2021 21:41:35 +0200 Subject: [PATCH 095/163] fix release number --- dovecot.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 4bb5efb..443cf56 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -10,7 +10,7 @@ Name: dovecot Epoch: 1 Version: 2.3.16 %global prever %{nil} -Release: %{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 From 98b241328a0617ad8c08947ce56cd4fa81546ce9 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Fri, 20 Aug 2021 22:12:05 +0200 Subject: [PATCH 096/163] fix ftbfs for s390x --- dovecot-2.3.16-ftbfsbigend.patch | 53 ++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 dovecot-2.3.16-ftbfsbigend.patch diff --git a/dovecot-2.3.16-ftbfsbigend.patch b/dovecot-2.3.16-ftbfsbigend.patch new file mode 100644 index 0000000..762503b --- /dev/null +++ b/dovecot-2.3.16-ftbfsbigend.patch @@ -0,0 +1,53 @@ +commit ec4595097067a736717ef202fe8542b1b4bc2dd5 +Author: Timo Sirainen +Date: Tue Aug 10 12:22:08 2021 +0300 + + lib-index: Fix storing cache fields' last_used with 64bit big endian CPUs + +diff --git a/src/lib-index/mail-cache-fields.c b/src/lib-index/mail-cache-fields.c +index e929fb559d..429e0d234c 100644 +--- a/src/lib-index/mail-cache-fields.c ++++ b/src/lib-index/mail-cache-fields.c +@@ -524,6 +524,19 @@ static void copy_to_buf_byte(struct mail_cache *cache, buffer_t *dest, + } + } + ++static void ++copy_to_buf_last_used(struct mail_cache *cache, buffer_t *dest, bool add_new) ++{ ++ size_t offset = offsetof(struct mail_cache_field, last_used); ++#if defined(WORDS_BIGENDIAN) && SIZEOF_VOID_P == 8 ++ /* 64bit time_t with big endian CPUs: copy the last 32 bits instead of ++ the first 32 bits (that are always 0). The 32 bits are enough until ++ year 2106, so we're not in a hurry to use 64 bits on disk. */ ++ offset += sizeof(uint32_t); ++#endif ++ copy_to_buf(cache, dest, add_new, offset, sizeof(uint32_t)); ++} ++ + static int mail_cache_header_fields_update_locked(struct mail_cache *cache) + { + buffer_t *buffer; +@@ -536,9 +549,7 @@ static int mail_cache_header_fields_update_locked(struct mail_cache *cache) + + buffer = t_buffer_create(256); + +- copy_to_buf(cache, buffer, FALSE, +- offsetof(struct mail_cache_field, last_used), +- sizeof(uint32_t)); ++ copy_to_buf_last_used(cache, buffer, FALSE); + ret = mail_cache_write(cache, buffer->data, buffer->used, + offset + MAIL_CACHE_FIELD_LAST_USED()); + if (ret == 0) { +@@ -599,9 +610,7 @@ void mail_cache_header_fields_get(struct mail_cache *cache, buffer_t *dest) + buffer_append(dest, &hdr, sizeof(hdr)); + + /* we have to keep the field order for the existing fields. */ +- copy_to_buf(cache, dest, TRUE, +- offsetof(struct mail_cache_field, last_used), +- sizeof(uint32_t)); ++ copy_to_buf_last_used(cache, dest, TRUE); + copy_to_buf(cache, dest, TRUE, + offsetof(struct mail_cache_field, field_size), + sizeof(uint32_t)); + From d3bbb3608fa7e3da8531857918006d6c9c639129 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Fri, 20 Aug 2021 22:51:18 +0200 Subject: [PATCH 097/163] also spec file change --- dovecot.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dovecot.spec b/dovecot.spec index 443cf56..7201319 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -47,6 +47,7 @@ Patch16: dovecot-2.3.6-opensslhmac.patch # FTBFS Patch17: dovecot-2.3.15-fixvalcond.patch Patch18: dovecot-2.3.15-valbasherr.patch +Patch19: dovecot-2.3.16-ftbfsbigend.patch Source15: prestartscript @@ -143,6 +144,7 @@ This package provides the development files for dovecot. %patch16 -p1 -b .opensslhmac %patch17 -p1 -b .fixvalcond %patch18 -p1 -b .valbasherr +%patch19 -p1 -b .ftbfsbigend cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude From a833b2f8baed0676b24dc9bb65e2ab99017413a8 Mon Sep 17 00:00:00 2001 From: Sahana Prasad Date: Tue, 14 Sep 2021 19:00:52 +0200 Subject: [PATCH 098/163] Rebuilt with OpenSSL 3.0.0 --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 7201319..bf0e87c 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -10,7 +10,7 @@ Name: dovecot Epoch: 1 Version: 2.3.16 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -470,6 +470,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Sep 14 2021 Sahana Prasad - 1:2.3.16-2 +- Rebuilt with OpenSSL 3.0.0 + * Fri Aug 20 2021 Michal Hlavinka - 1:2.3.16-1 - dovecot updated to 2.3.16, pigeonhole to 0.5.16 - fixes several regressions From b7a5210a80f05801b0fea9169010729abab70403 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 27 Sep 2021 20:04:59 +0200 Subject: [PATCH 099/163] fix OpenSSLv3 issues 2005884 --- dovecot-2.3.14-opensslv3.patch | 34 ++++++++++++++++++++++++++++++++++ dovecot.spec | 7 ++++++- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.3.14-opensslv3.patch diff --git a/dovecot-2.3.14-opensslv3.patch b/dovecot-2.3.14-opensslv3.patch new file mode 100644 index 0000000..fa6c44f --- /dev/null +++ b/dovecot-2.3.14-opensslv3.patch @@ -0,0 +1,34 @@ +diff -up dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c +--- dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 2021-06-03 18:56:52.573174433 +0200 ++++ dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c 2021-06-03 18:56:52.585174274 +0200 +@@ -73,10 +73,30 @@ + 2key algo oid1symmetric algo namesalthash algoroundsE(RSA = i2d_PrivateKey, EC=Private Point)key id + **/ + ++#if OPENSSL_VERSION_MAJOR == 3 ++static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key) ++{ ++ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key); ++ EVP_PKEY_set1_EC_KEY(key, eck); ++ EC_KEY_free(eck); ++ return eck; ++} ++ ++static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key) ++{ ++ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key); ++ EVP_PKEY_set1_EC_KEY(key, eck); ++ return eck; ++} ++ ++#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3 ++#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3 ++#else + #ifndef HAVE_EVP_PKEY_get0 + #define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec + #define EVP_PKEY_get0_RSA(x) x->pkey.rsa + #endif ++#endif + + #ifndef HAVE_OBJ_LENGTH + #define OBJ_length(o) ((o)->length) diff --git a/dovecot.spec b/dovecot.spec index bf0e87c..f10ae50 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -10,7 +10,7 @@ Name: dovecot Epoch: 1 Version: 2.3.16 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -48,6 +48,7 @@ Patch16: dovecot-2.3.6-opensslhmac.patch Patch17: dovecot-2.3.15-fixvalcond.patch Patch18: dovecot-2.3.15-valbasherr.patch Patch19: dovecot-2.3.16-ftbfsbigend.patch +Patch20: dovecot-2.3.14-opensslv3.patch Source15: prestartscript @@ -145,6 +146,7 @@ This package provides the development files for dovecot. %patch17 -p1 -b .fixvalcond %patch18 -p1 -b .valbasherr %patch19 -p1 -b .ftbfsbigend +%patch20 -p1 -b .opensslv3 cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude @@ -470,6 +472,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Sep 27 2021 Michal Hlavinka - 1:2.3.16-3 +- fix OpenSSLv3 issues 2005884 + * Tue Sep 14 2021 Sahana Prasad - 1:2.3.16-2 - Rebuilt with OpenSSL 3.0.0 From abbc1b8cb5f6c815ea2a00bd63e7a13116ae7687 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 28 Sep 2021 13:50:59 +0200 Subject: [PATCH 100/163] reenable LTO --- dovecot.spec | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index f10ae50..538a011 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -1,25 +1,21 @@ %global __provides_exclude_from %{_docdir} %global __requires_exclude_from %{_docdir} -# FIXME: lto and annobin breaks build atm, retest after 2021-08 -%global _lto_cflags %nil -%undefine _annotated_build - Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 Version: 2.3.16 %global prever %{nil} -Release: 3%{?dist} +Release: 4%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 -URL: http://www.dovecot.org/ -Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz +URL: https://www.dovecot.org/ +Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam %global pigeonholever 0.5.16 -Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz +Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -472,6 +468,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Sep 28 2021 Michal Hlavinka - 1:2.3.16-4 +- reenable LTO + * Mon Sep 27 2021 Michal Hlavinka - 1:2.3.16-3 - fix OpenSSLv3 issues 2005884 From 00e2d877808c82b6e0c45b69dbe19052aad33164 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 2 Nov 2021 21:53:11 +0100 Subject: [PATCH 101/163] dovecot updated to 2.3.17, pigeonhole to 0.5.17 --- dovecot-2.3.15-fixvalcond.patch | 20 ++++++++++---------- dovecot.spec | 9 ++++++--- sources | 4 ++-- 3 files changed, 18 insertions(+), 15 deletions(-) diff --git a/dovecot-2.3.15-fixvalcond.patch b/dovecot-2.3.15-fixvalcond.patch index 82bdafc..5137a1d 100644 --- a/dovecot-2.3.15-fixvalcond.patch +++ b/dovecot-2.3.15-fixvalcond.patch @@ -1,19 +1,19 @@ -diff -up dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c ---- dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-06-21 23:07:55.269814896 +0200 -+++ dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-06-21 23:07:55.298814544 +0200 -@@ -109,7 +109,7 @@ static int sieve_dict_script_get_stream - { - struct sieve_dict_script *dscript = +diff -up dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.17/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.17/src/lib-sieve/storage/dict/sieve-dict-script.c +--- dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.17/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100 ++++ dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.17/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100 +@@ -114,7 +114,7 @@ static int sieve_dict_script_get_stream (struct sieve_dict_script *)script; + struct sieve_dict_storage *dstorage = + (struct sieve_dict_storage *)script->storage; - const char *path, *name = script->name, *data, *error; + const char *path, *name = script->name, *data, *error = NULL; int ret; dscript->data_pool = -diff -up dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.15/src/lib-storage/index/index-attribute.c ---- dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond 2021-06-14 15:40:37.000000000 +0200 -+++ dovecot-2.3.15/src/lib-storage/index/index-attribute.c 2021-06-21 21:52:22.963171229 +0200 -@@ -249,7 +249,7 @@ int index_storage_attribute_get(struct m +diff -up dovecot-2.3.17/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.17/src/lib-storage/index/index-attribute.c +--- dovecot-2.3.17/src/lib-storage/index/index-attribute.c.fixvalcond 2021-10-27 13:09:04.000000000 +0200 ++++ dovecot-2.3.17/src/lib-storage/index/index-attribute.c 2021-11-02 21:51:36.109032050 +0100 +@@ -248,7 +248,7 @@ int index_storage_attribute_get(struct m struct mail_attribute_value *value_r) { struct dict *dict; diff --git a/dovecot.spec b/dovecot.spec index 538a011..5991fbc 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -4,9 +4,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.16 +Version: 2.3.17 %global prever %{nil} -Release: 4%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -14,7 +14,7 @@ URL: https://www.dovecot.org/ Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.16 +%global pigeonholever 0.5.17 Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -468,6 +468,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Nov 02 2021 Michal Hlavinka - 1:2.3.17-1 +- dovecot updated to 2.3.17, pigeonhole to 0.5.17 + * Tue Sep 28 2021 Michal Hlavinka - 1:2.3.16-4 - reenable LTO diff --git a/sources b/sources index da08013..c9b3cac 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3-pigeonhole-0.5.16.tar.gz) = 880e00654eab85cc41b27ac470cce6011991e3cdb005642f495c2297fd9492bfb2b6b4ef63c88c2ac10bec870ad69b8bee6b11dd1bc5099e16c3cc2857312543 -SHA512 (dovecot-2.3.16.tar.gz) = 31a9d352c7ead466d65ee0535b1fbd9138e35235f1ebfeedc4eef54cba450663c59708d162eaf0712af1c40f23526ac86aab2eece8cefde3edf690127472fd1e +SHA512 (dovecot-2.3.17.tar.gz) = 5b45d0f2f8af5cf095aff35f8e6a74bbbfd153b6e4596510eade671507d77476544e3a012087b4d4432c0399601f29a49cdf8b34249438f440031c8d027d1cd3 +SHA512 (dovecot-2.3-pigeonhole-0.5.17.tar.gz) = c4bf69504ec22de53bfeffb55fc95438fb0f648390ca6e6485f652e2e74a34cd7508390bb595b958cbabc53f0e20fbc42e163b2682dc65159fae2acafbd94bad From 0874a3628a8033fc23930f343d97083cb18a3441 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 7 Dec 2021 22:22:53 +0100 Subject: [PATCH 102/163] dovecot updated to 2.3.17.1, pigeonhole to 0.5.17.1 dsync: Add back accidentically removed parameters. lib-ssl-iostream: Fix assert-crash when OpenSSL returned syscall error without errno. dovecot, managesieve and sieve-tool failed to run if ssl_ca was too large. --- dovecot-2.3.15-fixvalcond.patch | 4 ++-- dovecot.spec | 13 ++++++++++--- sources | 4 ++-- 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/dovecot-2.3.15-fixvalcond.patch b/dovecot-2.3.15-fixvalcond.patch index 5137a1d..26090a1 100644 --- a/dovecot-2.3.15-fixvalcond.patch +++ b/dovecot-2.3.15-fixvalcond.patch @@ -1,6 +1,6 @@ diff -up dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.17/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.17/src/lib-sieve/storage/dict/sieve-dict-script.c ---- dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.17/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100 -+++ dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.17/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100 +--- dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.17.1/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100 ++++ dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.17.1/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100 @@ -114,7 +114,7 @@ static int sieve_dict_script_get_stream (struct sieve_dict_script *)script; struct sieve_dict_storage *dstorage = diff --git a/dovecot.spec b/dovecot.spec index 5991fbc..c5f5885 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -4,7 +4,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.17 +Version: 2.3.17.1 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -14,7 +14,7 @@ URL: https://www.dovecot.org/ Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.17 +%global pigeonholever 0.5.17.1 Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -70,7 +70,7 @@ BuildRequires: multilib-rpm-config BuildRequires: flex, bison BuildRequires: systemd-devel %if %{?fedora}0 >= 350 -BuildRequires: glibc-gconv-extra +#BuildRequires: glibc-gconv-extra %endif # gettext-devel is needed for running autoconf because of the @@ -468,6 +468,13 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Dec 07 2021 Michal Hlavinka - 1:2.3.17.1-1 +- dovecot updated to 2.3.17.1, pigeonhole to 0.5.17.1 +- dsync: Add back accidentically removed parameters. +- lib-ssl-iostream: Fix assert-crash when OpenSSL returned syscall error + without errno. +- dovecot, managesieve and sieve-tool failed to run if ssl_ca was too large. + * Tue Nov 02 2021 Michal Hlavinka - 1:2.3.17-1 - dovecot updated to 2.3.17, pigeonhole to 0.5.17 diff --git a/sources b/sources index c9b3cac..76a3cc8 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.17.tar.gz) = 5b45d0f2f8af5cf095aff35f8e6a74bbbfd153b6e4596510eade671507d77476544e3a012087b4d4432c0399601f29a49cdf8b34249438f440031c8d027d1cd3 -SHA512 (dovecot-2.3-pigeonhole-0.5.17.tar.gz) = c4bf69504ec22de53bfeffb55fc95438fb0f648390ca6e6485f652e2e74a34cd7508390bb595b958cbabc53f0e20fbc42e163b2682dc65159fae2acafbd94bad +SHA512 (dovecot-2.3.17.1.tar.gz) = 976aa4f68e86f401e5766017e1702740d5b03892aff98f31f9ef0c6d242311d0f4b50d7faa426306bf1c902d7fc6d021438977bc887fa66ee360b069ec32ad79 +SHA512 (dovecot-2.3-pigeonhole-0.5.17.1.tar.gz) = 632a963d90a3fa052f314360d59ff25274d80952307ab5dd9193a2713ebf686500a7b2559b56f04b07e0a261066eed9b8525b14197f3be51728af09acb76e894 From e195fa62dc0843d54b378f306a6aca7669cca2e9 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 20 Jan 2022 00:59:08 +0000 Subject: [PATCH 103/163] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index c5f5885..83c58e2 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.17.1 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -468,6 +468,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Jan 20 2022 Fedora Release Engineering - 1:2.3.17.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Tue Dec 07 2021 Michal Hlavinka - 1:2.3.17.1-1 - dovecot updated to 2.3.17.1, pigeonhole to 0.5.17.1 - dsync: Add back accidentically removed parameters. From f9a454dd49393ac6e2df3adf8d13411b2698db6c Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 9 Feb 2022 10:15:45 +0100 Subject: [PATCH 104/163] updated to 2.3.18, pigeonhole to 0.5.18 --- dovecot-2.3.15-fixvalcond.patch | 6 +- dovecot-2.3.16-ftbfsbigend.patch | 53 -------------- dovecot-2.3.6-opensslhmac.patch | 114 +++++++++++++++---------------- dovecot.spec | 11 +-- sources | 4 +- 5 files changed, 68 insertions(+), 120 deletions(-) delete mode 100644 dovecot-2.3.16-ftbfsbigend.patch diff --git a/dovecot-2.3.15-fixvalcond.patch b/dovecot-2.3.15-fixvalcond.patch index 26090a1..6711010 100644 --- a/dovecot-2.3.15-fixvalcond.patch +++ b/dovecot-2.3.15-fixvalcond.patch @@ -1,6 +1,6 @@ -diff -up dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.17/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.17/src/lib-sieve/storage/dict/sieve-dict-script.c ---- dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.17.1/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100 -+++ dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.17.1/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100 +diff -up dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.18/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.18/src/lib-sieve/storage/dict/sieve-dict-script.c +--- dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.18/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100 ++++ dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.18/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100 @@ -114,7 +114,7 @@ static int sieve_dict_script_get_stream (struct sieve_dict_script *)script; struct sieve_dict_storage *dstorage = diff --git a/dovecot-2.3.16-ftbfsbigend.patch b/dovecot-2.3.16-ftbfsbigend.patch deleted file mode 100644 index 762503b..0000000 --- a/dovecot-2.3.16-ftbfsbigend.patch +++ /dev/null @@ -1,53 +0,0 @@ -commit ec4595097067a736717ef202fe8542b1b4bc2dd5 -Author: Timo Sirainen -Date: Tue Aug 10 12:22:08 2021 +0300 - - lib-index: Fix storing cache fields' last_used with 64bit big endian CPUs - -diff --git a/src/lib-index/mail-cache-fields.c b/src/lib-index/mail-cache-fields.c -index e929fb559d..429e0d234c 100644 ---- a/src/lib-index/mail-cache-fields.c -+++ b/src/lib-index/mail-cache-fields.c -@@ -524,6 +524,19 @@ static void copy_to_buf_byte(struct mail_cache *cache, buffer_t *dest, - } - } - -+static void -+copy_to_buf_last_used(struct mail_cache *cache, buffer_t *dest, bool add_new) -+{ -+ size_t offset = offsetof(struct mail_cache_field, last_used); -+#if defined(WORDS_BIGENDIAN) && SIZEOF_VOID_P == 8 -+ /* 64bit time_t with big endian CPUs: copy the last 32 bits instead of -+ the first 32 bits (that are always 0). The 32 bits are enough until -+ year 2106, so we're not in a hurry to use 64 bits on disk. */ -+ offset += sizeof(uint32_t); -+#endif -+ copy_to_buf(cache, dest, add_new, offset, sizeof(uint32_t)); -+} -+ - static int mail_cache_header_fields_update_locked(struct mail_cache *cache) - { - buffer_t *buffer; -@@ -536,9 +549,7 @@ static int mail_cache_header_fields_update_locked(struct mail_cache *cache) - - buffer = t_buffer_create(256); - -- copy_to_buf(cache, buffer, FALSE, -- offsetof(struct mail_cache_field, last_used), -- sizeof(uint32_t)); -+ copy_to_buf_last_used(cache, buffer, FALSE); - ret = mail_cache_write(cache, buffer->data, buffer->used, - offset + MAIL_CACHE_FIELD_LAST_USED()); - if (ret == 0) { -@@ -599,9 +610,7 @@ void mail_cache_header_fields_get(struct mail_cache *cache, buffer_t *dest) - buffer_append(dest, &hdr, sizeof(hdr)); - - /* we have to keep the field order for the existing fields. */ -- copy_to_buf(cache, dest, TRUE, -- offsetof(struct mail_cache_field, last_used), -- sizeof(uint32_t)); -+ copy_to_buf_last_used(cache, dest, TRUE); - copy_to_buf(cache, dest, TRUE, - offsetof(struct mail_cache_field, field_size), - sizeof(uint32_t)); - diff --git a/dovecot-2.3.6-opensslhmac.patch b/dovecot-2.3.6-opensslhmac.patch index ba6453b..53f3321 100644 --- a/dovecot-2.3.6-opensslhmac.patch +++ b/dovecot-2.3.6-opensslhmac.patch @@ -1,6 +1,6 @@ -diff -up dovecot-2.3.14/src/auth/auth-token.c.opensslhmac dovecot-2.3.14/src/auth/auth-token.c ---- dovecot-2.3.14/src/auth/auth-token.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/auth/auth-token.c 2021-03-22 20:44:13.022912242 +0100 +diff -up dovecot-2.3.18/src/auth/auth-token.c.opensslhmac dovecot-2.3.18/src/auth/auth-token.c +--- dovecot-2.3.18/src/auth/auth-token.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/auth/auth-token.c 2022-02-09 09:27:15.887883359 +0100 @@ -161,17 +161,17 @@ void auth_token_deinit(void) const char *auth_token_get(const char *service, const char *session_pid, const char *username, const char *session_id) @@ -26,9 +26,9 @@ diff -up dovecot-2.3.14/src/auth/auth-token.c.opensslhmac dovecot-2.3.14/src/aut return binary_to_hex(result, sizeof(result)); } -diff -up dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.14/src/auth/mech-cram-md5.c ---- dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/auth/mech-cram-md5.c 2021-03-22 20:44:13.022912242 +0100 +diff -up dovecot-2.3.18/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.18/src/auth/mech-cram-md5.c +--- dovecot-2.3.18/src/auth/mech-cram-md5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/auth/mech-cram-md5.c 2022-02-09 09:27:15.887883359 +0100 @@ -51,7 +51,7 @@ static bool verify_credentials(struct cr { @@ -52,10 +52,10 @@ diff -up dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.14/src/ response_hex = binary_to_hex(digest, sizeof(digest)); -diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/auth/mech-scram.c ---- dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/auth/mech-scram.c 2021-03-22 20:44:13.022912242 +0100 -@@ -78,7 +78,7 @@ static const char *get_scram_server_firs +diff -up dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac dovecot-2.3.18/src/auth/mech-scram.c +--- dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/auth/mech-scram.c 2022-02-09 09:31:50.927146858 +0100 +@@ -93,7 +93,7 @@ get_scram_server_first(struct scram_auth static const char *get_scram_server_final(struct scram_auth_request *request) { const struct hash_method *hmethod = request->hash_method; @@ -64,7 +64,7 @@ diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/aut const char *auth_message; unsigned char server_signature[hmethod->digest_size]; string_t *str; -@@ -87,9 +87,9 @@ static const char *get_scram_server_fina +@@ -109,9 +109,9 @@ static const char *get_scram_server_fina request->server_first_message, ",", request->client_final_message_without_proof, NULL); @@ -75,9 +75,9 @@ diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/aut + openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); + openssl_hmac_final(&ctx, server_signature); - str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(server_signature))); - str_append(str, "v="); -@@ -228,7 +228,7 @@ static bool parse_scram_client_first(str + /* RFC 5802, Section 7: + +@@ -292,7 +292,7 @@ parse_scram_client_first(struct scram_au static bool verify_credentials(struct scram_auth_request *request) { const struct hash_method *hmethod = request->hash_method; @@ -86,7 +86,7 @@ diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/aut const char *auth_message; unsigned char client_key[hmethod->digest_size]; unsigned char client_signature[hmethod->digest_size]; -@@ -239,9 +239,9 @@ static bool verify_credentials(struct sc +@@ -310,9 +310,9 @@ static bool verify_credentials(struct sc request->server_first_message, ",", request->client_final_message_without_proof, NULL); @@ -97,11 +97,11 @@ diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/aut + openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); + openssl_hmac_final(&ctx, client_signature); + /* ClientProof := ClientKey XOR ClientSignature */ const unsigned char *proof_data = request->proof->data; - for (i = 0; i < sizeof(client_signature); i++) -diff -up dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme.c ---- dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/auth/password-scheme.c 2021-03-22 20:44:13.022912242 +0100 +diff -up dovecot-2.3.18/src/auth/password-scheme.c.opensslhmac dovecot-2.3.18/src/auth/password-scheme.c +--- dovecot-2.3.18/src/auth/password-scheme.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/auth/password-scheme.c 2022-02-09 09:27:15.888883345 +0100 @@ -639,11 +639,11 @@ static void cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, const unsigned char **raw_password_r, size_t *size_r) @@ -116,9 +116,9 @@ diff -up dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac dovecot-2.3.14/sr strlen(plaintext), &hash_method_md5); hmac_md5_get_cram_context(&ctx, context_digest); -diff -up dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme-scram.c ---- dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/auth/password-scheme-scram.c 2021-03-22 20:44:13.023912229 +0100 +diff -up dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.18/src/auth/password-scheme-scram.c +--- dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/auth/password-scheme-scram.c 2022-02-09 09:27:15.888883345 +0100 @@ -30,23 +30,23 @@ Hi(const struct hash_method *hmethod, co const unsigned char *salt, size_t salt_size, unsigned int i, unsigned char *result) @@ -208,9 +208,9 @@ diff -up dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3 str_append_c(str, ','); base64_encode(server_key, sizeof(server_key), str); -diff -up dovecot-2.3.14/src/lib/hmac.c.opensslhmac dovecot-2.3.14/src/lib/hmac.c ---- dovecot-2.3.14/src/lib/hmac.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib/hmac.c 2021-03-22 20:44:13.023912229 +0100 +diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c +--- dovecot-2.3.18/src/lib/hmac.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib/hmac.c 2022-02-09 09:27:15.888883345 +0100 @@ -7,6 +7,10 @@ * This software is released under the MIT license. */ @@ -448,9 +448,9 @@ diff -up dovecot-2.3.14/src/lib/hmac.c.opensslhmac dovecot-2.3.14/src/lib/hmac.c - safe_memset(prk, 0, sizeof(prk)); - safe_memset(okm, 0, sizeof(okm)); } -diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.c ---- dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib/hmac-cram-md5.c 2021-03-22 20:44:13.023912229 +0100 +diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.18/src/lib/hmac-cram-md5.c +--- dovecot-2.3.18/src/lib/hmac-cram-md5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib/hmac-cram-md5.c 2022-02-09 09:27:15.888883345 +0100 @@ -9,10 +9,10 @@ #include "md5.h" #include "hmac-cram-md5.h" @@ -477,9 +477,9 @@ diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.14/src/l const unsigned char *cdp; struct md5_context *ctx = (void*)hmac_ctx->ctx; -diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.h ---- dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib/hmac-cram-md5.h 2021-03-22 20:44:13.023912229 +0100 +diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.18/src/lib/hmac-cram-md5.h +--- dovecot-2.3.18/src/lib/hmac-cram-md5.h.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib/hmac-cram-md5.h 2022-02-09 09:27:15.888883345 +0100 @@ -5,9 +5,9 @@ #define CRAM_MD5_CONTEXTLEN 32 @@ -492,9 +492,9 @@ diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.14/src/l const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]); -diff -up dovecot-2.3.14/src/lib/hmac.h.opensslhmac dovecot-2.3.14/src/lib/hmac.h ---- dovecot-2.3.14/src/lib/hmac.h.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib/hmac.h 2021-03-22 20:44:13.023912229 +0100 +diff -up dovecot-2.3.18/src/lib/hmac.h.opensslhmac dovecot-2.3.18/src/lib/hmac.h +--- dovecot-2.3.18/src/lib/hmac.h.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib/hmac.h 2022-02-09 09:27:15.888883345 +0100 @@ -4,60 +4,97 @@ #include "hash-method.h" #include "sha1.h" @@ -606,9 +606,9 @@ diff -up dovecot-2.3.14/src/lib/hmac.h.opensslhmac dovecot-2.3.14/src/lib/hmac.h okm_buffer, okm_len); return okm_buffer; } -diff -up dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c ---- dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c 2021-03-22 20:44:13.023912229 +0100 +diff -up dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c +--- dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c 2022-02-09 09:27:15.888883345 +0100 @@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN], size_t *token_len_r) @@ -629,10 +629,10 @@ diff -up dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot- *token_len_r = SHA1_RESULTLEN + 1; return token; -diff -up dovecot-2.3.14/src/lib/Makefile.am.opensslhmac dovecot-2.3.14/src/lib/Makefile.am ---- dovecot-2.3.14/src/lib/Makefile.am.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib/Makefile.am 2021-03-22 20:44:13.023912229 +0100 -@@ -352,6 +352,9 @@ headers = \ +diff -up dovecot-2.3.18/src/lib/Makefile.am.opensslhmac dovecot-2.3.18/src/lib/Makefile.am +--- dovecot-2.3.18/src/lib/Makefile.am.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib/Makefile.am 2022-02-09 09:27:15.889883331 +0100 +@@ -354,6 +354,9 @@ headers = \ wildcard-match.h \ write-full.h @@ -642,10 +642,10 @@ diff -up dovecot-2.3.14/src/lib/Makefile.am.opensslhmac dovecot-2.3.14/src/lib/M test_programs = test-lib noinst_PROGRAMS = $(test_programs) -diff -up dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c ---- dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c 2021-03-22 20:44:13.024912217 +0100 -@@ -106,14 +106,14 @@ oauth2_validate_hmac(const struct oauth2 +diff -up dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c +--- dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c 2022-02-09 09:27:15.889883331 +0100 +@@ -144,14 +144,14 @@ oauth2_validate_hmac(const struct oauth2 if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0) return -1; @@ -666,10 +666,10 @@ diff -up dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.14/s buffer_t *their_digest = t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]); -diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c ---- dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c 2021-03-22 20:46:09.524440794 +0100 -@@ -236,7 +236,7 @@ static void save_key_to(const char *algo +diff -up dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c +--- dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c 2022-02-09 09:27:15.889883331 +0100 +@@ -248,7 +248,7 @@ static void save_key_azp_to(const char * static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key) { i_assert(key != NULL); @@ -678,7 +678,7 @@ diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3 tokenbuf); buffer_append(tokenbuf, ".", 1); base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, -@@ -246,7 +246,7 @@ static void sign_jwt_token_hs256(buffer_ +@@ -258,7 +258,7 @@ static void sign_jwt_token_hs256(buffer_ static void sign_jwt_token_hs384(buffer_t *tokenbuf, buffer_t *key) { i_assert(key != NULL); @@ -687,7 +687,7 @@ diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3 tokenbuf); buffer_append(tokenbuf, ".", 1); base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, -@@ -256,7 +256,7 @@ static void sign_jwt_token_hs384(buffer_ +@@ -268,7 +268,7 @@ static void sign_jwt_token_hs384(buffer_ static void sign_jwt_token_hs512(buffer_t *tokenbuf, buffer_t *key) { i_assert(key != NULL); @@ -696,9 +696,9 @@ diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3 tokenbuf); buffer_append(tokenbuf, ".", 1); base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, -diff -up dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac dovecot-2.3.14/src/lib/pkcs5.c ---- dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib/pkcs5.c 2021-03-22 20:44:13.024912217 +0100 +diff -up dovecot-2.3.18/src/lib/pkcs5.c.opensslhmac dovecot-2.3.18/src/lib/pkcs5.c +--- dovecot-2.3.18/src/lib/pkcs5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib/pkcs5.c 2022-02-09 09:27:15.889883331 +0100 @@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */ unsigned char dk[l * hash->digest_size]; @@ -733,9 +733,9 @@ diff -up dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac dovecot-2.3.14/src/lib/pkcs5 for(i = 0; i < hash->digest_size; i++) block[i] ^= U_c[i]; } -diff -up dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac dovecot-2.3.14/src/lib/test-hmac.c ---- dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100 -+++ dovecot-2.3.14/src/lib/test-hmac.c 2021-03-22 20:44:13.024912217 +0100 +diff -up dovecot-2.3.18/src/lib/test-hmac.c.opensslhmac dovecot-2.3.18/src/lib/test-hmac.c +--- dovecot-2.3.18/src/lib/test-hmac.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 ++++ dovecot-2.3.18/src/lib/test-hmac.c 2022-02-09 09:27:15.889883331 +0100 @@ -206,11 +206,11 @@ static void test_hmac_rfc(void) test_begin("hmac sha256 rfc4231 vectors"); for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) { diff --git a/dovecot.spec b/dovecot.spec index 83c58e2..dbee79d 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -4,9 +4,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.17.1 +Version: 2.3.18 %global prever %{nil} -Release: 2%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -14,7 +14,7 @@ URL: https://www.dovecot.org/ Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.17.1 +%global pigeonholever 0.5.18 Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -43,7 +43,6 @@ Patch16: dovecot-2.3.6-opensslhmac.patch # FTBFS Patch17: dovecot-2.3.15-fixvalcond.patch Patch18: dovecot-2.3.15-valbasherr.patch -Patch19: dovecot-2.3.16-ftbfsbigend.patch Patch20: dovecot-2.3.14-opensslv3.patch Source15: prestartscript @@ -141,7 +140,6 @@ This package provides the development files for dovecot. %patch16 -p1 -b .opensslhmac %patch17 -p1 -b .fixvalcond %patch18 -p1 -b .valbasherr -%patch19 -p1 -b .ftbfsbigend %patch20 -p1 -b .opensslv3 cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/ # valgrind would fail with shell wrapper @@ -468,6 +466,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Feb 09 2022 Michal Hlavinka - 1:2.3.18-1 +- updated to 2.3.18, pigeonhole to 0.5.18 + * Thu Jan 20 2022 Fedora Release Engineering - 1:2.3.17.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild diff --git a/sources b/sources index 76a3cc8..d434056 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.17.1.tar.gz) = 976aa4f68e86f401e5766017e1702740d5b03892aff98f31f9ef0c6d242311d0f4b50d7faa426306bf1c902d7fc6d021438977bc887fa66ee360b069ec32ad79 -SHA512 (dovecot-2.3-pigeonhole-0.5.17.1.tar.gz) = 632a963d90a3fa052f314360d59ff25274d80952307ab5dd9193a2713ebf686500a7b2559b56f04b07e0a261066eed9b8525b14197f3be51728af09acb76e894 +SHA512 (dovecot-2.3.18.tar.gz) = b5eccf790a3960614876f122efb6296fe49ab7c523b08c10347fd4d10ed293fbd327279511c227b420f7c0786975186157eaa0fb5cd3aab1f3be9a4c5c3ad233 +SHA512 (dovecot-2.3-pigeonhole-0.5.18.tar.gz) = 44c3d945a5aebb8935e6e46751e44f505f2abd529c31e3efb689d3b5b9cdf9bca4f5231fc42a8d19837cb95c7618f5b64dfdf5964f40a0a6987144a37cdbaaec From 24321854aab9e7ad74f48e4106c54a8c05f850e6 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 9 Feb 2022 12:09:44 +0100 Subject: [PATCH 105/163] skip aarch64 check, it timeouts --- dovecot.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dovecot.spec b/dovecot.spec index dbee79d..770a174 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -317,9 +317,12 @@ rm -f %restart_flag fi %check +%ifnarch aarch64 +# some aarch64 tests timeout, skip for now make check cd dovecot-2*3-pigeonhole-%{pigeonholever} make check +%endif %files %doc docinstall/* AUTHORS ChangeLog COPYING COPYING.LGPL COPYING.MIT NEWS README From e62c64f4afb5123ba6be031febf626b7e5c2856c Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 30 May 2022 21:01:34 +0200 Subject: [PATCH 106/163] updated to 2.3.19, pigeonhole to 0.5.19 --- 30e69471792aec8.patch | 25 +++++++++++++++++++++++++ dovecot-2.3.15-fixvalcond.patch | 6 +++--- dovecot.spec | 9 +++++++-- sources | 4 ++-- 4 files changed, 37 insertions(+), 7 deletions(-) create mode 100644 30e69471792aec8.patch diff --git a/30e69471792aec8.patch b/30e69471792aec8.patch new file mode 100644 index 0000000..2f2c7cb --- /dev/null +++ b/30e69471792aec8.patch @@ -0,0 +1,25 @@ +From 30e69471792aec818dbbfa64adb868db14a6d8e2 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen +Date: Wed, 18 May 2022 11:31:44 +0300 +Subject: [PATCH] auth: Fix assert-crash in iterating multiple userdbs + +Broken by 501e17ba6b448ba3c88338596e0e8f99f0693f79 + +Fixes: +Panic: file userdb-blocking.c: line 125 (userdb_blocking_iter_next): assertion failed: (ctx->conn != NULL) +--- + src/auth/auth-master-connection.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/auth/auth-master-connection.c b/src/auth/auth-master-connection.c +index 02eb11d38e..3f439b861a 100644 +--- a/src/auth/auth-master-connection.c ++++ b/src/auth/auth-master-connection.c +@@ -514,7 +514,6 @@ static void master_input_list_callback(const char *user, void *context) + ctx->auth_request->userdb = userdb; + ctx->iter = userdb_blocking_iter_init(ctx->auth_request, + master_input_list_callback, ctx); +- userdb_blocking_iter_next(ctx->iter); + return; + } + diff --git a/dovecot-2.3.15-fixvalcond.patch b/dovecot-2.3.15-fixvalcond.patch index 6711010..fc37561 100644 --- a/dovecot-2.3.15-fixvalcond.patch +++ b/dovecot-2.3.15-fixvalcond.patch @@ -1,6 +1,6 @@ -diff -up dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.18/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.18/src/lib-sieve/storage/dict/sieve-dict-script.c ---- dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.18/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100 -+++ dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.18/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100 +diff -up dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.19/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.19/src/lib-sieve/storage/dict/sieve-dict-script.c +--- dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.19/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100 ++++ dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.19/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100 @@ -114,7 +114,7 @@ static int sieve_dict_script_get_stream (struct sieve_dict_script *)script; struct sieve_dict_storage *dstorage = diff --git a/dovecot.spec b/dovecot.spec index 770a174..c2d987d 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -4,7 +4,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.18 +Version: 2.3.19 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -14,7 +14,7 @@ URL: https://www.dovecot.org/ Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.18 +%global pigeonholever 0.5.19 Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -44,6 +44,7 @@ Patch16: dovecot-2.3.6-opensslhmac.patch Patch17: dovecot-2.3.15-fixvalcond.patch Patch18: dovecot-2.3.15-valbasherr.patch Patch20: dovecot-2.3.14-opensslv3.patch +Patch21: 30e69471792aec8.patch Source15: prestartscript @@ -141,6 +142,7 @@ This package provides the development files for dovecot. %patch17 -p1 -b .fixvalcond %patch18 -p1 -b .valbasherr %patch20 -p1 -b .opensslv3 +%patch21 -p1 -b .30e69471792aec8 cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude @@ -469,6 +471,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon May 30 2022 Michal Hlavinka - 1:2.3.19-1 +- updated to 2.3.19, pigeonhole to 0.5.19 + * Wed Feb 09 2022 Michal Hlavinka - 1:2.3.18-1 - updated to 2.3.18, pigeonhole to 0.5.18 diff --git a/sources b/sources index d434056..5ee52a2 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.18.tar.gz) = b5eccf790a3960614876f122efb6296fe49ab7c523b08c10347fd4d10ed293fbd327279511c227b420f7c0786975186157eaa0fb5cd3aab1f3be9a4c5c3ad233 -SHA512 (dovecot-2.3-pigeonhole-0.5.18.tar.gz) = 44c3d945a5aebb8935e6e46751e44f505f2abd529c31e3efb689d3b5b9cdf9bca4f5231fc42a8d19837cb95c7618f5b64dfdf5964f40a0a6987144a37cdbaaec +SHA512 (dovecot-2.3.19.tar.gz) = a61ce88b53c4f24faddf4951f16cb75dfe52aa7057d072c727566a7c9a683cc487d26cea9a83ad8aca161a053949d2f2196ba6a58015e3d33be897094aabf887 +SHA512 (dovecot-2.3-pigeonhole-0.5.19.tar.gz) = 5b0a61c7711232ea3651b818a970b500b05bd340a04bcd5a5f0ea0529eda65f498912a845c8f3b3b80196d010bc22bd4a380e1f682cb42f62b80d2d43a94993a From 061b8c4d54bf9fd4ecf772078fe7fb8dc48aa38c Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 20 Jun 2022 23:10:22 +0200 Subject: [PATCH 107/163] updated to 2.3.19.1 --- 30e69471792aec8.patch | 25 ------------------------- dovecot.spec | 7 ++++--- sources | 2 +- 3 files changed, 5 insertions(+), 29 deletions(-) delete mode 100644 30e69471792aec8.patch diff --git a/30e69471792aec8.patch b/30e69471792aec8.patch deleted file mode 100644 index 2f2c7cb..0000000 --- a/30e69471792aec8.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 30e69471792aec818dbbfa64adb868db14a6d8e2 Mon Sep 17 00:00:00 2001 -From: Timo Sirainen -Date: Wed, 18 May 2022 11:31:44 +0300 -Subject: [PATCH] auth: Fix assert-crash in iterating multiple userdbs - -Broken by 501e17ba6b448ba3c88338596e0e8f99f0693f79 - -Fixes: -Panic: file userdb-blocking.c: line 125 (userdb_blocking_iter_next): assertion failed: (ctx->conn != NULL) ---- - src/auth/auth-master-connection.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/src/auth/auth-master-connection.c b/src/auth/auth-master-connection.c -index 02eb11d38e..3f439b861a 100644 ---- a/src/auth/auth-master-connection.c -+++ b/src/auth/auth-master-connection.c -@@ -514,7 +514,6 @@ static void master_input_list_callback(const char *user, void *context) - ctx->auth_request->userdb = userdb; - ctx->iter = userdb_blocking_iter_init(ctx->auth_request, - master_input_list_callback, ctx); -- userdb_blocking_iter_next(ctx->iter); - return; - } - diff --git a/dovecot.spec b/dovecot.spec index c2d987d..0274180 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -4,7 +4,7 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.19 +Version: 2.3.19.1 %global prever %{nil} Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 @@ -44,7 +44,6 @@ Patch16: dovecot-2.3.6-opensslhmac.patch Patch17: dovecot-2.3.15-fixvalcond.patch Patch18: dovecot-2.3.15-valbasherr.patch Patch20: dovecot-2.3.14-opensslv3.patch -Patch21: 30e69471792aec8.patch Source15: prestartscript @@ -142,7 +141,6 @@ This package provides the development files for dovecot. %patch17 -p1 -b .fixvalcond %patch18 -p1 -b .valbasherr %patch20 -p1 -b .opensslv3 -%patch21 -p1 -b .30e69471792aec8 cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude @@ -471,6 +469,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Jun 20 2022 Michal Hlavinka - 1:2.3.19.1-1 +- updated to 2.3.19.1 + * Mon May 30 2022 Michal Hlavinka - 1:2.3.19-1 - updated to 2.3.19, pigeonhole to 0.5.19 diff --git a/sources b/sources index 5ee52a2..8250050 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.19.tar.gz) = a61ce88b53c4f24faddf4951f16cb75dfe52aa7057d072c727566a7c9a683cc487d26cea9a83ad8aca161a053949d2f2196ba6a58015e3d33be897094aabf887 +SHA512 (dovecot-2.3.19.1.tar.gz) = ceb87a5f76b6352d28fd030aae5ad2165a133e9a8a6309891e793911203fc0ada9fb254dc05d183eaaa7e2b9851d3f1755b33f08fa6ff5b4b415ac4272bfe150 SHA512 (dovecot-2.3-pigeonhole-0.5.19.tar.gz) = 5b0a61c7711232ea3651b818a970b500b05bd340a04bcd5a5f0ea0529eda65f498912a845c8f3b3b80196d010bc22bd4a380e1f682cb42f62b80d2d43a94993a From 3282577fa1e67fdcc83b96a98a114459d5963c39 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 6 Jul 2022 21:09:22 +0200 Subject: [PATCH 108/163] test could fail causing nonzero return value of whole post script --- dovecot.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 0274180..2f38ca7 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -291,7 +291,7 @@ install -d -m 0755 -g dovecot -d /run/dovecot install -d -m 0755 -d /run/dovecot/empty install -d -m 0750 -g dovenull -d /run/dovecot/login install -d -m 0750 -g dovenull -d /run/dovecot/token-login -[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot +[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot ||: %preun if [ $1 = 0 ]; then From 16f3f32fa2d7fd5e26a449a43d9510af895bff74 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 12 Jul 2022 23:02:43 +0200 Subject: [PATCH 109/163] fix possible privilege escalation when similar master and non-master passdbs are used --- dovecot-2.3.19.1-7bad6a24.patch | 131 ++++++++++++++++++++++++++++++++ dovecot.spec | 7 +- 2 files changed, 137 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.3.19.1-7bad6a24.patch diff --git a/dovecot-2.3.19.1-7bad6a24.patch b/dovecot-2.3.19.1-7bad6a24.patch new file mode 100644 index 0000000..c980dde --- /dev/null +++ b/dovecot-2.3.19.1-7bad6a24.patch @@ -0,0 +1,131 @@ +From 7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen +Date: Mon, 9 May 2022 15:23:33 +0300 +Subject: [PATCH] auth: Fix handling passdbs with identical driver/args but + different mechanisms/username_filter + +The passdb was wrongly deduplicated in this situation, causing wrong +mechanisms or username_filter setting to be used. This would be a rather +unlikely configuration though. + +Fixed by moving mechanisms and username_filter from struct passdb_module +to struct auth_passdb, which is where they should have been in the first +place. +--- + src/auth/auth-request.c | 6 +++--- + src/auth/auth.c | 18 ++++++++++++++++++ + src/auth/auth.h | 5 +++++ + src/auth/passdb.c | 15 ++------------- + src/auth/passdb.h | 4 ---- + 5 files changed, 28 insertions(+), 20 deletions(-) + +diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c +index cd08b1fa02..0ca29f3674 100644 +--- a/src/auth/auth-request.c ++++ b/src/auth/auth-request.c +@@ -534,8 +534,8 @@ auth_request_want_skip_passdb(struct auth_request *request, + struct auth_passdb *passdb) + { + /* if mechanism is not supported, skip */ +- const char *const *mechs = passdb->passdb->mechanisms; +- const char *const *username_filter = passdb->passdb->username_filter; ++ const char *const *mechs = passdb->mechanisms; ++ const char *const *username_filter = passdb->username_filter; + const char *username; + + username = request->fields.user; +@@ -548,7 +548,7 @@ auth_request_want_skip_passdb(struct auth_request *request, + return TRUE; + } + +- if (passdb->passdb->username_filter != NULL && ++ if (passdb->username_filter != NULL && + !auth_request_username_accepted(username_filter, username)) { + auth_request_log_debug(request, + request->mech != NULL ? AUTH_SUBSYS_MECH +diff --git a/src/auth/auth.c b/src/auth/auth.c +index f2f3fda20c..9f6c4ba60c 100644 +--- a/src/auth/auth.c ++++ b/src/auth/auth.c +@@ -99,6 +99,24 @@ auth_passdb_preinit(struct auth *auth, const struct auth_passdb_settings *set, + auth_passdb->override_fields_tmpl = + passdb_template_build(auth->pool, set->override_fields); + ++ if (*set->mechanisms == '\0') { ++ auth_passdb->mechanisms = NULL; ++ } else if (strcasecmp(set->mechanisms, "none") == 0) { ++ auth_passdb->mechanisms = (const char *const[]){ NULL }; ++ } else { ++ auth_passdb->mechanisms = ++ (const char *const *)p_strsplit_spaces(auth->pool, ++ set->mechanisms, " ,"); ++ } ++ ++ if (*set->username_filter == '\0') { ++ auth_passdb->username_filter = NULL; ++ } else { ++ auth_passdb->username_filter = ++ (const char *const *)p_strsplit_spaces(auth->pool, ++ set->username_filter, " ,"); ++ } ++ + /* for backwards compatibility: */ + if (set->pass) + auth_passdb->result_success = AUTH_DB_RULE_CONTINUE; +diff --git a/src/auth/auth.h b/src/auth/auth.h +index f700e29d5c..460a179765 100644 +--- a/src/auth/auth.h ++++ b/src/auth/auth.h +@@ -41,6 +41,11 @@ struct auth_passdb { + struct passdb_template *default_fields_tmpl; + struct passdb_template *override_fields_tmpl; + ++ /* Supported authentication mechanisms, NULL is all, {NULL} is none */ ++ const char *const *mechanisms; ++ /* Username filter, NULL is no filter */ ++ const char *const *username_filter; ++ + enum auth_passdb_skip skip; + enum auth_db_rule result_success; + enum auth_db_rule result_failure; +diff --git a/src/auth/passdb.c b/src/auth/passdb.c +index eb4ac8ae82..f5eed1af4f 100644 +--- a/src/auth/passdb.c ++++ b/src/auth/passdb.c +@@ -224,19 +224,8 @@ passdb_preinit(pool_t pool, const struct auth_passdb_settings *set) + passdb->id = ++auth_passdb_id; + passdb->iface = *iface; + passdb->args = p_strdup(pool, set->args); +- if (*set->mechanisms == '\0') { +- passdb->mechanisms = NULL; +- } else if (strcasecmp(set->mechanisms, "none") == 0) { +- passdb->mechanisms = (const char *const[]){NULL}; +- } else { +- passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,"); +- } +- +- if (*set->username_filter == '\0') { +- passdb->username_filter = NULL; +- } else { +- passdb->username_filter = (const char* const*)p_strsplit_spaces(pool, set->username_filter, " ,"); +- } ++ /* NOTE: if anything else than driver & args are added here, ++ passdb_find() also needs to be updated. */ + array_push_back(&passdb_modules, &passdb); + return passdb; + } +diff --git a/src/auth/passdb.h b/src/auth/passdb.h +index 2e95328e5c..e466a9fdb6 100644 +--- a/src/auth/passdb.h ++++ b/src/auth/passdb.h +@@ -63,10 +63,6 @@ struct passdb_module { + /* Default password scheme for this module. + If default_cache_key is set, must not be NULL. */ + const char *default_pass_scheme; +- /* Supported authentication mechanisms, NULL is all, [NULL] is none*/ +- const char *const *mechanisms; +- /* Username filter, NULL is no filter */ +- const char *const *username_filter; + + /* If blocking is set to TRUE, use child processes to access + this passdb. */ diff --git a/dovecot.spec b/dovecot.spec index 2f38ca7..956189c 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.19.1 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -44,6 +44,7 @@ Patch16: dovecot-2.3.6-opensslhmac.patch Patch17: dovecot-2.3.15-fixvalcond.patch Patch18: dovecot-2.3.15-valbasherr.patch Patch20: dovecot-2.3.14-opensslv3.patch +Patch21: dovecot-2.3.19.1-7bad6a24.patch Source15: prestartscript @@ -141,6 +142,7 @@ This package provides the development files for dovecot. %patch17 -p1 -b .fixvalcond %patch18 -p1 -b .valbasherr %patch20 -p1 -b .opensslv3 +%patch21 -p1 -b .7bad6a24 cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude @@ -469,6 +471,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Jul 12 2022 Michal Hlavinka - 1:2.3.19.1-2 +- fix possible privilege escalation when similar master and non-master passdbs are used + * Mon Jun 20 2022 Michal Hlavinka - 1:2.3.19.1-1 - updated to 2.3.19.1 From ed8d027a72e7e7893d7756901d96d5d1ec273713 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 21 Jul 2022 00:51:53 +0000 Subject: [PATCH 110/163] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 956189c..1b77960 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.19.1 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -471,6 +471,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Jul 21 2022 Fedora Release Engineering - 1:2.3.19.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Tue Jul 12 2022 Michal Hlavinka - 1:2.3.19.1-2 - fix possible privilege escalation when similar master and non-master passdbs are used From c18ffec6977b07116292f9e1e6d4104f15df6665 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= Date: Mon, 1 Aug 2022 15:03:38 +0200 Subject: [PATCH 111/163] Rebuilt for ICU 71.1 --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 1b77960..a87d765 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.19.1 %global prever %{nil} -Release: 3%{?dist} +Release: 4%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -471,6 +471,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Aug 01 2022 Frantisek Zatloukal - 1:2.3.19.1-4 +- Rebuilt for ICU 71.1 + * Thu Jul 21 2022 Fedora Release Engineering - 1:2.3.19.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild From dc8bf012af5887a23d7a1987b689bd1debfa531d Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 23 Aug 2022 23:25:38 +0200 Subject: [PATCH 112/163] spec file cleanup rhbz#2120072 --- dovecot.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index a87d765..fb8a3b8 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -69,6 +69,7 @@ BuildRequires: libstemmer-devel BuildRequires: multilib-rpm-config BuildRequires: flex, bison BuildRequires: systemd-devel +BuildRequires: systemd-rpm-macros %if %{?fedora}0 >= 350 #BuildRequires: glibc-gconv-extra %endif @@ -182,7 +183,6 @@ autoreconf -I . -fiv #required for aarch64 support --with-ssl=openssl \ --with-ssldir=%{ssldir} \ --with-solr \ - --with-systemdsystemunitdir=%{_unitdir} \ --with-docs sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf From f7ac2e4adcde6edea4d02d1a381845496cf65673 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 24 Aug 2022 08:35:08 +0200 Subject: [PATCH 113/163] add unit dir variable --- dovecot.