dovecot updated to 2.3.10.1

fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957

dovecot-2.3.4-de42b54.patch

@@ -1,69 +0,0 @@
-diff --git a/src/lib-master/test-event-stats.c b/src/lib-master/test-event-stats.c
-index 8fcb3dd22d..2d8a13cd40 100644
---- a/src/lib-master/test-event-stats.c
-+++ b/src/lib-master/test-event-stats.c
-@@ -344,7 +344,7 @@ static void test_no_merging2(void)
- 	event_unref(&child_ev);
- 	test_assert(
- 		compare_test_stats_to(
--			"EVENT	%lu	1	0	0"
-+			"EVENT	%"PRIu64"	1	0	0"
- 			"	stest-event-stats.c	%d"
- 			"	l0	0	ctest2\n", id, l));
- 	test_end();
-@@ -370,12 +370,12 @@ static void test_no_merging3(void)
- 	event_unref(&child_ev);
- 	test_assert(
- 		compare_test_stats_to(
--			"BEGIN	%lu	0	1	0	0"
-+			"BEGIN	%"PRIu64"	0	1	0	0"
- 			"	stest-event-stats.c	%d	ctest1\n"
--			"EVENT	%lu	1	1	0"
-+			"EVENT	%"PRIu64"	1	1	0"
- 			"	stest-event-stats.c	%d"
- 			"	l1	0	ctest2\n"
--			"END\t%lu\n", idp, lp, idp, l, idp));
-+			"END\t%"PRIu64"\n", idp, lp, idp, l, idp));
- 	test_end();
- }
- 
-@@ -435,7 +435,7 @@ static void test_merge_events2(void)
- 	event_unref(&merge_ev2);
- 	test_assert(
- 		compare_test_stats_to(
--			"EVENT	%lu	1	0	0"
-+			"EVENT	%"PRIu64"	1	0	0"
- 			"	stest-event-stats.c	%d	l0	0"
- 			"	ctest3	ctest2	ctest1	Tkey3"
- 			"	10	0	Ikey2	20"
-@@ -467,11 +467,11 @@ static void test_skip_parents(void)
- 	event_unref(&child_ev);
- 	test_assert(
- 		compare_test_stats_to(
--			"BEGIN	%lu	0	1	0	0"
-+			"BEGIN	%"PRIu64"	0	1	0	0"
- 			"	stest-event-stats.c	%d	ctest1\n"
--			"EVENT	%lu	1	3	0	"
-+			"EVENT	%"PRIu64"	1	3	0	"
- 			"stest-event-stats.c	%d	l3	0"
--			"	ctest2\nEND\t%lu\n", id, lp, id, l, id));
-+			"	ctest2\nEND\t%"PRIu64"\n", id, lp, id, l, id));
- 	test_end();
- }
- 
-@@ -509,12 +509,12 @@ static void test_merge_events_skip_parents(void)
- 	event_unref(&child2_ev);
- 	test_assert(
- 		compare_test_stats_to(
--			"BEGIN	%lu	0	1	0	0"
-+			"BEGIN	%"PRIu64"	0	1	0	0"
- 			"	stest-event-stats.c	%d	ctest1\n"
--			"EVENT	%lu	1	3	0	"
-+			"EVENT	%"PRIu64"	1	3	0	"
- 			"stest-event-stats.c	%d	l3	0	"
- 			"ctest4	ctest5	Tkey3	10	0	Skey4"
--			"	str4\nEND\t%lu\n", id, lp, id, l, id));
-+			"	str4\nEND\t%"PRIu64"\n", id, lp, id, l, id));
- 	test_end();
- }
- 

dovecot.spec

@@ -3,9 +3,9 @@
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.4
+Version: 2.3.10.1
 %global prever %{nil}
-Release: 3%{?dist}
+Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
 
@@ -13,7 +13,7 @@ URL: http://www.dovecot.org/
 Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
-%global pigeonholever 0.5.4
+%global pigeonholever 0.5.10
 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd
@@ -32,7 +32,6 @@ Patch6: dovecot-2.1.10-waitonline.patch
 Patch8: dovecot-2.2.20-initbysystemd.patch
 Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
 Patch10: dovecot-2.3.0.1-libxcrypt.patch
-Patch11: dovecot-2.3.4-de42b54.patch
 
 Source15: prestartscript
 
@@ -51,7 +50,10 @@ BuildRequires: openldap-devel
 BuildRequires: krb5-devel
 BuildRequires: quota-devel
 BuildRequires: xz-devel
+BuildRequires: lz4-devel
 BuildRequires: libsodium-devel
+BuildRequires: libexttextcat-devel
+BuildRequires: libstemmer-devel
 
 # gettext-devel is needed for running autoconf because of the
 # presence of AM_ICONV
@@ -88,7 +90,7 @@ BuildRequires: curl-devel expat-devel
 BuildRequires: libcurl-devel expat-devel
 %endif
 
-%global restart_flag /var/run/%{name}/%{name}-restart-after-rpm-install
+%global restart_flag /run/%{name}/%{name}-restart-after-rpm-install
 
 %description
 Dovecot is an IMAP server for Linux/UNIX-like systems, written with security 
@@ -132,7 +134,6 @@ This package provides the development files for dovecot.
 %patch8 -p1 -b .initbysystemd
 %patch9 -p1 -b .systemd_w_protectsystem
 #%patch10 -p1 -b .libxcrypt
-%patch11 -p1 -b .de42b54
 
 #pushd dovecot-2*3-pigeonhole-%{pigeonholever}
 #popd
@@ -141,7 +142,7 @@ sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src
 %build
 #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules
 %global _hardened_build 1
-export CFLAGS="%{__global_cflags} -fno-strict-aliasing"
+export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none"
 export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"
 # el6 autoconf too old to regen; use packaged files (#1082384)
 %if %{?fedora}00%{?rhel} > 6
@@ -243,7 +244,7 @@ install -p -D -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initddir}/dovecot
 install -p -D -m 600 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/dovecot
 %endif
 
