dovecot updated to 2.2.33.2

doveadm: Fix crash in proxying (or dsync replication) if remote is
  running older than v2.2.33
auth: Fix memory leak in %{ldap_dn}
dict-sql: Fix data types to work correctly with Cassandra

.gitignore

@@ -103,3 +103,20 @@ pigeonhole-snap0592366457df.tar.bz2
 /dovecot-2.2.24.tar.gz
 /dovecot-2.2-pigeonhole-0.4.14.tar.gz
 /dovecot-2.2.25.tar.gz
+/dovecot-2.2.26.0.tar.gz
+/dovecot-2.2-pigeonhole-0.4.16.tar.gz
+/dovecot-2.2.27.tar.gz
+/dovecot-2.2.28.tar.gz
+/dovecot-2.2-pigeonhole-0.4.17.tar.gz
+/dovecot-2.2.29.tar.gz
+/dovecot-2.2.29.1.tar.gz
+/dovecot-2.2-pigeonhole-0.4.18.tar.gz
+/dovecot-2.2.30.1.tar.gz
+/dovecot-2.2.30.2.tar.gz
+/dovecot-2.2.31.tar.gz
+/dovecot-2.2-pigeonhole-0.4.19.tar.gz
+/dovecot-2.2.32.tar.gz
+/dovecot-2.2-pigeonhole-0.4.20.tar.gz
+/dovecot-2.2.33.1.tar.gz
+/dovecot-2.2-pigeonhole-0.4.21.tar.gz
+/dovecot-2.2.33.2.tar.gz

dovecot-1.0.rc7-mkcert-paths.patch

@@ -1,8 +1,9 @@
---- dovecot-1.0.rc7/doc/mkcert.sh.mkcert-paths	2006-10-04 11:34:46.000000000 +0200
-+++ dovecot-1.0.rc7/doc/mkcert.sh	2006-10-04 11:35:31.000000000 +0200
-@@ -4,8 +4,8 @@
- # Edit dovecot-openssl.cnf before running this.
+diff -up dovecot-2.2.27/doc/mkcert.sh.mkcert-paths dovecot-2.2.27/doc/mkcert.sh
+--- dovecot-2.2.27/doc/mkcert.sh.mkcert-paths	2016-12-05 10:26:07.913515286 +0100
++++ dovecot-2.2.27/doc/mkcert.sh	2016-12-05 10:28:25.439634417 +0100
+@@ -5,8 +5,8 @@
  
+ umask 077
  OPENSSL=${OPENSSL-openssl}
 -SSLDIR=${SSLDIR-/etc/ssl}
 -OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

dovecot-2.2.22-systemd_w_protectsystem.patch

@@ -1,12 +1,14 @@
-diff -up dovecot-2.2.22/dovecot.service.in.systemd_w_protectsystem dovecot-2.2.22/dovecot.service.in
---- dovecot-2.2.22/dovecot.service.in.systemd_w_protectsystem	2016-03-16 13:49:46.678894652 +0100
-+++ dovecot-2.2.22/dovecot.service.in	2016-03-16 13:49:46.690894592 +0100
-@@ -33,7 +33,7 @@ ExecStop=@bindir@/doveadm stop
+diff -up dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem dovecot-2.2.28/dovecot.service.in
+--- dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem	2017-02-27 10:00:14.647423500 +0100
++++ dovecot-2.2.28/dovecot.service.in	2017-02-27 10:02:18.051377067 +0100
+@@ -20,8 +20,8 @@ ExecReload=@bindir@/doveadm reload
+ ExecStop=@bindir@/doveadm stop
  PrivateTmp=true
  NonBlocking=yes
- # Enable this if your systemd is new enough to support it:
+-# Enable this if your systemd is new enough to support it:
 -#ProtectSystem=full
++# Enable this if your systemd is new enough to support it: (it will make /usr /boot /etc read only for dovecot)
 +ProtectSystem=full
  
- [Install]
- WantedBy=multi-user.target
+ # You can add environment variables with e.g.:
+ #Environment='CORE_OUTOFMEM=1'

dovecot.spec

@@ -3,7 +3,7 @@
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.2.25
+Version: 2.2.33.2
 %global prever %{nil}
 Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
@@ -14,7 +14,7 @@ URL: http://www.dovecot.org/
 Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
-%global pigeonholever 0.4.14
+%global pigeonholever 0.4.21
 Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd
@@ -45,6 +45,7 @@ BuildRequires: openldap-devel
 BuildRequires: krb5-devel
 BuildRequires: quota-devel
 BuildRequires: xz-devel
+BuildRequires: tcp_wrappers-devel
 