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index fb8a3b8..0309be6 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -183,7 +183,9 @@ autoreconf -I . -fiv #required for aarch64 support --with-ssl=openssl \ --with-ssldir=%{ssldir} \ --with-solr \ - --with-docs + --with-docs \ + systemdsystemunitdir=%{_unitdir} + sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf %make_build From 6c72b310bcbc737845ee2713369c94f5be08ebdf Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 11 Oct 2022 23:20:23 +0200 Subject: [PATCH 114/163] build with lua support (#2132420) --- dovecot.spec | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 0309be6..e89c6ba 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.19.1 %global prever %{nil} -Release: 4%{?dist} +Release: 5%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -62,6 +62,7 @@ BuildRequires: lz4-devel BuildRequires: libzstd-devel %if %{?rhel}0 == 0 BuildRequires: libsodium-devel +BuildRequires: lua-devel %endif BuildRequires: libicu-devel BuildRequires: libexttextcat-devel @@ -179,6 +180,9 @@ autoreconf -I . -fiv #required for aarch64 support --with-zstd \ --with-libcap \ --with-icu \ +%if %{?rhel}0 == 0 + --with-lua=plugin \ +%endif --with-lucene \ --with-ssl=openssl \ --with-ssldir=%{ssldir} \ @@ -393,6 +397,9 @@ make check %{_libdir}/dovecot/auth/lib20_auth_var_expand_crypt.so %{_libdir}/dovecot/auth/libauthdb_imap.so %{_libdir}/dovecot/auth/libauthdb_ldap.so +%if %{?rhel}0 == 0 +%{_libdir}/dovecot/auth/libauthdb_lua.so +%endif %{_libdir}/dovecot/auth/libmech_gssapi.so %{_libdir}/dovecot/auth/libdriver_sqlite.so %{_libdir}/dovecot/dict/libdriver_sqlite.so @@ -473,6 +480,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Oct 11 2022 Michal Hlavinka - 1:2.3.19.1-5 +- build with lua support (#2132420) + * Mon Aug 01 2022 Frantisek Zatloukal - 1:2.3.19.1-4 - Rebuilt for ICU 71.1 From 4990c863a92f96ea84156ee799a7a453781333d3 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 8 Nov 2022 22:15:18 +0100 Subject: [PATCH 115/163] use Wants=network-online.target instead of preexec nm-online (#2095949) --- dovecot-2.1.10-waitonline.patch | 16 ++++++++-------- dovecot-2.2.20-initbysystemd.patch | 2 +- dovecot.spec | 5 ++++- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/dovecot-2.1.10-waitonline.patch b/dovecot-2.1.10-waitonline.patch index af3ce19..20daf40 100644 --- a/dovecot-2.1.10-waitonline.patch +++ b/dovecot-2.1.10-waitonline.patch @@ -1,11 +1,11 @@ -diff -up dovecot-2.3.15/dovecot.service.in.waitonline dovecot-2.3.15/dovecot.service.in ---- dovecot-2.3.15/dovecot.service.in.waitonline 2021-06-21 20:19:19.560494654 +0200 -+++ dovecot-2.3.15/dovecot.service.in 2021-06-21 20:21:17.443066248 +0200 -@@ -15,6 +15,7 @@ After=local-fs.target network-online.tar +diff -up dovecot-2.3.19.1/dovecot.service.in.waitonline dovecot-2.3.19.1/dovecot.service.in +--- dovecot-2.3.19.1/dovecot.service.in.waitonline 2022-06-14 08:55:03.000000000 +0200 ++++ dovecot-2.3.19.1/dovecot.service.in 2022-11-08 20:28:37.550081709 +0100 +@@ -12,6 +12,7 @@ Description=Dovecot IMAP/POP3 email serv + Documentation=man:dovecot(1) + Documentation=https://doc.dovecot.org/ + After=local-fs.target network-online.target ++Wants=network-online.target [Service] Type=@systemdservicetype@ -+ExecStartPre=/usr/libexec/dovecot/prestartscript - ExecStart=@sbindir@/dovecot -F - ExecReload=@bindir@/doveadm reload - ExecStop=@bindir@/doveadm stop diff --git a/dovecot-2.2.20-initbysystemd.patch b/dovecot-2.2.20-initbysystemd.patch index 313e26b..7099960 100644 --- a/dovecot-2.2.20-initbysystemd.patch +++ b/dovecot-2.2.20-initbysystemd.patch @@ -25,9 +25,9 @@ diff -up dovecot-2.3.15/dovecot.service.in.initbysystemd dovecot-2.3.15/dovecot. -After=local-fs.target network-online.target +After=local-fs.target network-online.target dovecot-init.service +Requires=dovecot-init.service + Wants=network-online.target [Service] - Type=@systemdservicetype@ diff -up dovecot-2.3.15/Makefile.am.initbysystemd dovecot-2.3.15/Makefile.am --- dovecot-2.3.15/Makefile.am.initbysystemd 2021-06-21 20:21:49.250680889 +0200 +++ dovecot-2.3.15/Makefile.am 2021-06-21 20:24:26.676765849 +0200 diff --git a/dovecot.spec b/dovecot.spec index e89c6ba..2fc0d48 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.19.1 %global prever %{nil} -Release: 5%{?dist} +Release: 6%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -480,6 +480,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Nov 08 2022 Michal Hlavinka - 1:2.3.19.1-6 +- use Wants=network-online.target instead of preexec nm-online (#2095949) + * Tue Oct 11 2022 Michal Hlavinka - 1:2.3.19.1-5 - build with lua support (#2132420) From f93b448621ba0bd5217ca57b413358e31bc148ac Mon Sep 17 00:00:00 2001 From: Pete Walter Date: Sat, 31 Dec 2022 02:36:22 +0000 Subject: [PATCH 116/163] Rebuild for ICU 72 --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 2fc0d48..3322958 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.19.1 %global prever %{nil} -Release: 6%{?dist} +Release: 7%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -480,6 +480,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Sat Dec 31 2022 Pete Walter - 1:2.3.19.1-7 +- Rebuild for ICU 72 + * Tue Nov 08 2022 Michal Hlavinka - 1:2.3.19.1-6 - use Wants=network-online.target instead of preexec nm-online (#2095949) From 76899ef8f2fc7c4a2a3542ab0fd9edf8c72ae75a Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 2 Jan 2023 10:55:17 +0100 Subject: [PATCH 117/163] Port configure script to C99 Related to: --- dovecot-configure-c99.patch | 25 +++++++++++++++++++++++++ dovecot.spec | 7 ++++++- 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 dovecot-configure-c99.patch diff --git a/dovecot-configure-c99.patch b/dovecot-configure-c99.patch new file mode 100644 index 0000000..17a49fe --- /dev/null +++ b/dovecot-configure-c99.patch @@ -0,0 +1,25 @@ +m4: crypt_xxpg6.m4: Define _DEFAULT_SOURCE for current glibc + +Current glibc no longer implements the CRYPT extension, so it does not +declare crypt in in strict standard modes. The check +defines _XOPEN_SOURCE, which enables one of these modes. Defining +_DEFAULT_SOURCE as well again makes available the crypt function +prototype. + +This avoids a configure check result change with compilers which do +not support implicit function declarations. + +Submitted upstream: + +diff --git a/m4/crypt_xpg6.m4 b/m4/crypt_xpg6.m4 +index 0085b2ac76..3a288a3713 100644 +--- a/m4/crypt_xpg6.m4 ++++ b/m4/crypt_xpg6.m4 +@@ -6,6 +6,7 @@ AC_DEFUN([DOVECOT_CRYPT_XPG6], [ + #define _XOPEN_SOURCE 4 + #define _XOPEN_SOURCE_EXTENDED 1 + #define _XOPEN_VERSION 4 ++ #define _DEFAULT_SOURCE + #define _XPG4_2 + #define _XPG6 + #include diff --git a/dovecot.spec b/dovecot.spec index 3322958..477cac5 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.19.1 %global prever %{nil} -Release: 7%{?dist} +Release: 8%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -45,6 +45,7 @@ Patch17: dovecot-2.3.15-fixvalcond.patch Patch18: dovecot-2.3.15-valbasherr.patch Patch20: dovecot-2.3.14-opensslv3.patch Patch21: dovecot-2.3.19.1-7bad6a24.patch +Patch22: dovecot-configure-c99.patch Source15: prestartscript @@ -145,6 +146,7 @@ This package provides the development files for dovecot. %patch18 -p1 -b .valbasherr %patch20 -p1 -b .opensslv3 %patch21 -p1 -b .7bad6a24 +%patch22 -p1 -b .c99 cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude @@ -480,6 +482,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Jan 02 2023 Florian Weimer - 1:2.3.19.1-8 +- Port configure script to C99 + * Sat Dec 31 2022 Pete Walter - 1:2.3.19.1-7 - Rebuild for ICU 72 From bf9aef0f2163411ddcd58633142072e5596f07e3 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 2 Jan 2023 16:38:53 +0100 Subject: [PATCH 118/163] rebased to 2.3.20 --- dovecot.spec | 7 +++++-- sources | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 477cac5..4f61fe0 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -4,9 +4,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.19.1 +Version: 2.3.20 %global prever %{nil} -Release: 8%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -482,6 +482,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Jan 02 2023 Michal Hlavinka - 1:2.3.20-1 +- rebased to 2.3.20 + * Mon Jan 02 2023 Florian Weimer - 1:2.3.19.1-8 - Port configure script to C99 diff --git a/sources b/sources index 8250050..11eaf3c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.19.1.tar.gz) = ceb87a5f76b6352d28fd030aae5ad2165a133e9a8a6309891e793911203fc0ada9fb254dc05d183eaaa7e2b9851d3f1755b33f08fa6ff5b4b415ac4272bfe150 +SHA512 (dovecot-2.3.20.tar.gz) = 20c5a9cacf2c22d99d46400b666206e5b153c35286c205eec5df4d2ce0c88cf29ea15df81716794fd75837f6d67dfa4037096cf4bb66f524877a9a0a6bb282c8 SHA512 (dovecot-2.3-pigeonhole-0.5.19.tar.gz) = 5b0a61c7711232ea3651b818a970b500b05bd340a04bcd5a5f0ea0529eda65f498912a845c8f3b3b80196d010bc22bd4a380e1f682cb42f62b80d2d43a94993a From f701f57c30ad8d705ece1e3583e8de53e47cf48c Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 2 Jan 2023 21:16:51 +0100 Subject: [PATCH 119/163] update pigeonhole to 0.5.20 --- dovecot.spec | 2 +- sources | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 4f61fe0..769be44 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -483,7 +483,7 @@ make check %changelog * Mon Jan 02 2023 Michal Hlavinka - 1:2.3.20-1 -- rebased to 2.3.20 +- updated to 2.3.20, pigeonhole to 0.5.20 * Mon Jan 02 2023 Florian Weimer - 1:2.3.19.1-8 - Port configure script to C99 diff --git a/sources b/sources index 11eaf3c..baf5b10 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (dovecot-2.3.20.tar.gz) = 20c5a9cacf2c22d99d46400b666206e5b153c35286c205eec5df4d2ce0c88cf29ea15df81716794fd75837f6d67dfa4037096cf4bb66f524877a9a0a6bb282c8 -SHA512 (dovecot-2.3-pigeonhole-0.5.19.tar.gz) = 5b0a61c7711232ea3651b818a970b500b05bd340a04bcd5a5f0ea0529eda65f498912a845c8f3b3b80196d010bc22bd4a380e1f682cb42f62b80d2d43a94993a +SHA512 (dovecot-2.3-pigeonhole-0.5.20.tar.gz) = 45683e6bd678db00fc3e3c61d27a264d30d0e9aeb9ceb7ab55f94f0317d387056fa092e266062117cbe2a9dc2c90ddca03d154e78aad9c0d61fe8cf2c9187603 From ad6921078cc3347621745a3c1832977329437ca7 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 2 Jan 2023 22:48:15 +0100 Subject: [PATCH 120/163] update spec and patch for pigeonhole --- dovecot-2.3.15-fixvalcond.patch | 4 ++-- dovecot.spec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/dovecot-2.3.15-fixvalcond.patch b/dovecot-2.3.15-fixvalcond.patch index fc37561..f20881a 100644 --- a/dovecot-2.3.15-fixvalcond.patch +++ b/dovecot-2.3.15-fixvalcond.patch @@ -1,6 +1,6 @@ diff -up dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.19/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.19/src/lib-sieve/storage/dict/sieve-dict-script.c ---- dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.19/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100 -+++ dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.19/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100 +--- dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.20/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100 ++++ dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.20/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100 @@ -114,7 +114,7 @@ static int sieve_dict_script_get_stream (struct sieve_dict_script *)script; struct sieve_dict_storage *dstorage = diff --git a/dovecot.spec b/dovecot.spec index 769be44..f8d4957 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -14,7 +14,7 @@ URL: https://www.dovecot.org/ Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.19 +%global pigeonholever 0.5.20 Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd From d427dc3561bc5ef696247a4165e962327d511f3e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 19 Jan 2023 01:44:29 +0000 Subject: [PATCH 121/163] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index f8d4957..4ef6d27 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.20 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -482,6 +482,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Jan 19 2023 Fedora Release Engineering - 1:2.3.20-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Mon Jan 02 2023 Michal Hlavinka - 1:2.3.20-1 - updated to 2.3.20, pigeonhole to 0.5.20 From 3327ce59b3405b8e597e8ffa8f07602bc0fc543c Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 14 Feb 2023 17:53:49 +0100 Subject: [PATCH 122/163] drop SHA1 OTP --- dovecot-2.3.20-nolibotp.patch | 295 ++++++++++++++++++++++++++++++++++ dovecot.spec | 15 +- 2 files changed, 308 insertions(+), 2 deletions(-) create mode 100644 dovecot-2.3.20-nolibotp.patch diff --git a/dovecot-2.3.20-nolibotp.patch b/dovecot-2.3.20-nolibotp.patch new file mode 100644 index 0000000..4ec0b78 --- /dev/null +++ b/dovecot-2.3.20-nolibotp.patch @@ -0,0 +1,295 @@ +diff -up dovecot-2.3.20/configure.ac.nolibotp dovecot-2.3.20/configure.ac +--- dovecot-2.3.20/configure.ac.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/configure.ac 2023-02-14 16:54:02.118531016 +0100 +@@ -854,7 +854,6 @@ src/lib-lua/Makefile + src/lib-mail/Makefile + src/lib-master/Makefile + src/lib-program-client/Makefile +-src/lib-otp/Makefile + src/lib-dovecot/Makefile + src/lib-sasl/Makefile + src/lib-settings/Makefile +diff -up dovecot-2.3.20/src/auth/main.c.nolibotp dovecot-2.3.20/src/auth/main.c +--- dovecot-2.3.20/src/auth/main.c.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/src/auth/main.c 2023-02-14 16:54:02.118531016 +0100 +@@ -19,8 +19,6 @@ + #include "password-scheme.h" + #include "passdb-cache.h" + #include "mech.h" +-#include "otp.h" +-#include "mech-otp-common.h" + #include "auth.h" + #include "auth-penalty.h" + #include "auth-token.h" +@@ -283,7 +281,6 @@ static void main_deinit(void) + + auth_policy_deinit(); + mech_register_deinit(&mech_reg); +- mech_otp_deinit(); + mech_deinit(global_auth_settings); + + /* allow modules to unregister their dbs/drivers/etc. before freeing +diff -up dovecot-2.3.20/src/auth/Makefile.am.nolibotp dovecot-2.3.20/src/auth/Makefile.am +--- dovecot-2.3.20/src/auth/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/src/auth/Makefile.am 2023-02-14 16:54:02.118531016 +0100 +@@ -45,7 +45,6 @@ AM_CPPFLAGS = \ + -I$(top_srcdir)/src/lib-sql \ + -I$(top_srcdir)/src/lib-settings \ + -I$(top_srcdir)/src/lib-old-stats \ +- -I$(top_srcdir)/src/lib-otp \ + -I$(top_srcdir)/src/lib-master \ + -I$(top_srcdir)/src/lib-oauth2 \ + -I$(top_srcdir)/src/lib-ssl-iostream \ +@@ -67,7 +66,6 @@ libpassword_la_SOURCES = \ + password-scheme-crypt.c \ + password-scheme-md5crypt.c \ + password-scheme-scram.c \ +- password-scheme-otp.c \ + password-scheme-pbkdf2.c \ + password-scheme-sodium.c + libpassword_la_CFLAGS = $(AM_CPPFLAGS) $(LIBSODIUM_CFLAGS) +@@ -76,7 +74,6 @@ auth_libs = \ + libauth.la \ + libstats_auth.la \ + libpassword.la \ +- ../lib-otp/libotp.la \ + $(AUTH_LUA_LIBS) \ + $(LIBDOVECOT_SQL) + +@@ -95,7 +92,6 @@ libauth_la_SOURCES = \ + auth-client-connection.c \ + auth-master-connection.c \ + auth-policy.c \ +- mech-otp-common.c \ + mech-plain-common.c \ + auth-penalty.c \ + auth-request.c \ +@@ -122,7 +118,6 @@ libauth_la_SOURCES = \ + mech-digest-md5.c \ + mech-external.c \ + mech-gssapi.c \ +- mech-otp.c \ + mech-scram.c \ + mech-apop.c \ + mech-winbind.c \ +@@ -161,7 +156,6 @@ headers = \ + auth-client-connection.h \ + auth-common.h \ + auth-master-connection.h \ +- mech-otp-common.h \ + mech-plain-common.h \ + mech-digest-md5-private.h \ + mech-scram.h \ +@@ -260,7 +254,6 @@ test_libs = \ + test_libpassword_SOURCES = test-libpassword.c + test_libpassword_LDADD = \ + libpassword.la \ +- ../lib-otp/libotp.la \ + $(CRYPT_LIBS) \ + $(LIBDOVECOT_SQL) \ + $(LIBSODIUM_LIBS) \ +diff -up dovecot-2.3.20/src/auth/mech.c.nolibotp dovecot-2.3.20/src/auth/mech.c +--- dovecot-2.3.20/src/auth/mech.c.nolibotp 2023-02-14 16:55:38.421231797 +0100 ++++ dovecot-2.3.20/src/auth/mech.c 2023-02-14 16:55:38.434231892 +0100 +@@ -71,7 +71,6 @@ extern const struct mech_module mech_apo + extern const struct mech_module mech_cram_md5; + extern const struct mech_module mech_digest_md5; + extern const struct mech_module mech_external; +-extern const struct mech_module mech_otp; + extern const struct mech_module mech_scram_sha1; + extern const struct mech_module mech_scram_sha256; + extern const struct mech_module mech_anonymous; +@@ -206,7 +205,6 @@ void mech_init(const struct auth_setting + mech_register_module(&mech_gssapi_spnego); + #endif + } +- mech_register_module(&mech_otp); + mech_register_module(&mech_scram_sha1); + mech_register_module(&mech_scram_sha256); + mech_register_module(&mech_anonymous); +@@ -233,7 +231,6 @@ void mech_deinit(const struct auth_setti + mech_unregister_module(&mech_gssapi_spnego); + #endif + } +- mech_unregister_module(&mech_otp); + mech_unregister_module(&mech_scram_sha1); + mech_unregister_module(&mech_scram_sha256); + mech_unregister_module(&mech_anonymous); +diff -up dovecot-2.3.20/src/auth/password-scheme.c.nolibotp dovecot-2.3.20/src/auth/password-scheme.c +--- dovecot-2.3.20/src/auth/password-scheme.c.nolibotp 2023-02-14 16:54:02.109530950 +0100 ++++ dovecot-2.3.20/src/auth/password-scheme.c 2023-02-14 16:54:02.119531023 +0100 +@@ -13,7 +13,6 @@ + #include "randgen.h" + #include "sha1.h" + #include "sha2.h" +-#include "otp.h" + #include "str.h" + #include "password-scheme.h" + +@@ -709,32 +708,6 @@ plain_md5_generate(const char *plaintext + *size_r = MD5_RESULTLEN; + } + +-static int otp_verify(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, +- const unsigned char *raw_password, size_t size, +- const char **error_r) +-{ +- const char *password, *generated; +- +- password = t_strndup(raw_password, size); +- if (password_generate_otp(plaintext, password, UINT_MAX, &generated) < 0) { +- *error_r = "Invalid OTP data in passdb"; +- return -1; +- } +- +- return strcasecmp(password, generated) == 0 ? 1 : 0; +-} +- +-static void +-otp_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, +- const unsigned char **raw_password_r, size_t *size_r) +-{ +- const char *password; +- +- if (password_generate_otp(plaintext, NULL, OTP_HASH_SHA1, &password) < 0) +- i_unreached(); +- *raw_password_r = (const unsigned char *)password; +- *size_r = strlen(password); +-} + + static const struct password_scheme builtin_schemes[] = { + { "MD5", PW_ENCODING_NONE, 0, md5_verify, md5_crypt_generate }, +@@ -770,7 +743,6 @@ static const struct password_scheme buil + NULL, plain_md5_generate }, + { "LDAP-MD5", PW_ENCODING_BASE64, MD5_RESULTLEN, + NULL, plain_md5_generate }, +- { "OTP", PW_ENCODING_NONE, 0, otp_verify, otp_generate }, + { "PBKDF2", PW_ENCODING_NONE, 0, pbkdf2_verify, pbkdf2_generate }, + }; + +diff -up dovecot-2.3.20/src/auth/password-scheme.h.nolibotp dovecot-2.3.20/src/auth/password-scheme.h +--- dovecot-2.3.20/src/auth/password-scheme.h.nolibotp 2023-02-14 16:56:50.929759540 +0100 ++++ dovecot-2.3.20/src/auth/password-scheme.h 2023-02-14 16:56:50.947759671 +0100 +@@ -92,9 +92,6 @@ void password_set_encryption_rounds(unsi + /* INTERNAL: */ + const char *password_generate_salt(size_t len); + const char *password_generate_md5_crypt(const char *pw, const char *salt); +-int password_generate_otp(const char *pw, const char *state_data, +- unsigned int algo, const char **result_r) +- ATTR_NULL(2); + + int crypt_verify(const char *plaintext, + const struct password_generate_params *params, +diff -up dovecot-2.3.20/src/auth/test-libpassword.c.nolibotp dovecot-2.3.20/src/auth/test-libpassword.c +--- dovecot-2.3.20/src/auth/test-libpassword.c.nolibotp 2023-02-14 16:54:55.880922175 +0100 ++++ dovecot-2.3.20/src/auth/test-libpassword.c 2023-02-14 16:54:55.896922291 +0100 +@@ -106,7 +106,6 @@ static void test_password_schemes(void) + test_password_scheme("SHA512", "{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==", "test"); + test_password_scheme("SSHA", "{SSHA}H/zrDv8FXUu1JmwvVYijfrYEF34jVZcO", "test"); + test_password_scheme("MD5-CRYPT", "{MD5-CRYPT}$1$GgvxyNz8$OjZhLh4P.gF1lxYEbLZ3e/", "test"); +- test_password_scheme("OTP", "{OTP}sha1 1024 ae6b49aa481f7233 f69fc7f98b8fbf54", "test"); + test_password_scheme("PBKDF2", "{PBKDF2}$1$bUnT4Pl7yFtYX0KU$5000$50a83cafdc517b9f46519415e53c6a858908680a", "test"); + test_password_scheme("CRAM-MD5", "{CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6", "test"); + test_password_scheme("DIGEST-MD5", "{DIGEST-MD5}77c1a8c437c9b08ba2f460fe5d58db5d", "test"); +diff -up dovecot-2.3.20/src/auth/test-mech.c.nolibotp dovecot-2.3.20/src/auth/test-mech.c +--- dovecot-2.3.20/src/auth/test-mech.c.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/src/auth/test-mech.c 2023-02-14 16:54:02.119531023 +0100 +@@ -8,8 +8,6 @@ + #include "auth-request-handler-private.h" + #include "auth-settings.h" + #include "mech-digest-md5-private.h" +-#include "otp.h" +-#include "mech-otp-common.h" + #include "settings-parser.h" + #include "password-scheme.h" + #include "auth-token.h" +@@ -27,7 +25,6 @@ extern const struct mech_module mech_dov + extern const struct mech_module mech_external; + extern const struct mech_module mech_login; + extern const struct mech_module mech_oauthbearer; +-extern const struct mech_module mech_otp; + extern const struct mech_module mech_plain; + extern const struct mech_module mech_scram_sha1; + extern const struct mech_module mech_scram_sha256; +@@ -65,10 +62,7 @@ request_handler_reply_mock_callback(stru + + if (request->passdb_result == PASSDB_RESULT_OK) + request->failed = FALSE; +- else if (request->mech == &mech_otp) { +- if (null_strcmp(request->fields.user, "otp_phase_2") == 0) +- request->failed = FALSE; +- } else if (request->mech == &mech_oauthbearer) { ++ else if (request->mech == &mech_oauthbearer) { + } + }; + +@@ -224,10 +218,6 @@ static void test_mechs(void) + {&mech_plain, UCHAR_LEN("\0testuser\0testpass"), "testuser", NULL, TRUE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("normaluser\0masteruser\0masterpass"), "masteruser", NULL, TRUE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("normaluser\0normaluser\0masterpass"), "normaluser", NULL, TRUE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("hex:5Bf0 75d9 959d 036f"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("word:BOND FOGY DRAB NE RISE MART"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("init-hex:f6bd 6b33 89b8 7203:md5 499 ke6118:23d1 b253 5ae0 2b7e"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("init-word:END KERN BALM NICK EROS WAVY:md5 499 ke1235:BABY FAIN OILY NIL TIDY DADE"), "otp_phase_2", NULL , TRUE, TRUE, FALSE}, + {&mech_oauthbearer, UCHAR_LEN("n,a=testuser,p=cHJvb2Y=,f=nonstandart\x01host=server\x01port=143\x01""auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01"), "testuser", NULL, FALSE, TRUE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, + {&mech_scram_sha256, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, +@@ -242,8 +232,6 @@ static void test_mechs(void) + {&mech_external, UCHAR_LEN(""), "testuser", NULL, FALSE, TRUE, FALSE}, + {&mech_external, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_login, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN(""), NULL, "invalid input", FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN(""), "testuser", "invalid input", FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_oauthbearer, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_xoauth2, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, +@@ -255,7 +243,6 @@ static void test_mechs(void) + {&mech_apop, UCHAR_LEN("1.1.1\0testuser\0tooshort"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_apop, UCHAR_LEN("1.1.1\0testuser\0responseoflen16-"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_apop, UCHAR_LEN("1.1.1"), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("somebody\0testuser"), "testuser", "otp(testuser): unsupported response type", FALSE, TRUE, FALSE}, + {&mech_cram_md5, UCHAR_LEN("testuser\0response"), "testuser", NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("testuser\0"), "testuser", NULL, FALSE, FALSE, FALSE}, + +@@ -297,9 +284,7 @@ static void test_mechs(void) + {&mech_plain, UCHAR_LEN("\0fa\0il\0ing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("failingwiththis"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("failing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), NULL, "invalid input", FALSE, FALSE, FALSE}, + /* phase 2 */ +- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), "testuser", "otp(testuser): unsupported response type", FALSE, TRUE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("n,a=masteruser,,"), NULL, NULL, FALSE, FALSE, FALSE}, +@@ -387,7 +372,6 @@ static void test_mechs(void) + + test_end(); + } T_END; +- mech_otp_deinit(); + auths_deinit(); + auth_token_deinit(); + password_schemes_deinit(); +diff -up dovecot-2.3.20/src/doveadm/Makefile.am.nolibotp dovecot-2.3.20/src/doveadm/Makefile.am +--- dovecot-2.3.20/src/doveadm/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/src/doveadm/Makefile.am 2023-02-14 16:54:02.119531023 +0100 +@@ -36,8 +36,7 @@ AM_CPPFLAGS = \ + $(BINARY_CFLAGS) + + cmd_pw_libs = \ +- ../auth/libpassword.la \ +- ../lib-otp/libotp.la ++ ../auth/libpassword.la + + libs = \ + dsync/libdsync.la \ +diff -up dovecot-2.3.20/src/Makefile.am.nolibotp dovecot-2.3.20/src/Makefile.am +--- dovecot-2.3.20/src/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/src/Makefile.am 2023-02-14 16:54:02.119531023 +0100 +@@ -40,7 +40,6 @@ SUBDIRS = \ + lib-index \ + lib-storage \ + lib-sql \ +- lib-otp \ + lib-lda \ + lib-dict-backend \ + anvil \ diff --git a/dovecot.spec b/dovecot.spec index 4ef6d27..bcb7526 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.20 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -44,9 +44,12 @@ Patch16: dovecot-2.3.6-opensslhmac.patch Patch17: dovecot-2.3.15-fixvalcond.patch Patch18: dovecot-2.3.15-valbasherr.patch Patch20: dovecot-2.3.14-opensslv3.patch -Patch21: dovecot-2.3.19.1-7bad6a24.patch +Patch21: dovecot-2.3.19.1-7bad6a24.patch Patch22: dovecot-configure-c99.patch +# Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes +Patch23: dovecot-2.3.20-nolibotp.patch + Source15: prestartscript BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel @@ -147,6 +150,7 @@ This package provides the development files for dovecot. %patch20 -p1 -b .opensslv3 %patch21 -p1 -b .7bad6a24 %patch22 -p1 -b .c99 +%patch23 -p1 -b .nolibotp cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude @@ -155,6 +159,10 @@ echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.excl #popd sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in + +# drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes +rm -rf src/lib-otp + %build #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules %global _hardened_build 1 @@ -482,6 +490,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Feb 14 2023 Michal Hlavinka - 1:2.3.20-3 +- drop SHA1 OTP + * Thu Jan 19 2023 Fedora Release Engineering - 1:2.3.20-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From cfcfd288ac9ff5fda37af2b79fece5f53f7bccc2 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 26 Apr 2023 11:33:43 +0200 Subject: [PATCH 123/163] update license tag format (SPDX migration) for https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1 --- dovecot.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index bcb7526..96426b3 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,9 +6,9 @@ Name: dovecot Epoch: 1 Version: 2.3.20 %global prever %{nil} -Release: 3%{?dist} +Release: 4%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 -License: MIT and LGPLv2 +License: MIT AND LGPL-2.1-only URL: https://www.dovecot.org/ Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz @@ -112,7 +112,7 @@ The SQL drivers and authentication plug-ins are in their subpackages. %package pigeonhole Requires: %{name} = %{epoch}:%{version}-%{release} Summary: Sieve and managesieve plug-in for dovecot -License: MIT and LGPLv2 +License: MIT AND LGPL-2.1-only %description pigeonhole This package provides sieve and managesieve plug-in for dovecot LDA. @@ -490,6 +490,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Apr 26 2023 Michal Hlavinka - 1:2.3.20-4 +- update license tag format (SPDX migration) for https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1 + * Tue Feb 14 2023 Michal Hlavinka - 1:2.3.20-3 - drop SHA1 OTP From f141104cec30d074f3e1af9205b6d4475f9cdae4 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 3 May 2023 12:21:11 +0200 Subject: [PATCH 124/163] use new patch macro format, with epel compatibility --- dovecot.spec | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 96426b3..6ec59b7 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -137,20 +137,20 @@ This package provides the development files for dovecot. %prep %setup -q -n %{name}-%{version}%{?prever} -a 8 -%patch1 -p1 -b .default-settings -%patch2 -p1 -b .mkcert-permissions -%patch3 -p1 -b .mkcert-paths -%patch6 -p1 -b .waitonline -%patch8 -p1 -b .initbysystemd -%patch9 -p1 -b .systemd_w_protectsystem -%patch15 -p1 -b .bigkey -%patch16 -p1 -b .opensslhmac -%patch17 -p1 -b .fixvalcond -%patch18 -p1 -b .valbasherr -%patch20 -p1 -b .opensslv3 -%patch21 -p1 -b .7bad6a24 -%patch22 -p1 -b .c99 -%patch23 -p1 -b .nolibotp +%patch -P1 -p1 -b .default-settings +%patch -P2 -p1 -b .mkcert-permissions +%patch -P3 -p1 -b .mkcert-paths +%patch -P6 -p1 -b .waitonline +%patch -P8 -p1 -b .initbysystemd +%patch -P9 -p1 -b .systemd_w_protectsystem +%patch -P15 -p1 -b .bigkey +%patch -P16 -p1 -b .opensslhmac +%patch -P17 -p1 -b .fixvalcond +%patch -P18 -p1 -b .valbasherr +%patch -P20 -p1 -b .opensslv3 +%patch -P21 -p1 -b .7bad6a24 +%patch -P22 -p1 -b .c99 +%patch -P23 -p1 -b .nolibotp cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude From 9c80caab1f24630c0e5b8f71dacdde5f0c96d853 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= Date: Tue, 11 Jul 2023 22:14:19 +0200 Subject: [PATCH 125/163] Rebuilt for ICU 73.2 --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 6ec59b7..d8419ef 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.20 %global prever %{nil} -Release: 4%{?dist} +Release: 5%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -490,6 +490,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Jul 11 2023 František Zatloukal - 1:2.3.20-5 +- Rebuilt for ICU 73.2 + * Wed Apr 26 2023 Michal Hlavinka - 1:2.3.20-4 - update license tag format (SPDX migration) for https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1 From ab67f10b83a65d3aa425f9bc6b285eeed79693f4 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 19 Jul 2023 17:49:57 +0000 Subject: [PATCH 126/163] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index d8419ef..dacd741 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.20 %global prever %{nil} -Release: 5%{?dist} +Release: 6%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -490,6 +490,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Jul 19 2023 Fedora Release Engineering - 1:2.3.20-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Tue Jul 11 2023 František Zatloukal - 1:2.3.20-5 - Rebuilt for ICU 73.2 From b0924ff71d51112e2286bf97a2426ad450d903cd Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 18 Sep 2023 16:44:20 +0200 Subject: [PATCH 127/163] update pigeonhole to 0.5.21 --- dovecot.spec | 2 +- sources | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index dacd741..4aa3c43 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -14,7 +14,7 @@ URL: https://www.dovecot.org/ Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.20 +%global pigeonholever 0.5.21 Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd diff --git a/sources b/sources index baf5b10..affa461 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (dovecot-2.3.20.tar.gz) = 20c5a9cacf2c22d99d46400b666206e5b153c35286c205eec5df4d2ce0c88cf29ea15df81716794fd75837f6d67dfa4037096cf4bb66f524877a9a0a6bb282c8 -SHA512 (dovecot-2.3-pigeonhole-0.5.20.tar.gz) = 45683e6bd678db00fc3e3c61d27a264d30d0e9aeb9ceb7ab55f94f0317d387056fa092e266062117cbe2a9dc2c90ddca03d154e78aad9c0d61fe8cf2c9187603 +SHA512 (dovecot-2.3-pigeonhole-0.5.21.tar.gz) = 5537444025a474ee1b79919a424e24530695aec639361c531257f25fac286673719d476906d99d47e348deb57baa75419bff7dd284c82d2b751334dedec96314 From 97e16a026d8809e49610603484347c8aa62cefec Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 18 Sep 2023 16:51:08 +0200 Subject: [PATCH 128/163] strip version for pigeonhole src dir for simplifying the rest of code/patches --- dovecot-2.3.15-fixvalcond.patch | 6 +++--- dovecot.spec | 16 ++++++++++------ 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/dovecot-2.3.15-fixvalcond.patch b/dovecot-2.3.15-fixvalcond.patch index f20881a..a064c26 100644 --- a/dovecot-2.3.15-fixvalcond.patch +++ b/dovecot-2.3.15-fixvalcond.patch @@ -1,6 +1,6 @@ -diff -up dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.19/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.19/src/lib-sieve/storage/dict/sieve-dict-script.c ---- dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.20/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100 -+++ dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.20/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100 +diff -up dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c +--- dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100 ++++ dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100 @@ -114,7 +114,7 @@ static int sieve_dict_script_get_stream (struct sieve_dict_script *)script; struct sieve_dict_storage *dstorage = diff --git a/dovecot.spec b/dovecot.spec index 4aa3c43..351bc6b 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -137,6 +137,10 @@ This package provides the development files for dovecot. %prep %setup -q -n %{name}-%{version}%{?prever} -a 8 + +# standardize name, so we don't have to update patches and scripts +mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole + %patch -P1 -p1 -b .default-settings %patch -P2 -p1 -b .mkcert-permissions %patch -P3 -p1 -b .mkcert-paths @@ -151,11 +155,11 @@ This package provides the development files for dovecot. %patch -P21 -p1 -b .7bad6a24 %patch -P22 -p1 -b .c99 %patch -P23 -p1 -b .nolibotp -cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/ +cp run-test-valgrind.supp dovecot-pigeonhole/ # valgrind would fail with shell wrapper -echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude +echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude -#pushd dovecot-2*3-pigeonhole-%{pigeonholever} +#pushd dovecot-pigeonhole #popd sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in @@ -205,7 +209,7 @@ sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10 %make_build #pigeonhole -pushd dovecot-2*3-pigeonhole-%{pigeonholever} +pushd dovecot-pigeonhole # required for snapshot [ -f configure ] || autoreconf -fiv @@ -231,7 +235,7 @@ mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/ # fix multilib issues %multilib_fix_c_header --file %{_includedir}/dovecot/config.h -pushd dovecot-2*3-pigeonhole-%{pigeonholever} +pushd dovecot-pigeonhole %make_install mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole @@ -338,7 +342,7 @@ fi %ifnarch aarch64 # some aarch64 tests timeout, skip for now make check -cd dovecot-2*3-pigeonhole-%{pigeonholever} +cd dovecot-pigeonhole make check %endif From a17c8bb9c38a8839932aa0b7b00ec9deef679119 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 18 Sep 2023 17:18:06 +0200 Subject: [PATCH 129/163] updated to 2.3.21(2239134) --- dovecot.spec | 7 +++++-- sources | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 351bc6b..9012161 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -4,9 +4,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.20 +Version: 2.3.21 %global prever %{nil} -Release: 6%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -494,6 +494,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Sep 18 2023 Michal Hlavinka - 1:2.3.21-1 +- updated to 2.3.21(2239134) + * Wed Jul 19 2023 Fedora Release Engineering - 1:2.3.20-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild diff --git a/sources b/sources index affa461..399a48e 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.20.tar.gz) = 20c5a9cacf2c22d99d46400b666206e5b153c35286c205eec5df4d2ce0c88cf29ea15df81716794fd75837f6d67dfa4037096cf4bb66f524877a9a0a6bb282c8 +SHA512 (dovecot-2.3.21.tar.gz) = 2d463c38639c3fd3d617ee5b1a4e4d0c11362339c4d4d62a5a90164a8b10bc58919545679bbf379139bdb743fdb013033abfddc1fc6401eb8099463cdc2401ca SHA512 (dovecot-2.3-pigeonhole-0.5.21.tar.gz) = 5537444025a474ee1b79919a424e24530695aec639361c531257f25fac286673719d476906d99d47e348deb57baa75419bff7dd284c82d2b751334dedec96314 From be6ae59ea8042f982ce6c886be77663bd5a49dee Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 5 Oct 2023 08:54:11 +0200 Subject: [PATCH 130/163] rebuild for new libsodium --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 9012161..662dd5e 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.21 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -494,6 +494,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Oct 05 2023 Remi Collet - 1:2.3.21-2 +- rebuild for new libsodium + * Mon Sep 18 2023 Michal Hlavinka - 1:2.3.21-1 - updated to 2.3.21(2239134) From 87aba78b82d390aab08295759d6aa27423c0bc4e Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 24 Oct 2023 13:23:03 +0200 Subject: [PATCH 131/163] drop lucene to reduce dependency, use solr for fts instead --- dovecot.spec | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 662dd5e..2f9b6f4 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.21 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -69,15 +69,15 @@ BuildRequires: libsodium-devel BuildRequires: lua-devel %endif BuildRequires: libicu-devel +%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38 BuildRequires: libexttextcat-devel +BuildRequires: clucene-core-devel +%endif BuildRequires: libstemmer-devel BuildRequires: multilib-rpm-config BuildRequires: flex, bison BuildRequires: systemd-devel BuildRequires: systemd-rpm-macros -%if %{?fedora}0 >= 350 -#BuildRequires: glibc-gconv-extra -%endif # gettext-devel is needed for running autoconf because of the # presence of AM_ICONV @@ -93,8 +93,6 @@ Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units -BuildRequires: clucene-core-devel - %global ssldir %{_sysconfdir}/pki/%{name} BuildRequires: libcurl-devel expat-devel @@ -161,7 +159,9 @@ echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude #pushd dovecot-pigeonhole #popd +%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in +%endif # drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes @@ -197,7 +197,13 @@ autoreconf -I . -fiv #required for aarch64 support %if %{?rhel}0 == 0 --with-lua=plugin \ %endif +%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38 --with-lucene \ + --with-exttextcat \ +%else + --without-lucene \ + --without-exttextcat \ +%endif --with-ssl=openssl \ --with-ssldir=%{ssldir} \ --with-solr \ @@ -494,6 +500,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Oct 24 2023 Michal Hlavinka - 1:2.3.21-3 +- drop lucene to reduce dependency, use solr for fts instead + * Thu Oct 05 2023 Remi Collet - 1:2.3.21-2 - rebuild for new libsodium From 3d400774ff844ec32c4ecf95b0a9eb0091137a7c Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 19 Jan 2024 17:29:59 +0000 Subject: [PATCH 132/163] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 2f9b6f4..a0e234c 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.21 %global prever %{nil} -Release: 3%{?dist} +Release: 4%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -500,6 +500,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Fri Jan 19 2024 Fedora Release Engineering - 1:2.3.21-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Tue Oct 24 2023 Michal Hlavinka - 1:2.3.21-3 - drop lucene to reduce dependency, use solr for fts instead From 010a512bd0731e160012a49cd297778485c4b3d8 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 24 Jan 2024 09:46:23 +0000 Subject: [PATCH 133/163] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index a0e234c..43ddfe1 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.21 %global prever %{nil} -Release: 4%{?dist} +Release: 5%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -500,6 +500,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Jan 24 2024 Fedora Release Engineering - 1:2.3.21-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Fri Jan 19 2024 Fedora Release Engineering - 1:2.3.21-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 79a5cb2d9f4b55b50731c9eea2eada66b0dda4fe Mon Sep 17 00:00:00 2001 From: Pete Walter Date: Wed, 31 Jan 2024 19:23:26 +0000 Subject: [PATCH 134/163] Rebuild for ICU 74 --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 43ddfe1..9d747ec 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.21 %global prever %{nil} -Release: 5%{?dist} +Release: 6%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -500,6 +500,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Jan 31 2024 Pete Walter - 1:2.3.21-6 +- Rebuild for ICU 74 + * Wed Jan 24 2024 Fedora Release Engineering - 1:2.3.21-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From cd7e39531b15a322fbb0e92cd854d631b6881d35 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 19 Feb 2024 17:42:39 +0100 Subject: [PATCH 135/163] allow dtpath for plugins --- rpminspect.yaml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 rpminspect.yaml diff --git a/rpminspect.yaml b/rpminspect.yaml new file mode 100644 index 0000000..15a5d00 --- /dev/null +++ b/rpminspect.yaml @@ -0,0 +1,7 @@ +--- +runpath: + allowed_paths: + # dovecot only plugins + - /usr/lib/dovecot/old-stats + - /usr/lib64/dovecot/old-stats + From cf9c7c9c6b756ee48c32ab358cafcab1032b37a5 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 26 Mar 2024 22:20:59 +0100 Subject: [PATCH 136/163] drop i686 build as per https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval --- dovecot.spec | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 9d747ec..09a9e2f 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.21 %global prever %{nil} -Release: 6%{?dist} +Release: 7%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -98,6 +98,11 @@ Requires(postun): systemd-units BuildRequires: libcurl-devel expat-devel BuildRequires: make +%if 0%{?fedora} > 39 +# as per https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval +ExcludeArch: %{ix86} +%endif + %global restart_flag /run/%{name}/%{name}-restart-after-rpm-install %description @@ -500,6 +505,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Mar 26 2024 Michal Hlavinka - 1:2.3.21-7 +- drop i686 build as per https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval + * Wed Jan 31 2024 Pete Walter - 1:2.3.21-6 - Rebuild for ICU 74 From f3cea215ee06d57897f264ec79f8f8696785a4f5 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 18 Jun 2024 16:15:36 +0200 Subject: [PATCH 137/163] fix sieve crash when there are two missing optional scripts --- dovecot-2.0-defaultconfig.patch | 23 ++++++++++----- dovecot-2.3-ph_optglob.patch | 48 ++++++++++++++++++++++++++++++ dovecot-2.3-ph_scriptcmp.patch | 12 ++++++++ dovecot.spec | 52 ++++++++++++++++++--------------- 4 files changed, 104 insertions(+), 31 deletions(-) create mode 100644 dovecot-2.3-ph_optglob.patch create mode 100644 dovecot-2.3-ph_scriptcmp.patch diff --git a/dovecot-2.0-defaultconfig.patch b/dovecot-2.0-defaultconfig.patch index c18dd47..21f00ec 100644 --- a/dovecot-2.0-defaultconfig.patch +++ b/dovecot-2.0-defaultconfig.patch @@ -1,6 +1,15 @@ -diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf ---- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 -+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf 2018-03-01 10:29:38.208368555 +0100 +diff -up dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf +--- dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings 2021-08-06 11:25:51.000000000 +0200 ++++ dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf 2021-10-27 11:13:45.666956339 +0200 +@@ -175,7 +175,7 @@ namespace inbox { + # to make sure that users can't log in as daemons or other system users. + # Note that denying root logins is hardcoded to dovecot binary and can't + # be done even if first_valid_uid is set to 0. +-#first_valid_uid = 500 ++first_valid_uid = 1000 + #last_valid_uid = 0 + + # Valid GID range for users, defaults to non-root/wheel. Users having @@ -322,6 +322,7 @@ protocol !indexer-worker { # them simultaneously. #mbox_read_locks = fcntl @@ -9,9 +18,9 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings # Maximum time to wait for lock (all of them) before aborting. #mbox_lock_timeout = 5 mins -diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf ---- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 -+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf 2018-03-01 10:33:54.779499044 +0100 +diff -up dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf +--- dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings 2021-08-06 11:25:51.000000000 +0200 ++++ dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf 2021-10-27 11:13:02.834533975 +0200 @@ -3,7 +3,9 @@ ## @@ -23,7 +32,7 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but -@@ -57,6 +59,7 @@ ssl_key = script), sieve_script_location(included->script), + ((flags & EXT_INCLUDE_FLAG_ONCE) != 0 ? "(once) " : ""), + ((flags & EXT_INCLUDE_FLAG_OPTIONAL) != 0 ? "(optional) " : ""), +- include_id, sieve_binary_block_get_id(included->block)); ++ (included->block == NULL ? "(missing) " : ""), ++ include_id, ++ (included->block == NULL ? -1 : sieve_binary_block_get_id(included->block))); + + return TRUE; + } +diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c +--- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob 2023-09-14 15:18:26.000000000 +0200 ++++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c 2024-06-04 09:10:45.187823805 +0200 +@@ -693,6 +693,25 @@ int ext_include_execute_include(const st + } + + ctx = ext_include_get_interpreter_context(this_ext, renv->interp); ++ if (included->block == NULL) { ++ if ((flags & EXT_INCLUDE_FLAG_OPTIONAL) != 0) { ++ sieve_runtime_trace( ++ renv, SIEVE_TRLVL_NONE, ++ "include: skipped include for script '%s' " ++ "[inc id: %d, block: NULL]; optional and unavailable", ++ sieve_script_name(included->script), ++ include_id); ++ return result; ++ } else { ++ sieve_runtime_trace( ++ renv, SIEVE_TRLVL_NONE, ++ "include: unavailable script '%s' " ++ "[inc id: %d, block: NULL]", ++ sieve_script_name(included->script), ++ include_id); ++ return SIEVE_EXEC_BIN_CORRUPT; ++ } ++ } + block_id = sieve_binary_block_get_id(included->block); + + /* If :once modifier is specified, check for duplicate include */ diff --git a/dovecot-2.3-ph_scriptcmp.patch b/dovecot-2.3-ph_scriptcmp.patch new file mode 100644 index 0000000..2bcaade --- /dev/null +++ b/dovecot-2.3-ph_scriptcmp.patch @@ -0,0 +1,12 @@ +diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c.testfix4 dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c +--- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c.testfix4 2024-06-03 13:35:24.408858593 +0200 ++++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c 2024-06-03 13:35:24.434858849 +0200 +@@ -800,7 +800,7 @@ static bool sieve_file_script_equals + (struct sieve_file_script *)other; + + return ( CMP_DEV_T(fscript->st.st_dev, fother->st.st_dev) && +- fscript->st.st_ino == fother->st.st_ino ); ++ fscript->st.st_ino == fother->st.st_ino && (fscript->st.st_ino != 0 || script->location != NULL && other->location != NULL && strcmp(script->location, other->location) == 0)); + } + + /* diff --git a/dovecot.spec b/dovecot.spec index 09a9e2f..4a60551 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.21 %global prever %{nil} -Release: 7%{?dist} +Release: 8%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -21,6 +21,8 @@ Source10: dovecot.tmpfilesd #our own Source14: dovecot.conf.5 +Source15: prestartscript +Source16: dovecot.sysusers # 3x Fedora/RHEL specific Patch1: dovecot-2.0-defaultconfig.patch @@ -49,8 +51,8 @@ Patch22: dovecot-configure-c99.patch # Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes Patch23: dovecot-2.3.20-nolibotp.patch - -Source15: prestartscript +Patch24: dovecot-2.3-ph_optglob.patch +Patch25: dovecot-2.3-ph_scriptcmp.patch BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig @@ -144,20 +146,22 @@ This package provides the development files for dovecot. # standardize name, so we don't have to update patches and scripts mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole -%patch -P1 -p1 -b .default-settings -%patch -P2 -p1 -b .mkcert-permissions -%patch -P3 -p1 -b .mkcert-paths -%patch -P6 -p1 -b .waitonline -%patch -P8 -p1 -b .initbysystemd -%patch -P9 -p1 -b .systemd_w_protectsystem -%patch -P15 -p1 -b .bigkey -%patch -P16 -p1 -b .opensslhmac -%patch -P17 -p1 -b .fixvalcond -%patch -P18 -p1 -b .valbasherr -%patch -P20 -p1 -b .opensslv3 -%patch -P21 -p1 -b .7bad6a24 -%patch -P22 -p1 -b .c99 -%patch -P23 -p1 -b .nolibotp +%patch -P 1 -p1 -b .default-settings +%patch -P 2 -p1 -b .mkcert-permissions +%patch -P 3 -p1 -b .mkcert-paths +%patch -P 6 -p1 -b .waitonline +%patch -P 8 -p1 -b .initbysystemd +%patch -P 9 -p1 -b .systemd_w_protectsystem +%patch -P 15 -p1 -b .bigkey +%patch -P 16 -p1 -b .opensslhmac +%patch -P 17 -p1 -b .fixvalcond +%patch -P 18 -p1 -b .valbasherr +%patch -P 20 -p1 -b .opensslv3 +%patch -P 21 -p1 -b .7bad6a24 +%patch -P 22 -p1 -b .c99 +%patch -P 23 -p1 -b .nolibotp +%patch -P 24 -p1 -b .ph_optglob +%patch -P 25 -p1 -b .ph_scriptcmp cp run-test-valgrind.supp dovecot-pigeonhole/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude @@ -262,6 +266,8 @@ install -p -D -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_mandir}/man5/dovecot.conf.5 #install waitonline script install -p -D -m 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript +install -p -D -m 0644 %{SOURCE16} $RPM_BUILD_ROOT%{_sysusersdir}/dovecot.sysusers + # generate ghost .pem files mkdir -p $RPM_BUILD_ROOT%{ssldir}/certs mkdir -p $RPM_BUILD_ROOT%{ssldir}/private @@ -299,13 +305,7 @@ popd %pre #dovecot uid and gid are reserved, see /usr/share/doc/setup-*/uidgid -getent group dovecot >/dev/null || groupadd -r --gid 97 dovecot -getent passwd dovecot >/dev/null || \ -useradd -r --uid 97 -g dovecot -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot IMAP server" dovecot - -getent group dovenull >/dev/null || groupadd -r dovenull -getent passwd dovenull >/dev/null || \ -useradd -r -g dovenull -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot's unauthorized user" dovenull +%sysusers_create_compat %{SOURCE16} # do not let dovecot run during upgrade rhbz#134325 if [ "$1" = "2" ]; then @@ -368,6 +368,7 @@ make check %_tmpfilesdir/dovecot.conf +%{_sysusersdir}/dovecot.sysusers %{_unitdir}/dovecot.service %{_unitdir}/dovecot-init.service %{_unitdir}/dovecot.socket @@ -505,6 +506,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Jun 18 2024 Michal Hlavinka - 1:2.3.21-8 +- fix sieve crash when there are two missing optional scripts + * Tue Mar 26 2024 Michal Hlavinka - 1:2.3.21-7 - drop i686 build as per https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval From 363bc31d1b1910e5aba1fac4496d79e8d67e8a3f Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Fri, 5 Jul 2024 11:27:29 -0400 Subject: [PATCH 138/163] Import sysusers file This was missing from the previous commit. --- dovecot.sysusers | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 dovecot.sysusers diff --git a/dovecot.sysusers b/dovecot.sysusers new file mode 100644 index 0000000..c286ee4 --- /dev/null +++ b/dovecot.sysusers @@ -0,0 +1,9 @@ +#Type Name ID GECOS Home directory Shell +g dovecot 97 +u dovecot 97 "Dovecot IMAP server" /usr/libexec/dovecot /sbin/nologin +m dovecot dovecot + +g dovenull - +u dovenull - "Dovecot - unauthorized user" /usr/libexec/dovecot /sbin/nologin +m dovenull dovenull + From 8262f7803f607681105c1b51ad50efad796c6a4e Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Fri, 5 Jul 2024 13:29:03 -0400 Subject: [PATCH 139/163] Fix tests with RPM 4.20 RPM 4.20 added a build-specific path to %_builddir, which resulted in the socket path used in test-imap-client-hibernate to become too long. This upstream commit shortens the socket path: https://github.com/dovecot/core/commit/9a3e0d099044d3a7478c3a24ccb8990181767f7c --- dovecot-2.3.21-test-socket-path.patch | 22 ++++++++++++++++++++++ dovecot.spec | 4 ++++ 2 files changed, 26 insertions(+) create mode 100644 dovecot-2.3.21-test-socket-path.patch diff --git a/dovecot-2.3.21-test-socket-path.patch b/dovecot-2.3.21-test-socket-path.patch new file mode 100644 index 0000000..8132244 --- /dev/null +++ b/dovecot-2.3.21-test-socket-path.patch @@ -0,0 +1,22 @@ +From 9a3e0d099044d3a7478c3a24ccb8990181767f7c Mon Sep 17 00:00:00 2001 +From: Duncan Bellamy +Date: Sat, 6 Mar 2021 14:25:29 +0000 +Subject: [PATCH] imap: Shorten test-imap-client-hibernate socket path length + +--- + src/imap/test-imap-client-hibernate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/imap/test-imap-client-hibernate.c b/src/imap/test-imap-client-hibernate.c +index 9b90e1bd9a..c5392fa3fc 100644 +--- a/src/imap/test-imap-client-hibernate.c ++++ b/src/imap/test-imap-client-hibernate.c +@@ -19,7 +19,7 @@ + + #include + +-#define TEMP_DIRNAME ".test-imap-client-hibernate" ++#define