import dovecot-2.3.8-1.el8

2020-01-21 13:53:24 -05:00 · 2020-01-21 13:53:24 -05:00 · 78a48395b6
commit 78a48395b6
parent fbe52931b8
13 changed files with 288 additions and 475 deletions
--- a/.dovecot.metadata
+++ b/.dovecot.metadata
@ -1,2 +1,2 @@
-09febe0f459ba26c526d8195b22179f39d48bc69 SOURCES/dovecot-2.2-pigeonhole-0.4.24.tar.gz
-74c55736dfc92f586e2c75b7b4dd50816f63850b SOURCES/dovecot-2.2.36.tar.gz
+b9c7290dad1ac3bc1ead11359812a137a3d173f7 SOURCES/dovecot-2.3-pigeonhole-0.5.8.tar.gz
+65b93f7fd53705b3c97f9eee141a76c5f4f3a624 SOURCES/dovecot-2.3.8.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/dovecot-2.2-pigeonhole-0.4.24.tar.gz
-SOURCES/dovecot-2.2.36.tar.gz
+SOURCES/dovecot-2.3-pigeonhole-0.5.8.tar.gz
+SOURCES/dovecot-2.3.8.tar.gz
--- a/SOURCES/dovecot-2.0-defaultconfig.patch
+++ b/SOURCES/dovecot-2.0-defaultconfig.patch
@ -1,6 +1,6 @@
-diff -up dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf
--- dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings	2014-06-02 13:50:10.000000000 +0200
-+++ dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf	2015-08-24 17:09:03.866648631 +0200
+diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf
+--- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings	2018-02-28 15:28:57.000000000 +0100
+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf	2018-03-01 10:29:38.208368555 +0100
@@ -165,7 +165,7 @@ namespace inbox {
 # to make sure that users can't log in as daemons or other system users.
 # Note that denying root logins is hardcoded to dovecot binary and can't
@ -10,7 +10,7 @@ diff -up dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings
 #last_valid_uid = 0
 
 # Valid GID range for users, defaults to non-root/wheel. Users having
-@@ -283,6 +283,7 @@ namespace inbox {
+@@ -322,6 +322,7 @@ protocol !indexer-worker {
 # them simultaneously.
 #mbox_read_locks = fcntl
 #mbox_write_locks = dotlock fcntl
@ -18,9 +18,9 @@ diff -up dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings
 
 # Maximum time to wait for lock (all of them) before aborting.
 #mbox_lock_timeout = 5 mins
-diff -up dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf
--- dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings	2014-10-03 16:36:00.000000000 +0200
-+++ dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf	2015-08-24 17:10:49.536071649 +0200
+diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf
+--- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings	2018-02-28 15:28:57.000000000 +0100
+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf	2018-03-01 10:33:54.779499044 +0100
@@ -3,7 +3,9 @@
 ##
 
@ -32,11 +32,11 @@ diff -up dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings d
 
 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 # dropping root privileges, so keep the key file unreadable by anyone but
-@@ -50,6 +52,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
- 
- # SSL ciphers to use
- #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+@@ -57,6 +59,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+ #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+ # To disable non-EC DH, use:
+ #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
 +ssl_cipher_list = PROFILE=SYSTEM
 
- # Prefer the server's order of ciphers over client's.
- #ssl_prefer_server_ciphers = no
+ # Colon separated list of elliptic curves to use. Empty value (the default)
+ # means use the defaults from the SSL library. P-521:P-384:P-256 would be an
--- a/SOURCES/dovecot-2.1.10-waitonline.patch
+++ b/SOURCES/dovecot-2.1.10-waitonline.patch
@ -1,11 +1,11 @@
-diff -up dovecot-2.2.22/dovecot.service.in.waitonline dovecot-2.2.22/dovecot.service.in
--- dovecot-2.2.22/dovecot.service.in.waitonline	2016-03-16 13:36:49.426772606 +0100
-+++ dovecot-2.2.22/dovecot.service.in	2016-03-16 13:47:23.923606903 +0100
-@@ -24,6 +24,7 @@ After=local-fs.target network.target
+diff -up dovecot-2.3.0.1/dovecot.service.in.waitonline dovecot-2.3.0.1/dovecot.service.in
+--- dovecot-2.3.0.1/dovecot.service.in.waitonline	2018-03-01 10:35:39.888371078 +0100
+++ dovecot-2.3.0.1/dovecot.service.in	2018-03-01 10:36:29.738784661 +0100
+@@ -12,6 +12,7 @@ After=local-fs.target network-online.tar
 