 # gettext-devel is needed for running autoconf because of the
 # presence of AM_ICONV
@@ -129,6 +130,7 @@ This package provides the development files for dovecot.
 %patch7 -p1 -b .online
 %patch8 -p1 -b .initbysystemd
 %patch9 -p1 -b .systemd_w_protectsystem
+
 #pushd dovecot-2*2-pigeonhole-%{pigeonholever}
 #popd
 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
@@ -140,6 +142,7 @@ export CFLAGS="%{__global_cflags} -fno-strict-aliasing"
 export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"
 # el6 autoconf too old to regen; use packaged files (#1082384)
 %if %{?fedora}00%{?rhel} > 6
+mkdir -p m4
 autoreconf -I . -fiv #required for aarch64 support
 %endif
 %configure                       \
@@ -158,6 +161,7 @@ autoreconf -I . -fiv #required for aarch64 support
     --with-sqlite                \
     --with-zlib                  \
     --with-libcap                \
+    --with-libwrap               \
 %if %{?fedora}0 > 150 || %{?rhel}0 >60
     --with-lucene                \
 %endif
@@ -404,9 +408,10 @@ make check
 %{_libdir}/dovecot/doveadm
 %exclude %{_libdir}/dovecot/doveadm/*sieve*
 %{_libdir}/dovecot/*.so.*
-#these (*.so files) are plugins, not a devel files
+#these (*.so files) are plugins, not devel files
 %{_libdir}/dovecot/*_plugin.so
 %exclude %{_libdir}/dovecot/*_sieve_plugin.so
+%{_libdir}/dovecot/auth/lib20_auth_var_expand_crypt.so
 %{_libdir}/dovecot/auth/libauthdb_imap.so
 %{_libdir}/dovecot/auth/libauthdb_ldap.so
 %{_libdir}/dovecot/auth/libmech_gssapi.so
@@ -418,7 +423,11 @@ make check
 %{_libdir}/dovecot/libdriver_sqlite.so
 %{_libdir}/dovecot/libssl_iostream_openssl.so
 %{_libdir}/dovecot/libfs_compress.so
+%{_libdir}/dovecot/libfs_crypt.so
+%{_libdir}/dovecot/libfs_mail_crypt.so
 %{_libdir}/dovecot/libdcrypt_openssl.so
+%{_libdir}/dovecot/lib20_var_expand_crypt.so
+
 %dir %{_libdir}/dovecot/settings
 
