From b8511773eb9e591f5e28427daafe2cf6a1c98c2d Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 3 Nov 2020 06:53:21 -0500
Subject: [PATCH] import cyrus-imapd-3.0.7-19.el8
---
 .cyrus-imapd.metadata | 1 +
 .gitignore | 1 +
 SOURCES/cyrus-imapd-CVE-2019-18928.patch | 30 ++++
 SOURCES/cyrus-imapd-CVE-2019-19783.patch | 13 ++
 SOURCES/cyrus-imapd-init.service | 3 +-
 SPECS/cyrus-imapd.spec | 220 +++--------------------
 6 files changed, 69 insertions(+), 199 deletions(-)
 create mode 100644 SOURCES/cyrus-imapd-CVE-2019-18928.patch
 create mode 100644 SOURCES/cyrus-imapd-CVE-2019-19783.patch
diff --git a/.cyrus-imapd.metadata b/.cyrus-imapd.metadata
index 86adb1e..38fde1b 100644
--- a/.cyrus-imapd.metadata
+++ b/.cyrus-imapd.metadata
@@ -1,3 +1,4 @@
+b537ecfca22df8a41f53d07d88d9547a1cb63d7d SOURCES/CHANGES.rpm
 e39754f688d98ac0040df85e8850a2e330c6235d SOURCES/README.rpm
 b3157c127c9cc404ecb2672e0eb4f18cac2a2a73 SOURCES/cassandane-00bfe01.tar.gz
 fdbc28a259af65792e23ce8da16faf323039139c SOURCES/cassandane-testdata-20170523.tar.gz
diff --git a/.gitignore b/.gitignore
index 0ca6d2b..4354db9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+SOURCES/CHANGES.rpm
 SOURCES/README.rpm
 SOURCES/cassandane-00bfe01.tar.gz
 SOURCES/cassandane-testdata-20170523.tar.gz
diff --git a/SOURCES/cyrus-imapd-CVE-2019-18928.patch b/SOURCES/cyrus-imapd-CVE-2019-18928.patch
new file mode 100644
index 0000000..b5f2cb0
--- /dev/null
+++ b/SOURCES/cyrus-imapd-CVE-2019-18928.patch
@@ -0,0 +1,30 @@
+diff --git a/imap/httpd.c b/imap/httpd.c
+index 5dcf38dc4..d2fdeb945 100644
+--- a/imap/httpd.c
++++ b/imap/httpd.c
+@@ -1729,6 +1729,25 @@ static int examine_request(struct transaction_t *txn)
+ txn->auth_chal.scheme = NULL;
+ }
+
++ /* Drop auth credentials, if not a backend in a Murder */
++ else if (!config_mupdate_server || !config_getstring(IMAPOPT_PROXYSERVERS)) {
++ syslog(LOG_DEBUG, "drop auth creds");
++
++ free(httpd_userid);
++ httpd_userid = NULL;
++
++ free(httpd_extrafolder);
++ httpd_extrafolder = NULL;
++
++ free(httpd_extradomain);
++ httpd_extradomain = NULL;
++
++ if (httpd_authstate) {
++ auth_freestate(httpd_authstate);
++ httpd_authstate = NULL;
++ }
++ }
++
+ /* Perform proxy authorization, if necessary */
+ else if (saslprops.authid &&
+ (hdr = spool_getheader(txn->req_hdrs, "Authorize-As")) &&
diff --git a/SOURCES/cyrus-imapd-CVE-2019-19783.patch b/SOURCES/cyrus-imapd-CVE-2019-19783.patch
new file mode 100644
index 0000000..ff8a626
--- /dev/null
+++ b/SOURCES/cyrus-imapd-CVE-2019-19783.patch
@@ -0,0 +1,13 @@
+diff --git a/imap/lmtp_sieve.c b/imap/lmtp_sieve.c
+index 4c3bbc3..d0abdd3 100644
+--- a/imap/lmtp_sieve.c
++++ b/imap/lmtp_sieve.c
+@@ -999,7 +999,7 @@ static int autosieve_createfolder(const char *userid, const struct auth_state *a
+ if (createsievefolder) {
+ /* Folder is already in internal namespace format */
+ r = mboxlist_createmailbox(internalname, 0, NULL,
+- 1, userid, auth_state, 0, 0, 0, 1, NULL);
++ 0, userid, auth_state, 0, 0, 0, 1, NULL);
+ if (!r) {
+ mboxlist_changesub(internalname, userid, auth_state, 1, 1, 1);
+ syslog(LOG_DEBUG, "autosievefolder: User %s, folder %s creation succeeded",
diff --git a/SOURCES/cyrus-imapd-init.service b/SOURCES/cyrus-imapd-init.service
index e7a2611..07909aa 100644
--- a/SOURCES/cyrus-imapd-init.service
+++ b/SOURCES/cyrus-imapd-init.service
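Review bot: The new credential-dropping `else if` in `examine_request` sits ahead of the `Authorize-As` branch in the same chain, so whenever `config_mupdate_server` or the `proxyservers` option is unset and the chain reaches it, the proxy-authorization branch below is never evaluated. That looks deliberate, but the one-line comment says what is dropped and not why; if it matches the intent, something like `/* A non-Murder server must not carry an authenticated identity over from an earlier request on this connection */` would make the security reason reviewable. The opening `if` of the chain is outside the hunk, so the exact condition under which this branch runs should be confirmed against the full function. The patch file also begins directly at `diff --git` with no upstream commit reference, which makes the backport harder to audit.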
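Review bot: The whole fix in `autosieve_createfolder` is the fourth argument of `mboxlist_createmailbox()` changing from `1` to `0`, and neither the call nor the patch file says what that positional literal means. In the upstream prototype that slot is, as far as I can tell, the `isadmin` flag, so a comment on the call would record the intent: `/* isadmin=0: create the folder with the recipient's rights, not as admin */`. The function starts and ends outside the hunk, so how `userid` and `auth_state` are obtained should be checked against the full source.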
@@ -7,5 +7,6 @@ ConditionPathExists=!/etc/pki/cyrus-imapd/cyrus-imapd-ca.pem [Service] Type=oneshot +Group=mail RemainAfterExit=no -ExecStart=/usr/bin/sscg --package cyrus-imapd --cert-file /etc/pki/cyrus-imapd/cyrus-imapd.pem --cert-key-file /etc/pki/cyrus-imapd/cyrus-imapd-key.pem --ca-file /etc/pki/cyrus-imapd/cyrus-imapd-ca.pem +ExecStart=/usr/bin/sscg --package cyrus-imapd --cert-file /etc/pki/cyrus-imapd/cyrus-imapd.pem --cert-key-file /etc/pki/cyrus-imapd/cyrus-imapd-key.pem --ca-file /etc/pki/cyrus-imapd/cyrus-imapd-ca.pem --cert-key-mode=0640 diff --git a/SPECS/cyrus-imapd.spec b/SPECS/cyrus-imapd.spec index a5e2b21..c2c2d6e 100644 --- a/SPECS/cyrus-imapd.spec +++ b/SPECS/cyrus-imapd.spec @@ -9,9 +9,9 @@ Name: cyrus-imapd Version: 3.0.7 -Release: 16%{?dist} +Release: 19%{?dist} -%define ssl_pem_file /etc/pki/%name/%name.pem +%define ssl_pem_file_prefix /etc/pki/%name/%name # UID/GID 76 have long been reserved for Cyrus %define uid 76 @@ -25,6 +25,7 @@ Summary: A high-performance email, contacts and calendar server License: BSD URL: http://www.cyrusimap.org/ Source0: http://www.cyrusimap.org/releases/%name-%version.tar.gz +Source1: CHANGES.rpm # Adapt a timeout to handle our slower builders Patch0: patch-cyrus-testsuite-timeout @@ -43,6 +44,8 @@ Patch5: cyrus-imapd-memory_leak_on_cleanup.patch Patch6: cyrus-imapd-memory_leak_on_cleanup_2.patch Patch7: cyrus-imapd-close_backup_fd_on_error.patch Patch8: cyrus-imapd-cve_2019_11356.patch +Patch9: cyrus-imapd-CVE-2019-19783.patch +Patch10: cyrus-imapd-CVE-2019-18928.patch Source10: cyrus-imapd.logrotate Source11: cyrus-imapd.pam-config @@ -217,6 +220,7 @@ IMAP server. echo %version > VERSION # Install the Fedora-specific documentation file +install -m 644 %SOURCE1 doc/ install -m 644 %SOURCE16 doc/ # Unpack and prepare cassandane 
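Review bot: `Group=mail` hard-codes the group name in the unit, while the spec's `%files` entries for the same generated files use the `%cyrusgroup` macro, so the two can drift apart if the macro is ever redefined. Combined with `--cert-key-mode=0640`, the private key becomes readable by every member of that group, which is presumably wider than the Cyrus daemons alone. A comment in the unit such as `# key is created root:mail 0640 so the cyrus daemons can read it` would record that this is deliberate. No `User=` line is visible in the hunk, so root ownership of the generated files is inferred rather than shown.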
@@ -411,9 +415,6 @@ find %buildroot/%_libdir/perl5/ -type f -name "*.so" -exec chmod 755 {} \; sed -e 's/^ *//' -e 's/-nosync//' -e 's/ *$//' -e 's/"/=/' echo sieve_version=2.2.3 ) | sort > %buildroot/%_datadir/%name/rpm/db.cfg -# create the ghost pem file -touch %buildroot/%ssl_pem_file - # Cyrus has various files with extremely conflicting names. Some of these are # not unexpected ("imapd" itself) but some like "httpd" are rather surprising. @@ -589,7 +590,7 @@ getent passwd cyrus >/dev/null || /usr/sbin/useradd -c "Cyrus IMAP Server" -d /v %files %license COPYING -%doc README.md doc/README.* doc/examples doc/text +%doc README.md doc/README.* doc/examples doc/text doc/CHANGES.rpm %_datadir/cyrus-imapd %_libdir/libcyrus*.so.* @@ -597,8 +598,9 @@ getent passwd cyrus >/dev/null || /usr/sbin/useradd -c "Cyrus IMAP Server" -d /v %_mandir/man8/* %dir /etc/pki/cyrus-imapd -%attr(0640,root,%cyrusgroup) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %ssl_pem_file - +%attr(0644,root,%cyrusgroup) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %ssl_pem_file_prefix-ca.pem +%attr(0644,root,%cyrusgroup) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %ssl_pem_file_prefix.pem +%attr(0640,root,%cyrusgroup) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %ssl_pem_file_prefix-key.pem %config(noreplace) /etc/cyrus.conf %config(noreplace) /etc/imapd.conf @@ -675,6 +677,16 @@ getent passwd cyrus >/dev/null || /usr/sbin/useradd -c "Cyrus IMAP Server" -d /v %changelog +* Thu Apr 23 2020 Pavel Zhukov - 3.0.7-19 +- change ownership of pki files (#1710722) + +* Thu Apr 23 2020 Pavel Zhukov - 3.0.7-18 +- Move old changelog into separate file (#1671239) + +* Tue Apr 21 2020 Pavel Zhukov - 3.0.7-17 +- Add fix for CVE-2019-19783 +- Add fix for CVE-2019-18928 + * Fri Jun 7 2019 Pavel Zhukov - 3.0.7-16 - Resolves: #1718195 - don't overrun buffer when parsing strings with sscanf() 
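Review bot: The history file is shipped here as `doc/CHANGES.rpm` (installed from `Source1: CHANGES.rpm`), but the stub entry this commit adds at the end of `%changelog` points readers to `/usr/share/doc/cyrus-imapd/CHANGELOG.rpm`. One of the two names is wrong; assuming the `%doc` directory resolves to that path, the stub should read `- See /usr/share/doc/cyrus-imapd/CHANGES.rpm for more history`.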
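Review bot: The certificate and CA entries are declared `0644` and the key `0640`, yet the init unit changed in this commit pins only the key's mode with `--cert-key-mode=0640`; the other two modes depend on whatever `sscg` defaults to. Since `%verify(not md5 size mtime)` leaves the mode and ownership checks in place, a mismatch would show up as `rpm -V` differences, so I would pin the certificate and CA modes in the unit as well if the packaged sscg offers options for them. A comment above the three lines, e.g. `# cert and CA are public; only the key is restricted to root and %%cyrusgroup`, would explain why the modes differ.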
@@ -915,193 +927,5 @@ getent passwd cyrus >/dev/null || /usr/sbin/useradd -c "Cyrus IMAP Server" -d /v cert generation. - Change default conf to use the system crypto policy. -* Tue May 17 2016 Jitka Plesnikova - 2.4.18-3 -- Perl 5.24 rebuild - -* Wed Feb 03 2016 Fedora Release Engineering - 2.4.18-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Thu Oct 01 2015 Jason L Tibbitts III - 2.4.18-1 -- Update to 2.4.18, rhbz#1267871 and rhbz#1267878 -- Backport ff4e6c71d932b3e6bbfa67d76f095e27ff21bad0 to fix issues from - http://seclists.org/oss-sec/2015/q3/651 - -* Wed Sep 09 2015 Jason L Tibbitts III - 2.4.17-14 -- Use %%license tag -- Have -devel require the base package -- Minor cleanups - -* Sat Aug 08 2015 Jason L Tibbitts III - 2.4.17-13 -- Remove invalid Patch0: URL. -- Use HTTP for upstream source. -- pod2html was split out of the main perl package, breaking cyrus. - Add a build dep for it. - -* Wed Jul 29 2015 Kevin Fenzi 2.4.17-12 -- Rebuild for new librpm - -* Wed Jun 17 2015 Fedora Release Engineering - 2.4.17-11 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Fri Jun 05 2015 Jitka Plesnikova - 2.4.17-10 -- Perl 5.22 rebuild - -* Wed Aug 27 2014 Jitka Plesnikova - 2.4.17-9 -- Perl 5.20 rebuild - -* Sat Aug 16 2014 Fedora Release Engineering - 2.4.17-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Sat Jun 07 2014 Fedora Release Engineering - 2.4.17-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Sat Aug 03 2013 Fedora Release Engineering - 2.4.17-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Thu Jul 18 2013 Petr Pisar - 2.4.17-5 -- Perl 5.18 rebuild - -* Fri Jul 12 2013 Michal Hlavinka - 2.4.17-4 -- spec clean up - -* Thu Apr 18 2013 Michal Hlavinka - 2.4.17-3 -- make sure binaries are hardened - -* Wed Feb 13 2013 Fedora Release Engineering - 2.4.17-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild 
- -* Sat Dec 1 2012 Jeroen van Meeuwen - 2.4.17-1 -- New upstream version, fixes upstream bugs: -- reconstruct doesn't retain internaldate correctly (#3733) -- Race condition in maibox rename (#3696) -- DBERROR db4: Transaction not specified for a transactional database (#3715) -- performance degradation on huge indexes in 2.4 branch (#3717) -- typo fix in imapd.conf man page (#3729) -- quota does not find all quotaroots if quotalegacy, fulldirhash and prefix are used and virtdomains is off (#3735) -- Mail delivered during XFER was lost (#3737) -- replication does not work on RENAME (#3742) -- Failed asserting during APPEND (#3754) - -* Fri Nov 30 2012 Michal Hlavinka - 2.4.16-5 -- do not use strict aliasing - -* Tue Aug 21 2012 Michal Hlavinka - 2.4.16-4 -- use new systemd rpm macros (#850079) - -* Wed Jul 18 2012 Fedora Release Engineering - 2.4.16-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Mon Jun 11 2012 Petr Pisar - 2.4.16-2 -- Perl 5.16 rebuild - -* Thu Apr 19 2012 Jeroen van Meeuwen - 2.4.16-1 -- New upstream release - -* Wed Apr 18 2012 Jeroen van Meeuwen - 2.4.15-1 -- New upstream release - -* Wed Apr 11 2012 Michal Hlavinka - 2.4.14-2 -- rebuilt because of new libdb - -* Wed Mar 14 2012 Michal Hlavinka - 2.4.14-1 -- updated to 2.4.14 - -* Tue Feb 07 2012 Michal Hlavinka - 2.4.13-3 -- use PraveTmp in systemd unit file - -* Fri Jan 13 2012 Fedora Release Engineering - 2.4.13-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Mon Jan 02 2012 Jeroen van Meeuwen - 2.4.13-1 -- New upstream release - -* Wed Dec 07 2011 Michal Hlavinka - 2.4.12-5 -- do not use digest-md5 as part of default auth mechanisms, - it does not coop with pam - -* Tue Nov 22 2011 Michal Hlavinka - 2.4.12-4 -- reduce noisy logging, add option to turn on LOG_DEBUG syslog - messages again (thanks Philip Prindeville) (#754940) - -* Mon Oct 24 2011 Michal Hlavinka - 2.4.12-3 -- add login and digest-md5 as part of default auth mechanisms 
(#748278) - -* Tue Oct 11 2011 Michal Hlavinka - 2.4.12-2 -- do not hide errors if cyrus user can't be added - -* Wed Oct 05 2011 Michal Hlavinka - 2.4.12-1 -- cyrus-imapd updated to 2.4.12 -- fixes incomplete authentication checks in nntpd (Secunia SA46093) - -* Fri Sep 9 2011 Jeroen van Meeuwen - 2.4.11-1 -- update to 2.4.11 -- Fix CVE-2011-3208 (#734926, #736838) - -* Tue Aug 16 2011 Michal Hlavinka - 2.4.10-4 -- rebuild with db5 - -* Thu Jul 21 2011 Petr Sabata - 2.4.10-3 -- Perl mass rebuild - -* Wed Jul 20 2011 Petr Sabata - 2.4.10-2 -- Perl mass rebuild - -* Wed Jul 6 2011 Jeroen van Meeuwen - 2.4.10-1 -- New upstream release - -* Wed Jun 22 2011 Iain Arnell 2.4.8-5 -- Patch to work with Perl 5.14 - -* Mon Jun 20 2011 Marcela Mašláňová - 2.4.8-4 -- Perl mass rebuild - -* Fri Jun 10 2011 Marcela Mašláňová - 2.4.8-3 -- Perl 5.14 mass rebuild - -* Mon May 09 2011 Michal Hlavinka - 2.4.8-2 -- fixed: systemd commands in %%post (thanks Bill Nottingham) - -* Thu Apr 14 2011 Michal Hlavinka - 2.4.8-1 -- cyrus-imapd updated to 2.4.8 -- fixed: cannot set unlimited quota through proxy -- fixed: reconstruct tries to set timestamps again and again -- fixed: response for LIST "" user is wrong -- fixed: THREAD command doesn't support quoted charset -- fixed crashes in mupdatetest and cyr_expire when using -x - -* Mon Apr 04 2011 Michal Hlaivnka - 2.4.7-2 -- now using systemd - -* Thu Mar 31 2011 Michal Hlavinka - 2.4.7-1 -- updated to 2.4.7 - -* Fri Feb 11 2011 Michal Hlavinka - 2.4.6-1 -- updated to 2.4.6 -- "autocreate" and "autosieve" features were removed - -* Tue Feb 08 2011 Fedora Release Engineering - 2.3.16-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Fri Jan 21 2011 Michal Hlavinka - 2.3.16-7 -- don't force sync io for all filesystems - -* Fri Jul 09 2010 Michal Hlavinka - 2.3.16-6 -- follow licensing guideline update -- devel sub-package has to have virtual static provides (#609604) - -* Mon Jun 07 2010 Michal Hlavinka - 2.3.16-5 -- 
spec cleanup -- simplified packaging (merge -perl in -utils) -- remove obsoleted and/or unmaintained additional sources/patches -- remove long time not used files from the cvs/srpm -- update additional sources/patches from their upstream - -* Tue Jun 01 2010 Marcela Maslanova - 2.3.16-4 -- Mass rebuild with perl-5.12.0 - -* Tue Apr 20 2010 Michal Hlavinka - 2.3.16-3 -- add support for QoS marked traffic (#576652) - -* Thu Jan 14 2010 Michal Hlavinka - 2.3.16-2 -- ignore user_denny.db if missing (#553011) -- fix location of certificates in default imapd.conf +* Sat Jan 01 2000 Pavel Zhukov - 0.0.1-1 +- See /usr/share/doc/cyrus-imapd/CHANGELOG.rpm for more history