 [Service]
- Type=forking
+ Type=simple
 +ExecStartPre=/usr/libexec/dovecot/prestartscript
- ExecStart=@sbindir@/dovecot
+ ExecStart=@sbindir@/dovecot -F
 PIDFile=@rundir@/master.pid
 ExecReload=@bindir@/doveadm reload
--- a/SOURCES/dovecot-2.2-gidcheck.patch
+++ b/SOURCES/dovecot-2.2-gidcheck.patch
@ -1,60 +0,0 @@
-From ca5b3ec5331545b46ec1f1c4ecfa1302ddb10653 Mon Sep 17 00:00:00 2001
-From: Timo Sirainen <timo.sirainen@dovecot.fi>
-Date: Wed, 29 Jun 2016 00:56:56 +0300
-Subject: [PATCH] auth: userdb passwd iteration now skips users not in
- first/last_valid_gid range
-
-Patch by Michal Hlavinka / Red Hat
---
- src/auth/auth-settings.c | 4 ++++
- src/auth/auth-settings.h | 2 ++
- src/auth/userdb-passwd.c | 4 ++++
- 3 files changed, 10 insertions(+)
-
-diff -up dovecot-2.2.36/src/auth/auth-settings.c.gidcheck dovecot-2.2.36/src/auth/auth-settings.c
--- dovecot-2.2.36/src/auth/auth-settings.c.gidcheck	2018-04-30 15:52:05.000000000 +0200
-+++ dovecot-2.2.36/src/auth/auth-settings.c	2018-09-17 12:17:13.132032699 +0200
-@@ -272,6 +272,8 @@ static const struct setting_define auth_
- 	DEF_NOPREFIX(SET_BOOL, verbose_proctitle),
- 	DEF_NOPREFIX(SET_UINT, first_valid_uid),
- 	DEF_NOPREFIX(SET_UINT, last_valid_uid),
-+	DEF_NOPREFIX(SET_UINT, first_valid_gid),
-+	DEF_NOPREFIX(SET_UINT, last_valid_gid),
- 
- 	DEF_NOPREFIX(SET_STR, ssl_client_ca_dir),
- 	DEF_NOPREFIX(SET_STR, ssl_client_ca_file),
-@@ -331,6 +333,8 @@ static const struct auth_settings auth_d
- 	.verbose_proctitle = FALSE,
- 	.first_valid_uid = 500,
- 	.last_valid_uid = 0,
-+	.first_valid_gid = 1,
-+	.last_valid_gid = 0,
- };
- 
- const struct setting_parser_info auth_setting_parser_info = {
-diff -up dovecot-2.2.36/src/auth/auth-settings.h.gidcheck dovecot-2.2.36/src/auth/auth-settings.h
--- dovecot-2.2.36/src/auth/auth-settings.h.gidcheck	2018-04-30 15:52:05.000000000 +0200
-+++ dovecot-2.2.36/src/auth/auth-settings.h	2018-09-17 12:13:30.540159133 +0200
-@@ -88,6 +88,8 @@ struct auth_settings {
- 	bool verbose_proctitle;
- 	unsigned int first_valid_uid;
- 	unsigned int last_valid_uid;
-+	unsigned int first_valid_gid;
-+	unsigned int last_valid_gid;
- 
- 	/* generated: */
- 	char username_chars_map[256];
-diff -up dovecot-2.2.36/src/auth/userdb-passwd.c.gidcheck dovecot-2.2.36/src/auth/userdb-passwd.c
--- dovecot-2.2.36/src/auth/userdb-passwd.c.gidcheck	2018-04-30 15:52:05.000000000 +0200
-+++ dovecot-2.2.36/src/auth/userdb-passwd.c	2018-09-17 12:13:30.540159133 +0200
-@@ -145,6 +145,10 @@ passwd_iterate_want_pw(struct passwd *pw
- 		return FALSE;
- 	if (pw->pw_uid > (uid_t)set->last_valid_uid && set->last_valid_uid != 0)
- 		return FALSE;
-+	if (pw->pw_gid < (gid_t)set->first_valid_gid)