 %{_libexecdir}/%{name}
@@ -481,6 +490,222 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 
 %changelog
+* Tue Oct 24 2017 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.33.2-1
+- dovecot updated to 2.2.33.2
+- doveadm: Fix crash in proxying (or dsync replication) if remote is
+  running older than v2.2.33
+- auth: Fix memory leak in %%{ldap_dn}
+- dict-sql: Fix data types to work correctly with Cassandra
+
+* Wed Oct 18 2017 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.33.1-1
+- dovecot updated to 2.2.33.1, pigeonhole updated to 
+- Added %{if}, see https://wiki2.dovecot.org/Variables#Conditionals
+- sdbox: Mails were always opened when expunging, unless
+  mail_attachment_fs was explicitly set to empty.
+- lmtp/doveadm proxy: hostip passdb field was ignored, which caused
+  unnecessary DNS lookups if host field wasn't an IP
+- lmtp proxy: Fix crash when receiving unexpected reply in RCPT TO
+- quota_clone: Update also when quota is unlimited (broken in v2.2.31)
+- mbox, zlib: Fix assert-crash when accessing compressed mbox
+- doveadm director kick -f parameter didn't work
+- doveadm director flush <host> resulted flushing all hosts, if <host>
+  wasn't an IP address.
+- director: Various fixes to handling backend/director changes at
+   abnormal times, especially while ring was unsynced.
+- director: Use less CPU in imap-login processes when moving/kicking
+  many users.
+- lmtp: Session IDs were duplicated/confusing with multiple RCPT TOs
+  when lmtp_rcpt_check_quota=yes
+- LDA Sieve plugin: Fixed sequential execution of LDAP-based scripts. A
+  missing LDAP-based script could cause the script sequence to exit earlier.
+- sieve-filter: Removed the (now) duplicate utf8 to mutf7 mailbox name
+  conversion. This caused problems with mailbox names containing UTF-8
+  characters. 
+
+* Mon Aug 28 2017 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.32-2
+- pigeonhole updated to 0.4.20
+- Made the retention period for redirect duplicate identifiers
+  configurable. Changed the default retention period from 24 to 12 hours.
+- sieve-filter: Fixed memory leak: forgot to clean up script binary at
+  end of execution
+- managesieve-login: Fixed handling of AUTHENTICATE command. A second
+  authenticate command would be parsed wrong.
+
+* Fri Aug 25 2017 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.32-1
+- dovecot updated to 2.2.32
+- Modseq tracking didn't always work correctly. This could have caused
+  imap unhibernation to fail or IMAP QRESYNC/CONDSTORE extensions to
+  not work perfectly.
+- mdbox: "Inconsistency in map index" wasn't fixed automatically
+- dict-ldap: %variable values used in the LDAP filter weren't escaped.
+- quota=count: quota_warning = -storage=.. was never executed (try #2).
+- imapc: >= 32 kB mail bodies were supposed to be cached for subsequent
+  FETCHes, but weren't.
+- quota-status service didn't support recipient_delimiter
+- acl: Don't access dovecot-acl-list files with acl_globals_only=yes
+- mail_location: If INDEX dir is set, mailbox deletion deletes its
+  childrens' indexes. 
+- director: v2.2.31 caused rapid reconnection loops to directors
+  that were down.
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.2.31-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.2.31-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Jul 11 2017 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.31-3
+- enable tcpwrap support (#1450587)
+
+* Tue Jul 04 2017 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.31-2
+- revert commit breaking NOTIFY support
+
+* Tue Jun 27 2017 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.31-1
+- dovecot updated to 2.2.31
+- Various fixes to handling mailbox listing. Especially related to
+  handling nonexistent autocreated/autosubscribed mailboxes and ACLs.
+- Global ACL file was parsed as if it was local ACL file. This caused
+  some of the ACL rule interactions to not work exactly as intended.
+- Using mail_sort_max_read_count may have caused very high CPU usage.
+- Message address parsing could have crashed on invalid input.
+- imapc_features=fetch-headers wasn't always working correctly and
+  caused the full header to be fetched.
+- imapc: Various bugfixes related to connection failure handling.
+- quota=count: quota_warning = -storage=.. was never executed
+- quota=count: Add support for "ns" parameter
+- dsync: Fix incremental syncing for mails that don't have Date or
+  Message-ID headers.
+- imap: Fix hang when client sends pipelined SEARCH +
+  EXPUNGE/CLOSE/LOGOUT.
+- oauth2: Token validation didn't accept empty server responses.
+- imap: NOTIFY command has been almost completely broken since the
+  beginning.
+- pigeonhole updated to 0.4.19
+- Fixed bug in handling of implicit keep in some cases.
+- include extension: Fixed segfault that (sometimes) occurred when the
+  global script location was left unconfigured.
+
+* Wed Jun 07 2017 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.30.2-1
+- dovecot updated to 2.2.30.2
+- auth: Multiple failed authentications within short time caused crashes
+- push-notification: OX driver crashed at deinit
+
+* Thu Jun 01 2017 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.30.1-1
+- dovecot updated to 2.2.30.1
+- More fixes to automatically fix corruption in dovecot.list.index
+- dsync-server: Fix support for dsync_features=empty-header-workaround
+- imapc: Various bugfixes, including infinite loops on some errors
+- IMAP NOTIFY wasn't working for non-INBOX if IMAP client hadn't
+  enabled modseq tracking via CONDSTORE/QRESYNC.
+- fts-lucene: Fix it to work again with mbox format
+- Some internal error messages may have contained garbage in v2.2.29
+- mail-crypt: Re-encrypt when copying/moving mails and per-mailbox keys
+  are used. Otherwise the copied mails can't be opened.
+
+* Wed Apr 12 2017 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.29.1-1
+- dovecot updated to 2.2.29.1
+- dict-sql: Merging multiple UPDATEs to a single statement wasn't
+  actually working.
+- pigeonhole updated to 0.4.18