TEMP_DIRNAME ".test-ich" + + #define EVILSTR "\t\r\n\001" + diff --git a/dovecot.spec b/dovecot.spec index 4a60551..72637af 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -54,6 +54,9 @@ Patch23: dovecot-2.3.20-nolibotp.patch Patch24: dovecot-2.3-ph_optglob.patch Patch25: dovecot-2.3-ph_scriptcmp.patch +# imap: Shorten test-imap-client-hibernate socket path length +Patch26: dovecot-2.3.21-test-socket-path.patch + BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: sqlite-devel @@ -162,6 +165,7 @@ mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole %patch -P 23 -p1 -b .nolibotp %patch -P 24 -p1 -b .ph_optglob %patch -P 25 -p1 -b .ph_scriptcmp +%patch -P 26 -p1 -b .test-socket-path cp run-test-valgrind.supp dovecot-pigeonhole/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude From e757cf8512365b4736bbc375384bc7bb59a88707 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Fri, 5 Jul 2024 13:34:28 -0400 Subject: [PATCH 140/163] Do not use deprecated OpenSSL v3 ENGINE API Based on c10s with one addition for lib-dcrypt: https://gitlab.com/redhat/centos-stream/rpms/dovecot/-/commit/3a1bfe8d5daf89ff5c22ad8232fc1202241bd173 --- dovecot-2.3.21-noengine.patch | 201 ++++++++++++++++++++++++++++++++++ dovecot.spec | 5 + 2 files changed, 206 insertions(+) create mode 100644 dovecot-2.3.21-noengine.patch diff --git a/dovecot-2.3.21-noengine.patch b/dovecot-2.3.21-noengine.patch new file mode 100644 index 0000000..c3bb50e --- /dev/null +++ b/dovecot-2.3.21-noengine.patch @@ -0,0 +1,201 @@ +diff -up dovecot-2.3.21/m4/ssl.m4.noengine dovecot-2.3.21/m4/ssl.m4 +--- dovecot-2.3.21/m4/ssl.m4.noengine 2024-05-06 17:39:59.362886891 +0200 ++++ dovecot-2.3.21/m4/ssl.m4 2024-05-06 17:42:17.945312656 +0200 +@@ -233,6 +233,27 @@ AC_DEFUN([DOVECOT_SSL], [ + AC_CHECK_LIB(ssl, ECDSA_SIG_set0, [ + AC_DEFINE(HAVE_ECDSA_SIG_SET0,, [Build with ECDSA_SIG_set0 support]) + ],, $SSL_LIBS) ++ AC_CHECK_LIB(ssl, OSSL_PROVIDER_try_load, [ ++ AC_DEFINE(HAVE_OSSL_PROVIDER_try_load,, [Build with OSSL_PROVIDER_try_load support]) ++ ],, $SSL_LIBS) ++ AC_CHECK_LIB(ssl, OPENSSL_init_ssl, [ ++ AC_DEFINE(HAVE_OPENSSL_init_ssl,, [Build with OPENSSL_init_ssl support]) ++ ],, $SSL_LIBS) ++ AC_CHECK_LIB(ssl, OPENSSL_cleanup, [ ++ AC_DEFINE(HAVE_OPENSSL_cleanup,, [OpenSSL supports OPENSSL_cleanup()]) ++ ],, $SSL_LIBS) ++ AC_CHECK_LIB(ssl, OPENSSL_thread_stop, [ ++ AC_DEFINE(HAVE_OPENSSL_thread_stop,, [OpenSSL supports OPENSSL_thread_stop()]) ++ ],, $SSL_LIBS) ++ AC_CHECK_LIB(ssl, ERR_remove_thread_state, [ ++ AC_DEFINE(HAVE_ERR_remove_thread_state,, [OpenSSL supports ERR_remove_thread_state()]) ++ ],, $SSL_LIBS) ++ AC_CHECK_LIB(ssl, ERR_remove_state, [ ++ AC_DEFINE(HAVE_ERR_remove_state,, [OpenSSL supports ERR_remove_state()]) ++ ],, $SSL_LIBS) ++ AC_CHECK_LIB(ssl, ENGINE_by_id_DISABLED, [ ++ AC_DEFINE(HAVE_ENGINE_by_id,, [OpenSSL supports ENGINE_by_id() - !!!EXPLICITELY DISABLED!!! ]) ++ ],, $SSL_LIBS) + AC_CHECK_LIB(ssl, EC_GROUP_order_bits, [ + AC_DEFINE(HAVE_EC_GROUP_order_bits,, [Build with EC_GROUP_order_bits support]) + ],, $SSL_LIBS) +diff --git dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c.noengine dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c +index 1cbe352541..239a981251 100644 +--- dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c.noengine ++++ dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c +@@ -20,7 +20,6 @@ + #include + #include + #include +-#include + #include + #include + #include +diff -up dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c.noengine dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c +--- dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c.noengine 2023-09-14 15:17:46.000000000 +0200 ++++ dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c 2024-05-06 17:39:59.363886901 +0200 +@@ -3,13 +3,23 @@ + #include "lib.h" + #include "randgen.h" + #include "dovecot-openssl-common.h" ++#include "iostream-openssl.h" + + #include +-#include ++#include ++#ifdef HAVE_OSSL_PROVIDER_try_load ++# include ++#else ++# include ++#endif + #include + + static int openssl_init_refcount = 0; +-static ENGINE *dovecot_openssl_engine; ++#ifdef HAVE_OSSL_PROVIDER_try_load ++static OSSL_PROVIDER *dovecot_openssl_engine = NULL; ++#else ++static ENGINE *dovecot_openssl_engine = NULL; ++#endif + + #ifdef HAVE_SSL_NEW_MEM_FUNCS + static void *dovecot_openssl_malloc(size_t size, const char *u0 ATTR_UNUSED, int u1 ATTR_UNUSED) +@@ -17,12 +27,14 @@ static void *dovecot_openssl_malloc(size + static void *dovecot_openssl_malloc(size_t size) + #endif + { ++ if (size == 0) ++ return NULL; + /* this may be performance critical, so don't use + i_malloc() or calloc() */ + void *mem = malloc(size); +- if (mem == NULL) { ++ if (unlikely(mem == NULL)) { + i_fatal_status(FATAL_OUTOFMEM, +- "OpenSSL: malloc(%zu): Out of memory", size); ++ "OpenSSL: malloc(%zu): Out of memory", size); + } + return mem; + } +@@ -33,10 +45,14 @@ static void *dovecot_openssl_realloc(voi + static void *dovecot_openssl_realloc(void *ptr, size_t size) + #endif + { ++ if (size == 0) { ++ free(ptr); ++ return NULL; ++ } + void *mem = realloc(ptr, size); +- if (mem == NULL) { ++ if (unlikely(mem == NULL)) { + i_fatal_status(FATAL_OUTOFMEM, +- "OpenSSL: realloc(%zu): Out of memory", size); ++ "OpenSSL: realloc(%zu): Out of memory", size); + } + return mem; + } +@@ -63,9 +79,13 @@ void dovecot_openssl_common_global_ref(v + /*i_warning("CRYPTO_set_mem_functions() was called too late");*/ + } + ++#ifdef HAVE_OPENSSL_init_ssl ++ OPENSSL_init_ssl(0, NULL); ++#else + SSL_library_init(); + SSL_load_error_strings(); + OpenSSL_add_all_algorithms(); ++#endif + } + + bool dovecot_openssl_common_global_unref(void) +@@ -76,30 +96,35 @@ bool dovecot_openssl_common_global_unref + return TRUE; + + if (dovecot_openssl_engine != NULL) { ++#ifdef HAVE_OSSL_PROVIDER_try_load ++ OSSL_PROVIDER_unload(dovecot_openssl_engine); ++#else + ENGINE_finish(dovecot_openssl_engine); ++#endif + dovecot_openssl_engine = NULL; + } ++#ifdef HAVE_OPENSSL_cleanup ++ OPENSSL_cleanup(); ++#else + /* OBJ_cleanup() is called automatically by EVP_cleanup() in + newer versions. Doesn't hurt to call it anyway. */ + OBJ_cleanup(); +-#ifdef HAVE_SSL_COMP_FREE_COMPRESSION_METHODS ++# if !defined(OPENSSL_NO_COMP) + SSL_COMP_free_compression_methods(); +-#endif ++# endif + ENGINE_cleanup(); + EVP_cleanup(); + CRYPTO_cleanup_all_ex_data(); +-#ifdef HAVE_OPENSSL_AUTO_THREAD_DEINIT ++# ifdef HAVE_OPENSSL_thread_stop + /* no cleanup needed */ +-#elif defined(HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE) ++# elif defined(HAVE_ERR_remove_thread_state) + /* This was marked as deprecated in v1.1. */ + ERR_remove_thread_state(NULL); +-#else ++# elif defined(HAVE_ERR_remove_state) + /* This was deprecated by ERR_remove_thread_state(NULL) in v1.0.0. */ + ERR_remove_state(0); +-#endif ++# endif + ERR_free_strings(); +-#ifdef HAVE_OPENSSL_CLEANUP +- OPENSSL_cleanup(); + #endif + return FALSE; + } +@@ -110,6 +135,7 @@ int dovecot_openssl_common_global_set_en + if (dovecot_openssl_engine != NULL) + return 1; + ++#ifdef HAVE_ENGINE_by_id + ENGINE_load_builtin_engines(); + dovecot_openssl_engine = ENGINE_by_id(engine); + if (dovecot_openssl_engine == NULL) { +@@ -128,5 +154,15 @@ int dovecot_openssl_common_global_set_en + dovecot_openssl_engine = NULL; + return -1; + } ++#elif defined(HAVE_OSSL_PROVIDER_try_load) ++ if ((dovecot_openssl_engine = OSSL_PROVIDER_try_load(NULL, engine, 1)) == NULL) { ++ *error_r = t_strdup_printf("Cannot load '%s': %s", engine, ++ openssl_iostream_error()); ++ return 0; ++ } ++ return 1; ++#else ++ *error_r = t_strdup_printf("Cannot load '%s': No engine/provider support available", engine); ++#endif + return 1; + } +diff -up dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am.noengine dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am +--- dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am.noengine 2023-09-14 15:17:46.000000000 +0200 ++++ dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am 2024-05-06 17:39:59.363886901 +0200 +@@ -5,7 +5,8 @@ NOPLUGIN_LDFLAGS = + AM_CPPFLAGS = \ + -I$(top_srcdir)/src/lib \ + -I$(top_srcdir)/src/lib-test \ +- -DMODULE_DIR=\""$(moduledir)"\" ++ -DMODULE_DIR=\""$(moduledir)"\" \ ++ $(SSL_CFLAGS) + + if BUILD_OPENSSL + module_LTLIBRARIES = libssl_iostream_openssl.la diff --git a/dovecot.spec b/dovecot.spec index 72637af..7bc2fb2 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -57,6 +57,9 @@ Patch25: dovecot-2.3-ph_scriptcmp.patch # imap: Shorten test-imap-client-hibernate socket path length Patch26: dovecot-2.3.21-test-socket-path.patch +# Compile without OpenSSL ENGINE, adapted from 2.4 dovecot, issue #RHEL-33733 +Patch27: dovecot-2.3.21-noengine.patch + BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: sqlite-devel @@ -166,6 +169,7 @@ mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole %patch -P 24 -p1 -b .ph_optglob %patch -P 25 -p1 -b .ph_scriptcmp %patch -P 26 -p1 -b .test-socket-path +%patch -P 27 -p1 -b .noengine cp run-test-valgrind.supp dovecot-pigeonhole/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude @@ -512,6 +516,7 @@ make check %changelog * Tue Jun 18 2024 Michal Hlavinka - 1:2.3.21-8 - fix sieve crash when there are two missing optional scripts +- Do not use deprecated OpenSSL v3 ENGINE API * Tue Mar 26 2024 Michal Hlavinka - 1:2.3.21-7 - drop i686 build as per https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval From 341d1956fc601e2e54d8b01c711b0a506552247d Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Fri, 5 Jul 2024 13:37:08 -0400 Subject: [PATCH 141/163] Drop dependency on libstemmer on RHEL libstemmer is being dropped from RHEL 10; based on c10s: https://gitlab.com/redhat/centos-stream/rpms/dovecot/-/commit/457d2d7eff114504dc895f9db6d976c2f0396cbd --- dovecot.spec | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/dovecot.spec b/dovecot.spec index 7bc2fb2..4133291 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -81,7 +81,9 @@ BuildRequires: libicu-devel BuildRequires: libexttextcat-devel BuildRequires: clucene-core-devel %endif +%if %{?rhel}0 == 0 BuildRequires: libstemmer-devel +%endif BuildRequires: multilib-rpm-config BuildRequires: flex, bison BuildRequires: systemd-devel @@ -212,7 +214,11 @@ autoreconf -I . -fiv #required for aarch64 support --with-libcap \ --with-icu \ %if %{?rhel}0 == 0 + --with-libstemmer \ --with-lua=plugin \ +%else + --without-libstemmer \ + --without-lua \ %endif %if 0%{?rhel} == 0 && 0%{?fedora}0 < 38 --with-lucene \ @@ -517,6 +523,7 @@ make check * Tue Jun 18 2024 Michal Hlavinka - 1:2.3.21-8 - fix sieve crash when there are two missing optional scripts - Do not use deprecated OpenSSL v3 ENGINE API +- Drop dependency on libstemmer on RHEL * Tue Mar 26 2024 Michal Hlavinka - 1:2.3.21-7 - drop i686 build as per https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval From fa1cc5039f457b38f1bb26d0c7f7a762e598f86e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 17 Jul 2024 21:19:55 +0000 Subject: [PATCH 142/163] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 4133291..b2a432d 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.21 %global prever %{nil} -Release: 8%{?dist} +Release: 9%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -520,6 +520,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Jul 17 2024 Fedora Release Engineering - 1:2.3.21-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Tue Jun 18 2024 Michal Hlavinka - 1:2.3.21-8 - fix sieve crash when there are two missing optional scripts - Do not use deprecated OpenSSL v3 ENGINE API From 5abbf370d553db7af43943676c8ac232a6eeab13 Mon Sep 17 00:00:00 2001 From: Gordon Messmer Date: Thu, 1 Aug 2024 11:53:24 -0700 Subject: [PATCH 143/163] Examine the server process GOT for signs of tampering. --- .fmf/version | 1 + plans/main.fmf | 6 +++++ tests/got-audit/got-audit.gdb | 2 ++ tests/got-audit/main.fmf | 10 +++++++++ tests/got-audit/runtest.sh | 41 +++++++++++++++++++++++++++++++++++ tests/main.fmf | 2 ++ 6 files changed, 62 insertions(+) create mode 100644 .fmf/version create mode 100644 plans/main.fmf create mode 100644 tests/got-audit/got-audit.gdb create mode 100644 tests/got-audit/main.fmf create mode 100755 tests/got-audit/runtest.sh create mode 100644 tests/main.fmf diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/.fmf/version @@ -0,0 +1 @@ +1 diff --git a/plans/main.fmf b/plans/main.fmf new file mode 100644 index 0000000..ae0c305 --- /dev/null +++ b/plans/main.fmf @@ -0,0 +1,6 @@ +summary: Run all tests +execute: + how: tmt +discover: + how: fmf + diff --git a/tests/got-audit/got-audit.gdb b/tests/got-audit/got-audit.gdb new file mode 100644 index 0000000..6661297 --- /dev/null +++ b/tests/got-audit/got-audit.gdb @@ -0,0 +1,2 @@ +gef config gef.disable_color True +got-audit --all diff --git a/tests/got-audit/main.fmf b/tests/got-audit/main.fmf new file mode 100644 index 0000000..a90b249 --- /dev/null +++ b/tests/got-audit/main.fmf @@ -0,0 +1,10 @@ +summary: Audit the GOT for signs of tampering +description: | + Pointers in the server process GOT will be checked to ensure that + each function pointer's value is within a shared object file + that exports a symbol of that name, and that no shared object + files export conflicting symbols. +contact: Gordon Messmer +require+: + - gdb-gef # needed to test got-audit + diff --git a/tests/got-audit/runtest.sh b/tests/got-audit/runtest.sh new file mode 100755 index 0000000..0c98471 --- /dev/null +++ b/tests/got-audit/runtest.sh @@ -0,0 +1,41 @@ +#!/bin/bash +# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/dovecot/Sanity/got-audit +# Description: Check pointers in the server process GOT for signs of tampering +# Author: Gordon Messmer +# + +# Include Beaker environment +. /usr/share/beakerlib/beakerlib.sh || exit 1 + +rlJournalStart + rlPhaseStartSetup + rlServiceStart dovecot + rlRun "TestDir=\$(pwd)" + rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlRun "auditfile=\$(mktemp --tmpdir=${TmpDir})" + rlPhaseEnd + + rlPhaseStartTest "Run GEF got-audit" + rlRun "SERVICE_PID=\$( systemctl show --property=MainPID dovecot.service | cut -f2 -d= )" + rlRun "echo SERVICE_PID is '$SERVICE_PID'" + [ -n "$SERVICE_PID" ] || rlFail "No service pid was found" + rlRun "gdb-gef --pid '$SERVICE_PID' --command='$TestDir'/got-audit.gdb --batch > '$auditfile'" + # Basic test: ensure that at least one symbol is found in libc.so, + # to verify that the report looks plausible. + rlAssertGrep " : /.*/libc.so" "$auditfile" + # Ensure the got-audit did not report any errors + rlAssertNotGrep " :: ERROR" "$auditfile" + rlRun "cp '$auditfile' '$TMT_TEST_DATA'/got-audit.txt" + rlPhaseEnd + + rlPhaseStartCleanup + rlServiceRestore dovecot + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + rlPhaseEnd +rlJournalPrintText +rlJournalEnd diff --git a/tests/main.fmf b/tests/main.fmf new file mode 100644 index 0000000..f225a72 --- /dev/null +++ b/tests/main.fmf @@ -0,0 +1,2 @@ +test: ./runtest.sh +framework: beakerlib From 6f7ee4008d5c89c19de6520d72491c3d69c6538e Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 19 Aug 2024 14:15:04 +0200 Subject: [PATCH 144/163] updated to 2.3.21.1(2304907) --- dovecot.spec | 7 +++++-- sources | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index b2a432d..89f7fc5 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -4,9 +4,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.21 +Version: 2.3.21.1 %global prever %{nil} -Release: 9%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -520,6 +520,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Aug 19 2024 Michal Hlavinka - 1:2.3.21.1-1 +- updated to 2.3.21.1(2304907) + * Wed Jul 17 2024 Fedora Release Engineering - 1:2.3.21-9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild diff --git a/sources b/sources index 399a48e..794598b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.21.tar.gz) = 2d463c38639c3fd3d617ee5b1a4e4d0c11362339c4d4d62a5a90164a8b10bc58919545679bbf379139bdb743fdb013033abfddc1fc6401eb8099463cdc2401ca +SHA512 (dovecot-2.3.21.1.tar.gz) = 9de6ce3a579ef2040248b692874a6d64a732bb735a9cee3144604927cad49690c4b0e29f7ecf3af23190d56f30956d955d13acd5d352534df62fbdfde4b60f9f SHA512 (dovecot-2.3-pigeonhole-0.5.21.tar.gz) = 5537444025a474ee1b79919a424e24530695aec639361c531257f25fac286673719d476906d99d47e348deb57baa75419bff7dd284c82d2b751334dedec96314 From 209b81316bbbf49d07202abbab688f981a02d88c Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 2 Oct 2024 13:28:08 +0200 Subject: [PATCH 145/163] pigeonhole updated to 0.5.21.1 --- dovecot.spec | 7 +++++-- sources | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 89f7fc5..43e0724 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.21.1 %global prever %{nil} -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -14,7 +14,7 @@ URL: https://www.dovecot.org/ Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.21 +%global pigeonholever 0.5.21.1 Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -520,6 +520,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Oct 02 2024 Michal Hlavinka - 1:2.3.21.1-2 +- pigeonhole updated to 0.5.21.1 + * Mon Aug 19 2024 Michal Hlavinka - 1:2.3.21.1-1 - updated to 2.3.21.1(2304907) diff --git a/sources b/sources index 794598b..a62fbdb 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (dovecot-2.3.21.1.tar.gz) = 9de6ce3a579ef2040248b692874a6d64a732bb735a9cee3144604927cad49690c4b0e29f7ecf3af23190d56f30956d955d13acd5d352534df62fbdfde4b60f9f -SHA512 (dovecot-2.3-pigeonhole-0.5.21.tar.gz) = 5537444025a474ee1b79919a424e24530695aec639361c531257f25fac286673719d476906d99d47e348deb57baa75419bff7dd284c82d2b751334dedec96314 +SHA512 (dovecot-2.3-pigeonhole-0.5.21.1.tar.gz) = 7387b417611599fe70d1a83d3b408321e66f5a883bf78a9d55c7496b1a17220677daebaefde2061e0d7064fe07c410ecfc64662878bb253ddcd9e128dd83fbaa From 3df7c90635ed3969564fc622d511d347d69aec17 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 16 Jan 2025 16:10:22 +0000 Subject: [PATCH 146/163] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 43e0724..9c6b883 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.21.1 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -520,6 +520,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Jan 16 2025 Fedora Release Engineering - 1:2.3.21.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Wed Oct 02 2024 Michal Hlavinka - 1:2.3.21.1-2 - pigeonhole updated to 0.5.21.1 From 4c5334294744b552c6c5b4fc023f71fa35273e00 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 29 Jan 2025 11:06:17 +0100 Subject: [PATCH 147/163] fix ftbfs fix ftbfs fix ftbfs fix ftbfs fix ftbfs --- dovecot-2.3.21.1-fixicu.patch | 13 +++++++++++++ dovecot.spec | 7 ++++++- 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.3.21.1-fixicu.patch diff --git a/dovecot-2.3.21.1-fixicu.patch b/dovecot-2.3.21.1-fixicu.patch new file mode 100644 index 0000000..19f0658 --- /dev/null +++ b/dovecot-2.3.21.1-fixicu.patch @@ -0,0 +1,13 @@ +diff -up dovecot-2.3.20/m4/want_icu.m4.fixicu dovecot-2.3.20/m4/want_icu.m4 +--- dovecot-2.3.20/m4/want_icu.m4.fixicu 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/m4/want_icu.m4 2025-01-29 10:47:25.765768562 +0100 +@@ -1,7 +1,7 @@ + AC_DEFUN([DOVECOT_WANT_ICU], [ + if test "$want_icu" != "no"; then +- if test "$PKG_CONFIG" != "" && $PKG_CONFIG --exists icu-i18n 2>/dev/null; then +- PKG_CHECK_MODULES(LIBICU, icu-i18n) ++ if test "$PKG_CONFIG" != "" && $PKG_CONFIG --exists icu-i18n icu-uc 2>/dev/null; then ++ PKG_CHECK_MODULES(LIBICU, icu-i18n icu-uc) + have_icu=yes + AC_DEFINE(HAVE_LIBICU,, [Define if you want ICU normalization support for FTS]) + elif test "$want_icu" = "yes"; then diff --git a/dovecot.spec b/dovecot.spec index 9c6b883..fb794a0 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.21.1 %global prever %{nil} -Release: 3%{?dist} +Release: 4%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -59,6 +59,7 @@ Patch26: dovecot-2.3.21-test-socket-path.patch # Compile without OpenSSL ENGINE, adapted from 2.4 dovecot, issue #RHEL-33733 Patch27: dovecot-2.3.21-noengine.patch +Patch28: dovecot-2.3.21.1-fixicu.patch BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig @@ -172,6 +173,7 @@ mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole %patch -P 25 -p1 -b .ph_scriptcmp %patch -P 26 -p1 -b .test-socket-path %patch -P 27 -p1 -b .noengine +%patch -P 28 -p1 -b .fixicu cp run-test-valgrind.supp dovecot-pigeonhole/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude @@ -520,6 +522,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Jan 29 2025 Michal Hlavinka - 1:2.3.21.1-4 +- fix ftbfs + * Thu Jan 16 2025 Fedora Release Engineering - 1:2.3.21.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From b2ca856c570be1eeed7f1a98939b111eecc7664c Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 29 Jan 2025 11:27:22 +0100 Subject: [PATCH 148/163] fix failing test --- dovecot-2.3.21.1-fixtestdatastack.patch | 16 ++++++++++++++++ dovecot.spec | 4 ++++ 2 files changed, 20 insertions(+) create mode 100644 dovecot-2.3.21.1-fixtestdatastack.patch diff --git a/dovecot-2.3.21.1-fixtestdatastack.patch b/dovecot-2.3.21.1-fixtestdatastack.patch new file mode 100644 index 0000000..dc7bac8 --- /dev/null +++ b/dovecot-2.3.21.1-fixtestdatastack.patch @@ -0,0 +1,16 @@ +diff --git a/src/lib/test-data-stack.c b/src/lib/test-data-stack.c +index 3c33597685..03f97b4a50 100644 +--- a/src/lib/test-data-stack.c ++++ b/src/lib/test-data-stack.c +@@ -98,9 +98,9 @@ static void test_ds_get_bytes_available(void) + if (i > 0) + t_malloc_no0(i); + avail1 = t_get_bytes_available(); +- t_malloc_no0(avail1); ++ (void)t_malloc_no0(avail1); + test_assert_idx(t_get_bytes_available() == 0, i); +- t_malloc_no0(1); ++ (void)t_malloc_no0(1); + test_assert_idx(t_get_bytes_available() > 0, i); + } T_END; + T_BEGIN { diff --git a/dovecot.spec b/dovecot.spec index fb794a0..3da99a7 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -61,6 +61,9 @@ Patch26: dovecot-2.3.21-test-socket-path.patch Patch27: dovecot-2.3.21-noengine.patch Patch28: dovecot-2.3.21.1-fixicu.patch +# from upstream, for <= 2.3.21.1 +Patch29: dovecot-2.3.21.1-fixtestdatastack.patch + BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: sqlite-devel @@ -174,6 +177,7 @@ mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole %patch -P 26 -p1 -b .test-socket-path %patch -P 27 -p1 -b .noengine %patch -P 28 -p1 -b .fixicu +%patch -P 29 -p1 -b .fixtestdatastack cp run-test-valgrind.supp dovecot-pigeonhole/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude From 87cbd4abfcc3cbb0b9314f847344d69d8a82a245 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 29 Jan 2025 12:39:49 +0100 Subject: [PATCH 149/163] more fixes needed --- dovecot-2.3.21.1-fixtestdatastack.patch | 8 ++++++++ dovecot.spec | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/dovecot-2.3.21.1-fixtestdatastack.patch b/dovecot-2.3.21.1-fixtestdatastack.patch index dc7bac8..7a02167 100644 --- a/dovecot-2.3.21.1-fixtestdatastack.patch +++ b/dovecot-2.3.21.1-fixtestdatastack.patch @@ -14,3 +14,11 @@ index 3c33597685..03f97b4a50 100644 test_assert_idx(t_get_bytes_available() > 0, i); } T_END; T_BEGIN { +@@ -188,7 +188,6 @@ static void test_ds_buffers(void) + void *b = t_buffer_get(1000); + void *a = t_malloc_no0(1); + void *b2 = t_buffer_get(1001); +- test_assert(a == b); /* expected, not guaranteed */ + test_assert(b2 != b); + } T_END; + test_end(); diff --git a/dovecot.spec b/dovecot.spec index 3da99a7..4bce7c3 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -61,7 +61,7 @@ Patch26: dovecot-2.3.21-test-socket-path.patch Patch27: dovecot-2.3.21-noengine.patch Patch28: dovecot-2.3.21.1-fixicu.patch -# from upstream, for <= 2.3.21.1 +# from upstream PR#229, for < 2.4 Patch29: dovecot-2.3.21.1-fixtestdatastack.patch BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel From 3addd9914fc93da19f8b7a8ff567fd3d961a596b Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 5 Feb 2025 13:00:03 +0100 Subject: [PATCH 150/163] fix sysusers config file name --- dovecot.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index 4bce7c3..cd44759 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.21.1 %global prever %{nil} -Release: 4%{?dist} +Release: 5%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -286,7 +286,7 @@ install -p -D -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_mandir}/man5/dovecot.conf.5 #install waitonline script install -p -D -m 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript -install -p -D -m 0644 %{SOURCE16} $RPM_BUILD_ROOT%{_sysusersdir}/dovecot.sysusers +install -p -D -m 0644 %{SOURCE16} $RPM_BUILD_ROOT%{_sysusersdir}/dovecot.conf # generate ghost .pem files mkdir -p $RPM_BUILD_ROOT%{ssldir}/certs @@ -388,7 +388,7 @@ make check %_tmpfilesdir/dovecot.conf -%{_sysusersdir}/dovecot.sysusers +%{_sysusersdir}/dovecot.conf %{_unitdir}/dovecot.service %{_unitdir}/dovecot-init.service %{_unitdir}/dovecot.socket @@ -526,6 +526,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Feb 05 2025 Michal Hlavinka - 1:2.3.21.1-5 +- fix sysusers config file name + * Wed Jan 29 2025 Michal Hlavinka - 1:2.3.21.1-4 - fix ftbfs From 185ca6506af62223398098e1905752468bfb8ba1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 11 Feb 2025 17:03:17 +0100 Subject: [PATCH 151/163] Drop call to %sysusers_create_compat After https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers, rpm will handle account creation automatically. --- dovecot.spec | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/dovecot.spec b/dovecot.spec index cd44759..a48827d 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.21.1 %global prever %{nil} -Release: 5%{?dist} +Release: 6%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -101,7 +101,6 @@ BuildRequires: gettext-devel Requires: openssl >= 0.9.7f-4 # Package includes an initscript service file, needs to require initscripts package -Requires(pre): shadow-utils Requires: systemd Requires(post): systemd-units Requires(preun): systemd-units @@ -324,9 +323,6 @@ popd %pre -#dovecot uid and gid are reserved, see /usr/share/doc/setup-*/uidgid -%sysusers_create_compat %{SOURCE16} - # do not let dovecot run during upgrade rhbz#134325 if [ "$1" = "2" ]; then rm -f %restart_flag @@ -526,6 +522,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Feb 11 2025 Zbigniew Jędrzejewski-Szmek - 1:2.3.21.1-6 +- Drop call to %sysusers_create_compat + * Wed Feb 05 2025 Michal Hlavinka - 1:2.3.21.1-5 - fix sysusers config file name From 307379e46319db47b6d583eea0426d9ecfc63fea Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 5 Jun 2025 17:02:02 +0200 Subject: [PATCH 152/163] update to new major version 2.4 and trim changelog --- dovecot-2.0-defaultconfig.patch | 118 +- dovecot-2.1.10-waitonline.patch | 8 +- dovecot-2.2.20-initbysystemd.patch | 34 +- dovecot-2.3-ph_optglob.patch | 30 +- dovecot-2.3.0.1-libxcrypt.patch | 11 - dovecot-2.3.14-opensslv3.patch | 34 - dovecot-2.3.15-fixvalcond.patch | 20 +- dovecot-2.3.19.1-7bad6a24.patch | 131 - dovecot-2.3.21-noengine.patch | 201 -- dovecot-2.3.21-test-socket-path.patch | 22 - dovecot-2.3.21.1-fixtestdatastack.patch | 24 - ....patch => dovecot-2.4.1-opensslhmac3.patch | 559 +++-- dovecot-configure-c99.patch | 25 - dovecot.spec | 2195 +---------------- sources | 4 +- 15 files changed, 559 insertions(+), 2857 deletions(-) delete mode 100644 dovecot-2.3.0.1-libxcrypt.patch delete mode 100644 dovecot-2.3.14-opensslv3.patch delete mode 100644 dovecot-2.3.19.1-7bad6a24.patch delete mode 100644 dovecot-2.3.21-noengine.patch delete mode 100644 dovecot-2.3.21-test-socket-path.patch delete mode 100644 dovecot-2.3.21.1-fixtestdatastack.patch rename dovecot-2.3.6-opensslhmac.patch => dovecot-2.4.1-opensslhmac3.patch (59%) delete mode 100644 dovecot-configure-c99.patch diff --git a/dovecot-2.0-defaultconfig.patch b/dovecot-2.0-defaultconfig.patch index 21f00ec..1fcc276 100644 --- a/dovecot-2.0-defaultconfig.patch +++ b/dovecot-2.0-defaultconfig.patch @@ -1,42 +1,88 @@ -diff -up dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf ---- dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings 2021-08-06 11:25:51.000000000 +0200 -+++ dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf 2021-10-27 11:13:45.666956339 +0200 -@@ -175,7 +175,7 @@ namespace inbox { - # to make sure that users can't log in as daemons or other system users. - # Note that denying root logins is hardcoded to dovecot binary and can't - # be done even if first_valid_uid is set to 0. --#first_valid_uid = 500 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in.default-settings dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in +--- dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in.default-settings 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in 2025-06-03 16:50:19.632050332 +0200 +@@ -24,16 +24,13 @@ protocols { + lmtp = yes + } + +-mail_home = /srv/mail/%{user} +-mail_driver = sdbox ++mail_home = /home/%{user} ++mail_driver = maildir + mail_path = ~/mail + +-mail_uid = vmail +-mail_gid = vmail +- +-# By default first_valid_uid is 500. If your vmail user's UID is smaller, ++# By default first_valid_uid is 1000. If your vmail user's UID is smaller, + # you need to modify this: +-#first_valid_uid = uid-number-of-vmail-user +first_valid_uid = 1000 - #last_valid_uid = 0 - # Valid GID range for users, defaults to non-root/wheel. Users having -@@ -322,6 +322,7 @@ protocol !indexer-worker { - # them simultaneously. - #mbox_read_locks = fcntl - #mbox_write_locks = dotlock fcntl -+mbox_write_locks = fcntl + namespace inbox { + inbox = yes +@@ -44,7 +41,13 @@ namespace inbox { + passdb pam { + } - # Maximum time to wait for lock (all of them) before aborting. - #mbox_lock_timeout = 5 mins -diff -up dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf ---- dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings 2021-08-06 11:25:51.000000000 +0200 -+++ dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf 2021-10-27 11:13:02.834533975 +0200 -@@ -3,7 +3,9 @@ - ## - - # SSL/TLS support: yes, no, required. --#ssl = yes -+# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps -+# plain imap and pop3 are still allowed for local connections ++userdb passwd { ++} ++ +ssl = required - - # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before - # dropping root privileges, so keep the key file unreadable by anyone but -@@ -64,6 +66,7 @@ ssl_key = &1;\ +fi' + -diff -up dovecot-2.3.15/dovecot.service.in.initbysystemd dovecot-2.3.15/dovecot.service.in ---- dovecot-2.3.15/dovecot.service.in.initbysystemd 2021-06-21 20:21:49.250680889 +0200 -+++ dovecot-2.3.15/dovecot.service.in 2021-06-21 20:22:46.935981920 +0200 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot.service.in.initbysystemd dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot.service.in +--- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot.service.in.initbysystemd 2025-06-02 23:32:10.685195261 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot.service.in 2025-06-02 23:34:03.123174934 +0200 @@ -11,7 +11,8 @@ Description=Dovecot IMAP/POP3 email server Documentation=man:dovecot(1) Documentation=https://doc.dovecot.org/ --After=local-fs.target network-online.target -+After=local-fs.target network-online.target dovecot-init.service +-After=local-fs.target network-online.target remote-fs.target time-sync.target ++After=local-fs.target network-online.target remote-fs.target time-sync.target dovecot-init.service +Requires=dovecot-init.service Wants=network-online.target [Service] -diff -up dovecot-2.3.15/Makefile.am.initbysystemd dovecot-2.3.15/Makefile.am ---- dovecot-2.3.15/Makefile.am.initbysystemd 2021-06-21 20:21:49.250680889 +0200 -+++ dovecot-2.3.15/Makefile.am 2021-06-21 20:24:26.676765849 +0200 -@@ -21,6 +21,7 @@ EXTRA_DIST = \ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/Makefile.am.initbysystemd dovecot-2.4.1-build/dovecot-2.4.1-4/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/Makefile.am.initbysystemd 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/Makefile.am 2025-06-02 23:33:22.221675050 +0200 +@@ -19,6 +19,7 @@ EXTRA_DIST = \ + update-version.sh \ run-test-valgrind.supp \ dovecot.service.in \ - dovecot.socket \ + dovecot-init.service \ - $(conf_DATA) - - noinst_DATA = dovecot-config -@@ -69,7 +70,8 @@ dovecot-config: dovecot-config.in Makefi + dovecot.socket \ + version \ + build-aux/git-abi-version-gen \ +@@ -67,7 +68,8 @@ dovecot-config: dovecot-config.in Makefi if WANT_SYSTEMD systemdsystemunit_DATA = \ dovecot.socket \ diff --git a/dovecot-2.3-ph_optglob.patch b/dovecot-2.3-ph_optglob.patch index d31527c..55bf77a 100644 --- a/dovecot-2.3-ph_optglob.patch +++ b/dovecot-2.3-ph_optglob.patch @@ -1,26 +1,26 @@ -diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c.ph_optglob dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c ---- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c.ph_optglob 2024-06-04 09:11:28.514189662 +0200 -+++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c 2024-06-04 09:18:23.219809778 +0200 -@@ -368,11 +368,13 @@ static bool opc_include_dump - return FALSE; +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c.ph_optglob dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c.ph_optglob 2025-06-03 23:43:09.773363279 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c 2025-06-03 23:47:49.234931325 +0200 +@@ -361,11 +361,13 @@ static bool opc_include_dump(const struc sieve_code_descend(denv); -- sieve_code_dumpf(denv, "script: `%s' from %s %s%s[ID: %d, BLOCK: %d]", -+ sieve_code_dumpf(denv, "script: `%s' from %s %s%s%s[ID: %d, BLOCK: %d]", - sieve_script_name(included->script), sieve_script_location(included->script), - ((flags & EXT_INCLUDE_FLAG_ONCE) != 0 ? "(once) " : ""), + sieve_code_dumpf( +- denv, "script: '%s' %s%s[ID: %d, BLOCK: %d]", ++ denv, "script: '%s' %s%s%s[ID: %d, BLOCK: %d]", + sieve_script_label(included->script), + ((flags & EXT_INCLUDE_FLAG_ONCE) != 0 ? "(once) " : ""), ((flags & EXT_INCLUDE_FLAG_OPTIONAL) != 0 ? "(optional) " : ""), - include_id, sieve_binary_block_get_id(included->block)); -+ (included->block == NULL ? "(missing) " : ""), -+ include_id, ++ (included->block == NULL ? "(missing) " : ""), ++ include_id, + (included->block == NULL ? -1 : sieve_binary_block_get_id(included->block))); return TRUE; } -diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c ---- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob 2023-09-14 15:18:26.000000000 +0200 -+++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c 2024-06-04 09:10:45.187823805 +0200 -@@ -693,6 +693,25 @@ int ext_include_execute_include(const st +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob 2025-01-24 08:09:43.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c 2025-06-03 23:43:09.773531445 +0200 +@@ -715,6 +715,25 @@ int ext_include_execute_include(const st } ctx = ext_include_get_interpreter_context(this_ext, renv->interp); diff --git a/dovecot-2.3.0.1-libxcrypt.patch b/dovecot-2.3.0.1-libxcrypt.patch deleted file mode 100644 index a8c33bf..0000000 --- a/dovecot-2.3.0.1-libxcrypt.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt dovecot-2.3.0.1/src/auth/mycrypt.c ---- dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt 2018-02-28 15:28:58.000000000 +0100 -+++ dovecot-2.3.0.1/src/auth/mycrypt.c 2018-03-27 10:57:38.447769201 +0200 -@@ -14,6 +14,7 @@ - # define _XPG6 /* Some Solaris versions require this, some break with this */ - #endif - #include -+#include - - #include "mycrypt.h" - diff --git a/dovecot-2.3.14-opensslv3.patch b/dovecot-2.3.14-opensslv3.patch deleted file mode 100644 index fa6c44f..0000000 --- a/dovecot-2.3.14-opensslv3.patch +++ /dev/null @@ -1,34 +0,0 @@ -diff -up dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c ---- dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 2021-06-03 18:56:52.573174433 +0200 -+++ dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c 2021-06-03 18:56:52.585174274 +0200 -@@ -73,10 +73,30 @@ - 2key algo oid1symmetric algo namesalthash algoroundsE(RSA = i2d_PrivateKey, EC=Private Point)key id - **/ - -+#if OPENSSL_VERSION_MAJOR == 3 -+static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key) -+{ -+ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key); -+ EVP_PKEY_set1_EC_KEY(key, eck); -+ EC_KEY_free(eck); -+ return eck; -+} -+ -+static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key) -+{ -+ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key); -+ EVP_PKEY_set1_EC_KEY(key, eck); -+ return eck; -+} -+ -+#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3 -+#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3 -+#else - #ifndef HAVE_EVP_PKEY_get0 - #define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec - #define EVP_PKEY_get0_RSA(x) x->pkey.rsa - #endif -+#endif - - #ifndef HAVE_OBJ_LENGTH - #define OBJ_length(o) ((o)->length) diff --git a/dovecot-2.3.15-fixvalcond.patch b/dovecot-2.3.15-fixvalcond.patch index a064c26..4ef5447 100644 --- a/dovecot-2.3.15-fixvalcond.patch +++ b/dovecot-2.3.15-fixvalcond.patch @@ -1,19 +1,19 @@ -diff -up dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c ---- dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100 -+++ dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100 -@@ -114,7 +114,7 @@ static int sieve_dict_script_get_stream - (struct sieve_dict_script *)script; +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2025-06-02 23:36:21.897399891 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c 2025-06-02 23:38:13.748569461 +0200 +@@ -102,7 +102,7 @@ sieve_dict_script_get_stream(struct siev + container_of(script, struct sieve_dict_script, script); struct sieve_dict_storage *dstorage = - (struct sieve_dict_storage *)script->storage; + container_of(storage, struct sieve_dict_storage, storage); - const char *path, *name = script->name, *data, *error; + const char *path, *name = script->name, *data, *error = NULL; int ret; dscript->data_pool = -diff -up dovecot-2.3.17/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.17/src/lib-storage/index/index-attribute.c ---- dovecot-2.3.17/src/lib-storage/index/index-attribute.c.fixvalcond 2021-10-27 13:09:04.000000000 +0200 -+++ dovecot-2.3.17/src/lib-storage/index/index-attribute.c 2021-11-02 21:51:36.109032050 +0100 -@@ -248,7 +248,7 @@ int index_storage_attribute_get(struct m +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-storage/index/index-attribute.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-storage/index/index-attribute.c.fixvalcond 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-storage/index/index-attribute.c 2025-06-02 23:36:21.897571934 +0200 +@@ -250,7 +250,7 @@ int index_storage_attribute_get(struct m struct mail_attribute_value *value_r) { struct dict *dict; diff --git a/dovecot-2.3.19.1-7bad6a24.patch b/dovecot-2.3.19.1-7bad6a24.patch deleted file mode 100644 index c980dde..0000000 --- a/dovecot-2.3.19.1-7bad6a24.patch +++ /dev/null @@ -1,131 +0,0 @@ -From 7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904 Mon Sep 17 00:00:00 2001 -From: Timo Sirainen -Date: Mon, 9 May 2022 15:23:33 +0300 -Subject: [PATCH] auth: Fix handling passdbs with identical driver/args but - different mechanisms/username_filter - -The passdb was wrongly deduplicated in this situation, causing wrong -mechanisms or username_filter setting to be used. This would be a rather -unlikely configuration though. - -Fixed by moving mechanisms and username_filter from struct passdb_module -to struct auth_passdb, which is where they should have been in the first -place. ---- - src/auth/auth-request.c | 6 +++--- - src/auth/auth.c | 18 ++++++++++++++++++ - src/auth/auth.h | 5 +++++ - src/auth/passdb.c | 15 ++------------- - src/auth/passdb.h | 4 ---- - 5 files changed, 28 insertions(+), 20 deletions(-) - -diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c -index cd08b1fa02..0ca29f3674 100644 ---- a/src/auth/auth-request.c -+++ b/src/auth/auth-request.c -@@ -534,8 +534,8 @@ auth_request_want_skip_passdb(struct auth_request *request, - struct auth_passdb *passdb) - { - /* if mechanism is not supported, skip */ -- const char *const *mechs = passdb->passdb->mechanisms; -- const char *const *username_filter = passdb->passdb->username_filter; -+ const char *const *mechs = passdb->mechanisms; -+ const char *const *username_filter = passdb->username_filter; - const char *username; - - username = request->fields.user; -@@ -548,7 +548,7 @@ auth_request_want_skip_passdb(struct auth_request *request, - return TRUE; - } - -- if (passdb->passdb->username_filter != NULL && -+ if (passdb->username_filter != NULL && - !auth_request_username_accepted(username_filter, username)) { - auth_request_log_debug(request, - request->mech != NULL ? AUTH_SUBSYS_MECH -diff --git a/src/auth/auth.c b/src/auth/auth.c -index f2f3fda20c..9f6c4ba60c 100644 ---- a/src/auth/auth.c -+++ b/src/auth/auth.c -@@ -99,6 +99,24 @@ auth_passdb_preinit(struct auth *auth, const struct auth_passdb_settings *set, - auth_passdb->override_fields_tmpl = - passdb_template_build(auth->pool, set->override_fields); - -+ if (*set->mechanisms == '\0') { -+ auth_passdb->mechanisms = NULL; -+ } else if (strcasecmp(set->mechanisms, "none") == 0) { -+ auth_passdb->mechanisms = (const char *const[]){ NULL }; -+ } else { -+ auth_passdb->mechanisms = -+ (const char *const *)p_strsplit_spaces(auth->pool, -+ set->mechanisms, " ,"); -+ } -+ -+ if (*set->username_filter == '\0') { -+ auth_passdb->username_filter = NULL; -+ } else { -+ auth_passdb->username_filter = -+ (const char *const *)p_strsplit_spaces(auth->pool, -+ set->username_filter, " ,"); -+ } -+ - /* for backwards compatibility: */ - if (set->pass) - auth_passdb->result_success = AUTH_DB_RULE_CONTINUE; -diff --git a/src/auth/auth.h b/src/auth/auth.h -index f700e29d5c..460a179765 100644 ---- a/src/auth/auth.h -+++ b/src/auth/auth.h -@@ -41,6 +41,11 @@ struct auth_passdb { - struct passdb_template *default_fields_tmpl; - struct passdb_template *override_fields_tmpl; - -+ /* Supported authentication mechanisms, NULL is all, {NULL} is none */ -+ const char *const *mechanisms; -+ /* Username filter, NULL is no filter */ -+ const char *const *username_filter; -+ - enum auth_passdb_skip skip; - enum auth_db_rule result_success; - enum auth_db_rule result_failure; -diff --git a/src/auth/passdb.c b/src/auth/passdb.c -index eb4ac8ae82..f5eed1af4f 100644 ---- a/src/auth/passdb.c -+++ b/src/auth/passdb.c -@@ -224,19 +224,8 @@ passdb_preinit(pool_t pool, const struct auth_passdb_settings *set) - passdb->id = ++auth_passdb_id; - passdb->iface = *iface; - passdb->args = p_strdup(pool, set->args); -- if (*set->mechanisms == '\0') { -- passdb->mechanisms = NULL; -- } else if (strcasecmp(set->mechanisms, "none") == 0) { -- passdb->mechanisms = (const char *const[]){NULL}; -- } else { -- passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,"); -- } -- -- if (*set->username_filter == '\0') { -- passdb->username_filter = NULL; -- } else { -- passdb->username_filter = (const char* const*)p_strsplit_spaces(pool, set->username_filter, " ,"); -- } -+ /* NOTE: if anything else than driver & args are added here, -+ passdb_find() also needs to be updated. */ - array_push_back(&passdb_modules, &passdb); - return passdb; - } -diff --git a/src/auth/passdb.h b/src/auth/passdb.h -index 2e95328e5c..e466a9fdb6 100644 ---- a/src/auth/passdb.h -+++ b/src/auth/passdb.h -@@ -63,10 +63,6 @@ struct passdb_module { - /* Default password scheme for this module. - If default_cache_key is set, must not be NULL. */ - const char *default_pass_scheme; -- /* Supported authentication mechanisms, NULL is all, [NULL] is none*/ -- const char *const *mechanisms; -- /* Username filter, NULL is no filter */ -- const char *const *username_filter; - - /* If blocking is set to TRUE, use child processes to access - this passdb. */ diff --git a/dovecot-2.3.21-noengine.patch b/dovecot-2.3.21-noengine.patch deleted file mode 100644 index c3bb50e..0000000 --- a/dovecot-2.3.21-noengine.patch +++ /dev/null @@ -1,201 +0,0 @@ -diff -up dovecot-2.3.21/m4/ssl.m4.noengine dovecot-2.3.21/m4/ssl.m4 ---- dovecot-2.3.21/m4/ssl.m4.noengine 2024-05-06 17:39:59.362886891 +0200 -+++ dovecot-2.3.21/m4/ssl.m4 2024-05-06 17:42:17.945312656 +0200 -@@ -233,6 +233,27 @@ AC_DEFUN([DOVECOT_SSL], [ - AC_CHECK_LIB(ssl, ECDSA_SIG_set0, [ - AC_DEFINE(HAVE_ECDSA_SIG_SET0,, [Build with ECDSA_SIG_set0 support]) - ],, $SSL_LIBS) -+ AC_CHECK_LIB(ssl, OSSL_PROVIDER_try_load, [ -+ AC_DEFINE(HAVE_OSSL_PROVIDER_try_load,, [Build with OSSL_PROVIDER_try_load support]) -+ ],, $SSL_LIBS) -+ AC_CHECK_LIB(ssl, OPENSSL_init_ssl, [ -+ AC_DEFINE(HAVE_OPENSSL_init_ssl,, [Build with OPENSSL_init_ssl support]) -+ ],, $SSL_LIBS) -+ AC_CHECK_LIB(ssl, OPENSSL_cleanup, [ -+ AC_DEFINE(HAVE_OPENSSL_cleanup,, [OpenSSL supports OPENSSL_cleanup()]) -+ ],, $SSL_LIBS) -+ AC_CHECK_LIB(ssl, OPENSSL_thread_stop, [ -+ AC_DEFINE(HAVE_OPENSSL_thread_stop,, [OpenSSL supports OPENSSL_thread_stop()]) -+ ],, $SSL_LIBS) -+ AC_CHECK_LIB(ssl, ERR_remove_thread_state, [ -+ AC_DEFINE(HAVE_ERR_remove_thread_state,, [OpenSSL supports ERR_remove_thread_state()]) -+ ],, $SSL_LIBS) -+ AC_CHECK_LIB(ssl, ERR_remove_state, [ -+ AC_DEFINE(HAVE_ERR_remove_state,, [OpenSSL supports ERR_remove_state()]) -+ ],, $SSL_LIBS) -+ AC_CHECK_LIB(ssl, ENGINE_by_id_DISABLED, [ -+ AC_DEFINE(HAVE_ENGINE_by_id,, [OpenSSL supports ENGINE_by_id() - !!!EXPLICITELY DISABLED!!! ]) -+ ],, $SSL_LIBS) - AC_CHECK_LIB(ssl, EC_GROUP_order_bits, [ - AC_DEFINE(HAVE_EC_GROUP_order_bits,, [Build with EC_GROUP_order_bits support]) - ],, $SSL_LIBS) -diff --git dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c.noengine dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c -index 1cbe352541..239a981251 100644 ---- dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c.noengine -+++ dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c -@@ -20,7 +20,6 @@ - #include - #include - #include --#include - #include - #include - #include -diff -up dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c.noengine dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c ---- dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c.noengine 2023-09-14 15:17:46.000000000 +0200 -+++ dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c 2024-05-06 17:39:59.363886901 +0200 -@@ -3,13 +3,23 @@ - #include "lib.h" - #include "randgen.h" - #include "dovecot-openssl-common.h" -+#include "iostream-openssl.h" - - #include --#include -+#include -+#ifdef HAVE_OSSL_PROVIDER_try_load -+# include -+#else -+# include -+#endif - #include - - static int openssl_init_refcount = 0; --static ENGINE *dovecot_openssl_engine; -+#ifdef HAVE_OSSL_PROVIDER_try_load -+static OSSL_PROVIDER *dovecot_openssl_engine = NULL; -+#else -+static ENGINE *dovecot_openssl_engine = NULL; -+#endif - - #ifdef HAVE_SSL_NEW_MEM_FUNCS - static void *dovecot_openssl_malloc(size_t size, const char *u0 ATTR_UNUSED, int u1 ATTR_UNUSED) -@@ -17,12 +27,14 @@ static void *dovecot_openssl_malloc(size - static void *dovecot_openssl_malloc(size_t size) - #endif - { -+ if (size == 0) -+ return NULL; - /* this may be performance critical, so don't use - i_malloc() or calloc() */ - void *mem = malloc(size); -- if (mem == NULL) { -+ if (unlikely(mem == NULL)) { - i_fatal_status(FATAL_OUTOFMEM, -- "OpenSSL: malloc(%zu): Out of memory", size); -+ "OpenSSL: malloc(%zu): Out of memory", size); - } - return mem; - } -@@ -33,10 +45,14 @@ static void *dovecot_openssl_realloc(voi - static void *dovecot_openssl_realloc(void *ptr, size_t size) - #endif - { -+ if (size == 0) { -+ free(ptr); -+ return NULL; -+ } - void *mem = realloc(ptr, size); -- if (mem == NULL) { -+ if (unlikely(mem == NULL)) { - i_fatal_status(FATAL_OUTOFMEM, -- "OpenSSL: realloc(%zu): Out of memory", size); -+ "OpenSSL: realloc(%zu): Out of memory", size); - } - return mem; - } -@@ -63,9 +79,13 @@ void dovecot_openssl_common_global_ref(v - /*i_warning("CRYPTO_set_mem_functions() was called too late");*/ - } - -+#ifdef HAVE_OPENSSL_init_ssl -+ OPENSSL_init_ssl(0, NULL); -+#else - SSL_library_init(); - SSL_load_error_strings(); - OpenSSL_add_all_algorithms(); -+#endif - } - - bool dovecot_openssl_common_global_unref(void) -@@ -76,30 +96,35 @@ bool dovecot_openssl_common_global_unref - return TRUE; - - if (dovecot_openssl_engine != NULL) { -+#ifdef HAVE_OSSL_PROVIDER_try_load -+ OSSL_PROVIDER_unload(dovecot_openssl_engine); -+#else - ENGINE_finish(dovecot_openssl_engine); -+#endif - dovecot_openssl_engine = NULL; - } -+#ifdef HAVE_OPENSSL_cleanup -+ OPENSSL_cleanup(); -+#else - /* OBJ_cleanup() is called automatically by EVP_cleanup() in - newer versions. Doesn't hurt to call it anyway. */ - OBJ_cleanup(); --#ifdef HAVE_SSL_COMP_FREE_COMPRESSION_METHODS -+# if !defined(OPENSSL_NO_COMP) - SSL_COMP_free_compression_methods(); --#endif -+# endif - ENGINE_cleanup(); - EVP_cleanup(); - CRYPTO_cleanup_all_ex_data(); --#ifdef HAVE_OPENSSL_AUTO_THREAD_DEINIT -+# ifdef HAVE_OPENSSL_thread_stop - /* no cleanup needed */ --#elif defined(HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE) -+# elif defined(HAVE_ERR_remove_thread_state) - /* This was marked as deprecated in v1.1. */ - ERR_remove_thread_state(NULL); --#else -+# elif defined(HAVE_ERR_remove_state) - /* This was deprecated by ERR_remove_thread_state(NULL) in v1.0.0. */ - ERR_remove_state(0); --#endif -+# endif - ERR_free_strings(); --#ifdef HAVE_OPENSSL_CLEANUP -- OPENSSL_cleanup(); - #endif - return FALSE; - } -@@ -110,6 +135,7 @@ int dovecot_openssl_common_global_set_en - if (dovecot_openssl_engine != NULL) - return 1; - -+#ifdef HAVE_ENGINE_by_id - ENGINE_load_builtin_engines(); - dovecot_openssl_engine = ENGINE_by_id(engine); - if (dovecot_openssl_engine == NULL) { -@@ -128,5 +154,15 @@ int dovecot_openssl_common_global_set_en - dovecot_openssl_engine = NULL; - return -1; - } -+#elif defined(HAVE_OSSL_PROVIDER_try_load) -+ if ((dovecot_openssl_engine = OSSL_PROVIDER_try_load(NULL, engine, 1)) == NULL) { -+ *error_r = t_strdup_printf("Cannot load '%s': %s", engine, -+ openssl_iostream_error()); -+ return 0; -+ } -+ return 1; -+#else -+ *error_r = t_strdup_printf("Cannot load '%s': No engine/provider support available", engine); -+#endif - return 1; - } -diff -up dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am.noengine dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am ---- dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am.noengine 2023-09-14 15:17:46.000000000 +0200 -+++ dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am 2024-05-06 17:39:59.363886901 +0200 -@@ -5,7 +5,8 @@ NOPLUGIN_LDFLAGS = - AM_CPPFLAGS = \ - -I$(top_srcdir)/src/lib \ - -I$(top_srcdir)/src/lib-test \ -- -DMODULE_DIR=\""$(moduledir)"\" -+ -DMODULE_DIR=\""$(moduledir)"\" \ -+ $(SSL_CFLAGS) - - if BUILD_OPENSSL - module_LTLIBRARIES = libssl_iostream_openssl.la diff --git a/dovecot-2.3.21-test-socket-path.patch b/dovecot-2.3.21-test-socket-path.patch deleted file mode 100644 index 8132244..0000000 --- a/dovecot-2.3.21-test-socket-path.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 9a3e0d099044d3a7478c3a24ccb8990181767f7c Mon Sep 17 00:00:00 2001 -From: Duncan Bellamy -Date: Sat, 6 Mar 2021 14:25:29 +0000 -Subject: [PATCH] imap: Shorten test-imap-client-hibernate socket path length - ---- - src/imap/test-imap-client-hibernate.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/imap/test-imap-client-hibernate.c b/src/imap/test-imap-client-hibernate.c -index 9b90e1bd9a..c5392fa3fc 100644 ---- a/src/imap/test-imap-client-hibernate.c -+++ b/src/imap/test-imap-client-hibernate.c -@@ -19,7 +19,7 @@ - - #include - --#define TEMP_DIRNAME ".test-imap-client-hibernate" -+#define TEMP_DIRNAME ".test-ich" - - #define EVILSTR "\t\r\n\001" - diff --git a/dovecot-2.3.21.1-fixtestdatastack.patch b/dovecot-2.3.21.1-fixtestdatastack.patch deleted file mode 100644 index 7a02167..0000000 --- a/dovecot-2.3.21.1-fixtestdatastack.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff --git a/src/lib/test-data-stack.c b/src/lib/test-data-stack.c -index 3c33597685..03f97b4a50 100644 ---- a/src/lib/test-data-stack.c -+++ b/src/lib/test-data-stack.c -@@ -98,9 +98,9 @@ static void test_ds_get_bytes_available(void) - if (i > 0) - t_malloc_no0(i); - avail1 = t_get_bytes_available(); -- t_malloc_no0(avail1); -+ (void)t_malloc_no0(avail1); - test_assert_idx(t_get_bytes_available() == 0, i); -- t_malloc_no0(1); -+ (void)t_malloc_no0(1); - test_assert_idx(t_get_bytes_available() > 0, i); - } T_END; - T_BEGIN { -@@ -188,7 +188,6 @@ static void test_ds_buffers(void) - void *b = t_buffer_get(1000); - void *a = t_malloc_no0(1); - void *b2 = t_buffer_get(1001); -- test_assert(a == b); /* expected, not guaranteed */ - test_assert(b2 != b); - } T_END; - test_end(); diff --git a/dovecot-2.3.6-opensslhmac.patch b/dovecot-2.4.1-opensslhmac3.patch similarity index 59% rename from dovecot-2.3.6-opensslhmac.patch rename to dovecot-2.4.1-opensslhmac3.patch index 53f3321..20b26a2 100644 --- a/dovecot-2.3.6-opensslhmac.patch +++ b/dovecot-2.4.1-opensslhmac3.patch @@ -1,7 +1,7 @@ -diff -up dovecot-2.3.18/src/auth/auth-token.c.opensslhmac dovecot-2.3.18/src/auth/auth-token.c ---- dovecot-2.3.18/src/auth/auth-token.