-+		return FALSE;
-+	if (pw->pw_gid > (gid_t)set->last_valid_gid && set->last_valid_gid != 0)
-+		return FALSE;
- 	return TRUE;
- }
- 
--- a/SOURCES/dovecot-2.2.13-online.patch
+++ b/SOURCES/dovecot-2.2.13-online.patch
@ -1,12 +0,0 @@
-diff -up dovecot-2.2.22/dovecot.service.in.online dovecot-2.2.22/dovecot.service.in
--- dovecot-2.2.22/dovecot.service.in.online	2016-03-16 13:47:47.112491206 +0100
-+++ dovecot-2.2.22/dovecot.service.in	2016-03-16 13:48:14.339355363 +0100
-@@ -20,7 +20,7 @@
- Description=Dovecot IMAP/POP3 email server
- Documentation=man:dovecot(1)
- Documentation=http://wiki2.dovecot.org/
-After=local-fs.target network.target
-+After=local-fs.target network-online.target
- 
- [Service]
- Type=forking
--- a/SOURCES/dovecot-2.2.20-initbysystemd.patch
+++ b/SOURCES/dovecot-2.2.20-initbysystemd.patch
@ -1,10 +1,9 @@
-diff -up dovecot-2.2.22/dovecot-init.service.initbysystemd dovecot-2.2.22/dovecot-init.service
--- dovecot-2.2.22/dovecot-init.service.initbysystemd	2016-03-16 13:48:25.996297203 +0100
-+++ dovecot-2.2.22/dovecot-init.service	2016-03-16 13:48:25.996297203 +0100
-@@ -0,0 +1,18 @@
+diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dovecot-init.service
+--- dovecot-2.3.0.1/dovecot-init.service.initbysystemd	2018-03-01 10:38:22.059716008 +0100
+++ dovecot-2.3.0.1/dovecot-init.service	2018-03-01 10:38:22.059716008 +0100
+@@ -0,0 +1,13 @@
 +[Unit]
 +Description=One-time Dovecot init service
-+ConditionPathExists=|!/var/lib/dovecot/ssl-parameters.dat
 +ConditionPathExists=|!/etc/pki/dovecot/certs/dovecot.pem
 +
 +[Service]
@ -14,16 +13,12 @@ diff -up dovecot-2.2.22/dovecot-init.service.initbysystemd dovecot-2.2.22/doveco
 +if [ ! -f /etc/pki/dovecot/certs/dovecot.pem ]; \
 +then\
 +  SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;\
-+fi;\
-+if [ ! -f /var/lib/dovecot/ssl-parameters.dat ]; \
-+then\
-+  /usr/libexec/dovecot/ssl-params >/dev/null 2>&1; \
 +fi'
 +
-diff -up dovecot-2.2.22/dovecot.service.in.initbysystemd dovecot-2.2.22/dovecot.service.in
--- dovecot-2.2.22/dovecot.service.in.initbysystemd	2016-03-16 13:48:25.996297203 +0100
-+++ dovecot-2.2.22/dovecot.service.in	2016-03-16 13:49:17.619039641 +0100
-@@ -20,7 +20,8 @@
+diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/dovecot.service.in
+--- dovecot-2.3.0.1/dovecot.service.in.initbysystemd	2018-03-01 10:38:22.060716016 +0100
+++ dovecot-2.3.0.1/dovecot.service.in	2018-03-01 10:40:45.524901319 +0100
+@@ -8,7 +8,8 @@
 Description=Dovecot IMAP/POP3 email server
 Documentation=man:dovecot(1)
 Documentation=http://wiki2.dovecot.org/
@ -32,11 +27,11 @@ diff -up dovecot-2.2.22/dovecot.service.in.initbysystemd dovecot-2.2.22/dovecot.
 +Requires=dovecot-init.service
 