-mkdir -p $RPM_BUILD_ROOT/var/run/dovecot/{login,empty,token-login}
+mkdir -p $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login}
 
 # Install dovecot configuration and dovecot-openssl.cnf
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d
@@ -300,11 +301,11 @@ then
 %endif
 fi
 
-install -d -m 0755 -g dovecot -d /var/run/dovecot
-install -d -m 0755 -d /var/run/dovecot/empty
-install -d -m 0750 -g dovenull -d /var/run/dovecot/login
-install -d -m 0755 -g dovenull -d /var/run/dovecot/token-login
-[ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot
+install -d -m 0755 -g dovecot -d /run/dovecot
+install -d -m 0755 -d /run/dovecot/empty
+install -d -m 0750 -g dovenull -d /run/dovecot/login
+install -d -m 0750 -g dovenull -d /run/dovecot/token-login
+[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot
 
 %preun
 if [ $1 = 0 ]; then
@@ -315,7 +316,7 @@ if [ $1 = 0 ]; then
     /sbin/service %{name} stop > /dev/null 2>&1
     /sbin/chkconfig --del %{name}
 %endif
-    rm -rf /var/run/dovecot
+    rm -rf /run/dovecot
 fi
 
 %postun
@@ -356,6 +357,7 @@ make check
 %{_bindir}/doveadm
 %{_bindir}/doveconf
 %{_bindir}/dsync
+%{_bindir}/dovecot-sysreport
 
 
 %if %{?fedora}0 > 140 || %{?rhel}0 > 60
@@ -438,7 +440,11 @@ make check
 %{_libexecdir}/%{name}
 %exclude %{_libexecdir}/%{name}/managesieve*
 
-%ghost /var/run/dovecot
+%dir %attr(0755,root,dovecot) %ghost /run/dovecot
+%attr(0750,root,dovenull) %ghost /run/dovecot/login
+%attr(0750,root,dovenull) %ghost /run/dovecot/token-login
+%attr(0755,root,root) %ghost /run/dovecot/empty
+
 %attr(0750,dovecot,dovecot) /var/lib/dovecot
 
 %{_datadir}/%{name}
@@ -495,6 +501,68 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 
 %changelog
+* Mon May 18 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.10.1-1
+- dovecot updated to 2.3.10.1
+- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957
+
+* Tue Apr 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.10-1
+- dovecot updated to 2.3.10, pigeonhole updated to 0.5.10
+
+* Wed Feb 12 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9.3-1
+- dovecot updated to 2.3.9.3
+- fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS
+      submission-login and lmtp processes.
+- fixes CVE-2020-7957: Specially crafted mail can crash snippet generation.
+
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.9.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Dec 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9.2-1
+- CVE-2019-19722: Mails with group addresses in From or To fields
+  caused crash in push notification drivers.
+
+* Wed Dec 04 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9-1
+- dovecot updated to 2.3.9, pigeonhole updated to 0.5.9 
+
+* Thu Oct 10 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-1
+- dovecot updated to 2.3.8, pigeonhole 0.5.8
+
+* Thu Aug 29 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.7.2-1
+- dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2
+- fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
+  when scanning data in quoted strings, leading to out of bounds heap
+  memory writes
+
+* Mon Aug 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:1-2.3.7.1
+- dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.6-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri May 31 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-3
+- disable gcc 9 stack reuse temporarily
+
+* Mon May 13 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-2
+- use /run instead of /var/run (#1706372)
+
+* Thu May 02 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-1
+- dovecot updated to 2.3.6, pigeonhole updated to 0.5.6
+
+* Thu Apr 18 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5.2-1
+- dovecot updated to 2.3.5.2
+- fixes CVE-2019-10691: Trying to login with 8bit username containing
+  invalid UTF8 input causes auth process to crash if auth policy is enabled.
+
+* Thu Mar 28 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5.1-1
+- dovecot updated to 2.3.5.1
+- CVE-2019-7524: Missing input buffer size validation leads into
+  arbitrary buffer overflow when reading fts or pop3 uidl header
+  from Dovecot index.
+
+* Wed Mar 06 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5-1
+- dovecot updated to 2.3.5, pigeonhole updated to 0.5.5
+
 * Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.4-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 

dovecot.tmpfilesd

@@ -1,2 +1,2 @@
-d /var/run/dovecot 0755 root dovecot -
+d /run/dovecot 0755 root dovecot -
 

sources

@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.4.tar.gz) = 9e97eb08c319c417e8abcb430b3e6c87ed5aa820d6288656fdfd958ff34664f67202a66e4846763bfc85b309b116cea8012e49dab98b478c57974cc178a37a5a
-SHA512 (dovecot-2.3-pigeonhole-0.5.4.tar.gz) = 9c82cce7540f8ab66e2e370e0220c99048d6ac53ed680cd763e0b03d0200e2451cee4303ef97b87a16e7248e1c73b92ba91b47a2a20c75cb2cd62695a28046f3
+SHA512 (dovecot-2.3.10.1.tar.gz) = 5c07436a3e861993f241caa2c60f035c533c5fceb5c8540c1717d31bedd54b82299f7ea11bfee12c72d4d33985d93a7130c4f56877864a7ad21cf7373a29cc06
+SHA512 (dovecot-2.3-pigeonhole-0.5.10.tar.gz) = f3d380edba4d25d20ee52db21d2965e3a6b229924e9a04fbf45cfe32e1d25448977ee41b12ba41ad8cf8b795f19bb1dbef1d7d09e775598d782123268f61dc8b