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/auth/auth-token.c 2022-02-09 09:27:15.887883359 +0100 -@@ -161,17 +161,17 @@ void auth_token_deinit(void) +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c 2025-06-03 22:53:40.039980828 +0200 +@@ -162,17 +162,17 @@ void auth_token_deinit(void) const char *auth_token_get(const char *service, const char *session_pid, const char *username, const char *session_id) { @@ -26,19 +26,19 @@ diff -up dovecot-2.3.18/src/auth/auth-token.c.opensslhmac dovecot-2.3.18/src/aut return binary_to_hex(result, sizeof(result)); } -diff -up dovecot-2.3.18/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.18/src/auth/mech-cram-md5.c ---- dovecot-2.3.18/src/auth/mech-cram-md5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/auth/mech-cram-md5.c 2022-02-09 09:27:15.887883359 +0100 -@@ -51,7 +51,7 @@ static bool verify_credentials(struct cr +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c 2025-06-03 22:53:40.040125680 +0200 +@@ -50,7 +50,7 @@ static bool verify_credentials(struct cr + const unsigned char *credentials, size_t size) { - unsigned char digest[MD5_RESULTLEN]; - struct hmac_context ctx; + struct orig_hmac_context ctx; const char *response_hex; if (size != CRAM_MD5_CONTEXTLEN) { -@@ -60,10 +60,10 @@ static bool verify_credentials(struct cr +@@ -59,10 +59,10 @@ static bool verify_credentials(struct cr return FALSE; } @@ -52,82 +52,82 @@ diff -up dovecot-2.3.18/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.18/src/ response_hex = binary_to_hex(digest, sizeof(digest)); -diff -up dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac dovecot-2.3.18/src/auth/mech-scram.c ---- dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/auth/mech-scram.c 2022-02-09 09:31:50.927146858 +0100 -@@ -93,7 +93,7 @@ get_scram_server_first(struct scram_auth - static const char *get_scram_server_final(struct scram_auth_request *request) - { - const struct hash_method *hmethod = request->hash_method; -- struct hmac_context ctx; -+ struct openssl_hmac_context ctx; - const char *auth_message; - unsigned char server_signature[hmethod->digest_size]; - string_t *str; -@@ -109,9 +109,9 @@ static const char *get_scram_server_fina - request->server_first_message, ",", - request->client_final_message_without_proof, NULL); - -- hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod); -- hmac_update(&ctx, auth_message, strlen(auth_message)); -- hmac_final(&ctx, server_signature); -+ openssl_hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod); -+ openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); -+ openssl_hmac_final(&ctx, server_signature); - - /* RFC 5802, Section 7: - -@@ -292,7 +292,7 @@ parse_scram_client_first(struct scram_au - static bool verify_credentials(struct scram_auth_request *request) - { - const struct hash_method *hmethod = request->hash_method; -- struct hmac_context ctx; -+ struct openssl_hmac_context ctx; - const char *auth_message; - unsigned char client_key[hmethod->digest_size]; +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c 2025-06-03 22:59:21.239579904 +0200 +@@ -248,7 +248,7 @@ static string_t *auth_scram_get_client_f unsigned char client_signature[hmethod->digest_size]; -@@ -310,9 +310,9 @@ static bool verify_credentials(struct sc - request->server_first_message, ",", - request->client_final_message_without_proof, NULL); + unsigned char client_proof[hmethod->digest_size]; + unsigned char server_key[hmethod->digest_size]; +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + const void *cbind_input; + size_t cbind_input_size; + string_t *auth_message, *str; +@@ -307,9 +307,9 @@ static string_t *auth_scram_get_client_f + client->iter, salted_password); -- hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod); -- hmac_update(&ctx, auth_message, strlen(auth_message)); + /* ClientKey := HMAC(SaltedPassword, "Client Key") */ +- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); +- hmac_update(&ctx, "Client Key", 10); +- hmac_final(&ctx, client_key); ++ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); ++ openssl_hmac_update(&ctx, "Client Key", 10); ++ openssl_hmac_final(&ctx, client_key); + + /* StoredKey := H(ClientKey) */ + hash_method_get_digest(hmethod, client_key, sizeof(client_key), +@@ -327,9 +327,9 @@ static string_t *auth_scram_get_client_f + str_append_str(auth_message, str); + + /* ClientSignature := HMAC(StoredKey, AuthMessage) */ +- hmac_init(&ctx, stored_key, sizeof(stored_key), hmethod); +- hmac_update(&ctx, str_data(auth_message), str_len(auth_message)); - hmac_final(&ctx, client_signature); -+ openssl_hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod); -+ openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); ++ openssl_hmac_init(&ctx, stored_key, sizeof(stored_key), hmethod); ++ openssl_hmac_update(&ctx, str_data(auth_message), str_len(auth_message)); + openssl_hmac_final(&ctx, client_signature); /* ClientProof := ClientKey XOR ClientSignature */ - const unsigned char *proof_data = request->proof->data; -diff -up dovecot-2.3.18/src/auth/password-scheme.c.opensslhmac dovecot-2.3.18/src/auth/password-scheme.c ---- dovecot-2.3.18/src/auth/password-scheme.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/auth/password-scheme.c 2022-02-09 09:27:15.888883345 +0100 -@@ -639,11 +639,11 @@ static void - cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, - const unsigned char **raw_password_r, size_t *size_r) - { -- struct hmac_context ctx; -+ struct orig_hmac_context ctx; - unsigned char *context_digest; + for (k = 0; k < hmethod->digest_size; k++) +@@ -340,16 +340,16 @@ static string_t *auth_scram_get_client_f + safe_memset(client_signature, 0, sizeof(client_signature)); - context_digest = t_malloc_no0(CRAM_MD5_CONTEXTLEN); -- hmac_init(&ctx, (const unsigned char *)plaintext, -+ orig_hmac_init(&ctx, (const unsigned char *)plaintext, - strlen(plaintext), &hash_method_md5); - hmac_md5_get_cram_context(&ctx, context_digest); + /* ServerKey := HMAC(SaltedPassword, "Server Key") */ +- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); +- hmac_update(&ctx, "Server Key", 10); +- hmac_final(&ctx, server_key); ++ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); ++ openssl_hmac_update(&ctx, "Server Key", 10); ++ openssl_hmac_final(&ctx, server_key); -diff -up dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.18/src/auth/password-scheme-scram.c ---- dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/auth/password-scheme-scram.c 2022-02-09 09:27:15.888883345 +0100 -@@ -30,23 +30,23 @@ Hi(const struct hash_method *hmethod, co - const unsigned char *salt, size_t salt_size, unsigned int i, - unsigned char *result) + /* ServerSignature := HMAC(ServerKey, AuthMessage) */ + client->server_signature = + p_malloc(client->pool, hmethod->digest_size); +- hmac_init(&ctx, server_key, sizeof(server_key), hmethod); +- hmac_update(&ctx, str_data(auth_message), str_len(auth_message)); +- hmac_final(&ctx, client->server_signature); ++ openssl_hmac_init(&ctx, server_key, sizeof(server_key), hmethod); ++ openssl_hmac_update(&ctx, str_data(auth_message), str_len(auth_message)); ++ openssl_hmac_final(&ctx, client->server_signature); + + safe_memset(salted_password, 0, sizeof(salted_password)); + +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c 2025-06-03 22:53:40.040441433 +0200 +@@ -31,7 +31,7 @@ void auth_scram_hi(const struct hash_met + const unsigned char *salt, size_t salt_size, unsigned int i, + unsigned char *result) { - struct hmac_context ctx; + struct openssl_hmac_context ctx; unsigned char U[hmethod->digest_size]; unsigned int j, k; +@@ -51,18 +51,18 @@ void auth_scram_hi(const struct hash_met + */ + /* Calculate U1 */ - hmac_init(&ctx, str, str_size, hmethod); - hmac_update(&ctx, salt, salt_size); @@ -151,7 +151,108 @@ diff -up dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3 for (k = 0; k < hmethod->digest_size; k++) result[k] ^= U[k]; } -@@ -102,7 +102,7 @@ int scram_verify(const struct hash_metho +@@ -75,7 +75,7 @@ void auth_scram_generate_key_data(const + unsigned char stored_key_r[], + unsigned char server_key_r[]) + { +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + unsigned char salt[16]; + unsigned char salted_password[hmethod->digest_size]; + unsigned char client_key[hmethod->digest_size]; +@@ -97,18 +97,18 @@ void auth_scram_generate_key_data(const + salt, sizeof(salt), rounds, salted_password); + + /* Calculate ClientKey */ +- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); +- hmac_update(&ctx, "Client Key", 10); +- hmac_final(&ctx, client_key); ++ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); ++ openssl_hmac_update(&ctx, "Client Key", 10); ++ openssl_hmac_final(&ctx, client_key); + + /* Calculate StoredKey */ + hash_method_get_digest(hmethod, client_key, sizeof(client_key), + stored_key_r); + + /* Calculate ServerKey */ +- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); +- hmac_update(&ctx, "Server Key", 10); +- hmac_final(&ctx, server_key_r); ++ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); ++ openssl_hmac_update(&ctx, "Server Key", 10); ++ openssl_hmac_final(&ctx, server_key_r); + + safe_memset(salted_password, 0, sizeof(salted_password)); + safe_memset(client_key, 0, sizeof(client_key)); +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c 2025-06-03 23:01:21.982844336 +0200 +@@ -342,7 +342,7 @@ auth_scram_server_verify_credentials(str + { + const struct hash_method *hmethod = server->set.hash_method; + struct auth_scram_key_data *kdata = &server->key_data; +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + const char *auth_message; + unsigned char client_key[hmethod->digest_size]; + unsigned char client_signature[hmethod->digest_size]; +@@ -363,9 +363,9 @@ auth_scram_server_verify_credentials(str + server->server_first_message, ",", + server->client_final_message_without_proof, NULL); + +- hmac_init(&ctx, kdata->stored_key, hmethod->digest_size, hmethod); +- hmac_update(&ctx, auth_message, strlen(auth_message)); +- hmac_final(&ctx, client_signature); ++ openssl_hmac_init(&ctx, kdata->stored_key, hmethod->digest_size, hmethod); ++ openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); ++ openssl_hmac_final(&ctx, client_signature); + + /* ClientProof := ClientKey XOR ClientSignature */ + const unsigned char *proof_data = server->proof->data; +@@ -494,7 +494,7 @@ auth_scram_get_server_final(struct auth_ + { + const struct hash_method *hmethod = server->set.hash_method; + struct auth_scram_key_data *kdata = &server->key_data; +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + const char *auth_message; + unsigned char server_signature[hmethod->digest_size]; + string_t *str; +@@ -510,9 +510,9 @@ auth_scram_get_server_final(struct auth_ + server->server_first_message, ",", + server->client_final_message_without_proof, NULL); + +- hmac_init(&ctx, kdata->server_key, hmethod->digest_size, hmethod); +- hmac_update(&ctx, auth_message, strlen(auth_message)); +- hmac_final(&ctx, server_signature); ++ openssl_hmac_init(&ctx, kdata->server_key, hmethod->digest_size, hmethod); ++ openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); ++ openssl_hmac_final(&ctx, server_signature); + + /* RFC 5802, Section 7: + +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c 2025-06-03 22:53:40.040746416 +0200 +@@ -631,11 +631,11 @@ static void + cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, + const unsigned char **raw_password_r, size_t *size_r) + { +- struct hmac_context ctx; ++ struct orig_hmac_context ctx; + unsigned char *context_digest; + + context_digest = t_malloc_no0(CRAM_MD5_CONTEXTLEN); +- hmac_init(&ctx, (const unsigned char *)plaintext, ++ orig_hmac_init(&ctx, (const unsigned char *)plaintext, + strlen(plaintext), &hash_method_md5); + hmac_md5_get_cram_context(&ctx, context_digest); + +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c 2025-06-03 22:53:40.040877783 +0200 +@@ -69,7 +69,7 @@ int scram_verify(const struct hash_metho const char *plaintext, const unsigned char *raw_password, size_t size, const char **error_r) { @@ -160,8 +261,8 @@ diff -up dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3 const char *salt_base64; unsigned int iter_count; const unsigned char *salt; -@@ -126,9 +126,9 @@ int scram_verify(const struct hash_metho - salt, salt_len, iter_count, salted_password); +@@ -94,9 +94,9 @@ int scram_verify(const struct hash_metho + salt, salt_len, iter_count, salted_password); /* Calculate ClientKey */ - hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); @@ -173,44 +274,9 @@ diff -up dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3 /* Calculate StoredKey */ hash_method_get_digest(hmethod, client_key, sizeof(client_key), -@@ -147,7 +147,7 @@ void scram_generate(const struct hash_me - const unsigned char **raw_password_r, size_t *size_r) - { - string_t *str; -- struct hmac_context ctx; -+ struct openssl_hmac_context ctx; - unsigned char salt[16]; - unsigned char salted_password[hmethod->digest_size]; - unsigned char client_key[hmethod->digest_size]; -@@ -165,9 +165,9 @@ void scram_generate(const struct hash_me - sizeof(salt), SCRAM_DEFAULT_ITERATE_COUNT, salted_password); - - /* Calculate ClientKey */ -- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); -- hmac_update(&ctx, "Client Key", 10); -- hmac_final(&ctx, client_key); -+ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); -+ openssl_hmac_update(&ctx, "Client Key", 10); -+ openssl_hmac_final(&ctx, client_key); - - /* Calculate StoredKey */ - hash_method_get_digest(hmethod, client_key, sizeof(client_key), -@@ -176,9 +176,9 @@ void scram_generate(const struct hash_me - base64_encode(stored_key, sizeof(stored_key), str); - - /* Calculate ServerKey */ -- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); -- hmac_update(&ctx, "Server Key", 10); -- hmac_final(&ctx, server_key); -+ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); -+ openssl_hmac_update(&ctx, "Server Key", 10); -+ openssl_hmac_final(&ctx, server_key); - str_append_c(str, ','); - base64_encode(server_key, sizeof(server_key), str); - -diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c ---- dovecot-2.3.18/src/lib/hmac.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib/hmac.c 2022-02-09 09:27:15.888883345 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c 2025-06-03 22:53:40.041060556 +0200 @@ -7,6 +7,10 @@ * This software is released under the MIT license. */ @@ -222,7 +288,7 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c #include "lib.h" #include "hmac.h" #include "safe-memset.h" -@@ -14,10 +18,65 @@ +@@ -14,10 +18,103 @@ #include "hex-binary.h" @@ -239,11 +305,48 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c +#endif + + -+void openssl_hmac_init(struct openssl_hmac_context *_ctx, const unsigned char *key, ++void openssl_hmac_init(struct openssl_hmac_context *_ctx, const unsigned char *key, //DONE size_t key_len, const struct hash_method *meth) { - struct hmac_context_priv *ctx = &_ctx->u.priv; -+ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; ++#ifdef USE_OPENSSL3_METHODS ++ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; ++ ++ ++ const EVP_MD *md; ++ const char *ebuf = NULL; ++ const char **error_r = &ebuf; ++ OSSL_PARAM params[2]; ++ ++ md = EVP_get_digestbyname(meth->name); ++ if(md == NULL) { ++ if (error_r != NULL) { ++ *error_r = t_strdup_printf("Invalid digest %s", ++ meth->name); ++ } ++ //return FALSE; ++ } ++ ++ ctx->mac = EVP_MAC_fetch(NULL, "HMAC", NULL); ++ ++ ctx->ctx = EVP_MAC_CTX_new(ctx->mac); ++ if (ctx->ctx == NULL) { ++ EVP_MAC_free(ctx->mac); ++ } ++ ++ params[0] = OSSL_PARAM_construct_utf8_string("digest", (char *)meth->name, 0); ++ params[1] = OSSL_PARAM_construct_end(); ++ ++ if (EVP_MAC_init(ctx->ctx, key, key_len, ++ params) == 0) { ++ if (error_r != NULL) { ++ *error_r = t_strdup_printf("Invalid digest %s", ++ meth->name); ++ } ++ } ++ ++#else ++ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; + + const EVP_MD *md; + const char *ebuf = NULL; @@ -267,9 +370,10 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c + dcrypt_openssl_error(error_r);*/ +#endif + /*ec = */HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL); ++#endif +} + -+void orig_hmac_init(struct orig_hmac_context *_ctx, const unsigned char *key, ++void orig_hmac_init(struct orig_hmac_context *_ctx, const unsigned char *key, //DONE + size_t key_len, const struct hash_method *meth) +{ + static int no_fips = -1; @@ -290,22 +394,29 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c unsigned int i; unsigned char k_ipad[meth->block_size]; unsigned char k_opad[meth->block_size]; -@@ -53,9 +112,27 @@ void hmac_init(struct hmac_context *_ctx +@@ -54,9 +151,33 @@ void hmac_init(struct hmac_context *_ctx safe_memset(k_opad, 0, meth->block_size); } -void hmac_final(struct hmac_context *_ctx, unsigned char *digest) -+void openssl_hmac_final(struct openssl_hmac_context *_ctx, unsigned char *digest) -+{ ++void openssl_hmac_final(struct openssl_hmac_context *_ctx, unsigned char *digest) //FIXME + { +- struct hmac_context_priv *ctx = &_ctx->u.priv; + int ec; -+ unsigned char buf[HMAC_MAX_MD_CBLOCK]; -+ unsigned int outl; ++ unsigned char buf[EVP_MAX_MD_SIZE]; ++ size_t outl; +// const char *ebuf = NULL; +// const char **error_r = &ebuf; + + struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; ++#ifdef USE_OPENSSL3_METHODS ++ ec = EVP_MAC_final(ctx->ctx, buf, &outl, sizeof buf); ++ EVP_MAC_CTX_free(ctx->ctx); ++ EVP_MAC_free(ctx->mac); ++#else + ec = HMAC_Final(ctx->ctx, buf, &outl); + HMAC_CTX_free(ctx->ctx); ++#endif + if (ec == 1) + memcpy(digest, buf, outl); +// else @@ -313,19 +424,18 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c + +} + -+void orig_hmac_final(struct orig_hmac_context *_ctx, unsigned char *digest) - { -- struct hmac_context_priv *ctx = &_ctx->u.priv; ++void orig_hmac_final(struct orig_hmac_context *_ctx, unsigned char *digest) //DONE ++{ + struct orig_hmac_context_priv *ctx = &_ctx->u.priv; ctx->hash->result(ctx->ctx, digest); -@@ -63,53 +140,50 @@ void hmac_final(struct hmac_context *_ct +@@ -64,53 +185,50 @@ void hmac_final(struct hmac_context *_ct ctx->hash->result(ctx->ctxo, digest); } -buffer_t *t_hmac_data(const struct hash_method *meth, -+buffer_t *openssl_t_hmac_data(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_data(const struct hash_method *meth, //FIXME const unsigned char *key, size_t key_len, const void *data, size_t data_len) { @@ -348,7 +458,7 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c } -buffer_t *t_hmac_buffer(const struct hash_method *meth, -+buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth, //DONE const unsigned char *key, size_t key_len, const buffer_t *data) { @@ -357,7 +467,7 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c } -buffer_t *t_hmac_str(const struct hash_method *meth, -+buffer_t *openssl_t_hmac_str(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_str(const struct hash_method *meth, //DONE const unsigned char *key, size_t key_len, const char *data) { @@ -366,7 +476,7 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c } -void hmac_hkdf(const struct hash_method *method, -+void openssl_hmac_hkdf(const struct hash_method *method, ++void openssl_hmac_hkdf(const struct hash_method *method, //FIXME const unsigned char *salt, size_t salt_len, const unsigned char *ikm, size_t ikm_len, const unsigned char *info, size_t info_len, @@ -388,7 +498,7 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c /* salt and info can be NULL */ i_assert(salt != NULL || salt_len == 0); -@@ -118,35 +192,30 @@ void hmac_hkdf(const struct hash_method +@@ -119,35 +237,30 @@ void hmac_hkdf(const struct hash_method i_assert(ikm != NULL && ikm_len > 0); i_assert(okm_r != NULL && okm_len > 0); @@ -448,9 +558,9 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c - safe_memset(prk, 0, sizeof(prk)); - safe_memset(okm, 0, sizeof(okm)); } -diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.18/src/lib/hmac-cram-md5.c ---- dovecot-2.3.18/src/lib/hmac-cram-md5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib/hmac-cram-md5.c 2022-02-09 09:27:15.888883345 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c 2025-06-03 22:53:40.041190220 +0200 @@ -9,10 +9,10 @@ #include "md5.h" #include "hmac-cram-md5.h" @@ -477,9 +587,9 @@ diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.18/src/l const unsigned char *cdp; struct md5_context *ctx = (void*)hmac_ctx->ctx; -diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.18/src/lib/hmac-cram-md5.h ---- dovecot-2.3.18/src/lib/hmac-cram-md5.h.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib/hmac-cram-md5.h 2022-02-09 09:27:15.888883345 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h 2025-06-03 22:53:40.041283645 +0200 @@ -5,9 +5,9 @@ #define CRAM_MD5_CONTEXTLEN 32 @@ -492,10 +602,10 @@ diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.18/src/l const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]); -diff -up dovecot-2.3.18/src/lib/hmac.h.opensslhmac dovecot-2.3.18/src/lib/hmac.h ---- dovecot-2.3.18/src/lib/hmac.h.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib/hmac.h 2022-02-09 09:27:15.888883345 +0100 -@@ -4,60 +4,97 @@ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h 2025-06-03 22:53:40.041401056 +0200 +@@ -4,60 +4,108 @@ #include "hash-method.h" #include "sha1.h" #include "sha2.h" @@ -507,15 +617,22 @@ diff -up dovecot-2.3.18/src/lib/hmac.h.opensslhmac dovecot-2.3.18/src/lib/hmac.h #define HMAC_MAX_CONTEXT_SIZE sizeof(struct sha512_ctx) -struct hmac_context_priv { ++ ++#define USE_OPENSSL3_METHODS 1 ++ +struct openssl_hmac_context_priv { ++#ifdef USE_OPENSSL3_METHODS ++ EVP_MAC *mac; ++ EVP_MAC_CTX *ctx; ++#else +#ifdef HAVE_HMAC_CTX_NEW + HMAC_CTX *ctx; +#else + HMAC_CTX ctx; +#endif ++#endif + const struct hash_method *hash; +}; -+ +struct orig_hmac_context_priv { char ctx[HMAC_MAX_CONTEXT_SIZE]; char ctxo[HMAC_MAX_CONTEXT_SIZE]; @@ -524,21 +641,21 @@ diff -up dovecot-2.3.18/src/lib/hmac.h.opensslhmac dovecot-2.3.18/src/lib/hmac.h -struct hmac_context { +struct openssl_hmac_context { -+ union { -+ struct openssl_hmac_context_priv priv; -+ uint64_t padding_requirement; -+ } u; -+}; -+ -+struct orig_hmac_context { union { - struct hmac_context_priv priv; -+ struct orig_hmac_context_priv priv; ++ struct openssl_hmac_context_priv priv; uint64_t padding_requirement; } u; }; -void hmac_init(struct hmac_context *ctx, const unsigned char *key, ++struct orig_hmac_context { ++ union { ++ struct orig_hmac_context_priv priv; ++ uint64_t padding_requirement; ++ } u; ++}; ++ +void openssl_hmac_init(struct openssl_hmac_context *ctx, const unsigned char *key, + size_t key_len, const struct hash_method *meth); +void openssl_hmac_final(struct openssl_hmac_context *ctx, unsigned char *digest); @@ -547,7 +664,11 @@ diff -up dovecot-2.3.18/src/lib/hmac.h.opensslhmac dovecot-2.3.18/src/lib/hmac.h +openssl_hmac_update(struct openssl_hmac_context *_ctx, const void *data, size_t size) +{ + struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; ++#ifdef USE_OPENSSL3_METHODS ++ EVP_MAC_update(ctx->ctx, data, size); ++#else + HMAC_Update(ctx->ctx, data, size); ++#endif +/* if (ec != 1) + { + const char *ebuf = NULL; @@ -606,12 +727,12 @@ diff -up dovecot-2.3.18/src/lib/hmac.h.opensslhmac dovecot-2.3.18/src/lib/hmac.h okm_buffer, okm_len); return okm_buffer; } -diff -up dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c ---- dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c 2022-02-09 09:27:15.888883345 +0100 -@@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha - const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN], - size_t *token_len_r) +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c 2025-06-03 22:53:40.041513908 +0200 +@@ -87,15 +87,15 @@ imap_urlauth_internal_generate( + const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN], + size_t *token_len_r) { - struct hmac_context hmac; + struct openssl_hmac_context hmac; @@ -629,10 +750,10 @@ diff -up dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot- *token_len_r = SHA1_RESULTLEN + 1; return token; -diff -up dovecot-2.3.18/src/lib/Makefile.am.opensslhmac dovecot-2.3.18/src/lib/Makefile.am ---- dovecot-2.3.18/src/lib/Makefile.am.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib/Makefile.am 2022-02-09 09:27:15.889883331 +0100 -@@ -354,6 +354,9 @@ headers = \ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am 2025-06-03 22:53:40.041626579 +0200 +@@ -359,6 +359,9 @@ headers = \ wildcard-match.h \ write-full.h @@ -642,34 +763,34 @@ diff -up dovecot-2.3.18/src/lib/Makefile.am.opensslhmac dovecot-2.3.18/src/lib/M test_programs = test-lib noinst_PROGRAMS = $(test_programs) -diff -up dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c ---- dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c 2022-02-09 09:27:15.889883331 +0100 -@@ -144,14 +144,14 @@ oauth2_validate_hmac(const struct oauth2 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c 2025-06-03 22:53:40.041749500 +0200 +@@ -210,14 +210,14 @@ oauth2_validate_hmac(const struct oauth2 if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0) return -1; - struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + unsigned char digest[method->digest_size]; + - hmac_init(&ctx, key->data, key->used, method); - hmac_update(&ctx, blobs[0], strlen(blobs[0])); - hmac_update(&ctx, ".", 1); - hmac_update(&ctx, blobs[1], strlen(blobs[1])); -+ struct openssl_hmac_context ctx; +- hmac_final(&ctx, digest); + openssl_hmac_init(&ctx, key->data, key->used, method); + openssl_hmac_update(&ctx, blobs[0], strlen(blobs[0])); + openssl_hmac_update(&ctx, ".", 1); + openssl_hmac_update(&ctx, blobs[1], strlen(blobs[1])); - unsigned char digest[method->digest_size]; - -- hmac_final(&ctx, digest); + openssl_hmac_final(&ctx, digest); buffer_t *their_digest = t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]); -diff -up dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c ---- dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c 2022-02-09 09:27:15.889883331 +0100 -@@ -248,7 +248,7 @@ static void save_key_azp_to(const char * +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c 2025-06-03 22:53:40.041891667 +0200 +@@ -250,7 +250,7 @@ static void save_key_azp_to(const char * static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key) { i_assert(key != NULL); @@ -678,7 +799,7 @@ diff -up dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3 tokenbuf); buffer_append(tokenbuf, ".", 1); base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, -@@ -258,7 +258,7 @@ static void sign_jwt_token_hs256(buffer_ +@@ -260,7 +260,7 @@ static void sign_jwt_token_hs256(buffer_ static void sign_jwt_token_hs384(buffer_t *tokenbuf, buffer_t *key) { i_assert(key != NULL); @@ -687,7 +808,7 @@ diff -up dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3 tokenbuf); buffer_append(tokenbuf, ".", 1); base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, -@@ -268,7 +268,7 @@ static void sign_jwt_token_hs384(buffer_ +@@ -270,7 +270,7 @@ static void sign_jwt_token_hs384(buffer_ static void sign_jwt_token_hs512(buffer_t *tokenbuf, buffer_t *key) { i_assert(key != NULL); @@ -696,9 +817,9 @@ diff -up dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3 tokenbuf); buffer_append(tokenbuf, ".", 1); base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, -diff -up dovecot-2.3.18/src/lib/pkcs5.c.opensslhmac dovecot-2.3.18/src/lib/pkcs5.c ---- dovecot-2.3.18/src/lib/pkcs5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib/pkcs5.c 2022-02-09 09:27:15.889883331 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c 2025-06-03 22:53:40.042033283 +0200 @@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */ unsigned char dk[l * hash->digest_size]; @@ -733,9 +854,9 @@ diff -up dovecot-2.3.18/src/lib/pkcs5.c.opensslhmac dovecot-2.3.18/src/lib/pkcs5 for(i = 0; i < hash->digest_size; i++) block[i] ^= U_c[i]; } -diff -up dovecot-2.3.18/src/lib/test-hmac.c.opensslhmac dovecot-2.3.18/src/lib/test-hmac.c ---- dovecot-2.3.18/src/lib/test-hmac.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib/test-hmac.c 2022-02-09 09:27:15.889883331 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c 2025-06-03 22:53:40.042135125 +0200 @@ -206,11 +206,11 @@ static void test_hmac_rfc(void) test_begin("hmac sha256 rfc4231 vectors"); for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) { @@ -811,3 +932,81 @@ diff -up dovecot-2.3.18/src/lib/test-hmac.c.opensslhmac dovecot-2.3.18/src/lib/t vec->ikm_len, vec->info, vec->info_len, vec->okm_len); test_assert(tmp->used == vec->okm_len && +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 2025-06-04 12:40:11.891062419 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am 2025-06-04 12:40:11.907575156 +0200 +@@ -30,13 +30,13 @@ test_libs = \ + $(DLLIB) + + test_var_expand_crypt_SOURCES = test-var-expand-crypt.c +-test_var_expand_crypt_LDADD = $(test_libs) ++test_var_expand_crypt_LDADD = $(test_libs) $(SSL_LIBS) + test_var_expand_crypt_DEPENDENCIES = $(module_LTLIBRARIES) + if HAVE_WHOLE_ARCHIVE + test_var_expand_crypt_LDFLAGS = -export-dynamic -Wl,$(LD_WHOLE_ARCHIVE),../lib/.libs/liblib.a,../lib-json/.libs/libjson.a,../lib-ssl-iostream/.libs/libssl_iostream.a,$(LD_NO_WHOLE_ARCHIVE) + endif + +-test_var_expand_crypt_CFLAGS = $(AM_CPPFLAGS) \ ++test_var_expand_crypt_CFLAGS = $(AM_CPPFLAGS) $(SSL_CFLAGS) \ + -DDCRYPT_BUILD_DIR=\"$(top_builddir)/src/lib-dcrypt\" + + check-local: +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am.opensslhmac3 2025-06-04 20:00:36.614009610 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am 2025-06-04 20:00:36.627577639 +0200 +@@ -65,6 +65,7 @@ auth_LDFLAGS = -export-dynamic + auth_libs = \ + ../lib-auth/libauth-crypt.la \ + $(AUTH_LUA_LIBS) \ ++ $(SSL_LIBS) \ + $(LIBDOVECOT_SQL) + + auth_CPPFLAGS = $(AM_CPPFLAGS) $(BINARY_CFLAGS) +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am.opensslhmac3 2025-06-04 21:58:25.496716279 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am 2025-06-04 23:14:17.353832049 +0200 +@@ -21,11 +21,13 @@ AM_CPPFLAGS = \ + $(BINARY_CFLAGS) + + imap_LDFLAGS = -export-dynamic \ ++ $(SSL_LIBS) \ + $(BINARY_LDFLAGS) + + imap_LDADD = \ + ../lib-imap-urlauth/libimap-urlauth.la \ + ../lib-compression/libcompression.la \ ++ $(SSL_LIBS) \ + $(LIBDOVECOT_STORAGE) \ + $(LIBDOVECOT) + imap_DEPENDENCIES = \ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.opensslhmac3 2025-06-05 11:34:56.817495906 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am 2025-06-05 11:34:56.830938840 +0200 +@@ -22,6 +22,7 @@ imap_urlauth_CPPFLAGS = \ + imap_urlauth_LDFLAGS = -export-dynamic + + imap_urlauth_LDADD = $(LIBDOVECOT) \ ++ $(SSL_LIBS) + $(BINARY_LDFLAGS) + + imap_urlauth_DEPENDENCIES = $(LIBDOVECOT_DEPS) +@@ -52,7 +53,7 @@ imap_urlauth_worker_LDFLAGS = -export-dy + urlauth_libs = \ + $(top_builddir)/src/lib-imap-urlauth/libimap-urlauth.la + +-imap_urlauth_worker_LDADD = $(urlauth_libs) $(LIBDOVECOT_STORAGE) $(LIBDOVECOT) ++imap_urlauth_worker_LDADD = $(urlauth_libs) $(SSL_LIBS) $(LIBDOVECOT_STORAGE) $(LIBDOVECOT) + imap_urlauth_worker_DEPENDENCIES = $(urlauth_libs) $(LIBDOVECOT_STORAGE_DEPS) $(LIBDOVECOT_DEPS) + + imap_urlauth_worker_SOURCES = \ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am.opensslhmac3 2025-06-05 12:53:50.410853506 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am 2025-06-05 12:53:50.424176491 +0200 +@@ -29,6 +29,7 @@ submission_LDADD = \ + $(urlauth_libs) \ + $(LIBDOVECOT_STORAGE) \ + $(LIBDOVECOT) \ ++ $(SSL_LIBS) \ + $(MODULE_LIBS) + submission_DEPENDENCIES = \ + $(urlauth_libs) \ diff --git a/dovecot-configure-c99.patch b/dovecot-configure-c99.patch deleted file mode 100644 index 17a49fe..0000000 --- a/dovecot-configure-c99.patch +++ /dev/null @@ -1,25 +0,0 @@ -m4: crypt_xxpg6.m4: Define _DEFAULT_SOURCE for current glibc - -Current glibc no longer implements the CRYPT extension, so it does not -declare crypt in in strict standard modes. The check -defines _XOPEN_SOURCE, which enables one of these modes. Defining -_DEFAULT_SOURCE as well again makes available the crypt function -prototype. - -This avoids a configure check result change with compilers which do -not support implicit function declarations. - -Submitted upstream: - -diff --git a/m4/crypt_xpg6.m4 b/m4/crypt_xpg6.m4 -index 0085b2ac76..3a288a3713 100644 ---- a/m4/crypt_xpg6.m4 -+++ b/m4/crypt_xpg6.m4 -@@ -6,6 +6,7 @@ AC_DEFUN([DOVECOT_CRYPT_XPG6], [ - #define _XOPEN_SOURCE 4 - #define _XOPEN_SOURCE_EXTENDED 1 - #define _XOPEN_VERSION 4 -+ #define _DEFAULT_SOURCE - #define _XPG4_2 - #define _XPG6 - #include diff --git a/dovecot.spec b/dovecot.spec index a48827d..8df09a7 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -4,18 +4,18 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.21.1 -%global prever %{nil} -Release: 6%{?dist} +Version: 2.4.1 +%global prever -4 +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only URL: https://www.dovecot.org/ -Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz +Source: https://www.dovecot.org/releases/2.4/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.21.1 -Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz +%global pigeonholever %{version}%{?prever} +Source8: https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -34,36 +34,20 @@ Patch6: dovecot-2.1.10-waitonline.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch -Patch10: dovecot-2.3.0.1-libxcrypt.patch Patch15: dovecot-2.3.11-bigkey.patch # do not use own implementation of HMAC, use OpenSSL for certification purposes # not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces # hard to break circular dependency between lib and lib-dcrypt -Patch16: dovecot-2.3.6-opensslhmac.patch +Patch16: dovecot-2.4.1-opensslhmac3.patch # FTBFS Patch17: dovecot-2.3.15-fixvalcond.patch Patch18: dovecot-2.3.15-valbasherr.patch -Patch20: dovecot-2.3.14-opensslv3.patch -Patch21: dovecot-2.3.19.1-7bad6a24.patch -Patch22: dovecot-configure-c99.patch -# Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes -Patch23: dovecot-2.3.20-nolibotp.patch Patch24: dovecot-2.3-ph_optglob.patch Patch25: dovecot-2.3-ph_scriptcmp.patch -# imap: Shorten test-imap-client-hibernate socket path length -Patch26: dovecot-2.3.21-test-socket-path.patch - -# Compile without OpenSSL ENGINE, adapted from 2.4 dovecot, issue #RHEL-33733 -Patch27: dovecot-2.3.21-noengine.patch -Patch28: dovecot-2.3.21.1-fixicu.patch - -# from upstream PR#229, for < 2.4 -Patch29: dovecot-2.3.21.1-fixtestdatastack.patch - BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: sqlite-devel @@ -79,17 +63,15 @@ BuildRequires: libzstd-devel %if %{?rhel}0 == 0 BuildRequires: libsodium-devel BuildRequires: lua-devel +BuildRequires: lua-json %endif BuildRequires: libicu-devel -%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38 -BuildRequires: libexttextcat-devel -BuildRequires: clucene-core-devel -%endif %if %{?rhel}0 == 0 BuildRequires: libstemmer-devel %endif BuildRequires: multilib-rpm-config BuildRequires: flex, bison +BuildRequires: perl-version BuildRequires: systemd-devel BuildRequires: systemd-rpm-macros @@ -101,6 +83,7 @@ BuildRequires: gettext-devel Requires: openssl >= 0.9.7f-4 # Package includes an initscript service file, needs to require initscripts package +Requires(pre): shadow-utils Requires: systemd Requires(post): systemd-units Requires(preun): systemd-units @@ -155,41 +138,32 @@ This package provides the development files for dovecot. %setup -q -n %{name}-%{version}%{?prever} -a 8 # standardize name, so we don't have to update patches and scripts -mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole +mv dovecot-pigeonhole-%{pigeonholever} dovecot-pigeonhole -%patch -P 1 -p1 -b .default-settings +%patch -P 1 -p2 -b .default-settings %patch -P 2 -p1 -b .mkcert-permissions %patch -P 3 -p1 -b .mkcert-paths -%patch -P 6 -p1 -b .waitonline -%patch -P 8 -p1 -b .initbysystemd +%patch -P 6 -p2 -b .waitonline +%patch -P 8 -p2 -b .initbysystemd %patch -P 9 -p1 -b .systemd_w_protectsystem %patch -P 15 -p1 -b .bigkey -%patch -P 16 -p1 -b .opensslhmac -%patch -P 17 -p1 -b .fixvalcond +%patch -P 16 -p2 -b .opensslhmac3 +%patch -P 17 -p2 -b .fixvalcond %patch -P 18 -p1 -b .valbasherr -%patch -P 20 -p1 -b .opensslv3 -%patch -P 21 -p1 -b .7bad6a24 -%patch -P 22 -p1 -b .c99 -%patch -P 23 -p1 -b .nolibotp -%patch -P 24 -p1 -b .ph_optglob -%patch -P 25 -p1 -b .ph_scriptcmp -%patch -P 26 -p1 -b .test-socket-path -%patch -P 27 -p1 -b .noengine -%patch -P 28 -p1 -b .fixicu -%patch -P 29 -p1 -b .fixtestdatastack +#patch -P 24 -p2 -b .ph_optglob +#patch -P 25 -p1 -b .ph_scriptcmp cp run-test-valgrind.supp dovecot-pigeonhole/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude -#pushd dovecot-pigeonhole -#popd -%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38 -sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in -%endif - - # drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes -rm -rf src/lib-otp +#rm -rf src/lib-otp +pushd src/lib-otp +for f in *.c *.h +do + echo >$f +done +popd %build #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules @@ -197,7 +171,15 @@ rm -rf src/lib-otp export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" mkdir -p m4 -autoreconf -I . -fiv #required for aarch64 support +if [ -d /usr/share/gettext/m4 ] +then + #required for aarch64 support + # point to gettext explicitely, autoreconf cant find iconv.m4 otherwise + autoreconf -I . -I /usr/share/gettext/m4 +else + autoreconf -I . -fiv #required for aarch64 support +fi + %configure \ INSTALL_DATA="install -c -p -m644" \ --with-rundir=%{_rundir}/%{name} \ @@ -225,20 +207,15 @@ autoreconf -I . -fiv #required for aarch64 support --without-libstemmer \ --without-lua \ %endif -%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38 - --with-lucene \ - --with-exttextcat \ -%else --without-lucene \ --without-exttextcat \ -%endif --with-ssl=openssl \ --with-ssldir=%{ssldir} \ --with-solr \ --with-docs \ systemdsystemunitdir=%{_unitdir} -sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf +sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh # doc/example-config/conf.d/10-ssl.conf %make_build @@ -301,10 +278,7 @@ mkdir -p $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login} # Install dovecot configuration and dovecot-openssl.cnf mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d -install -p -m 644 docinstall/example-config/dovecot.conf $RPM_BUILD_ROOT%{_sysconfdir}/dovecot -install -p -m 644 docinstall/example-config/conf.d/*.conf $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d install -p -m 644 $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole/example-config/conf.d/*.conf $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d -install -p -m 644 docinstall/example-config/conf.d/*.conf.ext $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d install -p -m 644 $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole/example-config/conf.d/*.conf.ext $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d ||: install -p -m 644 doc/dovecot-openssl.cnf $RPM_BUILD_ROOT%{ssldir}/dovecot-openssl.cnf @@ -323,6 +297,11 @@ popd %pre +%if 0%{?fedora} < 42 +#dovecot uid and gid are reserved, see /usr/share/doc/setup-*/uidgid +%sysusers_create_compat %{SOURCE16} +%endif + # do not let dovecot run during upgrade rhbz#134325 if [ "$1" = "2" ]; then rm -f %restart_flag @@ -374,15 +353,13 @@ make check %endif %files -%doc docinstall/* AUTHORS ChangeLog COPYING COPYING.LGPL COPYING.MIT NEWS README +%doc docinstall/* AUTHORS ChangeLog COPYING COPYING.LGPL COPYING.MIT INSTALL.md NEWS README.md SECURITY.md %{_sbindir}/dovecot %{_bindir}/doveadm %{_bindir}/doveconf -%{_bindir}/dsync %{_bindir}/dovecot-sysreport - %_tmpfilesdir/dovecot.conf %{_sysusersdir}/dovecot.conf %{_unitdir}/dovecot.service @@ -392,32 +369,6 @@ make check %dir %{_sysconfdir}/dovecot %dir %{_sysconfdir}/dovecot/conf.d %config(noreplace) %{_sysconfdir}/dovecot/dovecot.conf -#list all so we'll be noticed if upstream changes anything -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-auth.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-director.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-logging.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-mail.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-master.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-metrics.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-ssl.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/15-lda.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/15-mailboxes.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-imap.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-lmtp.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-pop3.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-submission.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-acl.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-quota.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-plugin.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-checkpassword.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-deny.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-dict.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-ldap.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-master.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-passwdfile.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-sql.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-static.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-system.conf.ext %config(noreplace) %{_sysconfdir}/pam.d/dovecot %config(noreplace) %{ssldir}/dovecot-openssl.cnf @@ -436,7 +387,6 @@ make check #these (*.so files) are plugins, not devel files %{_libdir}/dovecot/*_plugin.so %exclude %{_libdir}/dovecot/*_sieve_plugin.so -%{_libdir}/dovecot/auth/lib20_auth_var_expand_crypt.so %{_libdir}/dovecot/auth/libauthdb_imap.so %{_libdir}/dovecot/auth/libauthdb_ldap.so %if %{?rhel}0 == 0 @@ -450,11 +400,8 @@ make check %{_libdir}/dovecot/libssl_iostream_openssl.so %{_libdir}/dovecot/libfs_compress.so %{_libdir}/dovecot/libfs_crypt.so -%{_libdir}/dovecot/libfs_mail_crypt.so %{_libdir}/dovecot/libdcrypt_openssl.so -%{_libdir}/dovecot/lib20_var_expand_crypt.so -%{_libdir}/dovecot/old-stats/libold_stats_mail.so -%{_libdir}/dovecot/old-stats/libstats_auth.so +%{_libdir}/dovecot//var_expand_crypt.so %dir %{_libdir}/dovecot/settings @@ -474,7 +421,6 @@ make check %{_mandir}/man1/doveadm*.1* %{_mandir}/man1/doveconf.1* %{_mandir}/man1/dovecot*.1* -%{_mandir}/man1/dsync.1* %{_mandir}/man5/dovecot.conf.5* %{_mandir}/man7/doveadm-search-query.7* @@ -522,8 +468,14 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Jun 03 2025 Michal Hlavinka - 1:2.4.1-1 +- updated to 2.4.1 release +- note: configuration is incompatible with 2.3.x version +- trim changelog +- revert previous change, only if-guard it + * Tue Feb 11 2025 Zbigniew Jędrzejewski-Szmek - 1:2.3.21.1-6 -- Drop call to %sysusers_create_compat +- Drop call to %%sysusers_create_compat * Wed Feb 05 2025 Michal Hlavinka - 1:2.3.21.1-5 - fix sysusers config file name @@ -701,2056 +653,9 @@ make check information. - Metric filter and global event filter variable syntax changed to a SQL-like format. -- auth: Added new aliases for %{variables}. Usage of the old ones is +- auth: Added new aliases for %%{variables}. Usage of the old ones is possible, but discouraged. - auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth mechanism and related password schemes. - auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail. - auth: Removed postfix postmap socket - -* Wed Oct 21 2020 Michal Hlavinka - 1:2.3.11.3-7 -- change run directory from /var/run to /run (#1777922) - -* Wed Oct 21 2020 Michal Hlavinka - 1:2.3.11.3-6 -- use bigger default key size (#1882939) - -* Wed Sep 02 2020 Michal Hlavinka - 1:2.3.11.3-5 -- fix gssapi issue - -* Wed Aug 26 2020 Michal Hlavinka - 1:2.3.11.3-4 -- fix FTBFS on 32bit systems - -* Mon Aug 17 2020 Jeff Law - 1:2.3.11.3-2 -- Disable LTO - -* Sat Aug 15 2020 Michal Hlavinka - 1:2.3.11.3-1 -- CVE-2020-12100: Parsing mails with a large number of MIME parts could - have resulted in excessive CPU usage or a crash due to running out of - stack memory. -- CVE-2020-12673: Dovecot's NTLM implementation does not correctly check - message buffer size, which leads to reading past allocation which can - lead to crash. -- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an - address that has the empty quoted string as local-part causes the lmtp - service to crash. -- CVE-2020-12674: Dovecot's RPA mechanism implementation accepts - zero-length message, which leads to assert-crash later on. - -* Sat Aug 01 2020 Fedora Release Engineering - 1:2.3.10.1-3 -- Second attempt - Rebuilt for - https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Mon Jul 27 2020 Fedora Release Engineering - 1:2.3.10.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Mon May 18 2020 Michal Hlavinka - 1:2.3.10.1-1 -- dovecot updated to 2.3.10.1 -- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957 - -* Tue Apr 21 2020 Michal Hlavinka - 1:2.3.10-1 -- dovecot updated to 2.3.10, pigeonhole updated to 0.5.10 - -* Wed Feb 12 2020 Michal Hlavinka - 1:2.3.9.3-1 -- dovecot updated to 2.3.9.3 -- fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS - submission-login and lmtp processes. -- fixes CVE-2020-7957: Specially crafted mail can crash snippet generation. - - -* Tue Jan 28 2020 Fedora Release Engineering - 1:2.3.9.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Thu Dec 19 2019 Michal Hlavinka - 1:2.3.9.2-1 -- CVE-2019-19722: Mails with group addresses in From or To fields - caused crash in push notification drivers. - -* Wed Dec 04 2019 Michal Hlavinka - 1:2.3.9-1 -- dovecot updated to 2.3.9, pigeonhole updated to 0.5.9 - -* Thu Oct 10 2019 Michal Hlavinka - 1:2.3.8-1 -- dovecot updated to 2.3.8, pigeonhole 0.5.8 - -* Thu Aug 29 2019 Michal Hlavinka - 1:2.3.7.2-1 -- dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2 -- fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte - when scanning data in quoted strings, leading to out of bounds heap - memory writes - -* Mon Aug 19 2019 Michal Hlavinka - 1:1-2.3.7.1 -- dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1 - -* Wed Jul 24 2019 Fedora Release Engineering - 1:2.3.6-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Fri May 31 2019 Michal Hlavinka - 1:2.3.6-3 -- disable gcc 9 stack reuse temporarily - -* Mon May 13 2019 Michal Hlavinka - 1:2.3.6-2 -- use /run instead of /var/run (#1706372) - -* Thu May 02 2019 Michal Hlavinka - 1:2.3.6-1 -- dovecot updated to 2.3.6, pigeonhole updated to 0.5.6 - -* Thu Apr 18 2019 Michal Hlavinka - 1:2.3.5.2-1 -- dovecot updated to 2.3.5.2 -- fixes CVE-2019-10691: Trying to login with 8bit username containing - invalid UTF8 input causes auth process to crash if auth policy is enabled. - -* Thu Mar 28 2019 Michal Hlavinka - 1:2.3.5.1-1 -- dovecot updated to 2.3.5.1 -- CVE-2019-7524: Missing input buffer size validation leads into - arbitrary buffer overflow when reading fts or pop3 uidl header - from Dovecot index. - -* Wed Mar 06 2019 Michal Hlavinka - 1:2.3.5-1 -- dovecot updated to 2.3.5, pigeonhole updated to 0.5.5 - -* Thu Jan 31 2019 Fedora Release Engineering - 1:2.3.4-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Mon Jan 14 2019 Björn Esser - 1:2.3.4-2 -- Rebuilt for libcrypt.so.2 (#1666033) - -* Wed Jan 09 2019 Michal Hlavinka - 1:2.3.4-1 -- dovecot updated to 2.3.4, pigeonhole updated to 0.5.4 - -* Tue Oct 02 2018 Michal Hlavinka - 1:2.3.3-1 -- dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3 -- doveconf hides more secrets now in the default output -- NUL bytes in mail headers can cause truncated replies when fetched. -- virtual plugin: Some searches used 100% CPU for many seconds -- dsync assert-crashed with acl plugin in some situations. -- imapc: Fixed various assert-crashes when reconnecting to server. - - -* Tue Oct 02 2018 Michal Hlavinka - 1:2.3.2.1-4 -- fix dovecot-init service syntax error (#1635017) - -* Mon Aug 13 2018 Michal Hlavinka - 1:2.3.2.1-3 -- do not try to generate ssl-params as its obsolete (#1614640) - -* Thu Jul 12 2018 Fedora Release Engineering - 1:2.3.2.