 [Service]
- Type=forking
-diff -up dovecot-2.2.22/Makefile.am.initbysystemd dovecot-2.2.22/Makefile.am
--- dovecot-2.2.22/Makefile.am.initbysystemd	2016-03-04 12:04:33.000000000 +0100
-+++ dovecot-2.2.22/Makefile.am	2016-03-16 13:48:25.996297203 +0100
-@@ -51,9 +51,10 @@ if HAVE_SYSTEMD
+ Type=simple
+diff -up dovecot-2.3.0.1/Makefile.am.initbysystemd dovecot-2.3.0.1/Makefile.am
+--- dovecot-2.3.0.1/Makefile.am.initbysystemd	2018-02-28 15:28:57.000000000 +0100
+++ dovecot-2.3.0.1/Makefile.am	2018-03-01 10:38:22.060716016 +0100
+@@ -63,9 +63,10 @@ if HAVE_SYSTEMD
 
 systemdsystemunit_DATA = \
         dovecot.socket \
--- a/SOURCES/dovecot-2.2.22-systemd_w_protectsystem.patch
+++ b/SOURCES/dovecot-2.2.22-systemd_w_protectsystem.patch
@ -1,14 +1,11 @@
-diff -up dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem dovecot-2.2.28/dovecot.service.in
--- dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem	2017-02-27 10:00:14.647423500 +0100
-+++ dovecot-2.2.28/dovecot.service.in	2017-02-27 10:02:18.051377067 +0100
-@@ -20,8 +20,8 @@ ExecReload=@bindir@/doveadm reload
+diff -up dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem dovecot-2.3.2/dovecot.service.in
+--- dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem	2018-07-09 12:00:13.359193526 +0200
+++ dovecot-2.3.2/dovecot.service.in	2018-07-09 12:00:46.387716884 +0200
+@@ -23,6 +23,7 @@ ExecReload=@bindir@/doveadm reload
 ExecStop=@bindir@/doveadm stop
 PrivateTmp=true
 NonBlocking=yes
-# Enable this if your systemd is new enough to support it:
-#ProtectSystem=full
-+# Enable this if your systemd is new enough to support it: (it will make /usr /boot /etc read only for dovecot)
-+ProtectSystem=full
- 
- # You can add environment variables with e.g.:
- #Environment='CORE_OUTOFMEM=1'
+# this will make /usr /boot /etc read only for dovecot
+ ProtectSystem=full
+ ProtectHome=no
+ PrivateDevices=true
--- a/SOURCES/dovecot-2.2.36-cve_2019_3814part1of3.patch
+++ b/SOURCES/dovecot-2.2.36-cve_2019_3814part1of3.patch
@ -1,69 +0,0 @@
-From eb5ffe2641febe0fa5e9038f2e216c130e1e7519 Mon Sep 17 00:00:00 2001
-From: Aki Tuomi <aki.tuomi@open-xchange.com>
-Date: Mon, 21 Jan 2019 11:36:30 +0200
-Subject: [PATCH] login-common: Ensure we get username from certificate
-
---
- src/login-common/sasl-server.c | 42 ++++++++++++++++++++++++++++++++--
- 1 file changed, 40 insertions(+), 2 deletions(-)
-
-diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
-index a833c9a6d4..9465da9657 100644
--- a/src/login-common/sasl-server.c
-+++ b/src/login-common/sasl-server.c
-@@ -321,6 +321,37 @@ authenticate_callback(struct auth_client_request *request,
- 	}
- }
- 
-+static bool get_cert_username(struct client *client, const char **username_r,
-+			      const char **error_r)
-+{
-+	/* no SSL */
-+	if (client->ssl_proxy == NULL) {
-+		*username_r = NULL;
-+		return TRUE;
-+	}
-+
-+	/* no client certificate */
-+	if (!ssl_proxy_has_valid_client_cert(client->ssl_proxy)) {
-+		*username_r = NULL;
-+		return TRUE;
-+	}
-+
-+	/* get peer name */
-+	const char *username = ssl_proxy_get_peer_name(client->ssl_proxy);
-+
-+	/* if we wanted peer name, but it was not there, fail */
-+	if (client->set->auth_ssl_username_from_cert &&
-+	    (username == NULL || *username == '\0')) {
-+		if (client->set->auth_ssl_require_client_cert) {
-+			*error_r = "Missing username in certificate";
-+			return FALSE;
-+		}
-+	}
-+
-+	*username_r = username;
-+	return TRUE;
-+}
-+
- void sasl_server_auth_begin(struct client *client,
- 			    const char *service, const char *mech_name,
- 			    const char *initial_resp_base64,
-@@ -359,8 +390,15 @@ void sasl_server_auth_begin(struct client *client,
- 	info.mech = mech->name;
- 	info.service = service;
- 	info.session_id = client_get_session_id(client);