+- imapsieve plugin: Implemented the copy_source_after rule action. When this
+  is enabled for a mailbox rule, the specified Sieve script is executed for
+  the message in the source mailbox during a "COPY" event. This happens only
+  after the Sieve script that is executed for the corresponding message in the
+  destination mailbox finishes running successfully.
+- imapsieve plugin: Added non-standard Sieve environment items for the source
+  and destination mailbox.
+- multiscript: The execution of the discard script had an implicit "keep",
+  rather than an implicit "discard". 
+
+* Tue Apr 11 2017 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.29-1
+- dovecot updated to 2.2.29
+- fts-tika: Fixed crash when parsing attachment without
+  Content-Disposition header. Broken by 2.2.28.
+- trash plugin was broken in 2.2.28
+- auth: When passdb/userdb lookups were done via auth-workers, too much
+  data was added to auth cache. This could have resulted in wrong
+  replies when using multiple passdbs/userdbs.
+- auth: passdb { skip & mechanisms } were ignored for the first passdb
+- oauth2: Various fixes, including fixes to crashes
+- dsync: Large Sieve scripts (or other large metadata) weren't always
+  synced.
+- Index rebuild (e.g. doveadm force-resync) set all mails as \Recent
+- imap-hibernate: %{userdb:*} wasn't expanded in mail_log_prefix
+- doveadm: Exit codes weren't preserved when proxying commands via
+  doveadm-server. Almost all errors used exit code 75 (tempfail).
+- ACLs weren't applied to not-yet-existing autocreated mailboxes.
+- Fixed a potential crash when parsing a broken message header.
+- cassandra: Fallback consistency settings weren't working correctly.
+- doveadm director status <user>: "Initial config" was always empty
+- imapc: Various reconnection fixes.
+
+* Mon Feb 27 2017 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.28-1
+- dovecot updated to 2.2.28, pigeonhole to 0.4.17
+- auth: Support OAUTHBEARER and XOAUTH2 mechanisms. Also support them
+  in lib-dsasl for client side.
+- imap: SEARCH/SORT may have assert-crashed in
+  client_check_command_hangs
+- imap: FETCH X-MAILBOX may have assert-crashed in virtual mailboxes.
+- search: Using NOT n:* or NOT UID n:* wasn't handled correctly
+- fts: fts_autoindex_exclude = \Special-use caused crashes
+- doveadm-server: Fix leaks and other problems when process is reused
+  for multiple requests (service_count != 1)
+- sdbox: Fix assert-crash on mailbox create race
+- lda/lmtp: deliver_log_format values weren't entirely correct if Sieve
+  was used. especially %{storage_id} was broken.
+- imapsieve plugin: Fixed assert failure occurring when used with virtual
+  mailboxes.
+- doveadm sieve plugin: Fixed crash when setting Sieve script via attribute's
+  string value.
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.2.27-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Dec 14 2016 Than Ngo <than@redhat.com> - 1:2.2.27-2
+- fixed bz#1403760, big endian issue
+
+* Mon Dec 05 2016 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.27-1
+- Fixed crash in auth process when auth-policy was configured and
+  authentication was aborted/failed without a username set.
+- director: If two users had different tags but the same hash,
+  the users may have been redirected to the wrong tag's hosts.
+- Index files may have been thought incorrectly lost, causing
+  "Missing middle file seq=.." to be logged and index rebuild.
+  This happened more easily with IMAP hibernation enabled.
+- Various fixes to restoring state correctly in un-hibernation.
+- dovecot.index files were commonly 4 bytes per email too large. This
+  is because 3 bytes per email were being wasted that could have been
+  used for IMAP keywords.
+- Various fixes to handle dovecot.list.index corruption better.
+- lib-fts: Fixed assert-crash in address tokenizer with specific input.
+- Fixed assert-crash in HTML to text parsing with specific input
+  (e.g. for FTS indexing or snippet generation)
+- doveadm sync -1: Fixed handling mailbox GUID conflicts.
+- sdbox, mdbox: Perform full index rebuild if corruption is detected
+  inside lib-index, which runs index fsck.
+- quota: Don't skip quota checks when moving mails between different
+  quota roots.
+- search: Multiple sequence sets or UID sets in search parameters
+  weren't handled correctly. They were incorrectly merged together.
+
+* Fri Dec 02 2016 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.26.0-2
+- fix remote crash when auth-policy component is activated (CVE-2016-8652,#1401025)
+
+* Mon Oct 31 2016 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.26.0-1
+- dovecot updated to 2.2.26.0, pigeonhole updated to 0.4.16
+- master process's listener socket was leaked to all child processes.
+  This might have allowed untrusted processes to capture and prevent
+  "doveadm service stop" comands from working.
+- login proxy: Fixed crash when outgoing SSL connections were hanging.
+- auth: userdb fields weren't passed to auth-workers, so %{userdb:*}
+  from previous userdbs didn't work there.
+- auth: Fixed auth_bind=yes + sasl_bind=yes to work together
+- lmtp: %{userdb:*} variables didn't work in mail_log_prefix
+- Fixed writing >2GB to iostream-temp files (used by fs-compress,
+  fs-metawrap, doveadm-http)
+- fts-solr: Fixed searching multiple mailboxes
+- and more...
+
 * Mon Jul 04 2016 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.25-1
 - dovecot updated to 2.2.25
 - doveadm backup was sometimes deleting entire mailboxes unnecessarily.

sources

@@ -1,2 +1,2 @@
-8f62ea76489c47c369cbbe0b19818448  dovecot-2.2.25.tar.gz
-27e47fb731f2948d6905b12b6184705f  dovecot-2.2-pigeonhole-0.4.14.tar.gz
+SHA512 (dovecot-2.2.33.2.tar.gz) = 028910a4d02b1630f1ada4d1c45fcc3ea2057969db7078a78d46e2a578b4dceaf8be0ac8de4a613b4890019e721871f2d366ec651db658da4cc72977d3e09931
+SHA512 (dovecot-2.2-pigeonhole-0.4.21.tar.gz) = 4751f449ede1b05173c706b414ebf9f7f670ff78589ce6f0b687c32c9abe6dae8b3064ed1b20e893d9ec0147b0139ce479e1d74ebe94747c33f2d8ca177912de