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Tue Jul 10 2018 Michal Hlavinka - 1:2.3.2.1-1 -- SSL/TLS servers may have crashed during client disconnection - -* Mon Jul 09 2018 Michal Hlavinka - 1:2.3.2-1 -- dovecot updated to 2.3.2, pigeonhole to 0.5.2 - -* Wed Mar 28 2018 Michal Hlavinka - 1:2.3.1-2 -- fix ftbfs - murmurhash3 check fail - -* Wed Mar 28 2018 Michal Hlavinka - 1:2.3.1-1 -- dovecot updated to 2.3.1, pigeonhole updated to 0.5.1 - -* Tue Mar 27 2018 Michal Hlavinka - 1:2.3.0.1-3 -- use libxcrypt for Fedora >= 28, part of ftbfs fix (#1548520) - -* Wed Mar 07 2018 Michal Hlavinka - 1:2.3.0.1-2 -- add gcc buildrequire - -* Thu Mar 01 2018 Michal Hlavinka - 1:2.3.0.1-1 -- dovecot updated to 2.3.0.1, pigeonhole updated to 0.5.0.1 - -* Fri Feb 09 2018 Igor Gnatenko - 1:2.2.33.2-5 -- Escape macros in %%changelog - -* Wed Feb 07 2018 Fedora Release Engineering - 1:2.2.33.2-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Sat Jan 20 2018 Björn Esser - 1:2.2.33.2-3 -- Rebuilt for switch to libxcrypt - -* Mon Jan 08 2018 Michal Hlavinka - 1:2.2.33.2-2 -- remove tcp_wrappers on Fedora 28 and later (#1518761) -- use use mariadb-connector-c-devel instead of mysql-devel on Fedora 28 and later (#1493624) - -* Tue Oct 24 2017 Michal Hlavinka - 1:2.2.33.2-1 -- dovecot updated to 2.2.33.2 -- doveadm: Fix crash in proxying (or dsync replication) if remote is - running older than v2.2.33 -- auth: Fix memory leak in %%{ldap_dn} -- dict-sql: Fix data types to work correctly with Cassandra - -* Wed Oct 18 2017 Michal Hlavinka - 1:2.2.33.1-1 -- dovecot updated to 2.2.33.1, pigeonhole updated to -- Added %%{if}, see https://wiki2.dovecot.org/Variables#Conditionals -- sdbox: Mails were always opened when expunging, unless - mail_attachment_fs was explicitly set to empty. -- lmtp/doveadm proxy: hostip passdb field was ignored, which caused - unnecessary DNS lookups if host field wasn't an IP -- lmtp proxy: Fix crash when receiving unexpected reply in RCPT TO -- quota_clone: Update also when quota is unlimited (broken in v2.2.31) -- mbox, zlib: Fix assert-crash when accessing compressed mbox -- doveadm director kick -f parameter didn't work -- doveadm director flush resulted flushing all hosts, if - wasn't an IP address. -- director: Various fixes to handling backend/director changes at - abnormal times, especially while ring was unsynced. -- director: Use less CPU in imap-login processes when moving/kicking - many users. -- lmtp: Session IDs were duplicated/confusing with multiple RCPT TOs - when lmtp_rcpt_check_quota=yes -- LDA Sieve plugin: Fixed sequential execution of LDAP-based scripts. A - missing LDAP-based script could cause the script sequence to exit earlier. -- sieve-filter: Removed the (now) duplicate utf8 to mutf7 mailbox name - conversion. This caused problems with mailbox names containing UTF-8 - characters. - -* Mon Aug 28 2017 Michal Hlavinka - 1:2.2.32-2 -- pigeonhole updated to 0.4.20 -- Made the retention period for redirect duplicate identifiers - configurable. Changed the default retention period from 24 to 12 hours. -- sieve-filter: Fixed memory leak: forgot to clean up script binary at - end of execution -- managesieve-login: Fixed handling of AUTHENTICATE command. A second - authenticate command would be parsed wrong. - -* Fri Aug 25 2017 Michal Hlavinka - 1:2.2.32-1 -- dovecot updated to 2.2.32 -- Modseq tracking didn't always work correctly. This could have caused - imap unhibernation to fail or IMAP QRESYNC/CONDSTORE extensions to - not work perfectly. -- mdbox: "Inconsistency in map index" wasn't fixed automatically -- dict-ldap: %%variable values used in the LDAP filter weren't escaped. -- quota=count: quota_warning = -storage=.. was never executed (try #2). -- imapc: >= 32 kB mail bodies were supposed to be cached for subsequent - FETCHes, but weren't. -- quota-status service didn't support recipient_delimiter -- acl: Don't access dovecot-acl-list files with acl_globals_only=yes -- mail_location: If INDEX dir is set, mailbox deletion deletes its - childrens' indexes. -- director: v2.2.31 caused rapid reconnection loops to directors - that were down. - -* Wed Aug 02 2017 Fedora Release Engineering - 1:2.2.31-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 1:2.2.31-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Tue Jul 11 2017 Michal Hlavinka - 1:2.2.31-3 -- enable tcpwrap support (#1450587) - -* Tue Jul 04 2017 Michal Hlavinka - 1:2.2.31-2 -- revert commit breaking NOTIFY support - -* Tue Jun 27 2017 Michal Hlavinka - 1:2.2.31-1 -- dovecot updated to 2.2.31 -- Various fixes to handling mailbox listing. Especially related to - handling nonexistent autocreated/autosubscribed mailboxes and ACLs. -- Global ACL file was parsed as if it was local ACL file. This caused - some of the ACL rule interactions to not work exactly as intended. -- Using mail_sort_max_read_count may have caused very high CPU usage. -- Message address parsing could have crashed on invalid input. -- imapc_features=fetch-headers wasn't always working correctly and - caused the full header to be fetched. -- imapc: Various bugfixes related to connection failure handling. -- quota=count: quota_warning = -storage=.. was never executed -- quota=count: Add support for "ns" parameter -- dsync: Fix incremental syncing for mails that don't have Date or - Message-ID headers. -- imap: Fix hang when client sends pipelined SEARCH + - EXPUNGE/CLOSE/LOGOUT. -- oauth2: Token validation didn't accept empty server responses. -- imap: NOTIFY command has been almost completely broken since the - beginning. -- pigeonhole updated to 0.4.19 -- Fixed bug in handling of implicit keep in some cases. -- include extension: Fixed segfault that (sometimes) occurred when the - global script location was left unconfigured. - -* Wed Jun 07 2017 Michal Hlavinka - 1:2.2.30.2-1 -- dovecot updated to 2.2.30.2 -- auth: Multiple failed authentications within short time caused crashes -- push-notification: OX driver crashed at deinit - -* Thu Jun 01 2017 Michal Hlavinka - 1:2.2.30.1-1 -- dovecot updated to 2.2.30.1 -- More fixes to automatically fix corruption in dovecot.list.index -- dsync-server: Fix support for dsync_features=empty-header-workaround -- imapc: Various bugfixes, including infinite loops on some errors -- IMAP NOTIFY wasn't working for non-INBOX if IMAP client hadn't - enabled modseq tracking via CONDSTORE/QRESYNC. -- fts-lucene: Fix it to work again with mbox format -- Some internal error messages may have contained garbage in v2.2.29 -- mail-crypt: Re-encrypt when copying/moving mails and per-mailbox keys - are used. Otherwise the copied mails can't be opened. - -* Wed Apr 12 2017 Michal Hlavinka - 1:2.2.29.1-1 -- dovecot updated to 2.2.29.1 -- dict-sql: Merging multiple UPDATEs to a single statement wasn't - actually working. -- pigeonhole updated to 0.4.18 -- imapsieve plugin: Implemented the copy_source_after rule action. When this - is enabled for a mailbox rule, the specified Sieve script is executed for - the message in the source mailbox during a "COPY" event. This happens only - after the Sieve script that is executed for the corresponding message in the - destination mailbox finishes running successfully. -- imapsieve plugin: Added non-standard Sieve environment items for the source - and destination mailbox. -- multiscript: The execution of the discard script had an implicit "keep", - rather than an implicit "discard". - -* Tue Apr 11 2017 Michal Hlavinka - 1:2.2.29-1 -- dovecot updated to 2.2.29 -- fts-tika: Fixed crash when parsing attachment without - Content-Disposition header. Broken by 2.2.28. -- trash plugin was broken in 2.2.28 -- auth: When passdb/userdb lookups were done via auth-workers, too much - data was added to auth cache. This could have resulted in wrong - replies when using multiple passdbs/userdbs. -- auth: passdb { skip & mechanisms } were ignored for the first passdb -- oauth2: Various fixes, including fixes to crashes -- dsync: Large Sieve scripts (or other large metadata) weren't always - synced. -- Index rebuild (e.g. doveadm force-resync) set all mails as \Recent -- imap-hibernate: %%{userdb:*} wasn't expanded in mail_log_prefix -- doveadm: Exit codes weren't preserved when proxying commands via - doveadm-server. Almost all errors used exit code 75 (tempfail). -- ACLs weren't applied to not-yet-existing autocreated mailboxes. -- Fixed a potential crash when parsing a broken message header. -- cassandra: Fallback consistency settings weren't working correctly. -- doveadm director status : "Initial config" was always empty -- imapc: Various reconnection fixes. - -* Mon Feb 27 2017 Michal Hlavinka - 1:2.2.28-1 -- dovecot updated to 2.2.28, pigeonhole to 0.4.17 -- auth: Support OAUTHBEARER and XOAUTH2 mechanisms. Also support them - in lib-dsasl for client side. -- imap: SEARCH/SORT may have assert-crashed in - client_check_command_hangs -- imap: FETCH X-MAILBOX may have assert-crashed in virtual mailboxes. -- search: Using NOT n:* or NOT UID n:* wasn't handled correctly -- fts: fts_autoindex_exclude = \Special-use caused crashes -- doveadm-server: Fix leaks and other problems when process is reused - for multiple requests (service_count != 1) -- sdbox: Fix assert-crash on mailbox create race -- lda/lmtp: deliver_log_format values weren't entirely correct if Sieve - was used. especially %%{storage_id} was broken. -- imapsieve plugin: Fixed assert failure occurring when used with virtual - mailboxes. -- doveadm sieve plugin: Fixed crash when setting Sieve script via attribute's - string value. - -* Fri Feb 10 2017 Fedora Release Engineering - 1:2.2.27-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Wed Dec 14 2016 Than Ngo - 1:2.2.27-2 -- fixed bz#1403760, big endian issue - -* Mon Dec 05 2016 Michal Hlavinka - 1:2.2.27-1 -- Fixed crash in auth process when auth-policy was configured and - authentication was aborted/failed without a username set. -- director: If two users had different tags but the same hash, - the users may have been redirected to the wrong tag's hosts. -- Index files may have been thought incorrectly lost, causing - "Missing middle file seq=.." to be logged and index rebuild. - This happened more easily with IMAP hibernation enabled. -- Various fixes to restoring state correctly in un-hibernation. -- dovecot.index files were commonly 4 bytes per email too large. This - is because 3 bytes per email were being wasted that could have been - used for IMAP keywords. -- Various fixes to handle dovecot.list.index corruption better. -- lib-fts: Fixed assert-crash in address tokenizer with specific input. -- Fixed assert-crash in HTML to text parsing with specific input - (e.g. for FTS indexing or snippet generation) -- doveadm sync -1: Fixed handling mailbox GUID conflicts. -- sdbox, mdbox: Perform full index rebuild if corruption is detected - inside lib-index, which runs index fsck. -- quota: Don't skip quota checks when moving mails between different - quota roots. -- search: Multiple sequence sets or UID sets in search parameters - weren't handled correctly. They were incorrectly merged together. - -* Fri Dec 02 2016 Michal Hlavinka - 1:2.2.26.0-2 -- fix remote crash when auth-policy component is activated (CVE-2016-8652,#1401025) - -* Mon Oct 31 2016 Michal Hlavinka - 1:2.2.26.0-1 -- dovecot updated to 2.2.26.0, pigeonhole updated to 0.4.16 -- master process's listener socket was leaked to all child processes. - This might have allowed untrusted processes to capture and prevent - "doveadm service stop" comands from working. -- login proxy: Fixed crash when outgoing SSL connections were hanging. -- auth: userdb fields weren't passed to auth-workers, so %%{userdb:*} - from previous userdbs didn't work there. -- auth: Fixed auth_bind=yes + sasl_bind=yes to work together -- lmtp: %%{userdb:*} variables didn't work in mail_log_prefix -- Fixed writing >2GB to iostream-temp files (used by fs-compress, - fs-metawrap, doveadm-http) -- fts-solr: Fixed searching multiple mailboxes -- and more... - -* Mon Jul 04 2016 Michal Hlavinka - 1:2.2.25-1 -- dovecot updated to 2.2.25 -- doveadm backup was sometimes deleting entire mailboxes unnecessarily. -- doveadm: Command -parameters weren't being sent to doveadm-server. -- if dovecot.index read failed e.g. because mmap() reached VSZ limit, - an empty index could have been opened instead, corrupting the - mailbox state. -- lazy-expunge: Fixed a crash when copying failed. Various other fixes. -- fts-lucene: Fixed crash on index rescan. -- dict-ldap: Various fixes -- dict-sql: NULL values crashed. Now they're treated as "not found". - - -* Wed Apr 27 2016 Michal Hlavinka - 1:2.2.24-1 -- dovecot updated to 2.2.24 -- Huge header lines could have caused Dovecot to use too much memory -- dsync: Detect and handle invalid/stale -s state string better. -- dsync: Fixed crash caused by specific mailbox renames -- auth: Auth cache is now disabled passwd-file. -- fts-tika: Don't crash if it returns 500 error -- dict-redis: Fixed timeout handling -- SEARCH INTHREAD was crashing -- stats: Only a single fifo_listeners was supported, making it impossible to - use both auth_stats=yes and mail stats plugin. -- SSL errors were logged in separate "Stacked error" log lines instead of as - part of the disconnection reason. -- MIME body parser didn't handle properly when a child MIME part's --boundary - had the same prefix as the parent. -- pigeonhole updated to 0.4.14 -- extprograms plugin: Fixed epoll() panic caused by closing the output - FD before the output stream. -- Made sure that the local part of a mail address is encoded properly - using quoted string syntax when it is not a dot-atom. - -* Thu Mar 31 2016 Michal Hlavinka - 1:2.2.23-1 -- dovecot updated to 2.2.23, pigeonhole updated to 0.4.13 -- Various fixes to doveadm. Especially running commands via - doveadm-server was broken. -- director: Fixed user weakness getting stuck in some situations -- director: Fixed a situation where directors keep re-sending - different states to each others and never becoming synced. -- director: Fixed assert-crash related to a slow "user killed" reply -- Fixed assert-crash related to istream-concat, which could have - been triggered at least by a Sieve script. - -* Wed Mar 16 2016 Michal Hlavinka - 1:2.2.22-1 -- dovecot updated to 2.2.22 -- auth: Auth caching was done too aggressively when %%variables were - used in default_fields, override_fields or LDAP pass/user_attrs. - userdb result_* were also ignored when user was found from cache. -- imap: Fixed various assert-crashes caused v2.2.20+. Some of them - caught actual hangs or otherwise unwanted behavior towards IMAP - clients. -- Expunges were forgotten in some situations, for example when - pipelining multiple IMAP MOVE commands. -- quota: Per-namespaces quota were broken for dict and count backends - in v2.2.20+ -- fts-solr: Search queries were using OR instead of AND as the - separator for multi-token search queries in v2.2.20+. -- Single instance storage support wasn't really working in v2.2.16+ -- dbox: POP3 message ordering wasn't working correctly. -- virtual plugin: Fixed crashes related to backend mailbox deletions. - -* Mon Feb 08 2016 Michal Hlavinka - 1:2.2.21-4 -- pigeonhole updated to 0.4.12 -- multiscript: Fixed bug in handling of (implicit) keep; final keep action was - always executed as though there was a failure. -- managesieve-login: Fixed proxy to allow SASL mechanisms other than PLAIN. -- ldap storage: Prevent segfault occurring when assigning certain (global) - configuration options. - -* Wed Feb 03 2016 Fedora Release Engineering - 1:2.2.21-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Thu Jan 28 2016 Michal Hlavinka - 1:2.2.21-2 -- pigeonhole updated to 0.4.11 -- Sieve mime extension: Fixed the header :mime :anychild test to work properly - outside a foreverypart loop. -- Fixed assert failure occurring when text extraction is attempted on a - empty or broken text part. -- Fixed assert failure in handling of body parts that are converted to text. -- Fixed header unfolding for (mime) headers parsed from any mime part. -- Fixed trimming for (mime) headers parsed from any mime part. -- Fixed erroneous changes to the message part tree structure performed when - re-parsing the message. -- LDA Sieve plugin: Fixed bug in error handling of script storage initialization -- Fixed duplication of discard actions in the script result. -- Made sure that quota errors never get logged as errors in syslog. - -* Wed Dec 16 2015 Michal Hlavinka - 1:2.2.21-1 -- dovecot updated to 2.2.21 -- doveadm mailbox list (and some others) were broken in v2.2.20 -- director: Fixed making backend changes when running with only a - single director server. -- virtual plugin: Fixed crash when trying to open nonexistent - autocreated backend mailbox. -- pigeonhole updated to 0.4.10 -- implemented the Sieve mime and foreverypart extensions (RFC 5703). -+ sieve body extension: Properly implemented the `:text' body - transform. It now extracts text for HTML message parts. -- variables extension: Fixed handling of empty string by the `:length' - set modifier. An empty string yielded an empty string rather than "0". -- Fixed memory leak in the Sieve script byte code dumping facility. - Extension contexts were never actually freed. -- doveadm sieve plugin: Fixed crashes caused by incorrect context - allocation in the sieve command implementations. - -* Tue Dec 08 2015 Michal Hlavinka - 1:2.2.20-2 -- move ssl initialization from %%post to dovecot-init.service - -* Tue Dec 08 2015 Michal Hlavinka - 1:2.2.20-1 -- dovecot updated to 2.2.20 -- director: Backend tags weren't working correctly. -- ldap: tls_* settings weren't used for ldaps URIs. -- ldap, mysql: Fixed setting connect timeout. -- auth: userdb lookups via auth-worker couldn't change username -- dsync: Fixed handling deleted directories. Make sure we don't go to - infinite mailbox renaming loop. -- imap: Fixed crash in NOTIFY when there were watched namespaces that - didn't support NOTIFY. -- imap: After SETMETADATA was used, various commands (especially FETCH) - could have started hanging when their output was large. -- stats: Idle sessions weren't refreshed often enough, causing stats - process to forget them and log errors about unknown sessions when - they were updated later. -- stats: Fixed "Duplicate session ID" errors when LMTP delivered to - multiple recipients and fts_autoindex=yes. -- zlib plugin: Fixed copying causing cache corruption when zlib_save - wasn't set, but the source message was compressed. -- fts-solr: Fixed escaping Solr query parameters. -- lmtp: quota_full_tempfail=yes was ignored with - lmtp_rcpt_check_quota=yes - -* Mon Oct 05 2015 Michal Hlavinka - 1:2.2.19-1 -- dovecot updated to 2.2.19 -- mdbox: Rebuilding could have caused message's reference count to - overflow the 16bit number in some situations, causing problems when - trying to expunge the duplicates. -- Various search fixes (fts, solr, tika, lib-charset, indexer) -- Various virtual plugin fixes -- Various fixes and optimizations to dsync, imapc and pop3-migration -- imap: Various RFC compliancy and crash fixes to NOTIFY -- pigeonhole updated to 0.4.9 -- ManageSieve: Fixed an assert failure occurring when a client - disconnects during the GETSCRIPT command. -- doveadm sieve plugin: Fixed incorrect initialization (mem leaks) of mail user. -- sieve-filter command line tool: Fixed handling of failure-related - implicit keep when there is an explicit default destination folder. -- lib-sieve: Fixed bug in RFC5322 header folding. - -* Mon Aug 24 2015 Michal Hlavinka - 1:2.2.18-5 -- use the system crypto policy (#1109114) - -* Fri Jun 19 2015 Michal Hlavinka - 1:2.2.18-4 -- fix build for s390x and ppc64 (#1232650) - -* Wed Jun 17 2015 Fedora Release Engineering - 1:2.2.18-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Mon May 18 2015 Michal Hlavinka - 1:2.2.18-2 -- update pigeonhole to 0.4.8 -- Fixed problem in address test: erroneously decoded mime-encoded words in - address headers. -- extprograms plugin: Fixed failure occurring when connecting to script - service without the need to read back the output from the external program. -- Fixed bug in script storage path normalization occurring with relative - symbolic links below root. - -* Fri May 15 2015 Michal Hlavinka - 1:2.2.18-1 -- director: Login UNIX sockets were normally detected as doveadm or - director ring sockets, causing it to break in existing installations. -- sdbox: When copying a mail in alt storage, place the destination to - alt storage as well. - -* Thu May 14 2015 Michal Hlavinka - 1:2.2.17-1 -- dovecot updated to 2.2.17 -- pigeonhole updated to 0.4.7 -- auth: If auth_master_user_separator was set, auth process could be - crashed by trying to log in with empty master username. -- imap-login, pop3-login: Fixed crash on handshake failures with new - OpenSSL versions (v1.0.2) when SSLv3 was disabled. -- auth: If one passdb fails allow_nets check, it shouldn't have failed - all the other passdb checks later on. -- imap: Server METADATA couldn't be accessed -- imapc: Fixed \Muted label handling in gmail-migration. -- imapc: Various bugfixes and improvements. -- Trash plugin fixes by Alexei Gradinari -- mbox: Fixed crash/corruption in some situations - -* Tue Apr 28 2015 Michal Hlavinka - 1:2.2.16-2 -- fix CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process - -* Mon Mar 16 2015 Michal Hlavinka - 1:2.2.16-1 -- dovecot updated to 2.2.16 -- auth: Don't crash if master user login is attempted without - any configured master=yes passdbs -- Parsing UTF-8 text for mails could have caused broken results - sometimes if buffering was split in the middle of a UTF-8 character. - This affected at least searching messages. -- String sanitization for some logged output wasn't done properly: - UTF-8 text could have been truncated wrongly or the truncation may - not have happened at all. -- fts-lucene: Lookups from virtual mailbox consisting of over 32 - physical mailboxes could have caused crashes. - -* Thu Feb 05 2015 Michal Hlavinka - 1:2.2.15-3 -- fix mbox istream crashes (#1189198, #1186504) - -* Mon Jan 05 2015 Michal Hlavinka - 1:2.2.15-2 -- fix crash related to logging BYE notifications (#1176282) -- update pigeonhole to 0.4.6 - -* Thu Oct 30 2014 Michal Hlavinka - 1:2.2.15-1 -- dovecot updated to 2.2.15 -- various race condition fixes to LAYOUT=index -- v2.2.14 virtual plugin crashed in some situations - -* Fri Oct 17 2014 Michal Hlavinka - 1:2.2.14-1 -- dovecot updated to 2.2.14, pigeonhole updated to 0.4.3 -- fixed several race conditions with dovecot.index.cache handling that - may have caused unnecessary "cache is corrupted" errors. -- auth: If auth client listed userdb and disconnected before finishing, - the auth worker process got stuck -- imap-login, pop3-login: Fixed potential crashes when client - disconnected unexpectedly. -- imap proxy: The connection was hanging in some usage patterns. - -* Thu Aug 21 2014 Michal Hlavinka - 1:2.2.13-4 -- use network-online target instead of just network (#1119814) - -* Sat Aug 16 2014 Fedora Release Engineering - 1:2.2.13-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Sat Jun 07 2014 Fedora Release Engineering - 1:2.2.13-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Mon May 12 2014 Michal Hlavinka - 1:2.2.13-1 -- dovecot updated to 2.2.13 -- fixes CVE-2014-3430: denial of service through maxxing out SSL connections -- pop3 server was still crashing in v2.2.12 -- maildir: Various fixes and improvements to handling compressed mails -- fts-lucene, fts-solr: Fixed crash on search when the index contained - duplicate entries. -- mail_attachment_dir: Attachments with the last base64-encoded line - longer than the rest wasn't handled correctly. -- IMAP: SEARCH/SORT PARTIAL was handled completely wrong in v2.2.11+ -- acl: Global ACL file handling was broken when multiple entries - matched the mailbox name - -* Sun Mar 30 2014 John Morris - 1:2.2.12-2 -- el6 build fixes (#1082384): -- el6 autoconf too old to regen; use packaged files -- fix compile error when __global_ldflags macro undefined - -* Fri Feb 14 2014 Michal Hlavinka - 1:2.2.12-1 -- dovecot updated to 2.2.12 -- fixes pop3 crash - -* Thu Feb 13 2014 Michal Hlavinka - 1:2.2.11-1 -- dovecot updated to 2.2.11 -- imap: SEARCH/SORT PARTIAL reponses may have been too large. -- doveadm backup: Fixed assert-crash when syncing mailbox deletion. - -* Thu Jan 02 2014 Michal Hlavinka - 1:2.2.10-1 -- dovecot updated to 2.2.10 -- quota-status: quota_grace was ignored -- ldap: Fixed memory leak with auth_bind=yes and without - auth_bind_userdn. -- imap: Don't send HIGHESTMODSEQ anymore on SELECT/EXAMINE when - CONDSTORE/QRESYNC has never before been enabled for the mailbox. -- imap: Fixes to handling mailboxes without permanent modseqs. - (When [NOMODSEQ] is returned by SELECT, mainly with in-memory - indexes.) -- imap: Various fixes to METADATA support. -- stats plugin: Processes that only temporarily dropped privileges - (e.g. indexer-worker) may have been logging errors about not being - able to open /proc/self/io. - -* Mon Nov 25 2013 Michal Hlavinka - 1:2.2.9-1 -- improved cache file handling exposed several old bugs related to fetching - mail headers. -- iostream handling changes were causing some connections to be disconnected - before flushing their output - -* Wed Nov 20 2013 Michal Hlavinka - 1:2.2.8-1 -- Fixed infinite loop in message parsing if message ends with - "--boundary" and CR (without LF). Messages saved via SMTP/LMTP can't - trigger this, because messages must end with an "LF.". A user could - trigger this for him/herself though. -- lmtp: Client was sometimes disconnected before all the output was - sent to it. -- replicator: Database wasn't being exported to disk every 15 minutes - as it should have. Instead it was being imported, causing "doveadm - replicator remove" commands to not work very well. - -* Thu Nov 14 2013 Michal Hlavinka - 1:2.2.7-2 -- fix ostream infinite loop (#1029906) - -* Mon Nov 04 2013 Michal Hlavinka - 1:2.2.7-1 -- dovecot updated to 2.2.7 -- master process was doing a hostname.domain lookup for each created - process, which may have caused a lot of unnecessary DNS lookups. -- dsync: Syncing over 100 messages at once caused problems in some - situations, causing messages to get new UIDs. -- fts-solr: Different Solr hosts for different users didn't work. - -* Tue Oct 01 2013 Michal Hlavinka - 1:2.2.6-1 -- dovecot updated to 2.2.6, pigeonhole updated to 0.4.2 -- director: v2.2.5 changes caused "SYNC lost" errors -- dsync: Many fixes and error handling improvements -- doveadm -A: Don't waste CPU by doing a separate config lookup - for each user -- Long-running ssl-params process no longer prevents Dovecot restart -- mbox: Fixed mailbox_list_index=yes to work correctly - -* Thu Aug 08 2013 Michal Hlavinka - 1:2.2.5-2 -- use unversioned doc dir (#993731) - -* Wed Aug 07 2013 Michal Hlavinka - 1:2.2.5-1 -- dovecot updated to 2.2.5 -- added some missing man pages (by Pascal Volk) -- director: Users near expiration could have been redirected to - different servers at the same time. -- pop3: Avoid assert-crash if client disconnects during LIST. -- mdbox: Corrupted index header still wasn't automatically fixed. -- dsync: Various fixes to work better with imapc and pop3c storages. -- ldap: sasl_bind=yes caused crashes, because Dovecot's lib-sasl - symbols conflicted with Cyrus SASL library. - -* Tue Jul 30 2013 Michal Hlavinka - 1:2.2.4-3 -- dovecot pigeonhole updated to 0.4.1 - -* Wed Jul 10 2013 Michal Hlavinka - 1:2.2.4-2 -- fix name conflict with cyrus-sasl (#975869) - -* Tue Jun 25 2013 Michal Hlavinka - 1:2.2.4-1 -- dovecot updated to 2.2.4 -- imap/pop3 proxy: Master user logins were broken in v2.2.3 -- sdbox/mdbox: A corrupted index header with wrong size was never - automatically fixed in v2.2.3. -- mbox: Fixed assert-crashes related to locking. - -* Mon Jun 17 2013 Michal Hlavinka - 1:2.2.3-1 -- dovecot updated to 2.2.3 -- IMAP: If subject contained only whitespace, Dovecot returned an - ENVELOPE reply with a huge literal value, effectively causing the - IMAP client to wait for more data forever. -- IMAP: Various URLAUTH fixes. -- imapc: Various bugfixes and improvements -- pop3c: Various fixes to make it work in dsync (without imapc) -- dsync: Fixes to syncing subscriptions. Fixes to syncing mailbox - renames. - -* Tue May 21 2013 Michal Hlavinka - 1:2.2.2-2 -- fix location of tmpfiles configuration (#964448) - -* Mon May 20 2013 Michal Hlavinka - 1:2.2.2-1 -- dovecot updated to 2.2.2 -- IMAP: Various URLAUTH fixes. -- IMAP: Fixed a hang with invalid APPEND parameters. -- IMAP LIST-EXTENDED: INBOX was never listed with \Subscribed flag. -- mailbox_list_index=yes still caused crashes. -- maildir: Fixed a crash after dovecot-keywords file was re-read. -- maildir: If files had reappeared unexpectedly to a Maildir, they - were ignored until index files were deleted. -- Maildir: Fixed handling over 26 keywords in a mailbox. -- imap/pop3-login proxying: Fixed a crash if TCP connection succeeded, - but the remote login timed out. - -* Thu May 16 2013 Michal Hlavinka - 1:2.2.1-4 -- update pigeonhole to 0.4.0 - -* Mon Apr 29 2013 Michal Hlavinka - 1:2.2.1-3 -- revert last change and use different fix - -* Wed Apr 24 2013 Kalev Lember - 1:2.2.1-2 -- Filter out autogenerated perl deps (#956194) - -* Fri Apr 19 2013 Michal Hlavinka - 1:2.2.1-1 -- dovecot updated to 2.2.1 -- mailbox_list_index=yes was broken. -- LAYOUT=index didn't list subscriptions. -- auth: Multiple master passdbs didn't work. -- Message parsing (e.g. during search) crashed when multipart message - didn't actually contain any parts. -- dovecot updated to 2.2.1 - -* Mon Apr 15 2013 Michal Hlavinka - 1:2.2.0-1 -- dovecot updated to 2.2.0 -- Mailbox list indexes weren't using proper file permissions based - on the root directory. -- replicator: doveadm commands and user list export may have skipped - some users. -- Various fixes to mailbox_list_index=yes - -* Fri Apr 05 2013 Michal Hlavinka - 1:2.2-0.4 -- dovecot updated to 2.2 RC4 -- various bugfixes to LDAP changes in rc3 - -* Wed Mar 27 2013 Michal Hlavinka - 1:2.2-0.3 -- dovecot updated to 2.2 RC3 -- Fixed a crash when decoding quoted-printable content. -- dsync: Various bugfixes - -* Thu Feb 28 2013 Michal Hlavinka - 1:2.2-0.2 -- do not print error when NetworkManager is not installed (#916456) - -* Wed Feb 27 2013 Michal Hlavinka - 1:2.2-0.1 -- major update to dovecot 2.2 RC2 - -* Mon Feb 11 2013 Michal Hlavinka - 1:2.1.15-1 -- dovecot updated to 2.1.15 -- v2.1.14's dovecot.index.cache fixes caused Dovecot to use more disk I/O - and memory than was necessary. - -* Tue Feb 05 2013 Michal Hlavinka - 1:2.1.14-2 -- spec clean up - -* Thu Jan 31 2013 Michal Hlavinka - 1:2.1.14-1 -- dovecot updated to 2.1.14 -- v2.1.11+ had a race condition where it sometimes overwrote data in - dovecot.index.cache file. This could have caused Dovecot to return - the same cached data to two different messages. -- mdbox: Fixes to handling duplicate GUIDs during index rebuild - -* Tue Jan 15 2013 Michal Hlavinka - 1:2.1.13-1 -- dovecot updated to 2.1.13 -- Some fixes to cache file changes in v2.1.11. -- virtual storage: Sorting mailbox by from/to/cc/bcc didn't work. - -* Mon Dec 03 2012 Michal Hlavinka - 1:2.1.12-1 -- dovecot updated to 2.1.12 -- lmtp proxy: Fixed hanging if remote server was down. -- doveadm: Various fixes to handling doveadm-server connections. -- auth: passdb imap was broken in v2.1.10. - -* Thu Nov 08 2012 Michal Hlavinka - 1:2.1.10-3 -- fix network still not ready race condition (#871623) - -* Fri Nov 02 2012 Michal Hlavinka - 1:2.1.10-2 -- add reload command to service file - -* Wed Sep 19 2012 Michal Hlavinka - 1:2.1.10-1 -- dovecot updated to 2.1.10, pigeonhole updated to 0.3.3 -- director: In some conditions director may have disconnected from - another director (without logging about it), thinking it was sending - invalid data. -- imap: Various fixes to listing mailboxes. -- login processes crashed if there were a lot of local {} or remote {} - settings blocks. - -* Fri Aug 24 2012 Michal Hlavinka - 1:2.1.9-2 -- use new systemd rpm macros (#851238) - -* Thu Aug 02 2012 Michal Hlavinka - 1:2.1.9-1 -- dovecot updated to 2.1.9 -- Full text search indexing might have failed for some messages, - always causing indexer-worker process to run out of memory. -- fts-lucene: Fixed handling SEARCH HEADER FROM/TO/SUBJECT/CC/BCC when - the header wasn't lowercased. -- fts-squat: Fixed crash when searching a virtual mailbox. -- pop3: Fixed assert crash when doing UIDL on empty mailbox on some - setups. -- auth: GSSAPI RFC compliancy and error handling fixes. -- Various fixes related to handling shared namespaces - -* Wed Jul 18 2012 Fedora Release Engineering - 1:2.1.8-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Tue Jul 03 2012 Michal Hlavinka - 1:2.1.8-2 -- pigeonhole updated to 0.3.1 -- Fixed several small issues, including a few potential segfault bugs, based - on static source code analysis. - -* Tue Jul 03 2012 Michal Hlavinka - 1:2.1.8-1 -- dovecot updated to 2.1.8 -- imap: Mailbox names were accidentally sent as UTF-8 instead of mUTF-7 - in previous v2.1.x releases for STATUS, MYRIGHTS and GETQUOTAROOT commands. -- lmtp proxy: Don't timeout connections too early when mail has a lot of RCPT TOs. -- director: Don't crash if the director is working alone. -- shared mailboxes: Avoid doing "@domain" userdb lookups. -- doveadm: Fixed crash with proxying some commands. -- fts-squat: Fixed handling multiple SEARCH parameters. -- imapc: Fixed a crash when message had more than 8 keywords. -- imapc: Don't crash on APPEND/COPY if server doesn't support UIDPLUS. - - -* Mon Jul 02 2012 Michal Hlavinka - 1:2.1.7-5 -- make quota work with NFS mounted mailboxes - -* Fri Jun 22 2012 Michal Hlavinka - 1:2.1.7-4 -- posttrans argument is always zero - -* Fri Jun 15 2012 Michal Hlavinka - 1:2.1.7-3 -- do not let dovecot run during upgrade (#134325) - -* Wed May 30 2012 Michal Hlavinka - 1:2.1.7-2 -- fix changelog, 2.1.7-1 had copy-pasted upstream changelog, which was wrong -- director: Don't crash with quickly disconnecting incoming director - connections. -- mdbox: If mail was originally saved to non-INBOX, and namespace - prefix is non-empty, don't assert-crash when rebuilding indexes. -- sdbox: Don't use more fds than necessary when copying mails. -- auth: Fixed crash with DIGEST-MD5 when attempting to do master user - login without master passdbs. -- Several fixes to mail_shared_explicit_inbox=no -- imapc: Use imapc_list_prefix also for listing subscriptions. - -* Wed May 30 2012 Michal Hlavinka - 1:2.1.7-1 -- updated to 2.1.7 -- v2.1.5: Using "~/" as mail_location or elsewhere failed to actually - expand it to home directory. -- dbox: Fixed potential assert-crash when reading dbox files. -- trash plugin: Fixed behavior when quota is already over limit. -- mail_log plugin: Logging "copy" event didn't work. -- Proxying to backend server with SSL: Verifying server certificate - name always failed, because it was compared to an IP address. - -* Wed May 09 2012 Michal Hlavinka - 1:2.1.6-2 -- fix socket activation again, fix in 2.1.6 is incomplete - -* Wed May 09 2012 Michal Hlavinka - 1:2.1.6-1 -- v2.1.5: Using "~/" as mail_location or elsewhere failed to actually - expand it to home directory. -- dbox: Fixed potential assert-crash when reading dbox files. -- trash plugin: Fixed behavior when quota is already over limit. -- Proxying to backend server with SSL: Verifying server certificate - name always failed, because it was compared to an IP address. - -* Tue Apr 24 2012 Michal Hlavinka - 1:2.1.5-1 -- IMAP: Several fixes related to mailbox listing in some configs -- director: A lot of fixes and performance improvements -- mbox: Deleting a mailbox didn't delete its index files. -- pop3c: TOP command was sent incorrectly -- trash plugin didn't work properly -- LMTP: Don't add a duplicate Return-Path: header when proxying. -- listescape: Don't unescape namespace prefixes. - -* Tue Apr 24 2012 Michal Hlavinka - 1:2.1.4-2 -- close systemd extra sockets that are not configured - -* Tue Apr 10 2012 Michal Hlavinka - 1:2.1.4-1 -- dovecot updated to 2.1.4 -- Proxying SSL connections crashed in v2.1.[23] -- fts-solr: Indexing mail bodies was broken. -- director: Several changes to significantly improve error handling -- doveadm import didn't import messages' flags -- mail_full_filesystem_access=yes was broken -- Make sure IMAP clients can't create directories when accessing - nonexistent users' mailboxes via shared namespace. -- Dovecot auth clients authenticating via TCP socket could have failed - with bogus "PID already in use" errors. - -* Mon Mar 19 2012 Michal Hlavinka - 1:2.1.3-1 -- dovecot updated to 2.1.3 -- multi-dbox format in dovecot 2.1.2 was broken -- temporarily disable check phase until bug #798968 is fixed - -* Fri Mar 16 2012 Michal Hlavinka - 1:2.1.2-1 -- dovecot updated to 2.1.2 -- doveadm sync: If mailbox was expunged empty, messages may have - become back instead of also being expunged in the other side. -- imap_id_* settings were ignored before login. -- Several fixes to mailbox_list_index=yes -- Previous v2.1.x didn't log all messages at shutdown. - -* Thu Mar 01 2012 Michal Hlavinka - 1:2.1.1-2 -- enable fts_lucene plugin (#798661) - -* Fri Feb 24 2012 Michal Hlavinka - 1:2.1.1-1 -- dovecot updated to 2.1.1 -- acl plugin + autocreated mailboxes crashed when listing mailboxes -- doveadm force-resync: Don't skip autocreated mailboxes (especially - INBOX). -- If process runs out of fds, stop listening for new connections only - temporarily, not permanently (avoids hangs with process_limit=1 - services) -- auth: passdb imap crashed for non-login authentication (e.g. smtp). - - -* Mon Feb 20 2012 Michal Hlavinka - 1:2.1.0-1 -- updated to 2.1.0 (no major changes since .rc6) -- include pigeonhole doc files (NEWS, README, ...) - -* Tue Feb 14 2012 Michal Hlavinka - 1:2.1-0.7.rc6 -- updated to 2.1.rc6 -- dbox: Fixed error handling when saving failed or was aborted -- IMAP: Using COMPRESS extension may have caused assert-crashes -- IMAP: THREAD REFS sometimes returned invalid (0) nodes. -- dsync: Fixed handling non-ASCII characters in mailbox names. - -* Tue Feb 07 2012 Michal Hlavinka - 1:2.1-0.6.rc5 -- use PrivateTmp in systemd unit file - -* Tue Feb 07 2012 Michal Hlavinka - 1:2.1-0.5.rc5 -- updated to 2.1.rc5 -- director: With >2 directors ring syncing might have stalled during - director connect/disconnect, causing logins to fail. -- LMTP client/proxy: Fixed potential hanging when sending (big) mails -- Compressed mails with external attachments (dbox + SIS + zlib) failed - sometimes with bogus "cached message size wrong" errors. - -* Mon Jan 09 2012 Michal Hlavinka - 1:2.1-0.4.rc3 -- updated to 2.1.rc3 -- dsync was merged into doveadm -- added pop3c (= POP3 client) storage backend - -* Wed Dec 14 2011 Michal Hlavinka - 1:2.1-0.3.rc1 -- allow imap+TLS and pop3+TLS by default - -* Fri Dec 02 2011 Michal Hlavinka - 1:2.1-0.2.rc1 -- call systemd reload in postun - -* Wed Nov 30 2011 Michal Hlavinka - 1:2.1-0.1.rc1 -- updated to 2.1.rc1 -- major changes since 2.0.x: -- plugins now use UTF-8 mailbox names rather than mUTF-7 -- auth_username_format default changed to %%Lu -- solr full text search backend changed to use mailbox GUIDs instead of - mailbox names, requiring reindexing everything - -* Mon Nov 21 2011 Michal Hlavinka - 1:2.0.16-1 -- dovecot updated to 2.0.16 - -* Mon Oct 24 2011 Michal Hlavinka - 1:2.0.15-2 -- do not use obsolete settings in default configuration (#743444) - -* Mon Sep 19 2011 Michal Hlavinka - 1:2.0.15-1 -- dovecot updated to 2.0.15 -- v2.0.14: Index reading could have eaten a lot of memory in some - situations -- mbox: Fixed crash during mail delivery when mailbox didn't yet have - GUID assigned to it. -- zlib+mbox: Fetching last message from compressed mailboxes crashed. - -* Tue Sep 13 2011 Michal Hlavinka - 1:2.0.14-2 -- do not enable insecure connections by default - -* Mon Aug 29 2011 Michal Hlavinka - 1:2.0.14-1 -- dovecot updated to 2.0.14 -- userdb extra fields can now return name+=value to append to an - existing name -- script-login attempted an unnecessary config lookup, which usually - failed with "Permission denied". -- lmtp: Fixed parsing quoted strings with spaces as local-part for - MAIL FROM and RCPT TO. -- imap: FETCH BODY[HEADER.FIELDS (..)] may have crashed or not - returned all data sometimes. -- ldap: Fixed random assert-crashing with with sasl_bind=yes. -- Fixes to handling mail chroots -- Fixed renaming mailboxes under different parent with FS layout when - using separate ALT, INDEX or CONTROL paths. -- zlib: Fixed reading concatenated .gz files. - -* Fri Jul 15 2011 Michal Hlavinka - 1:2.0.13-2 -- do not include sysv init script - -* Thu May 12 2011 Michal Hlavinka - 1:2.0.13-1 -- dovecot updated to 2.0.13 -- mdbox purge: Fixed wrong warning about corrupted extrefs. -- script-login binary wasn't actually dropping privileges to the - user/group/chroot specified by its service settings. -- Fixed potential crashes and other problems when parsing header names - that contained NUL characters. - -* Fri Apr 15 2011 Michal Hlavinka - 1:2.0.12-2 -- pigeonhole updated to 0.2.3, which includes: -- managesieve: fixed bug in UTF-8 checking of string values -- sieve command line tools now avoid initializing the mail store unless necessary -- removed header MIME-decoding to fix erroneous address parsing -- fixed segfault bug in extension configuration, triggered when unknown - extension is mentioned in sieve_extensions setting. - -* Wed Apr 13 2011 Michal Hlavinka - 1:2.0.12-1 -- dbox: Fixes to handling external attachments -- dsync: More fixes to avoid hanging with remote syncs -- dsync: Many other syncing/correctness fixes -- doveconf: v2.0.10 and v2.0.11 didn't output plugin {} section right - -* Mon Mar 28 2011 Michal Hlavinka - 1:2.0.11-5 -- rebuild with new patch - -* Mon Mar 28 2011 Michal Hlavinka - 1:2.0.11-4 -- fix regression in config file parsing (#690401) - -* Wed Mar 23 2011 Dan Horák - 1:2.0.11-3 -- rebuilt for mysql 5.5.10 (soname bump in libmysqlclient) - -* Wed Mar 23 2011 Michal Hlavinka - 1:2.0.11-2 -- rebuild because of updated dependencies - -* Mon Mar 07 2011 Michal Hlavinka - 1:2.0.11-1 -- IMAP: Fixed hangs with COMPRESS extension -- IMAP: Fixed a hang when trying to COPY to a nonexistent mailbox. -- IMAP: Fixed hang/crash with SEARCHRES + pipelining $. -- IMAP: Fixed assert-crash if IDLE+DONE is sent in same TCP packet. - -* Thu Feb 17 2011 Michal Hlavinka - 1:2.0.9-3 -- add missing section to dovecot's systemd service file - -* Tue Feb 08 2011 Fedora Release Engineering - 1:2.0.9-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Thu Jan 13 2011 Michal Hlavinka - 1:2.0.9-1 -- dovecot updated to 2.0.9 -- fixed a high system CPU usage / high context switch count performance problem -- lda: Fixed a crash when trying to send "out of quota" reply - -* Mon Dec 20 2010 Michal Hlavinka - 1:2.0.8-3 -- add full path and check to restorecon in post - -* Tue Dec 07 2010 Michal Hlavinka - 1:2.0.8-2 -- fix s/foobar/dovecot/ typo in post script - -* Tue Dec 07 2010 Michal Hlavinka - 1:2.0.8-1 -- dovecot updated to 2.0.8, pigeonhole updated to 0.2.2 -- services' default vsz_limits weren't being enforced correctly -- added systemd support -- dbox: Fixes to handling external mail attachments -- imap, pop3: When service { client_count } was larger than 1, the - log messages didn't use the correct prefix -- MySQL: Only the first specified host was ever used - -* Mon Nov 29 2010 Michal Hlavinka - 1:2.0.7-3 -- make it work with /var/run on tmpfs (#656577) - -* Tue Nov 23 2010 Michal Hlavinka - 1:2.0.7-2 -- fix regression with valid_chroot_dirs being ignored (#654083) - -* Tue Nov 09 2010 Michal Hlavinka - 1:2.0.7-1 -- dovecot updated to 2.0.7 -- IMAP: Fixed LIST-STATUS when listing subscriptions with subscriptions=no namespaces. -- IMAP: Fixed SELECT QRESYNC not to crash on mailbox close if a lot of changes were being sent. -- quota: Don't count virtual mailboxes in quota -- doveadm expunge didn't always actually do the physical expunging -- Fixed some index reading optimizations introduced by v2.0.5. -- LMTP proxying fixes - -* Fri Oct 22 2010 Michal Hlavinka - 1:2.0.6-1 -- dovecot updated to 2.0.6 -- Pre-login CAPABILITY includes IDLE again. Mainly to make Blackberry - servers happy. -- auth: auth_cache_negative_ttl default was 0 in earlier v2.0.x, but it - was supposed to be 1 hour as in v1.x. Changed it back to 1h. -- doveadm: Added import command for importing mails from other storages. -- Reduced NFS I/O operations for index file accesses -- dbox, Maildir: When copying messages, copy also already cached fields - from dovecot.index.cache -- Maildir: LDA/LMTP assert-crashed sometimes when saving a mail. -- Fixed leaking fds when writing to dovecot.mailbox.log. -- Fixed rare dovecot.index.cache corruption -- IMAP: SEARCH YOUNGER/OLDER wasn't working correctly - -* Mon Oct 04 2010 Michal Hlavinka - 1:2.0.5-1 -- dovecot updated to 2.0.5 -- acl: Fixed the logic of merging multiple ACL entries -- sdbox: Fixed memory leak when copying messages with hard links. -- zlib: Fixed several crashes, which mainly showed up with mbox. -- quota: Don't crash if user has quota disabled, but plugin loaded. -- acl: Fixed crashing when sometimes listing shared mailboxes via dict proxy. - -* Tue Sep 28 2010 Michal Hlavinka - 1:2.0.4-1 -- dovecot updated to 2.0.4 -- multi-dbox: If :INDEX=path is specified, keep storage/dovecot.map.index* - files also in the index path rather than in the main storage directory. -- dsync: POP3 UIDLs weren't copied with Maildir -- dict file: Fixed fd leak (showed up easily with LMTP + quota) - -* Mon Sep 20 2010 Michal Hlavinka - 1:2.0.3-1 -- dovecot updated to 2.0.3 -- dovecot-lda: Removed use of non-standard Envelope-To: header as - a default for -a -- dsync: Fixed handling \Noselect mailboxes -- Fixed an infinite loop introduced by v2.0.2's message parser changes. -- Fixed a crash introduced by v2.0.2's istream-crlf changes. - -* Thu Sep 16 2010 Michal Hlavinka - 1:2.0.2-1 -- dovecot updated -- vpopmail support is disabled for now, since it's broken. You can use - it via checkpassword support or its sql/ldap database directly. -- maildir: Fixed "duplicate uidlist entry" errors that happened at - least with LMTP when mail was delivered to multiple recipients -- Deleting ACLs didn't cause entries to be removed from acl_shared_dict -- mail_max_lock_timeout setting wasn't working with all locks - -* Wed Aug 25 2010 Michal Hlavinka - 1:2.0.1-1 -- dovecot and pigeonhole updated -- sieve: sieved renamed to sieve-dump -- when dsync is started as root, remote dsync command is now also executed - as root instead of with dropped privileges. -- IMAP: QRESYNC parameters for SELECT weren't handled correctly. -- UTF-8 string validity checking wasn't done correctly -- dsync: Fixed a random assert-crash with remote dsyncing - -* Tue Aug 17 2010 Michal Hlavinka - 1:2.0-1 -- dovecot and pigeonhole updated -- dict quota didn't always decrease quota when messages were expunged -- Shared INBOX wasn't always listed with FS layout - -* Wed Aug 11 2010 Michal Hlavinka - 1:2.0-0.21.rc5 -- dovecot and pigeonhole updated -- Using more than 2 plugins could have caused broken behavior -- Listescape plugin fixes -- mbox: Fixed a couple of assert-crashes -- mdbox: Fixed potential assert-crash when saving multiple messages - in one transaction - -* Thu Aug 05 2010 Michal Hlavinka - 1:2.0-0.20.rc4 -- dovecot and pigeonhole updated -- doveadm mailbox status: Fixed listing non-ASCII mailbox names. -- doveadm fetch: Fixed output when fetching message header or body -- doveadm director map/add/remove: Fixed handling IP address as parameter. -- dsync: A few more fixes - -* Wed Jul 21 2010 Michal Hlavinka - 1:2.0-0.19.rc3 -- dovecot and pigeonhole updated -- fixed lda + sieve crash -- added mail_temp_dir setting, used by deliver and lmtp for creating - temporary mail files. Default is /tmp. -- imap: Fixed checking if list=children namespace has children. -- mdbox: Race condition fixes related to copying and purging - -* Fri Jul 16 2010 Michal Hlavinka - 1:2.0-0.18.rc2.20100716 -- dovecot and pigeonhole updated -- enabled pigeonhole's build time test suite -- acl: Fixed crashon FS layout with non-default hierarchy separator -- dbox renamed to sdbox -- dsync fixes and improvements - -* Mon Jul 12 2010 Michal Hlavinka - 1:2.0-0.17.rc2.20100712 -- dovecot and pigeonhole updated -- fixed a crash with empty mail_plugins -- fixed sharing INBOX to other users -- director+LMTP proxy wasn't working correctly -- v1.x config parser failed with some settings if pigeonhole wasn't installed. -- virtual: If non-matching messages weren't expunged within same session, - they never got expunged. - -* Wed Jul 07 2010 Michal Hlavinka - 1:2.0-0.16.rc1.20100707 -- updated dovecot and pigeonhole -- a lot of dsync fixes -- improved (m)dbox recovery - -* Mon Jun 28 2010 Michal Hlavinka - 1:2.0-0.15.beta6.20100626 -- updated dovecot, pigeonhole and man pages -- moved disable_plaintext_auth to 10-auth.conf -- mdbox: Fixed assert-crash on storage rebuild if file got lost -- lib-charset: Don't assert-crash when iconv() skips lots of invalid input -- master: Fixed crash on deinit (maybe also on reload) - -* Thu Jun 10 2010 Michal Hlavinka - 1:2.0-0.14.beta5.20100610 -- dovecot updated -- lib-storage: Fixed accessing uncommitted saved mails with dsync -- example-config: Moved ACL and quota settings to a separate .conf files -- dbox, mdbox: Fixed race conditions when creating mailboxes - -* Mon May 31 2010 Michal Hlavinka - 1:2.0-0.13.beta5.20100529 -- dovecot and pigeonhole updated -- enable solr fulltext search -- master: Fixed crash on config reload -- lib-storage: Don't assert-crash when copying a mail fails - -* Tue May 18 2010 Michal Hlavinka - 1:2.0-0.12.beta5.20100515 -- dovenull is unauthorized user, needs own dovenull group - -* Tue May 18 2010 Michal Hlavinka - 1:2.0-0.11.beta5.20100515 -- fix typo in dovenull username - -* Mon May 17 2010 Michal Hlavinka - 1:2.0-0.9.beta5.20100515 -- pigeonhole and dovecot updated to snapshot 20100515 -- fix crash for THREAD command - -* Wed May 05 2010 Michal Hlavinka - 1:2.0-0.8.beta4.20100505 -- pigeonhole and dovecot updated to snapshot 20100505 -- mdbox: Avoid rebuilding storage if another process already did it -- lib-storage: Fixed () sublists in IMAP SEARCH parser -- example-config: auth-checkpassword include wasn't listed in 10-auth.conf -- doveadm: Added search command -- lib-master: Don't crash after timeouting an auth-master request -- master: If inet listener uses DNS name, which returns multiple IPs, - listen in all of them - -* Wed Apr 28 2010 Michal Hlavinka - 1:2.0-0.7.beta4.20100427 -- updated to snapshot 20100427 -- doveconf now prints only the one setting's value -- mdbox: Automatically delete old temp.* files from storage/ directory -- mdbox: use flock locking by default - -* Wed Apr 21 2010 Michal Hlavinka - 1:2.0-0.6.beta4.20100421 -- updated to snapshot 20100421 -- mdbox: Purge crashed if it purged all messages from a file -- lib-storage: Shared namespace's prefix_len wasn't updated after prefix was truncated -- imap-quota: Iterate quota roots only once when replying to GETQUOTAROOT -- idle: Do cork/uncork when sending "OK Still here" notification -- login: If proxy returns ssl=yes and no port, switch port to imaps/pop3s - -* Wed Apr 14 2010 Michal Hlavinka - 1:2.0-0.5.beta4.20100414 -- add make check -- updated to snapshot 20100414 -- config: Added nn- prefix to *.conf files so the sort ordering makes more sense -- lib-master: Log an error if login client disconnects too early -- mdbox: If purging found corrupted files, it didn't auto-rebuild storage -- lib-storage: Added support for searching save date -- and more... -- pigeonhole updated: -- Mailbox extension: fixed memory leak in the mailboxexists test -- added login failure handler - -* Tue Apr 06 2010 Michal Hlavinka - 1:2.0-0.4.beta4.20100406 -- updated to snapshot 20100406 -- auth: If userdb lookup fails internally, don't cache the result. -- Added support for userdb lookup to fail with a reason -- sdbox: mailbox_update() could have changed UIDVALIDITY incorrectly -- layout=maildir++: Fixed deleting mailboxes with mailbox=file storages -- Fixed potential problems with parsing invalid address groups. -- dsync: Don't repeatedly try to keep opening the same failing mailbox -- lib-storage: Don't crash if root mail directory isn't given. - -* Tue Mar 30 2010 Michal Hlavinka - 1:2.0-0.3.beta4.20100330 -- fix certs location in ssl.conf - -* Mon Mar 29 2010 Michal Hlavinka - 1:2.0-0.2.beta4.aefa279e2c70 -- update to snapshot aefa279e2c70 from 2010-03-27 -- fixes complains about missing tcpwrap (#577426) - -* Thu Mar 25 2010 Michal Hlavinka - 1:2.0-0.1.beta4 -- dovecot updated to 2.0 beta 4 - -* Fri Mar 12 2010 Michal Hlavinka - 1:1.2.11-2 -- fix missing bzip2 support in zlib plugin (#572797) - -* Tue Mar 09 2010 Michal Hlavinka - 1:1.2.11-1 -- updated to 1.2.11 -- mbox: Message header reading was unnecessarily slow. Fetching a - huge header could have resulted in Dovecot eating a lot of CPU. - Also searching messages was much slower than necessary. -- maildir: Reading uidlist could have ended up in an infinite loop. -- IMAP IDLE: v1.2.7+ caused extra load by checking changes every - 0.5 seconds after a change had occurred in mailbox - -* Tue Feb 23 2010 Michal Hlavinka - 1:1.2.10-4 -- move libs to correct package - -* Fri Feb 19 2010 Michal Hlavinka - 1:1.2.10-3 -- merged dovecot-sieve and dovecot-managesieve into dovecot-pigeonhole -- merged dovecot-sqlite, dovecot-gssapi and dovecot-ldap into dovecot - -* Mon Jan 25 2010 Michal Hlavinka - 1:1.2.10-2 -- updated sive and managesieve -- Added preliminary support for Sieve plugins and added support for - installing Sieve development headers -- Variables extension: added support for variable namespaces. -- Added configurable script size limit. Compiler will refuse to - compile files larger than sieve_max_script_size. -- Fixed a bug in the i;ascii-numeric comparator. If one of the - strings started with a non-digit character, the comparator would - always yield less-than. -- Imap4flags extension: fixed bug in removeflag: removing a single - flag failed due to off-by-one error (bug report by Julian Cowley). -- Fixed parser recovery. In particular cases it would trigger spurious - errors after an initial valid error and sometimes additional errors - were inappropriately ignored. -- Implemented ManageSieve QUOTA enforcement. -- Added MAXREDIRECTS capability after login. -- Implemented new script name rules specified in most recent - ManageSieve draft. -- Fixed assertion failure occuring with challenge-response SASL - mechanisms. - -* Mon Jan 25 2010 Michal Hlavinka - 1:1.2.10-1 -- updated to 1.2.10 -- %%variables now support %%{host}, %%{pid} and %%{env:ENVIRONMENT_NAME} - everywhere. -- LIST-STATUS capability is now advertised -- maildir: Fixed several assert-crashes. -- imap: LIST "" inbox shouldn't crash when using namespace with - "INBOX." prefix. -- lazy_expunge now ignores non-private namespaces. - -* Tue Dec 22 2009 Michal Hlavinka - 1:1.2.9-2 -- sieve updated to 0.1.14 -- managesieve updated to 0.11.10 - -* Fri Dec 18 2009 Michal Hlavinka - 1:1.2.9-1 -- updated to 1.2.9 -- maildir: When saving, filenames now always contain ,S=. - Previously this was done only when quota plugin was loaded. It's - required for zlib plugin and may be useful for other things too. -- maildir: v1.2.7 and v1.2.8 caused assert-crashes in - maildir_uidlist_records_drop_expunges() -- maildir_copy_preserve_filename=yes could have caused crashes. -- Maildir++ quota: % limits weren't updated when limits were read - from maildirsize. -- virtual: v1.2.8 didn't fully fix the "lots of mailboxes" bug -- virtual: Fixed updating virtual mailbox based on flag changes. -- fts-squat: Fixed searching multi-byte characters. - -* Wed Nov 25 2009 Michal Hlavinka - 1:1.2.8-4 -- spec cleanup - -* Tue Nov 24 2009 Michal Hlavinka - 1:1.2.8-3 -- fix dovecot's restart after update (#518753) - -* Tue Nov 24 2009 Michal Hlavinka - 1:1.2.8-2 -- fix initdddir typo (for rhel rebuilds) - -* Fri Nov 20 2009 Michal Hlavinka - 1:1.2.8-1 -- update to dovecot 1.2.8 - -* Mon Nov 16 2009 Michal Hlavinka - 1:1.2.7-2 -- use originall managesieve to dovecot diff -- EPEL-ize spec for rhel5 rebuilds (#537666) - -* Fri Nov 13 2009 Michal Hlavinka - 1:1.2.7-1 -- updated to dovecot 1.2.7 -- add man pages -- IMAP: IDLE now sends "Still here" notifications to same user's - connections at the same time. This hopefully reduces power usage - of some mobile clients that use multiple IDLEing connections. -- IMAP: If imap_capability is set, show it in the login banner. -- IMAP: Implemented SORT=DISPLAY extension. -- Login process creation could have sometimes failed with epoll_ctl() - errors or without epoll probably some other strange things could - have happened. -- Maildir: Fixed some performance issues -- Maildir: Fixed crash when using a lot of keywords. -- Several fixes to QRESYNC extension and modseq handling -- mbox: Make sure failed saves get rolled back with NFS. -- dbox: Several fixes. - -* Mon Nov 02 2009 Michal Hlavinka - 1:1.2.6-5 -- spec cleanup - -* Wed Oct 21 2009 Michal Hlavinka - 1:1.2.6-4 -- imap-login: If imap_capability is set, show it in the banner - instead of the default (#524485) - -* Mon Oct 19 2009 Michal Hlavinka - 1:1.2.6-3 -- sieve updated to 0.1.13 which brings these changes: -- Body extension: implemented proper handling of the :raw transform - and added various new tests to the test suite. However, :content - "multipart" and :content "message/rfc822" are still not working. -- Fixed race condition occuring when multiple instances are saving the - same binary (patch by Timo Sirainen). -- Body extension: don't give SKIP_BODY_BLOCK flag to message parser, - we want the body! -- Fixed bugs in multiscript support; subsequent keep actions were not - always merged correctly and implicit side effects were not always - handled correctly. -- Fixed a segfault bug in the sieve-test tool occuring when compile - fails. -- Fixed segfault bug in action procesing. It was triggered while - merging side effects in duplicate actions. -- Fixed bug in the Sieve plugin that caused it to try to stat() a NULL - path, yielding a 'Bad address' error. - -* Fri Oct 09 2009 Michal Hlavinka - 1:1.2.6-2 -- fix init script for case when no action was specified - -* Tue Oct 06 2009 Michal Hlavinka - 1:1.2.6-1 -- dovecot updated to 1.2.6 -- Added authtest utility for doing passdb and userdb lookups. -- login: ssl_security string now also shows the used compression. -- quota: Don't crash with non-Maildir++ quota backend. -- imap proxy: Fixed crashing with some specific password characters. -- fixed broken dovecot --exec-mail. -- Avoid assert-crashing when two processes try to create index at the - same time. - -* Tue Sep 29 2009 Michal Hlavinka - 1:1.2.5-2 -- build with libcap enabled - -* Thu Sep 17 2009 Michal Hlavinka - 1:1.2.5-1 -- updated to dovecot 1.2.5 -- Authentication: DIGEST-MD5 and RPA mechanisms no longer require - user's login realm to be listed in auth_realms. It only made - configuration more difficult without really providing extra security. -- zlib plugin: Don't allow clients to save compressed data directly. - This prevents users from exploiting (most of the) potential security - holes in zlib/bzlib. -- fix index file handling that could have caused an assert-crash -- IMAP: Fixes to QRESYNC extension. -- deliver: Don't send rejects to any messages that have Auto-Submitted - header. This avoids emails loops. - -* Wed Sep 16 2009 Tomas Mraz - 1:1.2.4-3 -- use password-auth common PAM configuration instead of system-auth - -* Fri Aug 21 2009 Tomas Mraz - 1:1.2.4-2 -- rebuilt with new openssl - -* Fri Aug 21 2009 Michal Hlavinka - 1:1.2.4-1 -- updated: dovecot 1.2.4, managesieve 0.11.9, sieve 0.1.12 -- fixed a crash in index file handling -- fixed a crash in saving messages where message contained a CR - character that wasn't followed by LF -- fixed a crash when listing shared namespace prefix -- sieve: implemented the new date extension. This allows matching - against date values in header fields and the current date at - the time of script evaluation -- managesieve: reintroduced ability to abort SASL with "*" response - -* Mon Aug 10 2009 Michal Hlavinka - 1:1.2.3-1 -- updated: dovecot 1.2.3, managesieve 0.11.8, sieve 0.1.11 -- Mailbox names with control characters can't be created anymore. - Existing mailboxes can still be accessed though. -- Allow namespace prefix to be opened as mailbox, if a mailbox - already exists in the root dir. -- Maildir: dovecot-uidlist was being recreated every time a mailbox - was accessed, even if nothing changed. -- listescape plugin was somewhat broken -- ldap: Fixed hang when >128 requests were sent at once. -- fts_squat: Fixed crashing when searching virtual mailbox. -- imap: Fixed THREAD .. INTHREAD crashing. - -* Tue Jul 28 2009 Michal Hlavinka - 1:1.2.2-1.20090728snap -- updated to post 1.2.2 snapshot (including post release GSSAPI fix) -- Fixed "corrupted index cache file" errors -- IMAP: FETCH X-* parameters weren't working. -- Maildir++ quota: Quota was sometimes updated wrong -- Dovecot master process could hang if it received signals too rapidly - -* Fri Jul 24 2009 Fedora Release Engineering - 1:1.2.