-	info.cert_username = client->ssl_proxy == NULL ? NULL :
-		ssl_proxy_get_peer_name(client->ssl_proxy);
-+	if (client->set->auth_ssl_username_from_cert) {
-+		const char *error;
-+		if (!get_cert_username(client, &info.cert_username, &error)) {
-+			client_log_err(client, t_strdup_printf("Cannot get username "
-+							       "from certificate: %s", error));
-+			sasl_server_auth_failed(client, "Unable to validate certificate");
-+			return;
-+		}
-+	}
- 	info.flags = client_get_auth_flags(client);
- 	info.local_ip = client->local_ip;
- 	info.remote_ip = client->ip;
--- a/SOURCES/dovecot-2.2.36-cve_2019_3814part2of3.patch
+++ b/SOURCES/dovecot-2.2.36-cve_2019_3814part2of3.patch
@ -1,29 +0,0 @@
-From 7525fece60f01b52deb13df3620976ee1d616837 Mon Sep 17 00:00:00 2001
-From: Aki Tuomi <aki.tuomi@open-xchange.com>
-Date: Mon, 21 Jan 2019 10:54:06 +0200
-Subject: [PATCH] auth: Fail authentication if certificate username was
- unexpectedly missing
-
---
- src/auth/auth-request-handler.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/auth/auth-request-handler.c b/src/auth/auth-request-handler.c
-index 617dc1883d..3044e94f91 100644
--- a/src/auth/auth-request-handler.c
-+++ b/src/auth/auth-request-handler.c
-@@ -560,6 +560,14 @@ bool auth_request_handler_auth_begin(struct auth_request_handler *handler,
- 		return TRUE;
- 	}
- 
-+	if (request->set->ssl_require_client_cert &&
-+	    request->set->ssl_username_from_cert &&
-+	    !request->cert_username) {
-+		 auth_request_handler_auth_fail(handler, request,
-+			"SSL certificate didn't contain username");
-+		return TRUE;
-+	}
-+
- 	/* Empty initial response is a "=" base64 string. Completely empty
- 	   string shouldn't really be sent, but at least Exim does it,
- 	   so just allow it for backwards compatibility.. */
--- a/SOURCES/dovecot-2.2.36-cve_2019_3814part3of3.patch
+++ b/SOURCES/dovecot-2.2.36-cve_2019_3814part3of3.patch
@ -1,22 +0,0 @@
-From e5d428297d70e3ac8b6dfce7e0de182b86825082 Mon Sep 17 00:00:00 2001
-From: Aki Tuomi <aki.tuomi@open-xchange.com>
-Date: Wed, 16 Jan 2019 18:28:57 +0200
-Subject: [PATCH] auth: Do not import empty certificate username
-
---
- src/auth/auth-request.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
-index dd288b6d23..1cb665ec8c 100644
--- a/src/auth/auth-request.c
-+++ b/src/auth/auth-request.c
-@@ -445,7 +445,7 @@ bool auth_request_import_auth(struct auth_request *request,
- 	else if (strcmp(key, "valid-client-cert") == 0)
- 		request->valid_client_cert = TRUE;
- 	else if (strcmp(key, "cert_username") == 0) {
-		if (request->set->ssl_username_from_cert) {
-+		if (request->set->ssl_username_from_cert && *value != '\0') {
- 			/* get username from SSL certificate. it overrides
- 			   the username given by the auth mechanism. */
- 			request->user = p_strdup(request->pool, value);
--- a/SOURCES/dovecot-2.3.6-opensslhmac.patch
+++ b/SOURCES/dovecot-2.3.6-opensslhmac.patch
@ -1,7 +1,7 @@
-diff -up dovecot-2.2.36/src/auth/auth-token.c.opensslhmac dovecot-2.2.36/src/auth/auth-token.c
--- dovecot-2.2.36/src/auth/auth-token.c.opensslhmac	2018-04-30 15:52:04.000000000 +0200
-+++ dovecot-2.2.36/src/auth/auth-token.c	2019-06-10 15:38:38.834070480 +0200
-@@ -163,17 +163,17 @@ void auth_token_deinit(void)
+diff -up dovecot-2.3.8/src/auth/auth-token.c.opensslhmac dovecot-2.3.8/src/auth/auth-token.c
+--- dovecot-2.3.8/src/auth/auth-token.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/auth/auth-token.c	2019-11-19 16:34:11.338037002 +0100
+@@ -161,17 +161,17 @@ void auth_token_deinit(void)
 const char *auth_token_get(const char *service, const char *session_pid,
 			   const char *username, const char *session_id)
 {
@ -26,9 +26,9 @@ diff -up dovecot-2.2.36/src/auth/auth-token.c.opensslhmac dovecot-2.2.36/src/aut
 