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Thu Jul 23 2009 Michal Hlavinka - 1:1.2.1-2 -- updated sieve plugin to 0.1.9 - -* Mon Jul 13 2009 Michal Hlavinka - 1:1.2.1-1 -- updated to 1.2.1 -- GSSAPI authentication is fixed (#506782) -- logins now fail if home directory path is relative, because it was - not working correctly and never was expected to work -- sieve and managesieve update - -* Mon Apr 20 2009 Michal Hlavinka - 1:1.2-0.rc3.1 -- updated to 1.2.rc3 - -* Mon Apr 06 2009 Michal Hlavinka - 1:1.2-0.rc2.1 -- updated to 1.2.rc2 - -* Mon Mar 30 2009 Michal Hlavinka - 1:1.2-0.beta4.2 -- fix typo and rebuild - -* Mon Mar 30 2009 Michal Hlavinka - 1:1.2-0.beta4.1 -- spec clean-up -- updated to 1.2.beta4 - -* Tue Feb 24 2009 Fedora Release Engineering - 1:1.1.11-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Wed Feb 11 2009 Michal Hlavinka - 1:1.1.11-1 -- updated to 1.1.11 -- IMAP: PERMANENTFLAGS list didn't contain \*, causing some clients - not to save keywords. -- auth: Using "username" or "domain" passdb fields caused problems - with cache and blocking passdbs in v1.1.8 .. v1.1.10. -- userdb prefetch + blocking passdbs was broken with non-plaintext - auth in v1.1.8 .. v1.1.10. - -* Tue Jan 27 2009 Michal Hlavinka - 1:1.1.10-1 -- updated to 1.1.10 - -* Sat Jan 24 2009 Dan Horak - 1:1.1.8-3 -- rebuild with new mysql - -* Tue Jan 13 2009 Michal Hlavinka - 1:1.1.8-2 -- added managesieve support (thanks Helmut K. C. Tessarek) - -* Thu Jan 8 2009 Michal Hlavinka - 1:1.1.8-1 -- dovecot updated to 1.1.8 -- sieve-plugin updated to 1.1.6 - -* Tue Dec 2 2008 Michal Hlavinka - 1:1.1.7-2 -- revert changes from 1:1.1.6-2 and 1:1.1.6-1 -- password can be stored in different file readable only for root - via !include_try directive - -* Tue Dec 2 2008 Michal Hlavinka - 1:1.1.7-1 -- update to upstream version 1.1.7 - -* Mon Nov 3 2008 Michal Hlavinka - 1:1.1.6-2 -- changed comment in sysconfig to match actual state - -* Mon Nov 3 2008 Michal Hlavinka - 1:1.1.6-1 -- update to upstream version 1.1.6 -- change permissions of deliver and dovecot.conf to prevent possible password exposure - -* Wed Oct 29 2008 Michal Hlavinka - 1:1.1.5-1 -- update to upstream version 1.1.5 (Resolves: CVE-2008-4577, CVE-2008-4578) - -* Tue Sep 2 2008 Dan Horak - 1:1.1.3-1 -- update to upstream version 1.1.3 - -* Tue Jul 29 2008 Dan Horak - 1:1.1.2-2 -- really ask for the password during start-up - -* Tue Jul 29 2008 Dan Horak - 1:1.1.2-1 -- update to upstream version 1.1.2 -- final solution for #445200 (add /etc/sysconfig/dovecot for start-up options) - -* Fri Jun 27 2008 Dan Horak - 1:1.1.1-2 -- update default settings to listen on both IPv4 and IPv6 instead of IPv6 only - -* Sun Jun 22 2008 Dan Horak - 1:1.1.1-1 -- update to upstream version 1.1.1 - -* Sat Jun 21 2008 Dan Horak - 1:1.1.0-1 -- update to upstream version 1.1.0 -- update sieve plugin to 1.1.5 -- remove unnecessary patches -- enable ldap and gssapi plugins -- change ownership of dovecot.conf (Resolves: #452088) - -* Wed Jun 18 2008 Dan Horak - 1:1.0.14-4 -- update init script (Resolves: #451838) - -* Fri Jun 6 2008 Dan Horak - 1:1.0.14-3 -- build devel subpackage (Resolves: #306881) - -* Thu Jun 5 2008 Dan Horak - 1:1.0.14-2 -- install convert-tool (Resolves: #450010) - -* Tue Jun 3 2008 Dan Horak - 1:1.0.14-1 -- update to upstream version 1.0.14 -- remove setcred patch (use of setcred must be explictly enabled in config) - -* Thu May 29 2008 Dan Horak - 1:1.0.13-8 -- update scriptlets to follow UsersAndGroups guideline -- remove support for upgrading from version < 1.0 from scriptlets -- Resolves: #448095 - -* Tue May 20 2008 Dan Horak - 1:1.0.13-7 -- spec file cleanup -- update sieve plugin to 1.0.3 -- Resolves: #445200, #238018 - -* Sun Mar 09 2008 Tomas Janousek - 1:1.0.13-6 -- update to latest upstream stable (1.0.13) - -* Wed Feb 20 2008 Fedora Release Engineering - 1:1.0.10-5 -- Autorebuild for GCC 4.3 - -* Mon Jan 07 2008 Tomas Janousek - 1:1.0.10-4 -- update to latest upstream stable (1.0.10) - -* Wed Dec 05 2007 Jesse Keating - 1:1.0.7-3 -- Bump for deps - -* Mon Nov 05 2007 Tomas Janousek - 1:1.0.7-2 -- update to latest upstream stable (1.0.7) -- added the winbind patch (#286351) - -* Tue Sep 25 2007 Tomas Janousek - 1:1.0.5-1 -- downgraded to lastest upstream stable (1.0.5) - -* Wed Aug 22 2007 Tomas Janousek - 1.1-16.1.alpha3 -- updated license tags - -* Mon Aug 13 2007 Tomas Janousek - 1.1-16.alpha3 -- updated to latest upstream alpha -- update dovecot-sieve to 0367450c9382 from hg - -* Fri Aug 10 2007 Tomas Janousek - 1.1-15.alpha2 -- updated to latest upstream alpha -- split ldap and gssapi plugins to subpackages - -* Wed Jul 25 2007 Tomas Janousek - 1.1-14.6.hg.a744ae38a9e1 -- update to a744ae38a9e1 from hg -- update dovecot-sieve to 131e25f6862b from hg and enable it again - -* Thu Jul 19 2007 Tomas Janousek - 1.1-14.5.alpha1 -- update to latest upstream alpha -- don't build dovecot-sieve, it's only for 1.0 - -* Sun Jul 15 2007 Tomas Janousek - 1.0.2-13.5 -- update to latest upstream - -* Mon Jun 18 2007 Tomas Janousek - 1.0.1-12.5 -- update to latest upstream - -* Fri Jun 08 2007 Tomas Janousek - 1.0.0-11.7 -- specfile merge from 145241 branch - - new sql split patch - - support for not building all sql modules - - split sql libraries to separate packages - -* Sat Apr 14 2007 Tomas Janousek - 1.0.0-11.1 -- dovecot-1.0.beta2-pam-tty.patch is no longer needed - -* Fri Apr 13 2007 Tomas Janousek - 1.0.0-11 -- update to latest upstream - -* Tue Apr 10 2007 Tomas Janousek - 1.0-10.rc31 -- update to latest upstream - -* Fri Apr 06 2007 Tomas Janousek - 1.0-9.rc30 -- update to latest upstream - -* Fri Mar 30 2007 Tomas Janousek - 1.0-8.1.rc28 -- spec file cleanup (fixes docs path) - -* Fri Mar 23 2007 Tomas Janousek - 1.0-8.rc28 -- update to latest upstream - -* Mon Mar 19 2007 Tomas Janousek - 1.0-7.rc27 -- use dovecot-sieve's version for the package - -* Mon Mar 19 2007 Tomas Janousek - 1.0-6.rc27 -- update to latest upstream -- added dovecot-sieve - -* Fri Mar 02 2007 Tomas Janousek - 1.0-5.rc25 -- update to latest upstream - -* Sun Feb 25 2007 Jef Spaleta - 1.0-4.rc22 -- Merge review changes - -* Thu Feb 08 2007 Tomas Janousek - 1.0-3.rc22 -- update to latest upstream, fixes a few bugs - -* Mon Jan 08 2007 Tomas Janousek - 1.0-2.rc17 -- update to latest upstream, fixes a few bugs - -* Thu Dec 21 2006 Tomas Janousek - 1.0-1.1.rc15 -- reenabled GSSAPI (#220377) - -* Tue Dec 05 2006 Tomas Janousek - 1.0-1.rc15 -- update to latest upstream, fixes a few bugs, plus a security - vulnerability (#216508, CVE-2006-5973) - -* Tue Oct 10 2006 Petr Rockai - 1.0-0.3.rc7 -- fix few inconsistencies in specfile, fixes #198940 - -* Wed Oct 04 2006 Petr Rockai - 1.0-0.2.rc7 -- fix default paths in the example mkcert.sh to match configuration - defaults (fixes #183151) - -* Sun Oct 01 2006 Jesse Keating - 1.0-0.1.rc7 -- rebuilt for unwind info generation, broken in gcc-4.1.1-21 - -* Fri Sep 22 2006 Petr Rockai - 1.0-0.rc7 -- update to latest upstream release candidate, should fix occasional - hangs and mbox issues... INBOX. namespace is still broken though -- do not run over symlinked certificates in new locations on upgrade - -* Tue Aug 15 2006 Petr Rockai - 1.0-0.rc2.2 -- include /var/lib/dovecot in the package, prevents startup failure - on new installs - -* Mon Jul 17 2006 Petr Rockai - 1.0-0.rc2.1 -- reenable inotify and see what happens - -* Thu Jul 13 2006 Petr Rockai - 1.0-0.rc2 -- update to latest upstream release candidate -- disable inotify for now, doesn't build -- this needs fixing though - -* Wed Jul 12 2006 Jesse Keating - 1.0-0.beta8.2.1 -- rebuild - -* Thu Jun 08 2006 Petr Rockai - 1.0-0.beta8.2 -- put back pop3_uidl_format default that got lost - in the beta2->beta7 upgrade (would cause pop3 to not work - at all in many situations) - -* Thu May 04 2006 Petr Rockai - 1.0-0.beta8.1 -- upgrade to latest upstream beta release (beta8) -- contains a security fix in mbox handling - -* Thu May 04 2006 Petr Rockai - 1.0-0.beta7.1 -- upgrade to latest upstream beta release -- fixed BR 173048 - -* Fri Mar 17 2006 Petr Rockai - 1.0-0.beta2.8 -- fix sqlite detection in upstream configure checks, second part - of #182240 - -* Wed Mar 8 2006 Bill Nottingham - 1.0-0.beta2.7 -- fix scriplet noise some more - -* Mon Mar 6 2006 Jeremy Katz - 1.0-0.beta2.6 -- fix scriptlet error (mitr, #184151) - -* Mon Feb 27 2006 Petr Rockai - 1.0-0.beta2.5 -- fix #182240 by looking in lib64 for libs first and then lib -- fix comment #1 in #182240 by copying over the example config files - to documentation directory - -* Fri Feb 10 2006 Jesse Keating - 1.0-0.beta2.4.1 -- bump again for double-long bug on ppc(64) - -* Thu Feb 09 2006 Petr Rockai - 1.0-0.beta2.4 -- enable inotify as it should work now (#179431) - -* Tue Feb 07 2006 Jesse Keating - 1.0-0.beta2.3.1 -- rebuilt for new gcc4.1 snapshot and glibc changes - -* Thu Feb 02 2006 Petr Rockai - 1.0-0.beta2.3 -- change the compiled-in defaults and adjust the default's configfile - commented-out example settings to match compiled-in defaults, - instead of changing the defaults only in the configfile, as per #179432 -- fix #179574 by providing a default uidl_format for pop3 -- half-fix #179620 by having plaintext auth enabled by default... this - needs more thinking (which one we really want) and documentation - either way - -* Tue Jan 31 2006 Petr Rockai - 1.0-0.beta2.2 -- update URL in description -- call dovecot --build-ssl-parameters in postinst as per #179430 - -* Mon Jan 30 2006 Petr Rockai - 1.0-0.beta2.1 -- fix spec to work with BUILD_DIR != SOURCE_DIR -- forward-port and split pam-nocred patch - -* Mon Jan 23 2006 Petr Rockai - 1.0-0.beta2 -- new upstream version, hopefully fixes #173928, #163550 -- fix #168866, use install -p to install documentation - -* Fri Dec 09 2005 Jesse Keating -- rebuilt - -* Sat Nov 12 2005 Tom Lane - 0.99.14-10.fc5 -- Rebuild due to mysql update. - -* Wed Nov 9 2005 Tomas Mraz - 0.99.14-9.fc5 -- rebuilt with new openssl - -* Fri Sep 30 2005 Tomas Mraz - 0.99.14-8.fc5 -- use include instead of pam_stack in pam config - -* Wed Jul 27 2005 John Dennis - 0.99.14-7.fc5 -- fix bug #150888, log authenication failures with ip address - -* Fri Jul 22 2005 John Dennis - 0.99.14-6.fc5 -- fix bug #149673, add dummy PAM_TTY - -* Thu Apr 28 2005 John Dennis - 0.99.14-5.fc4 -- fix bug #156159 insecure location of restart flag file - -* Fri Apr 22 2005 John Dennis - 0.99.14-4.fc4 -- openssl moved its certs, CA, etc. from /usr/share/ssl to /etc/pki - -* Tue Apr 12 2005 Tom Lane 0.99.14-3.fc4 -- Rebuild for Postgres 8.0.2 (new libpq major version). - -* Mon Mar 7 2005 John Dennis 0.99.14-2.fc4 -- bump rev for gcc4 build - -* Mon Feb 14 2005 John Dennis - 0.99.14-1.fc4 -- fix bug #147874, update to 0.99.14 release - v0.99.14 2005-02-11 Timo Sirainen - - Message address fields are now parsed differently, fixing some - issues with spaces. Affects only clients which use FETCH ENVELOPE - command. - - Message MIME parser was somewhat broken with missing MIME boundaries - - mbox: Don't allow X-UID headers in mails to override the UIDs we - would otherwise set. Too large values can break some clients and - cause other trouble. - - passwd-file userdb wasn't working - - PAM crashed with 64bit systems - - non-SSL inetd startup wasn't working - - If UID FETCH notices and skips an expunged message, don't return - a NO reply. It's not needed and only makes clients give error - messages. - -* Wed Feb 2 2005 John Dennis - 0.99.13-4.devel -- fix bug #146198, clean up temp kerberos tickets - -* Mon Jan 17 2005 John Dennis 0.99.13-3.devel -- fix bug #145214, force mbox_locks to fcntl only -- fix bug #145241, remove prereq on postgres and mysql, allow rpm auto - dependency generator to pick up client lib dependency if needed. - -* Thu Jan 13 2005 John Dennis 0.99.13-2.devel -- make postgres & mysql conditional build -- remove execute bit on migration example scripts so rpm does not pull - in additional dependences on perl and perl modules that are not present - in dovecot proper. -- add REDHAT-FAQ.txt to doc directory - -* Thu Jan 6 2005 John Dennis 0.99.13-1.devel -- bring up to date with latest upstream, 0.99.13, bug #143707 - also fix bug #14462, bad dovecot-uid macro name - -* Thu Jan 6 2005 John Dennis 0.99.11-10.devel -- fix bug #133618, removed LITERAL+ capability from capability string - -* Wed Jan 5 2005 John Dennis 0.99.11-9.devel -- fix bug #134325, stop dovecot during installation - -* Wed Jan 5 2005 John Dennis 0.99.11-8.devel -- fix bug #129539, dovecot starts too early, - set chkconfig to 65 35 to match cyrus-imapd -- also delete some old commented out code from SSL certificate creation - -* Thu Dec 23 2004 John Dennis 0.99.11-7.devel -- add UW to Dovecot migration documentation and scripts, bug #139954 - fix SSL documentation and scripts, add missing documentation, bug #139276 - -* Mon Nov 15 2004 Warren Togami 0.99.11-2.FC4.1 -- rebuild against MySQL4 - -* Thu Oct 21 2004 John Dennis -- fix bug #136623 - Change License field from GPL to LGPL to reflect actual license - -* Thu Sep 30 2004 John Dennis 0.99.11-1.FC3.3 -- fix bug #124786, listen to ipv6 as well as ipv4 - -* Wed Sep 8 2004 John Dennis 0.99.11-1.FC3.1 -- bring up to latest upstream, - comments from Timo Sirainen on release v0.99.11 2004-09-04 - + 127.* and ::1 IP addresses are treated as secured with - disable_plaintext_auth = yes - + auth_debug setting for extra authentication debugging - + Some documentation and error message updates - + Create PID file in /var/run/dovecot/master.pid - + home setting is now optional in static userdb - + Added mail setting to static userdb - - After APPENDing to selected mailbox Dovecot didn't always notice the - new mail immediately which broke some clients - - THREAD and SORT commands crashed with some mails - - If APPENDed mail ended with CR character, Dovecot aborted the saving - - Output streams sometimes sent data duplicated and lost part of it. - This could have caused various strange problems, but looks like in - practise it rarely caused real problems. - -* Wed Aug 4 2004 John Dennis -- change release field separator from comma to dot, bump build number - -* Mon Aug 2 2004 John Dennis 0.99.10.9-1,FC3,1 -- bring up to date with latest upstream, fixes include: -- LDAP support compiles now with Solaris LDAP library -- IMAP BODY and BODYSTRUCTURE replies were wrong for MIME parts which - didn't contain Content-Type header. -- MySQL and PostgreSQL auth didn't reconnect if connection was lost - to SQL server -- Linking fixes for dovecot-auth with some systems -- Last fix for disconnecting client when downloading mail longer than - 30 seconds actually made it never disconnect client. Now it works - properly: disconnect when client hasn't read _any_ data for 30 - seconds. -- MySQL compiling got broken in last release -- More PostgreSQL reconnection fixing - - -* Mon Jul 26 2004 John Dennis 0.99.10.7-1,FC3,1 -- enable postgres and mySQL in build -- fix configure to look for mysql in alternate locations -- nuke configure script in tar file, recreate from configure.in using autoconf - -- bring up to latest upstream, which included: -- Added outlook-pop3-no-nuls workaround to fix Outlook hang in mails with NULs. -- Config file lines can now contain quoted strings ("value ") -- If client didn't finish downloading a single mail in 30 seconds, - Dovecot closed the connection. This was supposed to work so that - if client hasn't read data at all in 30 seconds, it's disconnected. -- Maildir: LIST now doesn't skip symlinks - - -* Wed Jun 30 2004 John Dennis -- bump rev for build -- change rev for FC3 build - -* Fri Jun 25 2004 John Dennis - 0.99.10.6-1 -- bring up to date with upstream, - recent change log comments from Timo Sirainen were: - SHA1 password support using OpenSSL crypto library - mail_extra_groups setting - maildir_stat_dirs setting - Added NAMESPACE capability and command - Autocreate missing maildirs (instead of crashing) - Fixed occational crash in maildir synchronization - Fixed occational assertion crash in ioloop.c - Fixed FreeBSD compiling issue - Fixed issues with 64bit Solaris binary - -* Tue Jun 15 2004 Elliot Lee -- rebuilt - -* Thu May 27 2004 David Woodhouse 0.99.10.5-1 -- Update to 0.99.10.5 to fix maildir segfaults (#123022) - -* Fri May 07 2004 Warren Togami 0.99.10.4-4 -- default auth config that is actually usable -- Timo Sirainen (author) suggested functionality fixes - maildir, imap-fetch-body-section, customflags-fix - -* Mon Feb 23 2004 Tim Waugh -- Use ':' instead of '.' as separator for chown. - -* Tue Feb 17 2004 Jeremy Katz - 0.99.10.4-3 -- restart properly if it dies (#115594) - -* Fri Feb 13 2004 Elliot Lee -- rebuilt - -* Mon Nov 24 2003 Jeremy Katz 0.99.10.4-1 -- update to 0.99.10.4 - -* Mon Oct 6 2003 Jeremy Katz 0.99.10-7 -- another patch from upstream to fix returning invalid data on partial - BODY[part] fetches -- patch to avoid confusion of draft/deleted in indexes - -* Tue Sep 23 2003 Jeremy Katz 0.99.10-6 -- add some patches from upstream (#104288) - -* Thu Sep 4 2003 Jeremy Katz 0.99.10-5 -- fix startup with 2.6 with patch from upstream (#103801) - -* Tue Sep 2 2003 Jeremy Katz 0.99.10-4 -- fix assert in search code (#103383) - -* Tue Jul 22 2003 Nalin Dahyabhai 0.99.10-3 -- rebuild - -* Thu Jul 17 2003 Bill Nottingham 0.99.10-2 -- don't run by default - -* Thu Jun 26 2003 Jeremy Katz 0.99.10-1 -- 0.99.10 - -* Mon Jun 23 2003 Jeremy Katz 0.99.10-0.2 -- 0.99.10-rc2 (includes ssl detection fix) -- a few tweaks from fedora - - noreplace the config file - - configure --with-ldap to get LDAP enabled - -* Mon Jun 23 2003 Jeremy Katz 0.99.10-0.1 -- 0.99.10-rc1 -- add fix for ssl detection -- add zlib-devel to BuildRequires -- change pam service name to dovecot -- include pam config - -* Thu May 8 2003 Jeremy Katz 0.99.9.1-1 -- update to 0.99.9.1 -- add patch from upstream to fix potential bug when fetching with - CR+LF linefeeds -- tweak some things in the initscript and config file noticed by the - fedora folks - -* Sun Mar 16 2003 Jeremy Katz 0.99.8.1-2 -- fix ssl dir -- own /var/run/dovecot/login with the correct perms -- fix chmod/chown in post - -* Fri Mar 14 2003 Jeremy Katz 0.99.8.1-1 -- update to 0.99.8.1 - -* Tue Mar 11 2003 Jeremy Katz 0.99.8-2 -- add a patch to fix quoting problem from CVS - -* Mon Mar 10 2003 Jeremy Katz 0.99.8-1 -- 0.99.8 -- add some buildrequires -- fixup to build with openssl 0.9.7 -- now includes a pop3 daemon (off by default) -- clean up description and %%preun -- add dovecot user (uid/gid of 97) -- add some buildrequires -- move the ssl cert to %%{_datadir}/ssl/certs -- create a dummy ssl cert in %%post -- own /var/run/dovecot -- make the config file a source so we get default mbox locks of fcntl - -* Sun Dec 1 2002 Seth Vidal -- 0.99.4 and fix startup so it starts imap-master not vsftpd :) - -* Tue Nov 26 2002 Seth Vidal -- first build diff --git a/sources b/sources index a62fbdb..490e720 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.21.1.tar.gz) = 9de6ce3a579ef2040248b692874a6d64a732bb735a9cee3144604927cad49690c4b0e29f7ecf3af23190d56f30956d955d13acd5d352534df62fbdfde4b60f9f -SHA512 (dovecot-2.3-pigeonhole-0.5.21.1.tar.gz) = 7387b417611599fe70d1a83d3b408321e66f5a883bf78a9d55c7496b1a17220677daebaefde2061e0d7064fe07c410ecfc64662878bb253ddcd9e128dd83fbaa +SHA512 (dovecot-2.4.1-4.tar.gz) = 4915e9282898a4bce4dc3c9781f9aa849e8a2d5bb89dffc2222b417560eaa0135d66342ef342098a86dd5e9b4e76d41145381b7264144411cf45a6f88ca36698 +SHA512 (dovecot-pigeonhole-2.4.1-4.tar.gz) = 47b9cc62b13d710123389c47d13c104e70b815d683dc6b957e86b57b2f175101d07f462d0fdb0488d6dcdcfbbc137c926825ba9a0d798551576aa7f3c9082100 From dc0e5473d5122d64754550e37a96cc9e349ac437 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 5 Jun 2025 21:06:03 +0200 Subject: [PATCH 153/163] nolibotp patch is still needed --- ...botp.patch => dovecot-2.4.1-nolibotp.patch | 94 ------------------- dovecot.spec | 4 + 2 files changed, 4 insertions(+), 94 deletions(-) rename dovecot-2.3.20-nolibotp.patch => dovecot-2.4.1-nolibotp.patch (77%) diff --git a/dovecot-2.3.20-nolibotp.patch b/dovecot-2.4.1-nolibotp.patch similarity index 77% rename from dovecot-2.3.20-nolibotp.patch rename to dovecot-2.4.1-nolibotp.patch index 4ec0b78..78edc49 100644 --- a/dovecot-2.3.20-nolibotp.patch +++ b/dovecot-2.4.1-nolibotp.patch @@ -1,14 +1,3 @@ -diff -up dovecot-2.3.20/configure.ac.nolibotp dovecot-2.3.20/configure.ac ---- dovecot-2.3.20/configure.ac.nolibotp 2022-12-21 09:49:12.000000000 +0100 -+++ dovecot-2.3.20/configure.ac 2023-02-14 16:54:02.118531016 +0100 -@@ -854,7 +854,6 @@ src/lib-lua/Makefile - src/lib-mail/Makefile - src/lib-master/Makefile - src/lib-program-client/Makefile --src/lib-otp/Makefile - src/lib-dovecot/Makefile - src/lib-sasl/Makefile - src/lib-settings/Makefile diff -up dovecot-2.3.20/src/auth/main.c.nolibotp dovecot-2.3.20/src/auth/main.c --- dovecot-2.3.20/src/auth/main.c.nolibotp 2022-12-21 09:49:12.000000000 +0100 +++ dovecot-2.3.20/src/auth/main.c 2023-02-14 16:54:02.118531016 +0100 @@ -29,65 +18,6 @@ diff -up dovecot-2.3.20/src/auth/main.c.nolibotp dovecot-2.3.20/src/auth/main.c mech_deinit(global_auth_settings); /* allow modules to unregister their dbs/drivers/etc. before freeing -diff -up dovecot-2.3.20/src/auth/Makefile.am.nolibotp dovecot-2.3.20/src/auth/Makefile.am ---- dovecot-2.3.20/src/auth/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100 -+++ dovecot-2.3.20/src/auth/Makefile.am 2023-02-14 16:54:02.118531016 +0100 -@@ -45,7 +45,6 @@ AM_CPPFLAGS = \ - -I$(top_srcdir)/src/lib-sql \ - -I$(top_srcdir)/src/lib-settings \ - -I$(top_srcdir)/src/lib-old-stats \ -- -I$(top_srcdir)/src/lib-otp \ - -I$(top_srcdir)/src/lib-master \ - -I$(top_srcdir)/src/lib-oauth2 \ - -I$(top_srcdir)/src/lib-ssl-iostream \ -@@ -67,7 +66,6 @@ libpassword_la_SOURCES = \ - password-scheme-crypt.c \ - password-scheme-md5crypt.c \ - password-scheme-scram.c \ -- password-scheme-otp.c \ - password-scheme-pbkdf2.c \ - password-scheme-sodium.c - libpassword_la_CFLAGS = $(AM_CPPFLAGS) $(LIBSODIUM_CFLAGS) -@@ -76,7 +74,6 @@ auth_libs = \ - libauth.la \ - libstats_auth.la \ - libpassword.la \ -- ../lib-otp/libotp.la \ - $(AUTH_LUA_LIBS) \ - $(LIBDOVECOT_SQL) - -@@ -95,7 +92,6 @@ libauth_la_SOURCES = \ - auth-client-connection.c \ - auth-master-connection.c \ - auth-policy.c \ -- mech-otp-common.c \ - mech-plain-common.c \ - auth-penalty.c \ - auth-request.c \ -@@ -122,7 +118,6 @@ libauth_la_SOURCES = \ - mech-digest-md5.c \ - mech-external.c \ - mech-gssapi.c \ -- mech-otp.c \ - mech-scram.c \ - mech-apop.c \ - mech-winbind.c \ -@@ -161,7 +156,6 @@ headers = \ - auth-client-connection.h \ - auth-common.h \ - auth-master-connection.h \ -- mech-otp-common.h \ - mech-plain-common.h \ - mech-digest-md5-private.h \ - mech-scram.h \ -@@ -260,7 +254,6 @@ test_libs = \ - test_libpassword_SOURCES = test-libpassword.c - test_libpassword_LDADD = \ - libpassword.la \ -- ../lib-otp/libotp.la \ - $(CRYPT_LIBS) \ - $(LIBDOVECOT_SQL) \ - $(LIBSODIUM_LIBS) \ diff -up dovecot-2.3.20/src/auth/mech.c.nolibotp dovecot-2.3.20/src/auth/mech.c --- dovecot-2.3.20/src/auth/mech.c.nolibotp 2023-02-14 16:55:38.421231797 +0100 +++ dovecot-2.3.20/src/auth/mech.c 2023-02-14 16:55:38.434231892 +0100 @@ -269,27 +199,3 @@ diff -up dovecot-2.3.20/src/auth/test-mech.c.nolibotp dovecot-2.3.20/src/auth/te auths_deinit(); auth_token_deinit(); password_schemes_deinit(); -diff -up dovecot-2.3.20/src/doveadm/Makefile.am.nolibotp dovecot-2.3.20/src/doveadm/Makefile.am ---- dovecot-2.3.20/src/doveadm/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100 -+++ dovecot-2.3.20/src/doveadm/Makefile.am 2023-02-14 16:54:02.119531023 +0100 -@@ -36,8 +36,7 @@ AM_CPPFLAGS = \ - $(BINARY_CFLAGS) - - cmd_pw_libs = \ -- ../auth/libpassword.la \ -- ../lib-otp/libotp.la -+ ../auth/libpassword.la - - libs = \ - dsync/libdsync.la \ -diff -up dovecot-2.3.20/src/Makefile.am.nolibotp dovecot-2.3.20/src/Makefile.am ---- dovecot-2.3.20/src/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100 -+++ dovecot-2.3.20/src/Makefile.am 2023-02-14 16:54:02.119531023 +0100 -@@ -40,7 +40,6 @@ SUBDIRS = \ - lib-index \ - lib-storage \ - lib-sql \ -- lib-otp \ - lib-lda \ - lib-dict-backend \ - anvil \ diff --git a/dovecot.spec b/dovecot.spec index 8df09a7..0e5b19d 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -45,6 +45,9 @@ Patch16: dovecot-2.4.1-opensslhmac3.patch Patch17: dovecot-2.3.15-fixvalcond.patch Patch18: dovecot-2.3.15-valbasherr.patch +# Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes +Patch23: dovecot-2.4.1-nolibotp.patch + Patch24: dovecot-2.3-ph_optglob.patch Patch25: dovecot-2.3-ph_scriptcmp.patch @@ -150,6 +153,7 @@ mv dovecot-pigeonhole-%{pigeonholever} dovecot-pigeonhole %patch -P 16 -p2 -b .opensslhmac3 %patch -P 17 -p2 -b .fixvalcond %patch -P 18 -p1 -b .valbasherr +%patch -P 23 -p1 -b .nolibotp #patch -P 24 -p2 -b .ph_optglob #patch -P 25 -p1 -b .ph_scriptcmp cp run-test-valgrind.supp dovecot-pigeonhole/ From 4c4f414ae9d1b7362f2b3014de25f74a4c4fc53e Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 5 Jun 2025 21:18:14 +0200 Subject: [PATCH 154/163] but actuall updated patch is needed --- dovecot-2.4.1-nolibotp.patch | 226 +++++++++++++++++------------------ dovecot.spec | 2 +- 2 files changed, 109 insertions(+), 119 deletions(-) diff --git a/dovecot-2.4.1-nolibotp.patch b/dovecot-2.4.1-nolibotp.patch index 78edc49..42e62ba 100644 --- a/dovecot-2.4.1-nolibotp.patch +++ b/dovecot-2.4.1-nolibotp.patch @@ -1,7 +1,7 @@ -diff -up dovecot-2.3.20/src/auth/main.c.nolibotp dovecot-2.3.20/src/auth/main.c ---- dovecot-2.3.20/src/auth/main.c.nolibotp 2022-12-21 09:49:12.000000000 +0100 -+++ dovecot-2.3.20/src/auth/main.c 2023-02-14 16:54:02.118531016 +0100 -@@ -19,8 +19,6 @@ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c 2025-06-05 21:08:46.902918388 +0200 +@@ -20,8 +20,6 @@ #include "password-scheme.h" #include "passdb-cache.h" #include "mech.h" @@ -10,44 +10,105 @@ diff -up dovecot-2.3.20/src/auth/main.c.nolibotp dovecot-2.3.20/src/auth/main.c #include "auth.h" #include "auth-penalty.h" #include "auth-token.h" -@@ -283,7 +281,6 @@ static void main_deinit(void) +@@ -272,7 +270,6 @@ static void main_deinit(void) auth_policy_deinit(); mech_register_deinit(&mech_reg); - mech_otp_deinit(); + db_oauth2_deinit(); mech_deinit(global_auth_settings); - - /* allow modules to unregister their dbs/drivers/etc. before freeing -diff -up dovecot-2.3.20/src/auth/mech.c.nolibotp dovecot-2.3.20/src/auth/mech.c ---- dovecot-2.3.20/src/auth/mech.c.nolibotp 2023-02-14 16:55:38.421231797 +0100 -+++ dovecot-2.3.20/src/auth/mech.c 2023-02-14 16:55:38.434231892 +0100 + settings_free(global_auth_settings); +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c.nolibotp 2025-06-05 21:06:36.218750400 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c 2025-06-05 21:09:55.056067262 +0200 @@ -71,7 +71,6 @@ extern const struct mech_module mech_apo extern const struct mech_module mech_cram_md5; extern const struct mech_module mech_digest_md5; extern const struct mech_module mech_external; -extern const struct mech_module mech_otp; extern const struct mech_module mech_scram_sha1; + extern const struct mech_module mech_scram_sha1_plus; extern const struct mech_module mech_scram_sha256; - extern const struct mech_module mech_anonymous; -@@ -206,7 +205,6 @@ void mech_init(const struct auth_setting +@@ -217,7 +216,6 @@ void mech_init(const struct auth_setting mech_register_module(&mech_gssapi_spnego); #endif } - mech_register_module(&mech_otp); mech_register_module(&mech_scram_sha1); + mech_register_module(&mech_scram_sha1_plus); mech_register_module(&mech_scram_sha256); - mech_register_module(&mech_anonymous); -@@ -233,7 +231,6 @@ void mech_deinit(const struct auth_setti +@@ -247,7 +245,6 @@ void mech_deinit(const struct auth_setti mech_unregister_module(&mech_gssapi_spnego); #endif } - mech_unregister_module(&mech_otp); mech_unregister_module(&mech_scram_sha1); + mech_unregister_module(&mech_scram_sha1_plus); mech_unregister_module(&mech_scram_sha256); - mech_unregister_module(&mech_anonymous); -diff -up dovecot-2.3.20/src/auth/password-scheme.c.nolibotp dovecot-2.3.20/src/auth/password-scheme.c ---- dovecot-2.3.20/src/auth/password-scheme.c.nolibotp 2023-02-14 16:54:02.109530950 +0100 -+++ dovecot-2.3.20/src/auth/password-scheme.c 2023-02-14 16:54:02.119531023 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c 2025-06-05 21:11:55.124524758 +0200 +@@ -24,7 +24,6 @@ extern const struct mech_module mech_dig + extern const struct mech_module mech_external; + extern const struct mech_module mech_login; + extern const struct mech_module mech_oauthbearer; +-extern const struct mech_module mech_otp; + extern const struct mech_module mech_plain; + extern const struct mech_module mech_scram_sha1; + extern const struct mech_module mech_scram_sha256; +@@ -60,10 +59,7 @@ request_handler_reply_mock_callback(stru + + if (request->passdb_result == PASSDB_RESULT_OK) + request->failed = FALSE; +- else if (request->mech == &mech_otp) { +- if (null_strcmp(request->fields.user, "otp_phase_2") == 0) +- request->failed = FALSE; +- } else if (request->mech == &mech_oauthbearer) { ++ else if (request->mech == &mech_oauthbearer) { + } + }; + +@@ -181,10 +177,6 @@ static void test_mechs(void) + {&mech_plain, UCHAR_LEN("\0testuser\0testpass"), "testuser", NULL, TRUE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("normaluser\0masteruser\0masterpass"), "masteruser", NULL, TRUE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("normaluser\0normaluser\0masterpass"), "normaluser", NULL, TRUE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("hex:5Bf0 75d9 959d 036f"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("word:BOND FOGY DRAB NE RISE MART"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("init-hex:f6bd 6b33 89b8 7203:md5 499 ke6118:23d1 b253 5ae0 2b7e"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("init-word:END KERN BALM NICK EROS WAVY:md5 499 ke1235:BABY FAIN OILY NIL TIDY DADE"), "otp_phase_2", NULL , TRUE, TRUE, FALSE}, + {&mech_oauthbearer, UCHAR_LEN("n,a=testuser,p=cHJvb2Y=,f=nonstandart\x01host=server\x01port=143\x01""auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01"), "testuser", NULL, FALSE, TRUE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, + {&mech_scram_sha256, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, +@@ -199,8 +191,6 @@ static void test_mechs(void) + {&mech_external, UCHAR_LEN(""), "testuser", NULL, FALSE, TRUE, FALSE}, + {&mech_external, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_login, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN(""), NULL, "invalid input", FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN(""), "testuser", "invalid input", FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_oauthbearer, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_xoauth2, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, +@@ -212,7 +202,6 @@ static void test_mechs(void) + {&mech_apop, UCHAR_LEN("1.1.1\0testuser\0tooshort"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_apop, UCHAR_LEN("1.1.1\0testuser\0responseoflen16-"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_apop, UCHAR_LEN("1.1.1"), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("somebody\0testuser"), "testuser", "unsupported response type", FALSE, TRUE, FALSE}, + {&mech_cram_md5, UCHAR_LEN("testuser\0response"), "testuser", NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("testuser\0"), "testuser", NULL, FALSE, FALSE, FALSE}, + +@@ -254,9 +243,7 @@ static void test_mechs(void) + {&mech_plain, UCHAR_LEN("\0fa\0il\0ing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("failingwiththis"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("failing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), NULL, "invalid input", FALSE, FALSE, FALSE}, + /* phase 2 */ +- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), "testuser", "unsupported response type", FALSE, TRUE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("n,a=masteruser,,"), NULL, NULL, FALSE, FALSE, FALSE}, +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.nolibotp 2025-06-05 21:15:38.089454364 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c 2025-06-05 21:15:38.102747365 +0200 @@ -13,7 +13,6 @@ #include "randgen.h" #include "sha1.h" @@ -55,8 +116,8 @@ diff -up dovecot-2.3.20/src/auth/password-scheme.c.nolibotp dovecot-2.3.20/src/a -#include "otp.h" #include "str.h" #include "password-scheme.h" - -@@ -709,32 +708,6 @@ plain_md5_generate(const char *plaintext + #include "password-scheme-private.h" +@@ -701,33 +700,6 @@ plain_md5_generate(const char *plaintext *size_r = MD5_RESULTLEN; } @@ -86,21 +147,28 @@ diff -up dovecot-2.3.20/src/auth/password-scheme.c.nolibotp dovecot-2.3.20/src/a - *raw_password_r = (const unsigned char *)password; - *size_r = strlen(password); -} - +- static const struct password_scheme builtin_schemes[] = { - { "MD5", PW_ENCODING_NONE, 0, md5_verify, md5_crypt_generate }, -@@ -770,7 +743,6 @@ static const struct password_scheme buil - NULL, plain_md5_generate }, - { "LDAP-MD5", PW_ENCODING_BASE64, MD5_RESULTLEN, - NULL, plain_md5_generate }, -- { "OTP", PW_ENCODING_NONE, 0, otp_verify, otp_generate }, - { "PBKDF2", PW_ENCODING_NONE, 0, pbkdf2_verify, pbkdf2_generate }, - }; - -diff -up dovecot-2.3.20/src/auth/password-scheme.h.nolibotp dovecot-2.3.20/src/auth/password-scheme.h ---- dovecot-2.3.20/src/auth/password-scheme.h.nolibotp 2023-02-14 16:56:50.929759540 +0100 -+++ dovecot-2.3.20/src/auth/password-scheme.h 2023-02-14 16:56:50.947759671 +0100 -@@ -92,9 +92,6 @@ void password_set_encryption_rounds(unsi + { + .name = "MD5", +@@ -891,13 +863,6 @@ static const struct password_scheme buil + .password_generate = plain_md5_generate, + }, + { +- .name = "OTP", +- .default_encoding = PW_ENCODING_NONE, +- .raw_password_len = 0, +- .password_verify = otp_verify, +- .password_generate = otp_generate, +- }, +- { + .name = "PBKDF2", + .default_encoding = PW_ENCODING_NONE, + .raw_password_len = 0, +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h.nolibotp 2025-06-05 21:16:12.241545079 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h 2025-06-05 21:16:12.249776307 +0200 +@@ -98,9 +98,6 @@ void password_set_encryption_rounds(unsi /* INTERNAL: */ const char *password_generate_salt(size_t len); const char *password_generate_md5_crypt(const char *pw, const char *salt); @@ -108,12 +176,12 @@ diff -up dovecot-2.3.20/src/auth/password-scheme.h.nolibotp dovecot-2.3.20/src/a - unsigned int algo, const char **result_r) - ATTR_NULL(2); - int crypt_verify(const char *plaintext, - const struct password_generate_params *params, -diff -up dovecot-2.3.20/src/auth/test-libpassword.c.nolibotp dovecot-2.3.20/src/auth/test-libpassword.c ---- dovecot-2.3.20/src/auth/test-libpassword.c.nolibotp 2023-02-14 16:54:55.880922175 +0100 -+++ dovecot-2.3.20/src/auth/test-libpassword.c 2023-02-14 16:54:55.896922291 +0100 -@@ -106,7 +106,6 @@ static void test_password_schemes(void) + int scram_scheme_parse(const struct hash_method *hmethod, const char *name, + const unsigned char *credentials, size_t size, +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c.nolibotp 2025-06-05 21:16:40.122669090 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c 2025-06-05 21:16:40.136347538 +0200 +@@ -107,7 +107,6 @@ static void test_password_schemes(void) test_password_scheme("SHA512", "{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==", "test"); test_password_scheme("SSHA", "{SSHA}H/zrDv8FXUu1JmwvVYijfrYEF34jVZcO", "test"); test_password_scheme("MD5-CRYPT", "{MD5-CRYPT}$1$GgvxyNz8$OjZhLh4P.gF1lxYEbLZ3e/", "test"); @@ -121,81 +189,3 @@ diff -up dovecot-2.3.20/src/auth/test-libpassword.c.nolibotp dovecot-2.3.20/src/ test_password_scheme("PBKDF2", "{PBKDF2}$1$bUnT4Pl7yFtYX0KU$5000$50a83cafdc517b9f46519415e53c6a858908680a", "test"); test_password_scheme("CRAM-MD5", "{CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6", "test"); test_password_scheme("DIGEST-MD5", "{DIGEST-MD5}77c1a8c437c9b08ba2f460fe5d58db5d", "test"); -diff -up dovecot-2.3.20/src/auth/test-mech.c.nolibotp dovecot-2.3.20/src/auth/test-mech.c ---- dovecot-2.3.20/src/auth/test-mech.c.nolibotp 2022-12-21 09:49:12.000000000 +0100 -+++ dovecot-2.3.20/src/auth/test-mech.c 2023-02-14 16:54:02.119531023 +0100 -@@ -8,8 +8,6 @@ - #include "auth-request-handler-private.h" - #include "auth-settings.h" - #include "mech-digest-md5-private.h" --#include "otp.h" --#include "mech-otp-common.h" - #include "settings-parser.h" - #include "password-scheme.h" - #include "auth-token.h" -@@ -27,7 +25,6 @@ extern const struct mech_module mech_dov - extern const struct mech_module mech_external; - extern const struct mech_module mech_login; - extern const struct mech_module mech_oauthbearer; --extern const struct mech_module mech_otp; - extern const struct mech_module mech_plain; - extern const struct mech_module mech_scram_sha1; - extern const struct mech_module mech_scram_sha256; -@@ -65,10 +62,7 @@ request_handler_reply_mock_callback(stru - - if (request->passdb_result == PASSDB_RESULT_OK) - request->failed = FALSE; -- else if (request->mech == &mech_otp) { -- if (null_strcmp(request->fields.user, "otp_phase_2") == 0) -- request->failed = FALSE; -- } else if (request->mech == &mech_oauthbearer) { -+ else if (request->mech == &mech_oauthbearer) { - } - }; - -@@ -224,10 +218,6 @@ static void test_mechs(void) - {&mech_plain, UCHAR_LEN("\0testuser\0testpass"), "testuser", NULL, TRUE, FALSE, FALSE}, - {&mech_plain, UCHAR_LEN("normaluser\0masteruser\0masterpass"), "masteruser", NULL, TRUE, FALSE, FALSE}, - {&mech_plain, UCHAR_LEN("normaluser\0normaluser\0masterpass"), "normaluser", NULL, TRUE, FALSE, FALSE}, -- {&mech_otp, UCHAR_LEN("hex:5Bf0 75d9 959d 036f"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, -- {&mech_otp, UCHAR_LEN("word:BOND FOGY DRAB NE RISE MART"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, -- {&mech_otp, UCHAR_LEN("init-hex:f6bd 6b33 89b8 7203:md5 499 ke6118:23d1 b253 5ae0 2b7e"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, -- {&mech_otp, UCHAR_LEN("init-word:END KERN BALM NICK EROS WAVY:md5 499 ke1235:BABY FAIN OILY NIL TIDY DADE"), "otp_phase_2", NULL , TRUE, TRUE, FALSE}, - {&mech_oauthbearer, UCHAR_LEN("n,a=testuser,p=cHJvb2Y=,f=nonstandart\x01host=server\x01port=143\x01""auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01"), "testuser", NULL, FALSE, TRUE, FALSE}, - {&mech_scram_sha1, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, - {&mech_scram_sha256, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, -@@ -242,8 +232,6 @@ static void test_mechs(void) - {&mech_external, UCHAR_LEN(""), "testuser", NULL, FALSE, TRUE, FALSE}, - {&mech_external, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_login, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, -- {&mech_otp, UCHAR_LEN(""), NULL, "invalid input", FALSE, FALSE, FALSE}, -- {&mech_otp, UCHAR_LEN(""), "testuser", "invalid input", FALSE, FALSE, FALSE}, - {&mech_plain, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_oauthbearer, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_xoauth2, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, -@@ -255,7 +243,6 @@ static void test_mechs(void) - {&mech_apop, UCHAR_LEN("1.1.1\0testuser\0tooshort"), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_apop, UCHAR_LEN("1.1.1\0testuser\0responseoflen16-"), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_apop, UCHAR_LEN("1.1.1"), NULL, NULL, FALSE, FALSE, FALSE}, -- {&mech_otp, UCHAR_LEN("somebody\0testuser"), "testuser", "otp(testuser): unsupported response type", FALSE, TRUE, FALSE}, - {&mech_cram_md5, UCHAR_LEN("testuser\0response"), "testuser", NULL, FALSE, FALSE, FALSE}, - {&mech_plain, UCHAR_LEN("testuser\0"), "testuser", NULL, FALSE, FALSE, FALSE}, - -@@ -297,9 +284,7 @@ static void test_mechs(void) - {&mech_plain, UCHAR_LEN("\0fa\0il\0ing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_plain, UCHAR_LEN("failingwiththis"), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_plain, UCHAR_LEN("failing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, -- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), NULL, "invalid input", FALSE, FALSE, FALSE}, - /* phase 2 */ -- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), "testuser", "otp(testuser): unsupported response type", FALSE, TRUE, FALSE}, - {&mech_scram_sha1, UCHAR_LEN("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_scram_sha1, UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_scram_sha1, UCHAR_LEN("n,a=masteruser,,"), NULL, NULL, FALSE, FALSE, FALSE}, -@@ -387,7 +372,6 @@ static void test_mechs(void) - - test_end(); - } T_END; -- mech_otp_deinit(); - auths_deinit(); - auth_token_deinit(); - password_schemes_deinit(); diff --git a/dovecot.spec b/dovecot.spec index 0e5b19d..1e9a1a2 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -153,7 +153,7 @@ mv dovecot-pigeonhole-%{pigeonholever} dovecot-pigeonhole %patch -P 16 -p2 -b .opensslhmac3 %patch -P 17 -p2 -b .fixvalcond %patch -P 18 -p1 -b .valbasherr -%patch -P 23 -p1 -b .nolibotp +%patch -P 23 -p2 -b .nolibotp #patch -P 24 -p2 -b .ph_optglob #patch -P 25 -p1 -b .ph_scriptcmp cp run-test-valgrind.supp dovecot-pigeonhole/ From c7cc256e1a6dd95858e75c653db042235fb9598d Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 5 Jun 2025 23:17:39 +0200 Subject: [PATCH 155/163] but updated patch is needed --- dovecot-2.4.1-nolibotp.patch | 31 +++++++++++++++++++++---------- dovecot.spec | 4 ++++ 2 files changed, 25 insertions(+), 10 deletions(-) diff --git a/dovecot-2.4.1-nolibotp.patch b/dovecot-2.4.1-nolibotp.patch index 42e62ba..6c8dad5 100644 --- a/dovecot-2.4.1-nolibotp.patch +++ b/dovecot-2.4.1-nolibotp.patch @@ -1,6 +1,6 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c 2025-06-05 21:08:46.902918388 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c 2025-06-05 22:36:50.148155427 +0200 @@ -20,8 +20,6 @@ #include "password-scheme.h" #include "passdb-cache.h" @@ -19,8 +19,8 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c.nolibotp dovecot-2. mech_deinit(global_auth_settings); settings_free(global_auth_settings); diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c.nolibotp 2025-06-05 21:06:36.218750400 +0200 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c 2025-06-05 21:09:55.056067262 +0200 +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c 2025-06-05 22:36:50.148435422 +0200 @@ -71,7 +71,6 @@ extern const struct mech_module mech_apo extern const struct mech_module mech_cram_md5; extern const struct mech_module mech_digest_md5; @@ -45,9 +45,20 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c.nolibotp dovecot-2. mech_unregister_module(&mech_scram_sha1); mech_unregister_module(&mech_scram_sha1_plus); mech_unregister_module(&mech_scram_sha256); +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c.nolibotp 2025-06-05 23:11:23.428522162 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c 2025-06-05 23:11:23.443511259 +0200 +@@ -72,7 +72,6 @@ void test_auth_init(void) + void test_auth_deinit(void) + { + auth_penalty_deinit(&auth_penalty); +- mech_otp_deinit(); + db_oauth2_deinit(); + auths_deinit(); + auth_token_deinit(); diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c 2025-06-05 21:11:55.124524758 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c 2025-06-05 22:36:50.148639214 +0200 @@ -24,7 +24,6 @@ extern const struct mech_module mech_dig extern const struct mech_module mech_external; extern const struct mech_module mech_login; @@ -107,8 +118,8 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c.nolibotp dovec {&mech_scram_sha1, UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, NULL, FALSE, FALSE, FALSE}, {&mech_scram_sha1, UCHAR_LEN("n,a=masteruser,,"), NULL, NULL, FALSE, FALSE, FALSE}, diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.nolibotp 2025-06-05 21:15:38.089454364 +0200 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c 2025-06-05 21:15:38.102747365 +0200 +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.nolibotp 2025-06-05 22:36:50.142606171 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c 2025-06-05 22:36:50.148822418 +0200 @@ -13,7 +13,6 @@ #include "randgen.h" #include "sha1.h" @@ -166,8 +177,8 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.noli .default_encoding = PW_ENCODING_NONE, .raw_password_len = 0, diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h.nolibotp 2025-06-05 21:16:12.241545079 +0200 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h 2025-06-05 21:16:12.249776307 +0200 +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h.nolibotp 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h 2025-06-05 22:36:50.148942954 +0200 @@ -98,9 +98,6 @@ void password_set_encryption_rounds(unsi /* INTERNAL: */ const char *password_generate_salt(size_t len); @@ -179,8 +190,8 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h.noli int scram_scheme_parse(const struct hash_method *hmethod, const char *name, const unsigned char *credentials, size_t size, diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c.nolibotp 2025-06-05 21:16:40.122669090 +0200 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c 2025-06-05 21:16:40.136347538 +0200 +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c 2025-06-05 22:36:50.149077275 +0200 @@ -107,7 +107,6 @@ static void test_password_schemes(void) test_password_scheme("SHA512", "{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==", "test"); test_password_scheme("SSHA", "{SSHA}H/zrDv8FXUu1JmwvVYijfrYEF34jVZcO", "test"); diff --git a/dovecot.spec b/dovecot.spec index 1e9a1a2..69cda61 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -162,6 +162,10 @@ echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude # drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes #rm -rf src/lib-otp +echo >src/auth/mech-otp-common.c +echo >src/auth/mech-otp-common.h +echo >src/auth/mech-otp.c +echo >src/lib-auth/password-scheme-otp.c pushd src/lib-otp for f in *.c *.h do From 1b30785ce51a19f0f9dc02ae50bec37daf4c427d Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 24 Jun 2025 14:27:16 +0200 Subject: [PATCH 156/163] fix dovecot 2.4 gssapi regression (rhbz#2374419) --- dovecot-2.3-ph_optglob.patch | 48 ---------------------------------- dovecot-2.3-ph_scriptcmp.patch | 12 --------- dovecot-2.4.1-gssapi.patch | 12 +++++++++ dovecot.spec | 12 ++++----- 4 files changed, 18 insertions(+), 66 deletions(-) delete mode 100644 dovecot-2.3-ph_optglob.patch delete mode 100644 dovecot-2.3-ph_scriptcmp.patch create mode 100644 dovecot-2.4.1-gssapi.patch diff --git a/dovecot-2.3-ph_optglob.patch b/dovecot-2.3-ph_optglob.patch deleted file mode 100644 index 55bf77a..0000000 --- a/dovecot-2.3-ph_optglob.patch +++ /dev/null @@ -1,48 +0,0 @@ -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c.ph_optglob dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c.ph_optglob 2025-06-03 23:43:09.773363279 +0200 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c 2025-06-03 23:47:49.234931325 +0200 -@@ -361,11 +361,13 @@ static bool opc_include_dump(const struc - - sieve_code_descend(denv); - sieve_code_dumpf( -- denv, "script: '%s' %s%s[ID: %d, BLOCK: %d]", -+ denv, "script: '%s' %s%s%s[ID: %d, BLOCK: %d]", - sieve_script_label(included->script), - ((flags & EXT_INCLUDE_FLAG_ONCE) != 0 ? "(once) " : ""), - ((flags & EXT_INCLUDE_FLAG_OPTIONAL) != 0 ? "(optional) " : ""), -- include_id, sieve_binary_block_get_id(included->block)); -+ (included->block == NULL ? "(missing) " : ""), -+ include_id, -+ (included->block == NULL ? -1 : sieve_binary_block_get_id(included->block))); - - return TRUE; - } -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob 2025-01-24 08:09:43.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c 2025-06-03 23:43:09.773531445 +0200 -@@ -715,6 +715,25 @@ int ext_include_execute_include(const st - } - - ctx = ext_include_get_interpreter_context(this_ext, renv->interp); -+ if (included->block == NULL) { -+ if ((flags & EXT_INCLUDE_FLAG_OPTIONAL) != 0) { -+ sieve_runtime_trace( -+ renv, SIEVE_TRLVL_NONE, -+ "include: skipped include for script '%s' " -+ "[inc id: %d, block: NULL]; optional and unavailable", -+ sieve_script_name(included->script), -+ include_id); -+ return result; -+ } else { -+ sieve_runtime_trace( -+ renv, SIEVE_TRLVL_NONE, -+ "include: unavailable script '%s' " -+ "[inc id: %d, block: NULL]", -+ sieve_script_name(included->script), -+ include_id); -+ return SIEVE_EXEC_BIN_CORRUPT; -+ } -+ } - block_id = sieve_binary_block_get_id(included->block); - - /* If :once modifier is specified, check for duplicate include */ diff --git a/dovecot-2.3-ph_scriptcmp.patch b/dovecot-2.3-ph_scriptcmp.patch deleted file mode 100644 index 2bcaade..0000000 --- a/dovecot-2.3-ph_scriptcmp.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c.testfix4 dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c ---- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c.testfix4 2024-06-03 13:35:24.408858593 +0200 -+++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c 2024-06-03 13:35:24.434858849 +0200 -@@ -800,7 +800,7 @@ static bool sieve_file_script_equals - (struct sieve_file_script *)other; - - return ( CMP_DEV_T(fscript->st.st_dev, fother->st.st_dev) && -- fscript->st.st_ino == fother->st.st_ino ); -+ fscript->st.st_ino == fother->st.st_ino && (fscript->st.st_ino != 0 || script->location != NULL && other->location != NULL && strcmp(script->location, other->location) == 0)); - } - - /* diff --git a/dovecot-2.4.1-gssapi.patch b/dovecot-2.4.1-gssapi.patch new file mode 100644 index 0000000..9765eb9 --- /dev/null +++ b/dovecot-2.4.1-gssapi.patch @@ -0,0 +1,12 @@ +diff -up dovecot-2.4.1-4/src/auth/mech-gssapi.c.gssapi dovecot-2.4.1-4/src/auth/mech-gssapi.c +--- dovecot-2.4.1-4/src/auth/mech-gssapi.c.gssapi 2025-06-24 00:07:54.720275640 +0200 ++++ dovecot-2.4.1-4/src/auth/mech-gssapi.c 2025-06-24 00:10:04.541651871 +0200 +@@ -672,7 +672,7 @@ mech_gssapi_auth_initial(struct auth_req + + if (data_size == 0) { + /* The client should go first */ +- auth_request_handler_reply_continue(request, NULL, 0); ++ auth_request_handler_reply_continue(request, uchar_empty_ptr, 0); + } else { + mech_gssapi_auth_continue(request, data, data_size); + } diff --git a/dovecot.spec b/dovecot.spec index 69cda61..2cfe5b7 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.4.1 %global prever -4 -Release: 1%{?dist} +Release: 2%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -47,9 +47,7 @@ Patch18: dovecot-2.3.15-valbasherr.patch # Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes Patch23: dovecot-2.4.1-nolibotp.patch - -Patch24: dovecot-2.3-ph_optglob.patch -Patch25: dovecot-2.3-ph_scriptcmp.patch +Patch24: dovecot-2.4.1-gssapi.patch BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig @@ -154,8 +152,7 @@ mv dovecot-pigeonhole-%{pigeonholever} dovecot-pigeonhole %patch -P 17 -p2 -b .fixvalcond %patch -P 18 -p1 -b .valbasherr %patch -P 23 -p2 -b .nolibotp -#patch -P 24 -p2 -b .ph_optglob -#patch -P 25 -p1 -b .ph_scriptcmp +%patch -P 24 -p1 -b .gssapi cp run-test-valgrind.supp dovecot-pigeonhole/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude @@ -476,6 +473,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Jun 24 2025 Michal Hlavinka - 1:2.4.1-2 +- fix dovecot 2.4 gssapi regression (rhbz#2374419) + * Tue Jun 03 2025 Michal Hlavinka - 1:2.4.1-1 - updated to 2.4.1 release - note: configuration is incompatible with 2.3.x version From ce9db32f706366baeb9bbc8b38e3a9131aeb54af Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 19:29:40 +0000 Subject: [PATCH 157/163] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index 2cfe5b7..65a7b29 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.4.1 %global prever -4 -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -473,6 +473,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Jul 23 2025 Fedora Release Engineering - 1:2.4.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Tue Jun 24 2025 Michal Hlavinka - 1:2.4.1-2 - fix dovecot 2.4 gssapi regression (rhbz#2374419) From 46c0ff966fe154a1208380e69b2e57effc19e06e Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 30 Jul 2025 12:09:04 +0200 Subject: [PATCH 158/163] fix compatibility with latest openssl (#2383209) --- dovecot-2.4.1-opensslhmac3.patch | 162 +++++++++++++++---------------- dovecot.spec | 5 +- 2 files changed, 81 insertions(+), 86 deletions(-) diff --git a/dovecot-2.4.1-opensslhmac3.patch b/dovecot-2.4.1-opensslhmac3.patch index 20b26a2..d5e8a92 100644 --- a/dovecot-2.4.1-opensslhmac3.patch +++ b/dovecot-2.4.1-opensslhmac3.patch @@ -1,6 +1,6 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c 2025-06-03 22:53:40.039980828 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c 2025-07-30 11:45:19.801515296 +0200 @@ -162,17 +162,17 @@ void auth_token_deinit(void) const char *auth_token_get(const char *service, const char *session_pid, const char *username, const char *session_id) @@ -26,9 +26,20 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c.opensslhmac3 return binary_to_hex(result, sizeof(result)); } +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am 2025-07-30 11:45:19.803705887 +0200 +@@ -66,6 +66,7 @@ auth_LDFLAGS = -export-dynamic + auth_libs = \ + ../lib-auth/libauth-crypt.la \ + $(AUTH_LUA_LIBS) \ ++ $(SSL_LIBS) \ + $(LIBDOVECOT_SQL) + + auth_CPPFLAGS = $(AM_CPPFLAGS) $(BINARY_CFLAGS) diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c 2025-06-03 22:53:40.040125680 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c 2025-07-30 11:45:19.801656370 +0200 @@ -50,7 +50,7 @@ static bool verify_credentials(struct cr const unsigned char *credentials, size_t size) { @@ -52,9 +63,46 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c.opensslhma response_hex = binary_to_hex(digest, sizeof(digest)); +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am 2025-07-30 11:45:19.803805844 +0200 +@@ -21,11 +21,13 @@ AM_CPPFLAGS = \ + $(BINARY_CFLAGS) + + imap_LDFLAGS = -export-dynamic \ ++ $(SSL_LIBS) \ + $(BINARY_LDFLAGS) + + imap_LDADD = \ + ../lib-imap-urlauth/libimap-urlauth.la \ + ../lib-compression/libcompression.la \ ++ $(SSL_LIBS) \ + $(LIBDOVECOT_STORAGE) \ + $(LIBDOVECOT) + imap_DEPENDENCIES = \ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am 2025-07-30 11:45:19.803904279 +0200 +@@ -22,6 +22,7 @@ imap_urlauth_CPPFLAGS = \ + imap_urlauth_LDFLAGS = -export-dynamic + + imap_urlauth_LDADD = $(LIBDOVECOT) \ ++ $(SSL_LIBS) + $(BINARY_LDFLAGS) + + imap_urlauth_DEPENDENCIES = $(LIBDOVECOT_DEPS) +@@ -52,7 +53,7 @@ imap_urlauth_worker_LDFLAGS = -export-dy + urlauth_libs = \ + $(top_builddir)/src/lib-imap-urlauth/libimap-urlauth.la + +-imap_urlauth_worker_LDADD = $(urlauth_libs) $(LIBDOVECOT_STORAGE) $(LIBDOVECOT) ++imap_urlauth_worker_LDADD = $(urlauth_libs) $(SSL_LIBS) $(LIBDOVECOT_STORAGE) $(LIBDOVECOT) + imap_urlauth_worker_DEPENDENCIES = $(urlauth_libs) $(LIBDOVECOT_STORAGE_DEPS) $(LIBDOVECOT_DEPS) + + imap_urlauth_worker_SOURCES = \ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c 2025-06-03 22:59:21.239579904 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c 2025-07-30 11:45:19.801788468 +0200 @@ -248,7 +248,7 @@ static string_t *auth_scram_get_client_f unsigned char client_signature[hmethod->digest_size]; unsigned char client_proof[hmethod->digest_size]; @@ -115,7 +163,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.op diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c 2025-06-03 22:53:40.040441433 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c 2025-07-30 11:45:19.801918022 +0200 @@ -31,7 +31,7 @@ void auth_scram_hi(const struct hash_met const unsigned char *salt, size_t salt_size, unsigned int i, unsigned char *result) @@ -187,7 +235,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c.opensslhm safe_memset(client_key, 0, sizeof(client_key)); diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c 2025-06-03 23:01:21.982844336 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c 2025-07-30 11:45:19.802027357 +0200 @@ -342,7 +342,7 @@ auth_scram_server_verify_credentials(str { const struct hash_method *hmethod = server->set.hash_method; @@ -234,7 +282,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.op diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c 2025-06-03 22:53:40.040746416 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c 2025-07-30 11:45:19.802166177 +0200 @@ -631,11 +631,11 @@ static void cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, const unsigned char **raw_password_r, size_t *size_r) @@ -251,7 +299,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.open diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c 2025-06-03 22:53:40.040877783 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c 2025-07-30 11:45:19.802285591 +0200 @@ -69,7 +69,7 @@ int scram_verify(const struct hash_metho const char *plaintext, const unsigned char *raw_password, size_t size, const char **error_r) @@ -276,7 +324,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram. hash_method_get_digest(hmethod, client_key, sizeof(client_key), diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c 2025-06-03 22:53:40.041060556 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c 2025-07-30 11:46:43.346310291 +0200 @@ -7,6 +7,10 @@ * This software is released under the MIT license. */ @@ -306,9 +354,8 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 dovecot + + +void openssl_hmac_init(struct openssl_hmac_context *_ctx, const unsigned char *key, //DONE - size_t key_len, const struct hash_method *meth) - { -- struct hmac_context_priv *ctx = &_ctx->u.priv; ++ size_t key_len, const struct hash_method *meth) ++{ +#ifdef USE_OPENSSL3_METHODS + struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; + @@ -374,8 +421,9 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 dovecot +} + +void orig_hmac_init(struct orig_hmac_context *_ctx, const unsigned char *key, //DONE -+ size_t key_len, const struct hash_method *meth) -+{ + size_t key_len, const struct hash_method *meth) + { +- struct hmac_context_priv *ctx = &_ctx->u.priv; + static int no_fips = -1; + if (no_fips == -1) { + int fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY); @@ -498,17 +546,10 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 dovecot /* salt and info can be NULL */ i_assert(salt != NULL || salt_len == 0); -@@ -119,35 +237,30 @@ void hmac_hkdf(const struct hash_method - i_assert(ikm != NULL && ikm_len > 0); - i_assert(okm_r != NULL && okm_len > 0); +@@ -126,28 +244,29 @@ void hmac_hkdf(const struct hash_method + if (info == NULL) + info = &uchar_nul; -- /* but they still need valid pointer, reduces -- complains from static analysers */ -- if (salt == NULL) -- salt = &uchar_nul; -- if (info == NULL) -- info = &uchar_nul; -- - /* extract */ - hmac_init(&key_mac, salt, salt_len, method); - hmac_update(&key_mac, ikm, ikm_len); @@ -529,7 +570,6 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 dovecot - hmac_final(&info_mac, okm); - buffer_append(okm_r, okm, amt); - remain -= amt; -+ + md = EVP_get_digestbyname(method->name); + pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); + unsigned char *okm_buf = buffer_get_space_unsafe(okm_r, 0, okm_len); @@ -560,7 +600,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 dovecot } diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c 2025-06-03 22:53:40.041190220 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c 2025-07-30 11:45:19.802547733 +0200 @@ -9,10 +9,10 @@ #include "md5.h" #include "hmac-cram-md5.h" @@ -589,7 +629,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c.opensslhmac struct md5_context *ctx = (void*)hmac_ctx->ctx; diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h 2025-06-03 22:53:40.041283645 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h 2025-07-30 11:45:19.802643613 +0200 @@ -5,9 +5,9 @@ #define CRAM_MD5_CONTEXTLEN 32 @@ -604,7 +644,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h.opensslhmac diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h 2025-06-03 22:53:40.041401056 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h 2025-07-30 11:45:19.802751766 +0200 @@ -4,60 +4,108 @@ #include "hash-method.h" #include "sha1.h" @@ -729,7 +769,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h.opensslhmac3 dovecot } diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c 2025-06-03 22:53:40.041513908 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c 2025-07-30 11:45:19.802862354 +0200 @@ -87,15 +87,15 @@ imap_urlauth_internal_generate( const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN], size_t *token_len_r) @@ -752,7 +792,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c return token; diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am 2025-06-03 22:53:40.041626579 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am 2025-07-30 11:45:19.802976508 +0200 @@ -359,6 +359,9 @@ headers = \ wildcard-match.h \ write-full.h @@ -765,7 +805,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am.opensslhmac3 do diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c 2025-06-03 22:53:40.041749500 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c 2025-07-30 11:45:19.803097425 +0200 @@ -210,14 +210,14 @@ oauth2_validate_hmac(const struct oauth2 if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0) return -1; @@ -789,7 +829,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c.openssl t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]); diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c 2025-06-03 22:53:40.041891667 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c 2025-07-30 11:45:19.803224443 +0200 @@ -250,7 +250,7 @@ static void save_key_azp_to(const char * static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key) { @@ -819,7 +859,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c.op base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c 2025-06-03 22:53:40.042033283 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c 2025-07-30 11:45:19.803357132 +0200 @@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */ unsigned char dk[l * hash->digest_size]; @@ -856,7 +896,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c.opensslhmac3 doveco } diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c --- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c 2025-06-03 22:53:40.042135125 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c 2025-07-30 11:45:19.803460807 +0200 @@ -206,11 +206,11 @@ static void test_hmac_rfc(void) test_begin("hmac sha256 rfc4231 vectors"); for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) { @@ -933,8 +973,8 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c.opensslhmac3 do vec->okm_len); test_assert(tmp->used == vec->okm_len && diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 2025-06-04 12:40:11.891062419 +0200 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am 2025-06-04 12:40:11.907575156 +0200 +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am 2025-07-30 11:45:19.803606280 +0200 @@ -30,13 +30,13 @@ test_libs = \ $(DLLIB) @@ -951,57 +991,9 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.a -DDCRYPT_BUILD_DIR=\"$(top_builddir)/src/lib-dcrypt\" check-local: -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am.opensslhmac3 2025-06-04 20:00:36.614009610 +0200 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am 2025-06-04 20:00:36.627577639 +0200 -@@ -65,6 +65,7 @@ auth_LDFLAGS = -export-dynamic - auth_libs = \ - ../lib-auth/libauth-crypt.la \ - $(AUTH_LUA_LIBS) \ -+ $(SSL_LIBS) \ - $(LIBDOVECOT_SQL) - - auth_CPPFLAGS = $(AM_CPPFLAGS) $(BINARY_CFLAGS) -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am.opensslhmac3 2025-06-04 21:58:25.496716279 +0200 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am 2025-06-04 23:14:17.353832049 +0200 -@@ -21,11 +21,13 @@ AM_CPPFLAGS = \ - $(BINARY_CFLAGS) - - imap_LDFLAGS = -export-dynamic \ -+ $(SSL_LIBS) \ - $(BINARY_LDFLAGS) - - imap_LDADD = \ - ../lib-imap-urlauth/libimap-urlauth.la \ - ../lib-compression/libcompression.la \ -+ $(SSL_LIBS) \ - $(LIBDOVECOT_STORAGE) \ - $(LIBDOVECOT) - imap_DEPENDENCIES = \ -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.opensslhmac3 2025-06-05 11:34:56.817495906 +0200 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am 2025-06-05 11:34:56.830938840 +0200 -@@ -22,6 +22,7 @@ imap_urlauth_CPPFLAGS = \ - imap_urlauth_LDFLAGS = -export-dynamic - - imap_urlauth_LDADD = $(LIBDOVECOT) \ -+ $(SSL_LIBS) - $(BINARY_LDFLAGS) - - imap_urlauth_DEPENDENCIES = $(LIBDOVECOT_DEPS) -@@ -52,7 +53,7 @@ imap_urlauth_worker_LDFLAGS = -export-dy - urlauth_libs = \ - $(top_builddir)/src/lib-imap-urlauth/libimap-urlauth.la - --imap_urlauth_worker_LDADD = $(urlauth_libs) $(LIBDOVECOT_STORAGE) $(LIBDOVECOT) -+imap_urlauth_worker_LDADD = $(urlauth_libs) $(SSL_LIBS) $(LIBDOVECOT_STORAGE) $(LIBDOVECOT) - imap_urlauth_worker_DEPENDENCIES = $(urlauth_libs) $(LIBDOVECOT_STORAGE_DEPS) $(LIBDOVECOT_DEPS) - - imap_urlauth_worker_SOURCES = \ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am.opensslhmac3 2025-06-05 12:53:50.410853506 +0200 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am 2025-06-05 12:53:50.424176491 +0200 +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am 2025-07-30 11:45:19.804003916 +0200 @@ -29,6 +29,7 @@ submission_LDADD = \ $(urlauth_libs) \ $(LIBDOVECOT_STORAGE) \ diff --git a/dovecot.spec b/dovecot.spec index 65a7b29..a2b3419 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.4.1 %global prever -4 -Release: 3%{?dist} +Release: 4%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -473,6 +473,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Jul 30 2025 Michal Hlavinka - 1:2.4.1-4 +- fix compatibility with latest openssl (#2383209) + * Wed Jul 23 2025 Fedora Release Engineering - 1:2.4.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 23bb7279ffdf12617166b27a9222edc7455a9ce7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= Date: Wed, 6 Aug 2025 09:53:18 +0200 Subject: [PATCH 159/163] Rebuilt for icu 77.1 --- dovecot.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dovecot.spec b/dovecot.spec index a2b3419..e13fd72 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.4.1 %global prever -4 -Release: 4%{?dist} +Release: 5%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -473,6 +473,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Aug 06 2025 František Zatloukal - 1:2.4.1-5 +- Rebuilt for icu 77.1 + * Wed Jul 30 2025 Michal Hlavinka - 1:2.4.1-4 - fix compatibility with latest openssl (#2383209) From a410538c46a993da6a5923dedc9c07348f201461 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 9 Oct 2025 15:54:00 +0200 Subject: [PATCH 160/163] fix CVE-2025-30189: users would end up overwriting each other in cache (rhbz#2402122) --- dovecot-2.4.1-cve-2025-30189.patch | 104 +++++++++++++++++++++++++++++ dovecot.spec | 9 ++- 2 files changed, 112 insertions(+), 1 deletion(-) create mode 100644 dovecot-2.4.1-cve-2025-30189.patch diff --git a/dovecot-2.4.1-cve-2025-30189.patch b/dovecot-2.4.1-cve-2025-30189.patch new file mode 100644 index 0000000..ec5a370 --- /dev/null +++ b/dovecot-2.4.1-cve-2025-30189.patch @@ -0,0 +1,104 @@ +diff --git a/src/auth/auth-settings.h b/src/auth/auth-settings.h +index 1d420eceaa..90aba17ec3 100644 +--- a/src/auth/auth-settings.h ++++ b/src/auth/auth-settings.h +@@ -1,6 +1,8 @@ + #ifndef AUTH_SETTINGS_H + #define AUTH_SETTINGS_H + ++#define AUTH_CACHE_KEY_USER "%{user}" ++ + struct master_service; + struct master_service_settings_output; + +diff --git a/src/auth/passdb-bsdauth.c b/src/auth/passdb-bsdauth.c +index 68292679b7..1b86da4053 100644 +--- a/src/auth/passdb-bsdauth.c ++++ b/src/auth/passdb-bsdauth.c +@@ -14,8 +14,6 @@ + #include + #include + +-#define BSDAUTH_CACHE_KEY "%u" +- + struct passdb_bsdauth_settings { + pool_t pool; + }; +@@ -104,7 +102,7 @@ bsdauth_preinit(pool_t pool, struct event *event, + &post_set, error_r) < 0) + return -1; + module->default_cache_key = auth_cache_parse_key_and_fields( +- pool, BSDAUTH_CACHE_KEY, &post_set->fields, "bsdauth"); ++ pool, AUTH_CACHE_KEY_USER, &post_set->fields, "bsdauth"); + + settings_free(post_set); + *module_r = module; +diff --git a/src/auth/passdb-oauth2.c b/src/auth/passdb-oauth2.c +index 96d902d323..91fed06018 100644 +--- a/src/auth/passdb-oauth2.c ++++ b/src/auth/passdb-oauth2.c +@@ -53,7 +53,7 @@ oauth2_preinit(pool_t pool, struct event *event, struct passdb_module **module_r + if (db_oauth2_init(event, TRUE, &module->db, error_r) < 0) + return -1; + module->module.default_pass_scheme = "PLAIN"; +- module->module.default_cache_key = "%u"; ++ module->module.default_cache_key = AUTH_CACHE_KEY_USER; + *module_r = &module->module; + return 0; + } +diff --git a/src/auth/passdb-pam.c b/src/auth/passdb-pam.c +index 2acbceb80a..fdf0f573ef 100644 +--- a/src/auth/passdb-pam.c ++++ b/src/auth/passdb-pam.c +@@ -415,7 +415,8 @@ static int pam_preinit(pool_t pool, struct event *event, + module = p_new(pool, struct pam_passdb_module, 1); + module->module.default_cache_key = + auth_cache_parse_key_and_fields(pool, +- t_strdup_printf("%%u/%s", set->service_name), ++ t_strdup_printf("%"AUTH_CACHE_KEY_USER"\t%s", ++ set->service_name), + &post_set->fields, "pam"); + module->requests_left = set->max_requests; + module->pam_setcred = set->setcred; +diff --git a/src/auth/passdb-passwd.c b/src/auth/passdb-passwd.c +index 13003151f9..22e2eae7fa 100644 +--- a/src/auth/passdb-passwd.c ++++ b/src/auth/passdb-passwd.c +@@ -10,7 +10,6 @@ + #include "safe-memset.h" + #include "ipwd.h" + +-#define PASSWD_CACHE_KEY "%u" + #define PASSWD_PASS_SCHEME "CRYPT" + + #undef DEF +@@ -142,7 +141,7 @@ static int passwd_preinit(pool_t pool, struct event *event, + &post_set, error_r) < 0) + return -1; + module->default_cache_key = auth_cache_parse_key_and_fields(pool, +- PASSWD_CACHE_KEY, ++ AUTH_CACHE_KEY_USER, + &post_set->fields, + "passwd"); + settings_free(post_set); +diff --git a/src/auth/userdb-passwd.c b/src/auth/userdb-passwd.c +index 5241129a0c..14cf90a6d6 100644 +--- a/src/auth/userdb-passwd.c ++++ b/src/auth/userdb-passwd.c +@@ -9,7 +9,6 @@ + #include "ipwd.h" + #include "time-util.h" + +-#define USER_CACHE_KEY "%u" + #define PASSWD_SLOW_WARN_MSECS (10*1000) + #define PASSWD_SLOW_MASTER_WARN_MSECS 50 + #define PASSDB_SLOW_MASTER_WARN_COUNT_INTERVAL 100 +@@ -225,7 +224,7 @@ static int passwd_preinit(pool_t pool, struct event *event ATTR_UNUSED, + struct passwd_userdb_module *module = + p_new(pool, struct passwd_userdb_module, 1); + +- module->module.default_cache_key = USER_CACHE_KEY; ++ module->module.default_cache_key = AUTH_CACHE_KEY_USER; + *module_r = &module->module; + return 0; + } diff --git a/dovecot.spec b/dovecot.spec index e13fd72..cf4c370 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.4.1 %global prever -4 -Release: 5%{?dist} +Release: 6%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -48,6 +48,9 @@ Patch18: dovecot-2.3.15-valbasherr.patch # Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes Patch23: dovecot-2.4.1-nolibotp.patch Patch24: dovecot-2.4.1-gssapi.patch +#from upstream, for <= 2.4.1, rhbz#2402122 +#https://github.com/dovecot/core/commit/a70ce7d3e2f983979e971414c5892c4e30197231.diff +Patch25: dovecot-2.4.1-cve-2025-30189.patch BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig @@ -153,6 +156,7 @@ mv dovecot-pigeonhole-%{pigeonholever} dovecot-pigeonhole %patch -P 18 -p1 -b .valbasherr %patch -P 23 -p2 -b .nolibotp %patch -P 24 -p1 -b .gssapi +%patch -P 25 -p1 -b .cve-2025-30189 cp run-test-valgrind.supp dovecot-pigeonhole/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude @@ -473,6 +477,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Thu Oct 09 2025 Michal Hlavinka - 1:2.4.1-6 +- fix CVE-2025-30189: users would end up overwriting each other in cache (rhbz#2402122) + * Wed Aug 06 2025 František Zatloukal - 1:2.4.1-5 - Rebuilt for icu 77.1 From 9d5bfd100c4d531af7900d82ec6cc30af4d7970d Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 15 Oct 2025 12:11:32 +0200 Subject: [PATCH 161/163] enable fts flatcurve --- dovecot-2.0-defaultconfig.patch | 25 +++++++++++++++++-------- dovecot.spec | 7 ++++++- 2 files changed, 23 insertions(+), 9 deletions(-) diff --git a/dovecot-2.0-defaultconfig.patch b/dovecot-2.0-defaultconfig.patch index 1fcc276..c9d0eb4 100644 --- a/dovecot-2.0-defaultconfig.patch +++ b/dovecot-2.0-defaultconfig.patch @@ -1,7 +1,15 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in.default-settings dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in --- dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in.default-settings 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in 2025-06-03 16:50:19.632050332 +0200 -@@ -24,16 +24,13 @@ protocols { ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in 2025-10-15 12:05:14.570388273 +0200 +@@ -16,24 +16,19 @@ dovecot_storage_version = @DOVECOT_CONFI + # The configuration below is a minimal configuration file using system user authentication. + # See https://@DOVECOT_ASSET_URL@/configuration_manual/quick_configuration/ + +-!include_try conf.d/*.conf +- + # Enable wanted protocols: + protocols { + imap = yes lmtp = yes } @@ -22,7 +30,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in.default-setting namespace inbox { inbox = yes -@@ -44,7 +41,13 @@ namespace inbox { +@@ -44,7 +39,15 @@ namespace inbox { passdb pam { } @@ -38,10 +46,11 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in.default-setting + cert_file = /etc/pki/dovecot/certs/dovecot.pem + key_file = /etc/pki/dovecot/private/dovecot.pem } -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/20-managesieve.conf.default-settings dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/20-managesieve.conf ++ ++!include_try conf.d/*.conf diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf.default-settings dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf ---- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf.default-settings 2025-06-03 16:28:32.356717374 +0200 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf 2025-06-03 16:29:15.924259043 +0200 +--- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf.default-settings 2025-03-28 12:33:46.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf 2025-10-15 12:00:16.233557725 +0200 @@ -21,7 +21,6 @@ # file or directory. Refer to Pigeonhole wiki or INSTALL file for more # information. @@ -68,8 +77,8 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-conf #sieve_trace_addresses = no -} diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf.default-settings dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf ---- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf.default-settings 2025-06-03 16:28:43.039733071 +0200 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf 2025-06-03 16:29:27.569868558 +0200 +--- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf.default-settings 2025-03-28 12:33:46.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf 2025-10-15 12:00:16.234048364 +0200 @@ -6,7 +6,6 @@ # sieve_extensions or sieve_global_extensions settings. Restricting these # extensions to a global context using sieve_global_extensions is recommended. diff --git a/dovecot.spec b/dovecot.spec index cf4c370..dc4dfa0 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.4.1 %global prever -4 -Release: 6%{?dist} +Release: 7%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -72,6 +72,7 @@ BuildRequires: lua-json BuildRequires: libicu-devel %if %{?rhel}0 == 0 BuildRequires: libstemmer-devel +BuildRequires: xapian-core-devel %endif BuildRequires: multilib-rpm-config BuildRequires: flex, bison @@ -211,6 +212,7 @@ fi --with-icu \ %if %{?rhel}0 == 0 --with-libstemmer \ + --with-flatcurve \ --with-lua=plugin \ %else --without-libstemmer \ @@ -477,6 +479,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Oct 15 2025 Michal Hlavinka - 1:2.4.1-7 +- enable fts flatcurve + * Thu Oct 09 2025 Michal Hlavinka - 1:2.4.1-6 - fix CVE-2025-30189: users would end up overwriting each other in cache (rhbz#2402122) From 23861b39298d698bc65c323cf2f2e3c39be739a9 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Wed, 5 Nov 2025 12:00:08 +0100 Subject: [PATCH 162/163] update patch for CVE-2025-30189 --- dovecot-2.4.1-cve-2025-30189.patch | 371 ++++++++++++++++++++++++++++- dovecot.spec | 7 +- 2 files changed, 370 insertions(+), 8 deletions(-) diff --git a/dovecot-2.4.1-cve-2025-30189.patch b/dovecot-2.4.1-cve-2025-30189.patch index ec5a370..5b9deae 100644 --- a/dovecot-2.4.1-cve-2025-30189.patch +++ b/dovecot-2.4.1-cve-2025-30189.patch @@ -1,5 +1,25 @@ +From a70ce7d3e2f983979e971414c5892c4e30197231 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 08:16:52 +0300 +Subject: [PATCH 1/7] auth: Use AUTH_CACHE_KEY_USER instead of per-database + constants + +Fixes cache key issue where users would end up overwriting +each other in cache due to cache key being essentially static +string because we no longer support %u. + +Forgotten in 2e298e7ee98b6df61cf85117f000290d60a473b8 +--- + src/auth/auth-settings.h | 2 ++ + src/auth/passdb-bsdauth.c | 4 +--- + src/auth/passdb-oauth2.c | 2 +- + src/auth/passdb-pam.c | 3 ++- + src/auth/passdb-passwd.c | 3 +-- + src/auth/userdb-passwd.c | 3 +-- + 6 files changed, 8 insertions(+), 9 deletions(-) + diff --git a/src/auth/auth-settings.h b/src/auth/auth-settings.h -index 1d420eceaa..90aba17ec3 100644 +index 1d420eceaaf..90aba17ec38 100644 --- a/src/auth/auth-settings.h +++ b/src/auth/auth-settings.h @@ -1,6 +1,8 @@ @@ -12,7 +32,7 @@ index 1d420eceaa..90aba17ec3 100644 struct master_service_settings_output; diff --git a/src/auth/passdb-bsdauth.c b/src/auth/passdb-bsdauth.c -index 68292679b7..1b86da4053 100644 +index 68292679b7f..1b86da4053c 100644 --- a/src/auth/passdb-bsdauth.c +++ b/src/auth/passdb-bsdauth.c @@ -14,8 +14,6 @@ @@ -34,7 +54,7 @@ index 68292679b7..1b86da4053 100644 settings_free(post_set); *module_r = module; diff --git a/src/auth/passdb-oauth2.c b/src/auth/passdb-oauth2.c -index 96d902d323..91fed06018 100644 +index 96d902d323d..91fed060183 100644 --- a/src/auth/passdb-oauth2.c +++ b/src/auth/passdb-oauth2.c @@ -53,7 +53,7 @@ oauth2_preinit(pool_t pool, struct event *event, struct passdb_module **module_r @@ -47,7 +67,7 @@ index 96d902d323..91fed06018 100644 return 0; } diff --git a/src/auth/passdb-pam.c b/src/auth/passdb-pam.c -index 2acbceb80a..fdf0f573ef 100644 +index 2acbceb80a3..fdf0f573ef4 100644 --- a/src/auth/passdb-pam.c +++ b/src/auth/passdb-pam.c @@ -415,7 +415,8 @@ static int pam_preinit(pool_t pool, struct event *event, @@ -61,7 +81,7 @@ index 2acbceb80a..fdf0f573ef 100644 module->requests_left = set->max_requests; module->pam_setcred = set->setcred; diff --git a/src/auth/passdb-passwd.c b/src/auth/passdb-passwd.c -index 13003151f9..22e2eae7fa 100644 +index 13003151f9c..22e2eae7fa3 100644 --- a/src/auth/passdb-passwd.c +++ b/src/auth/passdb-passwd.c @@ -10,7 +10,6 @@ @@ -82,7 +102,7 @@ index 13003151f9..22e2eae7fa 100644 "passwd"); settings_free(post_set); diff --git a/src/auth/userdb-passwd.c b/src/auth/userdb-passwd.c -index 5241129a0c..14cf90a6d6 100644 +index 5241129a0cc..14cf90a6d65 100644 --- a/src/auth/userdb-passwd.c +++ b/src/auth/userdb-passwd.c @@ -9,7 +9,6 @@ @@ -102,3 +122,342 @@ index 5241129a0c..14cf90a6d6 100644 *module_r = &module->module; return 0; } + +From c45ce2c073c9439a9d6366016cb4d41059d737f0 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Wed, 30 Jul 2025 09:42:20 +0300 +Subject: [PATCH 2/7] auth: auth-cache - Refactor + auth_cache_parse_key_and_fields() + +Call auth_cache_parse_key_exclude() at the function end, +simplifies next commit. +--- + src/auth/auth-cache.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index 360ad8b3f62..3ccd45ff4b9 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -129,20 +129,18 @@ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + const ARRAY_TYPE(const_string) *fields, + const char *exclude_driver) + { +- if (array_is_empty(fields)) +- return auth_cache_parse_key_exclude(pool, query, exclude_driver); +- +- string_t *full_query = t_str_new(128); +- str_append(full_query, query); +- +- unsigned int i, count; +- const char *const *str = array_get(fields, &count); +- for (i = 0; i < count; i += 2) { +- str_append_c(full_query, '\t'); +- str_append(full_query, str[i + 1]); ++ if (!array_is_empty(fields)) { ++ unsigned int i, count; ++ const char *const *str = array_get(fields, &count); ++ string_t *full_query = t_str_new(128); ++ str_append(full_query, query); ++ for (i = 0; i < count; i += 2) { ++ str_append_c(full_query, '\t'); ++ str_append(full_query, str[i + 1]); ++ } ++ query = str_c(full_query); + } +- return auth_cache_parse_key_exclude(pool, str_c(full_query), +- exclude_driver); ++ return auth_cache_parse_key_exclude(pool, query, exclude_driver); + } + + static void + +From 759ee1af848480987d012de2f7135160156724b6 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 11:48:43 +0300 +Subject: [PATCH 3/7] auth: auth-cache - Deduplicate auth_cache_parse_key() to + use auth_cache_parse_key_and_fields() + +Simplifies following commit +--- + src/auth/auth-cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index 3ccd45ff4b9..ad8cbe50784 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -122,14 +122,14 @@ static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, + + char *auth_cache_parse_key(pool_t pool, const char *query) + { +- return auth_cache_parse_key_exclude(pool, query, NULL); ++ return auth_cache_parse_key_and_fields(pool, query, NULL, NULL); + } + + char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + const ARRAY_TYPE(const_string) *fields, + const char *exclude_driver) + { +- if (!array_is_empty(fields)) { ++ if (fields != NULL && !array_is_empty(fields)) { + unsigned int i, count; + const char *const *str = array_get(fields, &count); + string_t *full_query = t_str_new(128); + +From d12bb78b5a235f31c9d5a655bd223c28d44bcadb Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 11:51:16 +0300 +Subject: [PATCH 4/7] auth: auth-cache - Change auth_cache_parse_key_exclude() + to return error + +Simplifies following commit +--- + src/auth/auth-cache.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index ad8cbe50784..407e5d4aa0e 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -64,8 +64,10 @@ static void auth_cache_key_add_tab_idx(string_t *str, unsigned int i) + str_append_c(str, '}'); + } + +-static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, +- const char *exclude_driver) ++static int auth_cache_parse_key_exclude(pool_t pool, const char *query, ++ const char *exclude_driver, ++ char **cache_key_r, ++ const char **error_r) + { + string_t *str; + bool key_seen[AUTH_REQUEST_VAR_TAB_COUNT]; +@@ -76,9 +78,9 @@ static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, + + struct var_expand_program *prog; + if (var_expand_program_create(query, &prog, &error) < 0) { +- e_debug(auth_event, "auth-cache: var_expand_program_create('%s') failed: %s", +- query, error); +- return p_strdup(pool, ""); ++ *error_r = t_strdup_printf("var_expand_program_create(%s) failed: %s", ++ query, error); ++ return -1; + } + + const char *const *vars = var_expand_program_variables(prog); +@@ -117,7 +119,8 @@ static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, + + var_expand_program_free(&prog); + +- return p_strdup(pool, str_c(str)); ++ *cache_key_r = p_strdup(pool, str_c(str)); ++ return 0; + } + + char *auth_cache_parse_key(pool_t pool, const char *query) +@@ -140,7 +143,15 @@ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + } + query = str_c(full_query); + } +- return auth_cache_parse_key_exclude(pool, query, exclude_driver); ++ ++ char *cache_key; ++ const char *error; ++ if (auth_cache_parse_key_exclude(pool, query, exclude_driver, ++ &cache_key, &error) < 0) { ++ e_debug(auth_event, "auth-cache: %s", error); ++ cache_key = p_strdup(pool, ""); ++ } ++ return cache_key; + } + + static void + +From 20d15baa071747f91176eb3115235aa8c78a3d11 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 11:52:36 +0300 +Subject: [PATCH 5/7] auth: auth-cache - Treat cache key parsing errors as + fatals + +Avoids accidentically turning off caching +--- + src/auth/auth-cache.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index 407e5d4aa0e..be569349182 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -147,10 +147,8 @@ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + char *cache_key; + const char *error; + if (auth_cache_parse_key_exclude(pool, query, exclude_driver, +- &cache_key, &error) < 0) { +- e_debug(auth_event, "auth-cache: %s", error); +- cache_key = p_strdup(pool, ""); +- } ++ &cache_key, &error) < 0) ++ i_fatal("auth-cache: %s", error); + return cache_key; + } + + +From 0172f8e8c55aff42c688633b2891cf157641366b Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 11:41:03 +0300 +Subject: [PATCH 6/7] auth: auth-cache - Require cache key to contain at least + one variable + +--- + src/auth/auth-cache.c | 7 +++++++ + src/auth/test-auth-cache.c | 37 ++++++++++++++++++++++++++++++++++++- + 2 files changed, 43 insertions(+), 1 deletion(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index be569349182..32959f5d0f4 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -86,6 +86,13 @@ static int auth_cache_parse_key_exclude(pool_t pool, const char *query, + const char *const *vars = var_expand_program_variables(prog); + str = t_str_new(32); + ++ if (*vars == NULL && *query != '\0') { ++ var_expand_program_free(&prog); ++ *error_r = t_strdup_printf("%s: Cache key must contain at least one variable", ++ query); ++ return -1; ++ } ++ + for (; *vars != NULL; vars++) { + /* ignore any providers */ + if (strchr(*vars, ':') != NULL && +diff --git a/src/auth/test-auth-cache.c b/src/auth/test-auth-cache.c +index 46836defc6d..b36d83ec022 100644 +--- a/src/auth/test-auth-cache.c ++++ b/src/auth/test-auth-cache.c +@@ -97,7 +97,35 @@ static void test_auth_cache_parse_key(void) + tests[i].in); + test_assert_strcmp_idx(cache_key, tests[i].out, i); + } ++ ++ test_end(); ++} ++ ++static enum fatal_test_state test_cache_key_missing_variable(unsigned int i) ++{ ++ if (i == 0) ++ test_begin("auth cache missing variable"); ++ ++ /* ensure that we do not accept static string */ ++ static const struct { ++ const char *in, *out; ++ } tests_bad[] = { ++ { "%u", "auth-cache: %u: Cache key must contain at least one variable" }, ++ { "foobar", "auth-cache: foobar: Cache key must contain at least one variable" }, ++ { "%{test", "auth-cache: var_expand_program_create(%{test) " \ ++ "failed: syntax error, unexpected end of file, " \ ++ "expecting CCBRACE or PIPE" }, ++ }; ++ ++ if (i < N_ELEMENTS(tests_bad)) { ++ test_expect_fatal_string(tests_bad[i].out); ++ (void)auth_cache_parse_key(pool_datastack_create(), ++ tests_bad[i].in); ++ return FATAL_TEST_FAILURE; ++ } ++ + test_end(); ++ return FATAL_TEST_FINISHED; + } + + int main(void) +@@ -108,7 +136,14 @@ int main(void) + test_auth_cache_parse_key, + NULL + }; +- int ret = test_run(test_functions); ++ ++ static test_fatal_func_t *const fatal_functions[] = { ++ test_cache_key_missing_variable, ++ NULL, ++ }; ++ ++ int ret = test_run_with_fatals(test_functions, fatal_functions); ++ + event_unref(&auth_event); + return ret; + } + +From 34caed79b76a7b82a2a9c94cf35371bec6c2b826 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 12:00:57 +0300 +Subject: [PATCH 7/7] auth: auth-cache - Drop auth_cache_parse_key() + +It's only used by tests and can now just call +auth_cache_parse_key_and_fields(). +--- + src/auth/auth-cache.c | 5 ----- + src/auth/auth-cache.h | 6 ++---- + src/auth/test-auth-cache.c | 8 ++++---- + 3 files changed, 6 insertions(+), 13 deletions(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index 32959f5d0f4..82cc0d526eb 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -130,11 +130,6 @@ static int auth_cache_parse_key_exclude(pool_t pool, const char *query, + return 0; + } + +-char *auth_cache_parse_key(pool_t pool, const char *query) +-{ +- return auth_cache_parse_key_and_fields(pool, query, NULL, NULL); +-} +- + char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + const ARRAY_TYPE(const_string) *fields, + const char *exclude_driver) +diff --git a/src/auth/auth-cache.h b/src/auth/auth-cache.h +index 9bdb9185170..d63621b1a4c 100644 +--- a/src/auth/auth-cache.h ++++ b/src/auth/auth-cache.h +@@ -16,10 +16,8 @@ struct auth_cache_node { + struct auth_cache; + struct auth_request; + +-/* Parses all %x variables from query and compresses them into tab-separated +- list, so it can be used as a cache key. */ +-char *auth_cache_parse_key(pool_t pool, const char *query); +-/* Same as auth_cache_parse_key(), but add also variables from "fields", ++/* Parses all %variables from query and compresses them into tab-separated ++ list, so it can be used as a cache key. Adds also variables from "fields", + except variables prefixed with ":" */ + char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + const ARRAY_TYPE(const_string) *fields, +diff --git a/src/auth/test-auth-cache.c b/src/auth/test-auth-cache.c +index b36d83ec022..f58c21f7afb 100644 +--- a/src/auth/test-auth-cache.c ++++ b/src/auth/test-auth-cache.c +@@ -93,8 +93,8 @@ static void test_auth_cache_parse_key(void) + test_begin("auth cache parse key"); + + for (i = 0; i < N_ELEMENTS(tests); i++) { +- cache_key = auth_cache_parse_key(pool_datastack_create(), +- tests[i].in); ++ cache_key = auth_cache_parse_key_and_fields(pool_datastack_create(), ++ tests[i].in, NULL, NULL); + test_assert_strcmp_idx(cache_key, tests[i].out, i); + } + +@@ -119,8 +119,8 @@ static enum fatal_test_state test_cache_key_missing_variable(unsigned int i) + + if (i < N_ELEMENTS(tests_bad)) { + test_expect_fatal_string(tests_bad[i].out); +- (void)auth_cache_parse_key(pool_datastack_create(), +- tests_bad[i].in); ++ (void)auth_cache_parse_key_and_fields(pool_datastack_create(), ++ tests_bad[i].in, NULL, NULL); + return FATAL_TEST_FAILURE; + } + diff --git a/dovecot.spec b/dovecot.spec index dc4dfa0..9937b17 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.4.1 %global prever -4 -Release: 7%{?dist} +Release: 8%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -49,7 +49,7 @@ Patch18: dovecot-2.3.15-valbasherr.patch Patch23: dovecot-2.4.1-nolibotp.patch Patch24: dovecot-2.4.1-gssapi.patch #from upstream, for <= 2.4.1, rhbz#2402122 -#https://github.com/dovecot/core/commit/a70ce7d3e2f983979e971414c5892c4e30197231.diff +#https://github.com/dovecot/core/compare/a70ce7d3e2f983979e971414c5892c4e30197231%5E...34caed79b76a7b82a2a9c94cf35371bec6c2b826.patch Patch25: dovecot-2.4.1-cve-2025-30189.patch BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel @@ -479,6 +479,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Wed Nov 05 2025 Michal Hlavinka - 1:2.4.1-8 +- update patch for CVE-2025-30189 + * Wed Oct 15 2025 Michal Hlavinka - 1:2.4.1-7 - enable fts flatcurve From 92e5ee1d37bfe4e6608de4b3c602b05ffa500b70 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Sun, 30 Nov 2025 21:40:26 +0100 Subject: [PATCH 163/163] updated to 2.4.2 (#2411846) --- dovecot-2.0-defaultconfig.patch | 20 +- dovecot-2.4.1-cve-2025-30189.patch | 463 ----------------------------- dovecot-2.4.1-gssapi.patch | 12 - dovecot-2.4.1-nolibotp.patch | 331 +++++++++++++-------- dovecot-2.4.1-opensslhmac3.patch | 237 ++++++++------- dovecot-2.4.2-fixbuild.patch | 135 +++++++++ dovecot.spec | 23 +- sources | 4 +- 8 files changed, 496 insertions(+), 729 deletions(-) delete mode 100644 dovecot-2.4.1-cve-2025-30189.patch delete mode 100644 dovecot-2.4.1-gssapi.patch create mode 100644 dovecot-2.4.2-fixbuild.patch diff --git a/dovecot-2.0-defaultconfig.patch b/dovecot-2.0-defaultconfig.patch index c9d0eb4..c7e145e 100644 --- a/dovecot-2.0-defaultconfig.patch +++ b/dovecot-2.0-defaultconfig.patch @@ -1,9 +1,9 @@ -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in.default-settings dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in ---- dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in.default-settings 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in 2025-10-15 12:05:14.570388273 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in.default-settings dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in +--- dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in.default-settings 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in 2025-11-30 09:24:17.130246956 +0100 @@ -16,24 +16,19 @@ dovecot_storage_version = @DOVECOT_CONFI # The configuration below is a minimal configuration file using system user authentication. - # See https://@DOVECOT_ASSET_URL@/configuration_manual/quick_configuration/ + # See https://@DOVECOT_ASSET_URL@/latest/core/config/quick.html -!include_try conf.d/*.conf - @@ -48,9 +48,9 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in.default-setting } + +!include_try conf.d/*.conf -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf.default-settings dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf ---- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf.default-settings 2025-03-28 12:33:46.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf 2025-10-15 12:00:16.233557725 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf.default-settings dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf +--- dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf.default-settings 2025-10-29 08:00:30.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf 2025-11-30 09:18:17.667869864 +0100 @@ -21,7 +21,6 @@ # file or directory. Refer to Pigeonhole wiki or INSTALL file for more # information. @@ -76,9 +76,9 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-conf # the source line numbers. #sieve_trace_addresses = no -} -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf.default-settings dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf ---- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf.default-settings 2025-03-28 12:33:46.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf 2025-10-15 12:00:16.234048364 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf.default-settings dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf +--- dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf.default-settings 2025-10-29 08:00:30.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf 2025-11-30 09:18:17.668131795 +0100 @@ -6,7 +6,6 @@ # sieve_extensions or sieve_global_extensions settings. Restricting these # extensions to a global context using sieve_global_extensions is recommended. diff --git a/dovecot-2.4.1-cve-2025-30189.patch b/dovecot-2.4.1-cve-2025-30189.patch deleted file mode 100644 index 5b9deae..0000000 --- a/dovecot-2.4.1-cve-2025-30189.patch +++ /dev/null @@ -1,463 +0,0 @@ -From a70ce7d3e2f983979e971414c5892c4e30197231 Mon Sep 17 00:00:00 2001 -From: Aki Tuomi -Date: Fri, 25 Jul 2025 08:16:52 +0300 -Subject: [PATCH 1/7] auth: Use AUTH_CACHE_KEY_USER instead of per-database - constants - -Fixes cache key issue where users would end up overwriting -each other in cache due to cache key being essentially static -string because we no longer support %u. - -Forgotten in 2e298e7ee98b6df61cf85117f000290d60a473b8 ---- - src/auth/auth-settings.h | 2 ++ - src/auth/passdb-bsdauth.c | 4 +--- - src/auth/passdb-oauth2.c | 2 +- - src/auth/passdb-pam.c | 3 ++- - src/auth/passdb-passwd.c | 3 +-- - src/auth/userdb-passwd.c | 3 +-- - 6 files changed, 8 insertions(+), 9 deletions(-) - -diff --git a/src/auth/auth-settings.h b/src/auth/auth-settings.h -index 1d420eceaaf..90aba17ec38 100644 ---- a/src/auth/auth-settings.h -+++ b/src/auth/auth-settings.h -@@ -1,6 +1,8 @@ - #ifndef AUTH_SETTINGS_H - #define AUTH_SETTINGS_H - -+#define AUTH_CACHE_KEY_USER "%{user}" -+ - struct master_service; - struct master_service_settings_output; - -diff --git a/src/auth/passdb-bsdauth.c b/src/auth/passdb-bsdauth.c -index 68292679b7f..1b86da4053c 100644 ---- a/src/auth/passdb-bsdauth.c -+++ b/src/auth/passdb-bsdauth.c -@@ -14,8 +14,6 @@ - #include - #include - --#define BSDAUTH_CACHE_KEY "%u" -- - struct passdb_bsdauth_settings { - pool_t pool; - }; -@@ -104,7 +102,7 @@ bsdauth_preinit(pool_t pool, struct event *event, - &post_set, error_r) < 0) - return -1; - module->default_cache_key = auth_cache_parse_key_and_fields( -- pool, BSDAUTH_CACHE_KEY, &post_set->fields, "bsdauth"); -+ pool, AUTH_CACHE_KEY_USER, &post_set->fields, "bsdauth"); - - settings_free(post_set); - *module_r = module; -diff --git a/src/auth/passdb-oauth2.c b/src/auth/passdb-oauth2.c -index 96d902d323d..91fed060183 100644 ---- a/src/auth/passdb-oauth2.c -+++ b/src/auth/passdb-oauth2.c -@@ -53,7 +53,7 @@ oauth2_preinit(pool_t pool, struct event *event, struct passdb_module **module_r - if (db_oauth2_init(event, TRUE, &module->db, error_r) < 0) - return -1; - module->module.default_pass_scheme = "PLAIN"; -- module->module.default_cache_key = "%u"; -+ module->module.default_cache_key = AUTH_CACHE_KEY_USER; - *module_r = &module->module; - return 0; - } -diff --git a/src/auth/passdb-pam.c b/src/auth/passdb-pam.c -index 2acbceb80a3..fdf0f573ef4 100644 ---- a/src/auth/passdb-pam.c -+++ b/src/auth/passdb-pam.c -@@ -415,7 +415,8 @@ static int pam_preinit(pool_t pool, struct event *event, - module = p_new(pool, struct pam_passdb_module, 1); - module->module.default_cache_key = - auth_cache_parse_key_and_fields(pool, -- t_strdup_printf("%%u/%s", set->service_name), -+ t_strdup_printf("%"AUTH_CACHE_KEY_USER"\t%s", -+ set->service_name), - &post_set->fields, "pam"); - module->requests_left = set->max_requests; - module->pam_setcred = set->setcred; -diff --git a/src/auth/passdb-passwd.c b/src/auth/passdb-passwd.c -index 13003151f9c..22e2eae7fa3 100644 ---- a/src/auth/passdb-passwd.c -+++ b/src/auth/passdb-passwd.c -@@ -10,7 +10,6 @@ - #include "safe-memset.h" - #include "ipwd.h" - --#define PASSWD_CACHE_KEY "%u" - #define PASSWD_PASS_SCHEME "CRYPT" - - #undef DEF -@@ -142,7 +141,7 @@ static int passwd_preinit(pool_t pool, struct event *event, - &post_set, error_r) < 0) - return -1; - module->default_cache_key = auth_cache_parse_key_and_fields(pool, -- PASSWD_CACHE_KEY, -+ AUTH_CACHE_KEY_USER, - &post_set->fields, - "passwd"); - settings_free(post_set); -diff --git a/src/auth/userdb-passwd.c b/src/auth/userdb-passwd.c -index 5241129a0cc..14cf90a6d65 100644 ---- a/src/auth/userdb-passwd.c -+++ b/src/auth/userdb-passwd.c -@@ -9,7 +9,6 @@ - #include "ipwd.h" - #include "time-util.h" - --#define USER_CACHE_KEY "%u" - #define PASSWD_SLOW_WARN_MSECS (10*1000) - #define PASSWD_SLOW_MASTER_WARN_MSECS 50 - #define PASSDB_SLOW_MASTER_WARN_COUNT_INTERVAL 100 -@@ -225,7 +224,7 @@ static int passwd_preinit(pool_t pool, struct event *event ATTR_UNUSED, - struct passwd_userdb_module *module = - p_new(pool, struct passwd_userdb_module, 1); - -- module->module.default_cache_key = USER_CACHE_KEY; -+ module->module.default_cache_key = AUTH_CACHE_KEY_USER; - *module_r = &module->module; - return 0; - } - -From c45ce2c073c9439a9d6366016cb4d41059d737f0 Mon Sep 17 00:00:00 2001 -From: Aki Tuomi -Date: Wed, 30 Jul 2025 09:42:20 +0300 -Subject: [PATCH 2/7] auth: auth-cache - Refactor - auth_cache_parse_key_and_fields() - -Call auth_cache_parse_key_exclude() at the function end, -simplifies next commit. ---- - src/auth/auth-cache.c | 24 +++++++++++------------- - 1 file changed, 11 insertions(+), 13 deletions(-) - -diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c -index 360ad8b3f62..3ccd45ff4b9 100644 ---- a/src/auth/auth-cache.c -+++ b/src/auth/auth-cache.c -@@ -129,20 +129,18 @@ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, - const ARRAY_TYPE(const_string) *fields, - const char *exclude_driver) - { -- if (array_is_empty(fields)) -- return auth_cache_parse_key_exclude(pool, query, exclude_driver); -- -- string_t *full_query = t_str_new(128); -- str_append(full_query, query); -- -- unsigned int i, count; -- const char *const *str = array_get(fields, &count); -- for (i = 0; i < count; i += 2) { -- str_append_c(full_query, '\t'); -- str_append(full_query, str[i + 1]); -+ if (!array_is_empty(fields)) { -+ unsigned int i, count; -+ const char *const *str = array_get(fields, &count); -+ string_t *full_query = t_str_new(128); -+ str_append(full_query, query); -+ for (i = 0; i < count; i += 2) { -+ str_append_c(full_query, '\t'); -+ str_append(full_query, str[i + 1]); -+ } -+ query = str_c(full_query); - } -- return auth_cache_parse_key_exclude(pool, str_c(full_query), -- exclude_driver); -+ return auth_cache_parse_key_exclude(pool, query, exclude_driver); - } - - static void - -From 759ee1af848480987d012de2f7135160156724b6 Mon Sep 17 00:00:00 2001 -From: Aki Tuomi -Date: Fri, 25 Jul 2025 11:48:43 +0300 -Subject: [PATCH 3/7] auth: auth-cache - Deduplicate auth_cache_parse_key() to - use auth_cache_parse_key_and_fields() - -Simplifies following commit ---- - src/auth/auth-cache.