 	return binary_to_hex(result, sizeof(result));
 }
-diff -up dovecot-2.2.36/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.2.36/src/auth/mech-cram-md5.c
--- dovecot-2.2.36/src/auth/mech-cram-md5.c.opensslhmac	2018-04-30 15:52:05.000000000 +0200
-+++ dovecot-2.2.36/src/auth/mech-cram-md5.c	2019-06-10 15:38:38.834070480 +0200
+diff -up dovecot-2.3.8/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.8/src/auth/mech-cram-md5.c
+--- dovecot-2.3.8/src/auth/mech-cram-md5.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/auth/mech-cram-md5.c	2019-11-19 16:34:11.338037002 +0100
@@ -51,7 +51,7 @@ static bool verify_credentials(struct cr
 {
 	
@ -52,9 +52,9 @@ diff -up dovecot-2.2.36/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.2.36/src/
 
 	response_hex = binary_to_hex(digest, sizeof(digest));
 
-diff -up dovecot-2.2.36/src/auth/mech-scram-sha1.c.opensslhmac dovecot-2.2.36/src/auth/mech-scram-sha1.c
--- dovecot-2.2.36/src/auth/mech-scram-sha1.c.opensslhmac	2018-04-30 15:52:05.000000000 +0200
-+++ dovecot-2.2.36/src/auth/mech-scram-sha1.c	2019-06-10 15:38:38.834070480 +0200
+diff -up dovecot-2.3.8/src/auth/mech-scram-sha1.c.opensslhmac dovecot-2.3.8/src/auth/mech-scram-sha1.c
+--- dovecot-2.3.8/src/auth/mech-scram-sha1.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/auth/mech-scram-sha1.c	2019-11-19 16:34:11.338037002 +0100
@@ -71,7 +71,7 @@ static const char *get_scram_server_firs
 
 static const char *get_scram_server_final(struct scram_auth_request *request)
@ -101,26 +101,26 @@ diff -up dovecot-2.2.36/src/auth/mech-scram-sha1.c.opensslhmac dovecot-2.2.36/sr
 
 	for (i = 0; i < sizeof(client_signature); i++)
 		client_key[i] =
-diff -up dovecot-2.2.36/src/auth/password-scheme.c.opensslhmac dovecot-2.2.36/src/auth/password-scheme.c
--- dovecot-2.2.36/src/auth/password-scheme.c.opensslhmac	2018-04-30 15:52:05.000000000 +0200
-+++ dovecot-2.2.36/src/auth/password-scheme.c	2019-06-10 15:38:38.834070480 +0200
-@@ -655,11 +655,11 @@ static void
- cram_md5_generate(const char *plaintext, const char *user ATTR_UNUSED,
+diff -up dovecot-2.3.8/src/auth/password-scheme.c.opensslhmac dovecot-2.3.8/src/auth/password-scheme.c
+--- dovecot-2.3.8/src/auth/password-scheme.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/auth/password-scheme.c	2019-11-19 16:34:11.339036998 +0100
+@@ -647,11 +647,11 @@ static void
+ cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
 		  const unsigned char **raw_password_r, size_t *size_r)
 {
 -	struct hmac_context ctx;
 +	struct orig_hmac_context ctx;
 	unsigned char *context_digest;
 
- 	context_digest = t_malloc(CRAM_MD5_CONTEXTLEN);
+ 	context_digest = t_malloc_no0(CRAM_MD5_CONTEXTLEN);
 -	hmac_init(&ctx, (const unsigned char *)plaintext,
 +	orig_hmac_init(&ctx, (const unsigned char *)plaintext,
 		  strlen(plaintext), &hash_method_md5);
 	hmac_md5_get_cram_context(&ctx, context_digest);
 