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c -index 3ccd45ff4b9..ad8cbe50784 100644 ---- a/src/auth/auth-cache.c -+++ b/src/auth/auth-cache.c -@@ -122,14 +122,14 @@ static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, - - char *auth_cache_parse_key(pool_t pool, const char *query) - { -- return auth_cache_parse_key_exclude(pool, query, NULL); -+ return auth_cache_parse_key_and_fields(pool, query, NULL, NULL); - } - - char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, - const ARRAY_TYPE(const_string) *fields, - const char *exclude_driver) - { -- if (!array_is_empty(fields)) { -+ if (fields != NULL && !array_is_empty(fields)) { - unsigned int i, count; - const char *const *str = array_get(fields, &count); - string_t *full_query = t_str_new(128); - -From d12bb78b5a235f31c9d5a655bd223c28d44bcadb Mon Sep 17 00:00:00 2001 -From: Aki Tuomi -Date: Fri, 25 Jul 2025 11:51:16 +0300 -Subject: [PATCH 4/7] auth: auth-cache - Change auth_cache_parse_key_exclude() - to return error - -Simplifies following commit ---- - src/auth/auth-cache.c | 25 ++++++++++++++++++------- - 1 file changed, 18 insertions(+), 7 deletions(-) - -diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c -index ad8cbe50784..407e5d4aa0e 100644 ---- a/src/auth/auth-cache.c -+++ b/src/auth/auth-cache.c -@@ -64,8 +64,10 @@ static void auth_cache_key_add_tab_idx(string_t *str, unsigned int i) - str_append_c(str, '}'); - } - --static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, -- const char *exclude_driver) -+static int auth_cache_parse_key_exclude(pool_t pool, const char *query, -+ const char *exclude_driver, -+ char **cache_key_r, -+ const char **error_r) - { - string_t *str; - bool key_seen[AUTH_REQUEST_VAR_TAB_COUNT]; -@@ -76,9 +78,9 @@ static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, - - struct var_expand_program *prog; - if (var_expand_program_create(query, &prog, &error) < 0) { -- e_debug(auth_event, "auth-cache: var_expand_program_create('%s') failed: %s", -- query, error); -- return p_strdup(pool, ""); -+ *error_r = t_strdup_printf("var_expand_program_create(%s) failed: %s", -+ query, error); -+ return -1; - } - - const char *const *vars = var_expand_program_variables(prog); -@@ -117,7 +119,8 @@ static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, - - var_expand_program_free(&prog); - -- return p_strdup(pool, str_c(str)); -+ *cache_key_r = p_strdup(pool, str_c(str)); -+ return 0; - } - - char *auth_cache_parse_key(pool_t pool, const char *query) -@@ -140,7 +143,15 @@ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, - } - query = str_c(full_query); - } -- return auth_cache_parse_key_exclude(pool, query, exclude_driver); -+ -+ char *cache_key; -+ const char *error; -+ if (auth_cache_parse_key_exclude(pool, query, exclude_driver, -+ &cache_key, &error) < 0) { -+ e_debug(auth_event, "auth-cache: %s", error); -+ cache_key = p_strdup(pool, ""); -+ } -+ return cache_key; - } - - static void - -From 20d15baa071747f91176eb3115235aa8c78a3d11 Mon Sep 17 00:00:00 2001 -From: Aki Tuomi -Date: Fri, 25 Jul 2025 11:52:36 +0300 -Subject: [PATCH 5/7] auth: auth-cache - Treat cache key parsing errors as - fatals - -Avoids accidentically turning off caching ---- - src/auth/auth-cache.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c -index 407e5d4aa0e..be569349182 100644 ---- a/src/auth/auth-cache.c -+++ b/src/auth/auth-cache.c -@@ -147,10 +147,8 @@ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, - char *cache_key; - const char *error; - if (auth_cache_parse_key_exclude(pool, query, exclude_driver, -- &cache_key, &error) < 0) { -- e_debug(auth_event, "auth-cache: %s", error); -- cache_key = p_strdup(pool, ""); -- } -+ &cache_key, &error) < 0) -+ i_fatal("auth-cache: %s", error); - return cache_key; - } - - -From 0172f8e8c55aff42c688633b2891cf157641366b Mon Sep 17 00:00:00 2001 -From: Aki Tuomi -Date: Fri, 25 Jul 2025 11:41:03 +0300 -Subject: [PATCH 6/7] auth: auth-cache - Require cache key to contain at least - one variable - ---- - src/auth/auth-cache.c | 7 +++++++ - src/auth/test-auth-cache.c | 37 ++++++++++++++++++++++++++++++++++++- - 2 files changed, 43 insertions(+), 1 deletion(-) - -diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c -index be569349182..32959f5d0f4 100644 ---- a/src/auth/auth-cache.c -+++ b/src/auth/auth-cache.c -@@ -86,6 +86,13 @@ static int auth_cache_parse_key_exclude(pool_t pool, const char *query, - const char *const *vars = var_expand_program_variables(prog); - str = t_str_new(32); - -+ if (*vars == NULL && *query != '\0') { -+ var_expand_program_free(&prog); -+ *error_r = t_strdup_printf("%s: Cache key must contain at least one variable", -+ query); -+ return -1; -+ } -+ - for (; *vars != NULL; vars++) { - /* ignore any providers */ - if (strchr(*vars, ':') != NULL && -diff --git a/src/auth/test-auth-cache.c b/src/auth/test-auth-cache.c -index 46836defc6d..b36d83ec022 100644 ---- a/src/auth/test-auth-cache.c -+++ b/src/auth/test-auth-cache.c -@@ -97,7 +97,35 @@ static void test_auth_cache_parse_key(void) - tests[i].in); - test_assert_strcmp_idx(cache_key, tests[i].out, i); - } -+ -+ test_end(); -+} -+ -+static enum fatal_test_state test_cache_key_missing_variable(unsigned int i) -+{ -+ if (i == 0) -+ test_begin("auth cache missing variable"); -+ -+ /* ensure that we do not accept static string */ -+ static const struct { -+ const char *in, *out; -+ } tests_bad[] = { -+ { "%u", "auth-cache: %u: Cache key must contain at least one variable" }, -+ { "foobar", "auth-cache: foobar: Cache key must contain at least one variable" }, -+ { "%{test", "auth-cache: var_expand_program_create(%{test) " \ -+ "failed: syntax error, unexpected end of file, " \ -+ "expecting CCBRACE or PIPE" }, -+ }; -+ -+ if (i < N_ELEMENTS(tests_bad)) { -+ test_expect_fatal_string(tests_bad[i].out); -+ (void)auth_cache_parse_key(pool_datastack_create(), -+ tests_bad[i].in); -+ return FATAL_TEST_FAILURE; -+ } -+ - test_end(); -+ return FATAL_TEST_FINISHED; - } - - int main(void) -@@ -108,7 +136,14 @@ int main(void) - test_auth_cache_parse_key, - NULL - }; -- int ret = test_run(test_functions); -+ -+ static test_fatal_func_t *const fatal_functions[] = { -+ test_cache_key_missing_variable, -+ NULL, -+ }; -+ -+ int ret = test_run_with_fatals(test_functions, fatal_functions); -+ - event_unref(&auth_event); - return ret; - } - -From 34caed79b76a7b82a2a9c94cf35371bec6c2b826 Mon Sep 17 00:00:00 2001 -From: Aki Tuomi -Date: Fri, 25 Jul 2025 12:00:57 +0300 -Subject: [PATCH 7/7] auth: auth-cache - Drop auth_cache_parse_key() - -It's only used by tests and can now just call -auth_cache_parse_key_and_fields(). ---- - src/auth/auth-cache.c | 5 ----- - src/auth/auth-cache.h | 6 ++---- - src/auth/test-auth-cache.c | 8 ++++---- - 3 files changed, 6 insertions(+), 13 deletions(-) - -diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c -index 32959f5d0f4..82cc0d526eb 100644 ---- a/src/auth/auth-cache.c -+++ b/src/auth/auth-cache.c -@@ -130,11 +130,6 @@ static int auth_cache_parse_key_exclude(pool_t pool, const char *query, - return 0; - } - --char *auth_cache_parse_key(pool_t pool, const char *query) --{ -- return auth_cache_parse_key_and_fields(pool, query, NULL, NULL); --} -- - char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, - const ARRAY_TYPE(const_string) *fields, - const char *exclude_driver) -diff --git a/src/auth/auth-cache.h b/src/auth/auth-cache.h -index 9bdb9185170..d63621b1a4c 100644 ---- a/src/auth/auth-cache.h -+++ b/src/auth/auth-cache.h -@@ -16,10 +16,8 @@ struct auth_cache_node { - struct auth_cache; - struct auth_request; - --/* Parses all %x variables from query and compresses them into tab-separated -- list, so it can be used as a cache key. */ --char *auth_cache_parse_key(pool_t pool, const char *query); --/* Same as auth_cache_parse_key(), but add also variables from "fields", -+/* Parses all %variables from query and compresses them into tab-separated -+ list, so it can be used as a cache key. Adds also variables from "fields", - except variables prefixed with ":" */ - char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, - const ARRAY_TYPE(const_string) *fields, -diff --git a/src/auth/test-auth-cache.c b/src/auth/test-auth-cache.c -index b36d83ec022..f58c21f7afb 100644 ---- a/src/auth/test-auth-cache.c -+++ b/src/auth/test-auth-cache.c -@@ -93,8 +93,8 @@ static void test_auth_cache_parse_key(void) - test_begin("auth cache parse key"); - - for (i = 0; i < N_ELEMENTS(tests); i++) { -- cache_key = auth_cache_parse_key(pool_datastack_create(), -- tests[i].in); -+ cache_key = auth_cache_parse_key_and_fields(pool_datastack_create(), -+ tests[i].in, NULL, NULL); - test_assert_strcmp_idx(cache_key, tests[i].out, i); - } - -@@ -119,8 +119,8 @@ static enum fatal_test_state test_cache_key_missing_variable(unsigned int i) - - if (i < N_ELEMENTS(tests_bad)) { - test_expect_fatal_string(tests_bad[i].out); -- (void)auth_cache_parse_key(pool_datastack_create(), -- tests_bad[i].in); -+ (void)auth_cache_parse_key_and_fields(pool_datastack_create(), -+ tests_bad[i].in, NULL, NULL); - return FATAL_TEST_FAILURE; - } - diff --git a/dovecot-2.4.1-gssapi.patch b/dovecot-2.4.1-gssapi.patch deleted file mode 100644 index 9765eb9..0000000 --- a/dovecot-2.4.1-gssapi.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up dovecot-2.4.1-4/src/auth/mech-gssapi.c.gssapi dovecot-2.4.1-4/src/auth/mech-gssapi.c ---- dovecot-2.4.1-4/src/auth/mech-gssapi.c.gssapi 2025-06-24 00:07:54.720275640 +0200 -+++ dovecot-2.4.1-4/src/auth/mech-gssapi.c 2025-06-24 00:10:04.541651871 +0200 -@@ -672,7 +672,7 @@ mech_gssapi_auth_initial(struct auth_req - - if (data_size == 0) { - /* The client should go first */ -- auth_request_handler_reply_continue(request, NULL, 0); -+ auth_request_handler_reply_continue(request, uchar_empty_ptr, 0); - } else { - mech_gssapi_auth_continue(request, data, data_size); - } diff --git a/dovecot-2.4.1-nolibotp.patch b/dovecot-2.4.1-nolibotp.patch index 6c8dad5..aea6ada 100644 --- a/dovecot-2.4.1-nolibotp.patch +++ b/dovecot-2.4.1-nolibotp.patch @@ -1,134 +1,80 @@ -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c 2025-06-05 22:36:50.148155427 +0200 -@@ -20,8 +20,6 @@ - #include "password-scheme.h" - #include "passdb-cache.h" - #include "mech.h" --#include "otp.h" --#include "mech-otp-common.h" - #include "auth.h" - #include "auth-penalty.h" - #include "auth-token.h" -@@ -272,7 +270,6 @@ static void main_deinit(void) - - auth_policy_deinit(); - mech_register_deinit(&mech_reg); -- mech_otp_deinit(); - db_oauth2_deinit(); - mech_deinit(global_auth_settings); - settings_free(global_auth_settings); -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c 2025-06-05 22:36:50.148435422 +0200 -@@ -71,7 +71,6 @@ extern const struct mech_module mech_apo - extern const struct mech_module mech_cram_md5; - extern const struct mech_module mech_digest_md5; - extern const struct mech_module mech_external; --extern const struct mech_module mech_otp; - extern const struct mech_module mech_scram_sha1; - extern const struct mech_module mech_scram_sha1_plus; - extern const struct mech_module mech_scram_sha256; -@@ -217,7 +216,6 @@ void mech_init(const struct auth_setting - mech_register_module(&mech_gssapi_spnego); - #endif - } -- mech_register_module(&mech_otp); - mech_register_module(&mech_scram_sha1); - mech_register_module(&mech_scram_sha1_plus); - mech_register_module(&mech_scram_sha256); -@@ -247,7 +245,6 @@ void mech_deinit(const struct auth_setti - mech_unregister_module(&mech_gssapi_spnego); - #endif - } -- mech_unregister_module(&mech_otp); - mech_unregister_module(&mech_scram_sha1); - mech_unregister_module(&mech_scram_sha1_plus); - mech_unregister_module(&mech_scram_sha256); -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c.nolibotp 2025-06-05 23:11:23.428522162 +0200 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c 2025-06-05 23:11:23.443511259 +0200 -@@ -72,7 +72,6 @@ void test_auth_init(void) - void test_auth_deinit(void) - { - auth_penalty_deinit(&auth_penalty); -- mech_otp_deinit(); - db_oauth2_deinit(); - auths_deinit(); - auth_token_deinit(); -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c 2025-06-05 22:36:50.148639214 +0200 -@@ -24,7 +24,6 @@ extern const struct mech_module mech_dig - extern const struct mech_module mech_external; - extern const struct mech_module mech_login; - extern const struct mech_module mech_oauthbearer; --extern const struct mech_module mech_otp; - extern const struct mech_module mech_plain; - extern const struct mech_module mech_scram_sha1; - extern const struct mech_module mech_scram_sha256; -@@ -60,10 +59,7 @@ request_handler_reply_mock_callback(stru +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c.nolibotp 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c 2025-11-30 13:38:50.100927373 +0100 +@@ -16,7 +16,7 @@ + static const char *const settings[] = { + "base_dir", ".", + "auth_mechanisms", +- "ANONYMOUS APOP CRAM-MD5 DIGEST-MD5 EXTERNAL LOGIN PLAIN OTP " ++ "ANONYMOUS APOP CRAM-MD5 DIGEST-MD5 EXTERNAL LOGIN PLAIN " + "OAUTHBEARER SCRAM-SHA-1 SCRAM-SHA-256 XOAUTH2", + "auth_username_chars", "", + "auth_username_format", "", +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c.nolibotp 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c 2025-11-30 13:38:50.101130654 +0100 +@@ -46,10 +46,7 @@ request_handler_reply_mock_callback(stru if (request->passdb_result == PASSDB_RESULT_OK) request->failed = FALSE; -- else if (request->mech == &mech_otp) { +- else if (strcmp(request->fields.mech_name, SASL_MECH_NAME_OTP) == 0) { - if (null_strcmp(request->fields.user, "otp_phase_2") == 0) - request->failed = FALSE; -- } else if (request->mech == &mech_oauthbearer) { -+ else if (request->mech == &mech_oauthbearer) { +- } else if (strcmp(request->fields.mech_name, ++ else if (strcmp(request->fields.mech_name, + SASL_MECH_NAME_OAUTHBEARER) == 0) { } }; +@@ -190,10 +187,6 @@ static void test_mechs(void) + {"PLAIN", UCHAR_LEN("\0testuser\0testpass"), "testuser", TRUE, FALSE, FALSE}, + {"PLAIN", UCHAR_LEN("normaluser\0masteruser\0masterpass"), "masteruser", TRUE, FALSE, FALSE}, + {"PLAIN", UCHAR_LEN("normaluser\0normaluser\0masterpass"), "normaluser", TRUE, FALSE, FALSE}, +- {"OTP", UCHAR_LEN("hex:5Bf0 75d9 959d 036f"), "otp_phase_2", TRUE, TRUE, FALSE}, +- {"OTP", UCHAR_LEN("word:BOND FOGY DRAB NE RISE MART"), "otp_phase_2", TRUE, TRUE, FALSE}, +- {"OTP", UCHAR_LEN("init-hex:f6bd 6b33 89b8 7203:md5 499 ke6118:23d1 b253 5ae0 2b7e"), "otp_phase_2", TRUE, TRUE, FALSE}, +- {"OTP", UCHAR_LEN("init-word:END KERN BALM NICK EROS WAVY:md5 499 ke1235:BABY FAIN OILY NIL TIDY DADE"), "otp_phase_2", TRUE, TRUE, FALSE}, + {"OAUTHBEARER", UCHAR_LEN("n,a=testuser,p=cHJvb2Y=,f=nonstandart\x01host=server\x01port=143\x01""auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01"), "testuser", FALSE, TRUE, FALSE}, + {"SCRAM-SHA-1", UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", TRUE, FALSE, FALSE}, + {"SCRAM-SHA-256", UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", TRUE, FALSE, FALSE}, +@@ -208,8 +201,6 @@ static void test_mechs(void) + {"EXTERNAL", UCHAR_LEN(""), "testuser", FALSE, TRUE, FALSE}, + {"EXTERNAL", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, + {"LOGIN", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, +- {"OTP", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, +- {"OTP", UCHAR_LEN(""), "testuser", FALSE, FALSE, FALSE}, + {"PLAIN", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, + {"OAUTHBEARER", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, + {"XOAUTH2", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, +@@ -221,7 +212,6 @@ static void test_mechs(void) + {"APOP", UCHAR_LEN("1.1.1\0testuser\0tooshort"), NULL, FALSE, FALSE, FALSE}, + {"APOP", UCHAR_LEN("1.1.1\0testuser\0responseoflen16-"), NULL, FALSE, FALSE, FALSE}, + {"APOP", UCHAR_LEN("1.1.1"), NULL, FALSE, FALSE, FALSE}, +- {"OTP", UCHAR_LEN("somebody\0testuser"), "testuser", FALSE, TRUE, FALSE}, + {"CRAM-MD5", UCHAR_LEN("testuser\0response"), "testuser", FALSE, FALSE, FALSE}, + {"PLAIN", UCHAR_LEN("testuser\0"), "testuser", FALSE, FALSE, FALSE}, -@@ -181,10 +177,6 @@ static void test_mechs(void) - {&mech_plain, UCHAR_LEN("\0testuser\0testpass"), "testuser", NULL, TRUE, FALSE, FALSE}, - {&mech_plain, UCHAR_LEN("normaluser\0masteruser\0masterpass"), "masteruser", NULL, TRUE, FALSE, FALSE}, - {&mech_plain, UCHAR_LEN("normaluser\0normaluser\0masterpass"), "normaluser", NULL, TRUE, FALSE, FALSE}, -- {&mech_otp, UCHAR_LEN("hex:5Bf0 75d9 959d 036f"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, -- {&mech_otp, UCHAR_LEN("word:BOND FOGY DRAB NE RISE MART"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, -- {&mech_otp, UCHAR_LEN("init-hex:f6bd 6b33 89b8 7203:md5 499 ke6118:23d1 b253 5ae0 2b7e"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, -- {&mech_otp, UCHAR_LEN("init-word:END KERN BALM NICK EROS WAVY:md5 499 ke1235:BABY FAIN OILY NIL TIDY DADE"), "otp_phase_2", NULL , TRUE, TRUE, FALSE}, - {&mech_oauthbearer, UCHAR_LEN("n,a=testuser,p=cHJvb2Y=,f=nonstandart\x01host=server\x01port=143\x01""auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01"), "testuser", NULL, FALSE, TRUE, FALSE}, - {&mech_scram_sha1, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, - {&mech_scram_sha256, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, -@@ -199,8 +191,6 @@ static void test_mechs(void) - {&mech_external, UCHAR_LEN(""), "testuser", NULL, FALSE, TRUE, FALSE}, - {&mech_external, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_login, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, -- {&mech_otp, UCHAR_LEN(""), NULL, "invalid input", FALSE, FALSE, FALSE}, -- {&mech_otp, UCHAR_LEN(""), "testuser", "invalid input", FALSE, FALSE, FALSE}, - {&mech_plain, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_oauthbearer, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_xoauth2, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, -@@ -212,7 +202,6 @@ static void test_mechs(void) - {&mech_apop, UCHAR_LEN("1.1.1\0testuser\0tooshort"), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_apop, UCHAR_LEN("1.1.1\0testuser\0responseoflen16-"), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_apop, UCHAR_LEN("1.1.1"), NULL, NULL, FALSE, FALSE, FALSE}, -- {&mech_otp, UCHAR_LEN("somebody\0testuser"), "testuser", "unsupported response type", FALSE, TRUE, FALSE}, - {&mech_cram_md5, UCHAR_LEN("testuser\0response"), "testuser", NULL, FALSE, FALSE, FALSE}, - {&mech_plain, UCHAR_LEN("testuser\0"), "testuser", NULL, FALSE, FALSE, FALSE}, - -@@ -254,9 +243,7 @@ static void test_mechs(void) - {&mech_plain, UCHAR_LEN("\0fa\0il\0ing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_plain, UCHAR_LEN("failingwiththis"), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_plain, UCHAR_LEN("failing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, -- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), NULL, "invalid input", FALSE, FALSE, FALSE}, +@@ -264,9 +254,7 @@ static void test_mechs(void) + {"PLAIN", UCHAR_LEN("\0fa\0il\0ing\0withthis"), NULL, FALSE, FALSE, FALSE}, + {"PLAIN", UCHAR_LEN("failingwiththis"), NULL, FALSE, FALSE, FALSE}, + {"PLAIN", UCHAR_LEN("failing\0withthis"), NULL, FALSE, FALSE, FALSE}, +- {"OTP", UCHAR_LEN("someb\0ody\0testuser"), NULL, FALSE, FALSE, FALSE}, /* phase 2 */ -- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), "testuser", "unsupported response type", FALSE, TRUE, FALSE}, - {&mech_scram_sha1, UCHAR_LEN("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_scram_sha1, UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, NULL, FALSE, FALSE, FALSE}, - {&mech_scram_sha1, UCHAR_LEN("n,a=masteruser,,"), NULL, NULL, FALSE, FALSE, FALSE}, -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.nolibotp 2025-06-05 22:36:50.142606171 +0200 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c 2025-06-05 22:36:50.148822418 +0200 +- {"OTP", UCHAR_LEN("someb\0ody\0testuser"), "testuser", FALSE, TRUE, FALSE}, + {"SCRAM-SHA-1", UCHAR_LEN("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="), NULL, FALSE, FALSE, FALSE}, + {"SCRAM-SHA-1", UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, FALSE, FALSE, FALSE}, + {"SCRAM-SHA-1", UCHAR_LEN("n,a=masteruser,,"), NULL, FALSE, FALSE, FALSE}, +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.nolibotp 2025-11-30 13:38:50.093609901 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c 2025-11-30 13:38:50.101359374 +0100 @@ -13,7 +13,6 @@ #include "randgen.h" #include "sha1.h" #include "sha2.h" -#include "otp.h" #include "str.h" + #include "auth-digest.h" #include "password-scheme.h" - #include "password-scheme-private.h" -@@ -701,33 +700,6 @@ plain_md5_generate(const char *plaintext +@@ -704,33 +703,6 @@ plain_md5_generate(const char *plaintext *size_r = MD5_RESULTLEN; } @@ -162,7 +108,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.noli static const struct password_scheme builtin_schemes[] = { { .name = "MD5", -@@ -891,13 +863,6 @@ static const struct password_scheme buil +@@ -894,13 +866,6 @@ static const struct password_scheme buil .password_generate = plain_md5_generate, }, { @@ -176,9 +122,9 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.noli .name = "PBKDF2", .default_encoding = PW_ENCODING_NONE, .raw_password_len = 0, -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h.nolibotp 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h 2025-06-05 22:36:50.148942954 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h.nolibotp 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h 2025-11-30 13:38:50.101549260 +0100 @@ -98,9 +98,6 @@ void password_set_encryption_rounds(unsi /* INTERNAL: */ const char *password_generate_salt(size_t len); @@ -187,11 +133,11 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h.noli - unsigned int algo, const char **result_r) - ATTR_NULL(2); - int scram_scheme_parse(const struct hash_method *hmethod, const char *name, - const unsigned char *credentials, size_t size, -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c 2025-06-05 22:36:50.149077275 +0200 + int scram_verify(const struct hash_method *hmethod, const char *scheme_name, + const char *plaintext, const unsigned char *raw_password, +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c.nolibotp 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c 2025-11-30 13:38:50.101711124 +0100 @@ -107,7 +107,6 @@ static void test_password_schemes(void) test_password_scheme("SHA512", "{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==", "test"); test_password_scheme("SSHA", "{SSHA}H/zrDv8FXUu1JmwvVYijfrYEF34jVZcO", "test"); @@ -200,3 +146,140 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c test_password_scheme("PBKDF2", "{PBKDF2}$1$bUnT4Pl7yFtYX0KU$5000$50a83cafdc517b9f46519415e53c6a858908680a", "test"); test_password_scheme("CRAM-MD5", "{CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6", "test"); test_password_scheme("DIGEST-MD5", "{DIGEST-MD5}77c1a8c437c9b08ba2f460fe5d58db5d", "test"); +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c.nolibotp 2025-11-30 13:39:54.210043386 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c 2025-11-30 13:39:54.217205256 +0100 +@@ -175,7 +175,6 @@ void dsasl_clients_init(void) + dsasl_client_mech_register(&dsasl_client_mech_digest_md5); + dsasl_client_mech_register(&dsasl_client_mech_cram_md5); + dsasl_client_mech_register(&dsasl_client_mech_oauthbearer); +- dsasl_client_mech_register(&dsasl_client_mech_otp); + dsasl_client_mech_register(&dsasl_client_mech_xoauth2); + dsasl_client_mech_register(&dsasl_client_mech_scram_sha_1); + dsasl_client_mech_register(&dsasl_client_mech_scram_sha_1_plus); +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h.nolibotp 2025-11-30 13:40:22.269119732 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h 2025-11-30 13:40:22.275363043 +0100 +@@ -50,7 +50,6 @@ extern const struct dsasl_client_mech ds + extern const struct dsasl_client_mech dsasl_client_mech_external; + extern const struct dsasl_client_mech dsasl_client_mech_login; + extern const struct dsasl_client_mech dsasl_client_mech_oauthbearer; +-extern const struct dsasl_client_mech dsasl_client_mech_otp; + extern const struct dsasl_client_mech dsasl_client_mech_xoauth2; + extern const struct dsasl_client_mech dsasl_client_mech_scram_sha_1; + extern const struct dsasl_client_mech dsasl_client_mech_scram_sha_1_plus; +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c.nolibotp 2025-11-30 13:40:56.823727053 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c 2025-11-30 13:40:56.837864792 +0100 +@@ -635,7 +635,6 @@ static void fuzz_sasl_run(struct istream + sasl_server_mech_register_cram_md5(server_inst); + sasl_server_mech_register_digest_md5(server_inst); + sasl_server_mech_register_login(server_inst); +- sasl_server_mech_register_otp(server_inst); + sasl_server_mech_register_plain(server_inst); + sasl_server_mech_register_scram_sha1(server_inst); + sasl_server_mech_register_scram_sha1_plus(server_inst); +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h.nolibotp 2025-11-30 13:41:24.035316421 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h 2025-11-30 13:41:24.050796571 +0100 +@@ -193,8 +193,6 @@ void sasl_server_mech_register_scram_sha + void sasl_server_mech_register_scram_sha256_plus( + struct sasl_server_instance *sinst); + +-void sasl_server_mech_register_otp(struct sasl_server_instance *sinst); +- + /* Winbind */ + + struct sasl_server_winbind_settings { +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c.nolibotp 2025-11-30 13:42:08.741524883 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c 2025-11-30 13:42:08.757334395 +0100 +@@ -507,7 +507,6 @@ test_sasl_run(const struct test_sasl *te + sasl_server_mech_register_digest_md5(server_inst); + sasl_server_mech_register_external(server_inst); + sasl_server_mech_register_login(server_inst); +- sasl_server_mech_register_otp(server_inst); + sasl_server_mech_register_plain(server_inst); + sasl_server_mech_register_scram_sha1(server_inst); + sasl_server_mech_register_scram_sha1_plus(server_inst); +@@ -722,16 +721,6 @@ static const struct test_sasl success_te + .password = "tokentokentoken", + }, + }, +- /* OTP */ +- { +- .mech = "OTP", +- .authid_type = SASL_SERVER_AUTHID_TYPE_USERNAME, +- .server = { +- .authid = "user", +- .password = "pass", +- }, +- .repeat = 1050, +- }, + /* EXTERNAL */ + { + .mech = "EXTERNAL", +@@ -1457,31 +1446,6 @@ static const struct test_sasl bad_creds_ + }, + .failure = TRUE, + }, +- /* OTP */ +- { +- .mech = "OTP", +- .authid_type = SASL_SERVER_AUTHID_TYPE_USERNAME, +- .server = { +- .authid = "user", +- .password = "pass", +- }, +- .client = { +- .authid = "userb", +- }, +- .failure = TRUE, +- }, +- { +- .mech = "OTP", +- .authid_type = SASL_SERVER_AUTHID_TYPE_USERNAME, +- .server = { +- .authid = "user", +- .password = "pass", +- }, +- .client = { +- .password = "florp", +- }, +- .failure = TRUE, +- }, + /* EXTERNAL */ + { + .mech = "EXTERNAL", +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c.nolibotp2 dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c.nolibotp2 2025-11-30 13:56:23.124460140 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c 2025-11-30 13:56:39.521935947 +0100 +@@ -472,7 +472,6 @@ MECH_SIMPLE_REGISTER__TEMPLATE(cram_md5) + MECH_SIMPLE_REGISTER__TEMPLATE(digest_md5) + MECH_SIMPLE_REGISTER__TEMPLATE(external) + MECH_SIMPLE_REGISTER__TEMPLATE(login) +-MECH_SIMPLE_REGISTER__TEMPLATE(otp) + MECH_SIMPLE_REGISTER__TEMPLATE(plain) + MECH_SIMPLE_REGISTER__TEMPLATE(scram_sha1) + MECH_SIMPLE_REGISTER__TEMPLATE(scram_sha1_plus) +@@ -539,12 +538,6 @@ static const struct auth_sasl_mech_modul + .mech_register = mech_login_register, + }; + +-static const struct auth_sasl_mech_module mech_otp = { +- .mech_name = SASL_MECH_NAME_OTP, +- +- .mech_register = mech_otp_register, +-}; +- + static const struct auth_sasl_mech_module mech_plain = { + .mech_name = SASL_MECH_NAME_PLAIN, + +@@ -612,7 +605,6 @@ static void auth_sasl_mechs_init(const s + if (set->use_winbind) + auth_sasl_mech_register_module(&mech_winbind_ntlm); + auth_sasl_mech_oauth2_register(); +- auth_sasl_mech_register_module(&mech_otp); + auth_sasl_mech_register_module(&mech_plain); + auth_sasl_mech_register_module(&mech_scram_sha1); + auth_sasl_mech_register_module(&mech_scram_sha1_plus); diff --git a/dovecot-2.4.1-opensslhmac3.patch b/dovecot-2.4.1-opensslhmac3.patch index d5e8a92..1947856 100644 --- a/dovecot-2.4.1-opensslhmac3.patch +++ b/dovecot-2.4.1-opensslhmac3.patch @@ -1,6 +1,6 @@ -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c 2025-07-30 11:45:19.801515296 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c 2025-11-30 09:57:55.178213106 +0100 @@ -162,17 +162,17 @@ void auth_token_deinit(void) const char *auth_token_get(const char *service, const char *session_pid, const char *username, const char *session_id) @@ -26,10 +26,10 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c.opensslhmac3 return binary_to_hex(result, sizeof(result)); } -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am 2025-07-30 11:45:19.803705887 +0200 -@@ -66,6 +66,7 @@ auth_LDFLAGS = -export-dynamic +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am +--- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am 2025-11-30 09:57:55.178490134 +0100 +@@ -71,6 +71,7 @@ auth_LDFLAGS = -export-dynamic auth_libs = \ ../lib-auth/libauth-crypt.la \ $(AUTH_LUA_LIBS) \ @@ -37,35 +37,9 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am.opensslhmac3 d $(LIBDOVECOT_SQL) auth_CPPFLAGS = $(AM_CPPFLAGS) $(BINARY_CFLAGS) -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c 2025-07-30 11:45:19.801656370 +0200 -@@ -50,7 +50,7 @@ static bool verify_credentials(struct cr - const unsigned char *credentials, size_t size) - { - unsigned char digest[MD5_RESULTLEN]; -- struct hmac_context ctx; -+ struct orig_hmac_context ctx; - const char *response_hex; - - if (size != CRAM_MD5_CONTEXTLEN) { -@@ -59,10 +59,10 @@ static bool verify_credentials(struct cr - return FALSE; - } - -- hmac_init(&ctx, NULL, 0, &hash_method_md5); -+ orig_hmac_init(&ctx, NULL, 0, &hash_method_md5); - hmac_md5_set_cram_context(&ctx, credentials); -- hmac_update(&ctx, request->challenge, strlen(request->challenge)); -- hmac_final(&ctx, digest); -+ orig_hmac_update(&ctx, request->challenge, strlen(request->challenge)); -+ orig_hmac_final(&ctx, digest); - - response_hex = binary_to_hex(digest, sizeof(digest)); - -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am 2025-07-30 11:45:19.803805844 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am +--- dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am 2025-11-30 09:57:55.179136544 +0100 @@ -21,11 +21,13 @@ AM_CPPFLAGS = \ $(BINARY_CFLAGS) @@ -80,10 +54,10 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am.opensslhmac3 d $(LIBDOVECOT_STORAGE) \ $(LIBDOVECOT) imap_DEPENDENCIES = \ -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am 2025-07-30 11:45:19.803904279 +0200 -@@ -22,6 +22,7 @@ imap_urlauth_CPPFLAGS = \ +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am +--- dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am 2025-11-30 09:57:55.179268682 +0100 +@@ -23,6 +23,7 @@ imap_urlauth_CPPFLAGS = \ imap_urlauth_LDFLAGS = -export-dynamic imap_urlauth_LDADD = $(LIBDOVECOT) \ @@ -91,7 +65,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.openss $(BINARY_LDFLAGS) imap_urlauth_DEPENDENCIES = $(LIBDOVECOT_DEPS) -@@ -52,7 +53,7 @@ imap_urlauth_worker_LDFLAGS = -export-dy +@@ -53,7 +54,7 @@ imap_urlauth_worker_LDFLAGS = -export-dy urlauth_libs = \ $(top_builddir)/src/lib-imap-urlauth/libimap-urlauth.la @@ -100,10 +74,10 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.openss imap_urlauth_worker_DEPENDENCIES = $(urlauth_libs) $(LIBDOVECOT_STORAGE_DEPS) $(LIBDOVECOT_DEPS) imap_urlauth_worker_SOURCES = \ -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c 2025-07-30 11:45:19.801788468 +0200 -@@ -248,7 +248,7 @@ static string_t *auth_scram_get_client_f +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c 2025-11-30 09:57:55.179413002 +0100 +@@ -222,7 +222,7 @@ static string_t *auth_scram_get_client_f unsigned char client_signature[hmethod->digest_size]; unsigned char client_proof[hmethod->digest_size]; unsigned char server_key[hmethod->digest_size]; @@ -112,7 +86,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.op const void *cbind_input; size_t cbind_input_size; string_t *auth_message, *str; -@@ -307,9 +307,9 @@ static string_t *auth_scram_get_client_f +@@ -281,9 +281,9 @@ static string_t *auth_scram_get_client_f client->iter, salted_password); /* ClientKey := HMAC(SaltedPassword, "Client Key") */ @@ -125,7 +99,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.op /* StoredKey := H(ClientKey) */ hash_method_get_digest(hmethod, client_key, sizeof(client_key), -@@ -327,9 +327,9 @@ static string_t *auth_scram_get_client_f +@@ -301,9 +301,9 @@ static string_t *auth_scram_get_client_f str_append_str(auth_message, str); /* ClientSignature := HMAC(StoredKey, AuthMessage) */ @@ -138,7 +112,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.op /* ClientProof := ClientKey XOR ClientSignature */ for (k = 0; k < hmethod->digest_size; k++) -@@ -340,16 +340,16 @@ static string_t *auth_scram_get_client_f +@@ -314,16 +314,16 @@ static string_t *auth_scram_get_client_f safe_memset(client_signature, 0, sizeof(client_signature)); /* ServerKey := HMAC(SaltedPassword, "Server Key") */ @@ -161,9 +135,9 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.op safe_memset(salted_password, 0, sizeof(salted_password)); -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c 2025-07-30 11:45:19.801918022 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c 2025-11-30 09:57:55.179729815 +0100 @@ -31,7 +31,7 @@ void auth_scram_hi(const struct hash_met const unsigned char *salt, size_t salt_size, unsigned int i, unsigned char *result) @@ -233,10 +207,10 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c.opensslhm safe_memset(salted_password, 0, sizeof(salted_password)); safe_memset(client_key, 0, sizeof(client_key)); -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c 2025-07-30 11:45:19.802027357 +0200 -@@ -342,7 +342,7 @@ auth_scram_server_verify_credentials(str +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c 2025-11-30 09:57:55.179862473 +0100 +@@ -288,7 +288,7 @@ auth_scram_server_verify_credentials(str { const struct hash_method *hmethod = server->set.hash_method; struct auth_scram_key_data *kdata = &server->key_data; @@ -245,7 +219,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.op const char *auth_message; unsigned char client_key[hmethod->digest_size]; unsigned char client_signature[hmethod->digest_size]; -@@ -363,9 +363,9 @@ auth_scram_server_verify_credentials(str +@@ -309,9 +309,9 @@ auth_scram_server_verify_credentials(str server->server_first_message, ",", server->client_final_message_without_proof, NULL); @@ -258,7 +232,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.op /* ClientProof := ClientKey XOR ClientSignature */ const unsigned char *proof_data = server->proof->data; -@@ -494,7 +494,7 @@ auth_scram_get_server_final(struct auth_ +@@ -440,7 +440,7 @@ auth_scram_get_server_final(struct auth_ { const struct hash_method *hmethod = server->set.hash_method; struct auth_scram_key_data *kdata = &server->key_data; @@ -267,7 +241,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.op const char *auth_message; unsigned char server_signature[hmethod->digest_size]; string_t *str; -@@ -510,9 +510,9 @@ auth_scram_get_server_final(struct auth_ +@@ -456,9 +456,9 @@ auth_scram_get_server_final(struct auth_ server->server_first_message, ",", server->client_final_message_without_proof, NULL); @@ -280,10 +254,10 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.op /* RFC 5802, Section 7: -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c 2025-07-30 11:45:19.802166177 +0200 -@@ -631,11 +631,11 @@ static void +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c 2025-11-30 09:57:55.180035106 +0100 +@@ -633,11 +633,11 @@ static void cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, const unsigned char **raw_password_r, size_t *size_r) { @@ -297,10 +271,10 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.open strlen(plaintext), &hash_method_md5); hmac_md5_get_cram_context(&ctx, context_digest); -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c 2025-07-30 11:45:19.802285591 +0200 -@@ -69,7 +69,7 @@ int scram_verify(const struct hash_metho +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c 2025-11-30 09:57:55.180182392 +0100 +@@ -23,7 +23,7 @@ int scram_verify(const struct hash_metho const char *plaintext, const unsigned char *raw_password, size_t size, const char **error_r) { @@ -309,7 +283,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram. const char *salt_base64; unsigned int iter_count; const unsigned char *salt; -@@ -94,9 +94,9 @@ int scram_verify(const struct hash_metho +@@ -49,9 +49,9 @@ int scram_verify(const struct hash_metho salt, salt_len, iter_count, salted_password); /* Calculate ClientKey */ @@ -322,9 +296,9 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram. /* Calculate StoredKey */ hash_method_get_digest(hmethod, client_key, sizeof(client_key), -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c 2025-07-30 11:46:43.346310291 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c 2025-11-30 09:57:55.180318937 +0100 @@ -7,6 +7,10 @@ * This software is released under the MIT license. */ @@ -598,9 +572,9 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 dovecot - safe_memset(prk, 0, sizeof(prk)); - safe_memset(okm, 0, sizeof(okm)); } -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c 2025-07-30 11:45:19.802547733 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c 2025-11-30 09:57:55.180461985 +0100 @@ -9,10 +9,10 @@ #include "md5.h" #include "hmac-cram-md5.h" @@ -627,9 +601,9 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c.opensslhmac const unsigned char *cdp; struct md5_context *ctx = (void*)hmac_ctx->ctx; -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h 2025-07-30 11:45:19.802643613 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h 2025-11-30 09:57:55.180563796 +0100 @@ -5,9 +5,9 @@ #define CRAM_MD5_CONTEXTLEN 32 @@ -642,9 +616,9 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h.opensslhmac const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]); -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h 2025-07-30 11:45:19.802751766 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h 2025-11-30 09:57:55.180723505 +0100 @@ -4,60 +4,108 @@ #include "hash-method.h" #include "sha1.h" @@ -654,7 +628,7 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h.opensslhmac3 dovecot +#include +#include - #define HMAC_MAX_CONTEXT_SIZE sizeof(struct sha512_ctx) + #define HMAC_MAX_CONTEXT_SIZE HASH_METHOD_MAX_CONTEXT_SIZE -struct hmac_context_priv { + @@ -767,9 +741,9 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h.opensslhmac3 dovecot okm_buffer, okm_len); return okm_buffer; } -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c 2025-07-30 11:45:19.802862354 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c 2025-11-30 09:57:55.180863807 +0100 @@ -87,15 +87,15 @@ imap_urlauth_internal_generate( const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN], size_t *token_len_r) @@ -790,10 +764,10 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c *token_len_r = SHA1_RESULTLEN + 1; return token; -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am 2025-07-30 11:45:19.802976508 +0200 -@@ -359,6 +359,9 @@ headers = \ +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am 2025-11-30 09:57:55.180990124 +0100 +@@ -414,6 +414,9 @@ headers = \ wildcard-match.h \ write-full.h @@ -803,9 +777,9 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am.opensslhmac3 do test_programs = test-lib noinst_PROGRAMS = $(test_programs) -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c 2025-07-30 11:45:19.803097425 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c 2025-11-30 09:57:55.181135306 +0100 @@ -210,14 +210,14 @@ oauth2_validate_hmac(const struct oauth2 if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0) return -1; @@ -827,9 +801,9 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c.openssl buffer_t *their_digest = t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]); -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c 2025-07-30 11:45:19.803224443 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c 2025-11-30 09:57:55.181290025 +0100 @@ -250,7 +250,7 @@ static void save_key_azp_to(const char * static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key) { @@ -857,9 +831,9 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c.op tokenbuf); buffer_append(tokenbuf, ".", 1); base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c 2025-07-30 11:45:19.803357132 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c 2025-11-30 09:57:55.181492013 +0100 @@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */ unsigned char dk[l * hash->digest_size]; @@ -894,9 +868,35 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c.opensslhmac3 doveco for(i = 0; i < hash->digest_size; i++) block[i] ^= U_c[i]; } -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c 2025-07-30 11:45:19.803460807 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c 2025-11-30 10:00:28.967795725 +0100 +@@ -53,7 +53,7 @@ verify_credentials(struct sasl_server_me + container_of(auth_request, struct cram_auth_request, + auth_request); + unsigned char digest[MD5_RESULTLEN]; +- struct hmac_context ctx; ++ struct orig_hmac_context ctx; + const char *response_hex; + + if (size != CRAM_MD5_CONTEXTLEN) { +@@ -62,10 +62,10 @@ verify_credentials(struct sasl_server_me + return; + } + +- hmac_init(&ctx, NULL, 0, &hash_method_md5); ++ orig_hmac_init(&ctx, NULL, 0, &hash_method_md5); + hmac_md5_set_cram_context(&ctx, credentials); +- hmac_update(&ctx, request->challenge, strlen(request->challenge)); +- hmac_final(&ctx, digest); ++ orig_hmac_update(&ctx, request->challenge, strlen(request->challenge)); ++ orig_hmac_final(&ctx, digest); + + response_hex = binary_to_hex(digest, sizeof(digest)); + +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c 2025-11-30 09:57:55.181656401 +0100 @@ -206,11 +206,11 @@ static void test_hmac_rfc(void) test_begin("hmac sha256 rfc4231 vectors"); for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) { @@ -972,10 +972,10 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c.opensslhmac3 do vec->ikm_len, vec->info, vec->info_len, vec->okm_len); test_assert(tmp->used == vec->okm_len && -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am 2025-07-30 11:45:19.803606280 +0200 -@@ -30,13 +30,13 @@ test_libs = \ +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am 2025-11-30 09:58:11.669117030 +0100 +@@ -34,13 +34,13 @@ test_libs = \ $(DLLIB) test_var_expand_crypt_SOURCES = test-var-expand-crypt.c @@ -986,14 +986,14 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.a test_var_expand_crypt_LDFLAGS = -export-dynamic -Wl,$(LD_WHOLE_ARCHIVE),../lib/.libs/liblib.a,../lib-json/.libs/libjson.a,../lib-ssl-iostream/.libs/libssl_iostream.a,$(LD_NO_WHOLE_ARCHIVE) endif --test_var_expand_crypt_CFLAGS = $(AM_CPPFLAGS) \ -+test_var_expand_crypt_CFLAGS = $(AM_CPPFLAGS) $(SSL_CFLAGS) \ +-test_var_expand_crypt_CFLAGS = $(AM_CFLAGS) \ ++test_var_expand_crypt_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) \ -DDCRYPT_BUILD_DIR=\"$(top_builddir)/src/lib-dcrypt\" check-local: -diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am ---- dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 -+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am 2025-07-30 11:45:19.804003916 +0200 +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am +--- dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am 2025-11-30 09:57:55.182137562 +0100 @@ -29,6 +29,7 @@ submission_LDADD = \ $(urlauth_libs) \ $(LIBDOVECOT_STORAGE) \ @@ -1002,3 +1002,24 @@ diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am.opensslh $(MODULE_LIBS) submission_DEPENDENCIES = \ $(urlauth_libs) \ +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c.fixbuild2 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c.fixbuild2 2025-11-30 13:11:06.583413762 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c 2025-11-30 13:22:04.883307427 +0100 +@@ -81,13 +81,13 @@ mech_cram_md5_output(struct dsasl_client + return DSASL_CLIENT_RESULT_OK; + } + +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + unsigned char digest[MD5_RESULTLEN]; + +- hmac_init(&ctx, (const unsigned char *)client->password, ++ openssl_hmac_init(&ctx, (const unsigned char *)client->password, + strlen(client->password), &hash_method_md5); +- hmac_update(&ctx, cclient->challenge, strlen(cclient->challenge)); +- hmac_final(&ctx, digest); ++ openssl_hmac_update(&ctx, cclient->challenge, strlen(cclient->challenge)); ++ openssl_hmac_final(&ctx, digest); + + str = str_new(client->pool, 256); + str_append(str, client->set.authid); diff --git a/dovecot-2.4.2-fixbuild.patch b/dovecot-2.4.2-fixbuild.patch new file mode 100644 index 0000000..ad5530b --- /dev/null +++ b/dovecot-2.4.2-fixbuild.patch @@ -0,0 +1,135 @@ +diff -up dovecot-2.4.2/src/lib/istream.c.fixbuild dovecot-2.4.2/src/lib/istream.c +--- dovecot-2.4.2/src/lib/istream.c.fixbuild 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2/src/lib/istream.c 2025-11-30 11:40:37.739536137 +0100 +@@ -85,7 +85,7 @@ void i_stream_add_destroy_callback(struc + } + + void i_stream_remove_destroy_callback(struct istream *stream, +- void (*callback)()) ++ istream_callback_t *callback) + { + io_stream_remove_destroy_callback(&stream->real_stream->iostream, + callback); +diff -up dovecot-2.4.2/src/lib/istream.h.fixbuild dovecot-2.4.2/src/lib/istream.h +--- dovecot-2.4.2/src/lib/istream.h.fixbuild 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2/src/lib/istream.h 2025-11-30 11:40:37.739798710 +0100 +@@ -100,7 +100,7 @@ void i_stream_add_destroy_callback(struc + (istream_callback_t *)callback, context) + /* Remove the destroy callback. */ + void i_stream_remove_destroy_callback(struct istream *stream, +- void (*callback)()); ++ istream_callback_t *callback); + + /* Return file descriptor for stream, or -1 if none is available. */ + int i_stream_get_fd(struct istream *stream); +diff -up dovecot-2.4.2/src/lib/ostream.c.fixbuild dovecot-2.4.2/src/lib/ostream.c +--- dovecot-2.4.2/src/lib/ostream.c.fixbuild 2025-11-30 11:42:21.434063550 +0100 ++++ dovecot-2.4.2/src/lib/ostream.c 2025-11-30 11:42:55.814100259 +0100 +@@ -127,7 +127,7 @@ void o_stream_add_destroy_callback(struc + } + + void o_stream_remove_destroy_callback(struct ostream *stream, +- void (*callback)()) ++ ostream_callback_t *callback) + { + io_stream_remove_destroy_callback(&stream->real_stream->iostream, + callback); +diff -up dovecot-2.4.2/src/lib/ostream.h.fixbuild dovecot-2.4.2/src/lib/ostream.h +--- dovecot-2.4.2/src/lib/ostream.h.fixbuild 2025-11-30 11:42:29.639009602 +0100 ++++ dovecot-2.4.2/src/lib/ostream.h 2025-11-30 11:43:20.101652841 +0100 +@@ -127,7 +127,7 @@ void o_stream_add_destroy_callback(struc + (ostream_callback_t *)callback, context) + /* Remove the destroy callback. */ + void o_stream_remove_destroy_callback(struct ostream *stream, +- void (*callback)()); ++ ostream_callback_t *callback); + + /* Mark the stream and all of its parent streams closed. Nothing will be + sent after this call. When using ostreams that require writing a trailer, +diff -up dovecot-2.4.2/src/lib-json/json-istream.c.fixbuild dovecot-2.4.2/src/lib-json/json-istream.c +--- dovecot-2.4.2/src/lib-json/json-istream.c.fixbuild 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2/src/lib-json/json-istream.c 2025-11-30 12:52:15.970430672 +0100 +@@ -706,7 +706,7 @@ static void json_istream_drop_value_stre + if (stream->seekable_stream != NULL) { + i_stream_remove_destroy_callback( + stream->seekable_stream, +- json_istream_drop_seekable_stream); ++ (istream_callback_t *)json_istream_drop_seekable_stream); + i_stream_unref(&stream->seekable_stream); + } + } +@@ -720,12 +720,12 @@ static void json_istream_consumed_value_ + if (stream->seekable_stream != NULL) { + i_stream_remove_destroy_callback( + stream->seekable_stream, +- json_istream_drop_seekable_stream); ++ (istream_callback_t *)json_istream_drop_seekable_stream); + } + if (stream->value_stream != NULL) { + i_stream_remove_destroy_callback( + stream->value_stream, +- json_istream_drop_value_stream); ++ (istream_callback_t *)json_istream_drop_value_stream); + } + stream->value_stream = NULL; + stream->seekable_stream = NULL; + i_stream_remove_destroy_callback(conn->incoming_payload, +- http_client_payload_destroyed); ++ (istream_callback_t *)http_client_payload_destroyed); + conn->incoming_payload = NULL; + } + +diff -up dovecot-2.4.2/src/lib-http/http-server-connection.c.fixbuild dovecot-2.4.2/src/lib-http/http-server-connection.c +--- dovecot-2.4.2/src/lib-http/http-server-connection.c.fixbuild 2025-11-30 13:02:24.337384848 +0100 ++++ dovecot-2.4.2/src/lib-http/http-server-connection.c 2025-11-30 13:03:14.477064608 +0100 +@@ -1066,7 +1066,7 @@ http_server_connection_disconnect(struct + if (conn->incoming_payload != NULL) { + /* The stream is still accessed by lib-http caller. */ + i_stream_remove_destroy_callback(conn->incoming_payload, +- http_server_payload_destroyed); ++ (istream_callback_t *)http_server_payload_destroyed); + conn->incoming_payload = NULL; + } + if (conn->payload_handler != NULL) +diff -up dovecot-2.4.2/src/lib-http/http-client-connection.c.fixbuild dovecot-2.4.2/src/lib-http/http-client-connection.c +--- dovecot-2.4.2/src/lib-http/http-client-connection.c.fixbuild 2025-11-30 12:57:42.670247695 +0100 ++++ dovecot-2.4.2/src/lib-http/http-client-connection.c 2025-11-30 13:00:54.862436490 +0100 +@@ -832,7 +832,7 @@ void http_client_connection_request_dest + is closed and we don't care about it anymore, so act as though it is + destroyed. */ + i_stream_remove_destroy_callback(payload, +- http_client_payload_destroyed); ++ (istream_callback_t *)http_client_payload_destroyed); + http_client_payload_destroyed(req); + } + +@@ -888,7 +888,7 @@ http_client_connection_return_response(s + if (response->payload != NULL) { + i_stream_remove_destroy_callback( + conn->incoming_payload, +- http_client_payload_destroyed); ++ (istream_callback_t *)http_client_payload_destroyed); + i_stream_unref(&conn->incoming_payload); + connection_input_resume(&conn->conn); + } +@@ -1731,7 +1731,7 @@ http_client_connection_disconnect(struct + if (conn->incoming_payload != NULL) { + /* The stream is still accessed by lib-http caller. */ + i_stream_remove_destroy_callback(conn->incoming_payload, +- http_client_payload_destroyed); ++ (istream_callback_t *)http_client_payload_destroyed); + conn->incoming_payload = NULL; + } + +diff -up dovecot-2.4.2/src/lib-storage/index/index-mail.c.fixbuild2 dovecot-2.4.2/src/lib-storage/index/index-mail.c +--- dovecot-2.4.2/src/lib-storage/index/index-mail.c.fixbuild2 2025-11-30 13:48:46.658539149 +0100 ++++ dovecot-2.4.2/src/lib-storage/index/index-mail.c 2025-11-30 13:49:47.178158024 +0100 +@@ -1840,7 +1840,7 @@ static void index_mail_close_streams_ful + allowed to have references until the mail is closed + (but we can't really check that) */ + i_stream_remove_destroy_callback(data->stream, +- index_mail_stream_destroy_callback); ++ (istream_callback_t *)index_mail_stream_destroy_callback); + } + i_stream_unref(&data->stream); + /* there must be no references to the mail when the diff --git a/dovecot.spec b/dovecot.spec index 9937b17..11efa4b 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -4,9 +4,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.4.1 -%global prever -4 -Release: 8%{?dist} +Version: 2.4.2 +%global prever %{nil} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -47,10 +47,7 @@ Patch18: dovecot-2.3.15-valbasherr.patch # Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes Patch23: dovecot-2.4.1-nolibotp.patch -Patch24: dovecot-2.4.1-gssapi.patch -#from upstream, for <= 2.4.1, rhbz#2402122 -#https://github.com/dovecot/core/compare/a70ce7d3e2f983979e971414c5892c4e30197231%5E...34caed79b76a7b82a2a9c94cf35371bec6c2b826.patch -Patch25: dovecot-2.4.1-cve-2025-30189.patch +Patch24: dovecot-2.4.2-fixbuild.patch BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig @@ -156,8 +153,7 @@ mv dovecot-pigeonhole-%{pigeonholever} dovecot-pigeonhole %patch -P 17 -p2 -b .fixvalcond %patch -P 18 -p1 -b .valbasherr %patch -P 23 -p2 -b .nolibotp -%patch -P 24 -p1 -b .gssapi -%patch -P 25 -p1 -b .cve-2025-30189 +%patch -P 24 -p1 -b .fixbuild cp run-test-valgrind.supp dovecot-pigeonhole/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude @@ -168,6 +164,8 @@ echo >src/auth/mech-otp-common.c echo >src/auth/mech-otp-common.h echo >src/auth/mech-otp.c echo >src/lib-auth/password-scheme-otp.c +echo >src/lib-sasl/sasl-server-mech-otp.c +echo >src/lib-sasl/dsasl-client-mech-otp.c pushd src/lib-otp for f in *.c *.h do @@ -360,7 +358,8 @@ fi # some aarch64 tests timeout, skip for now make check cd dovecot-pigeonhole -make check +# FIXME: make check will fail as it requires doveconf to be already installed at /usr/bin/doveconf +make check ||: %endif %files @@ -404,6 +403,7 @@ make check %{_libdir}/dovecot/auth/libauthdb_lua.so %endif %{_libdir}/dovecot/auth/libmech_gssapi.so +%{_libdir}/dovecot/auth/libmech_gss_spnego.so %{_libdir}/dovecot/auth/libdriver_sqlite.so %{_libdir}/dovecot/dict/libdriver_sqlite.so %{_libdir}/dovecot/dict/libdict_ldap.so @@ -479,6 +479,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Sun Nov 30 2025 Michal Hlavinka - 1:2.4.2-1 +- updated to 2.4.2 (#2411846) + * Wed Nov 05 2025 Michal Hlavinka - 1:2.4.1-8 - update patch for CVE-2025-30189 diff --git a/sources b/sources index 490e720..54fc50d 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.4.1-4.tar.gz) = 4915e9282898a4bce4dc3c9781f9aa849e8a2d5bb89dffc2222b417560eaa0135d66342ef342098a86dd5e9b4e76d41145381b7264144411cf45a6f88ca36698 -SHA512 (dovecot-pigeonhole-2.4.1-4.tar.gz) = 47b9cc62b13d710123389c47d13c104e70b815d683dc6b957e86b57b2f175101d07f462d0fdb0488d6dcdcfbbc137c926825ba9a0d798551576aa7f3c9082100 +SHA512 (dovecot-2.4.2.tar.gz) = 0524695341abe711d3a811c56156889d6fef7a09becc684c6f1dc1e5add605969ca8794eb7d44bfbc49f70515f22e8640b5828443addecfe4798fb8b174670ae +SHA512 (dovecot-pigeonhole-2.4.2.tar.gz) = 82c46c7ac2792aa5c211c8b66309f9f21c05ecd2fa8ab3abf98fb4e05831fd37aaa3edffcfbe1b3defbb9ac8ef9df1c33ece83cf7524e8b226c4deab8c250134