-diff -up dovecot-2.2.36/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.2.36/src/auth/password-scheme-scram.c
--- dovecot-2.2.36/src/auth/password-scheme-scram.c.opensslhmac	2018-04-30 15:52:05.000000000 +0200
-+++ dovecot-2.2.36/src/auth/password-scheme-scram.c	2019-06-10 15:38:38.834070480 +0200
+diff -up dovecot-2.3.8/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.8/src/auth/password-scheme-scram.c
+--- dovecot-2.3.8/src/auth/password-scheme-scram.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/auth/password-scheme-scram.c	2019-11-19 16:34:11.339036998 +0100
@@ -27,23 +27,23 @@ static void Hi(const unsigned char *str,
 	       const unsigned char *salt, size_t salt_size, unsigned int i,
 	       unsigned char result[SHA1_RESULTLEN])
@ -213,10 +213,10 @@ diff -up dovecot-2.2.36/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.2
 	str_append_c(str, ',');
 	base64_encode(server_key, sizeof(server_key), str);
 
-diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
--- dovecot-2.2.36/src/lib/hmac.c.opensslhmac	2018-04-30 15:52:05.000000000 +0200
-+++ dovecot-2.2.36/src/lib/hmac.c	2019-06-10 15:38:38.834070480 +0200
-@@ -7,15 +7,74 @@
+diff -up dovecot-2.3.8/src/lib/hmac.c.opensslhmac dovecot-2.3.8/src/lib/hmac.c
+--- dovecot-2.3.8/src/lib/hmac.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib/hmac.c	2019-11-19 17:25:28.045716181 +0100
+@@ -7,6 +7,10 @@
  * This software is released under the MIT license.
  */
 
@ -227,7 +227,9 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
 #include "lib.h"
 #include "hmac.h"
 #include "safe-memset.h"
- #include "buffer.h"
+@@ -14,10 +18,65 @@
+ 
+ #include "hex-binary.h"
 
 -void hmac_init(struct hmac_context *_ctx, const unsigned char *key,
 +#ifndef HAVE_HMAC_CTX_NEW
@ -243,13 +245,14 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
 +
 +
 +void openssl_hmac_init(struct openssl_hmac_context *_ctx, const unsigned char *key,
-+		size_t key_len, const struct hash_method *meth)
-+{
+ 		size_t key_len, const struct hash_method *meth)
+ {
+-	struct hmac_context_priv *ctx = &_ctx->u.priv;
 + 	struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
 +
 +	const EVP_MD *md;
-+    const char *ebuf = NULL;
-+    const char **error_r = &ebuf;
+	const char *ebuf = NULL;
+	const char **error_r = &ebuf;
 +
 +	md = EVP_get_digestbyname(meth->name);
 +	if(md == NULL) {
@ -272,9 +275,8 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
 +}
 +
 +void orig_hmac_init(struct orig_hmac_context *_ctx, const unsigned char *key,
- 		size_t key_len, const struct hash_method *meth)
- {
-	struct hmac_context_priv *ctx = &_ctx->u.priv;
+		size_t key_len, const struct hash_method *meth)
+{
 +    static int no_fips = -1;
 +    if (no_fips == -1) {
 +        int fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
@ -293,7 +295,7 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
 	int i;
 	unsigned char k_ipad[64];
 	unsigned char k_opad[64];
-@@ -51,9 +110,27 @@ void hmac_init(struct hmac_context *_ctx
+@@ -53,9 +112,27 @@ void hmac_init(struct hmac_context *_ctx
 	safe_memset(k_opad, 0, 64);
 }
 
@ -323,7 +325,7 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
 
 	ctx->hash->result(ctx->ctx, digest);
 
-@@ -61,35 +138,35 @@ void hmac_final(struct hmac_context *_ct
+@@ -63,53 +140,50 @@ void hmac_final(struct hmac_context *_ct
 	ctx->hash->result(ctx->ctxo, digest);
 }
 
@ -338,7 +340,7 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
 	i_assert(key != NULL && key_len > 0);
 	i_assert(data != NULL || data_len == 0);
 
- 	buffer_t *res = buffer_create_dynamic(pool_datastack_create(), meth->digest_size);
+ 	buffer_t *res = t_buffer_create(meth->digest_size);
 -	hmac_init(&ctx, key, key_len, meth);
 +	openssl_hmac_init(&ctx, key, key_len, meth);
 	if (data_len > 0)
@ -368,9 +370,92 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
 +	return openssl_t_hmac_data(meth, key, key_len, data, strlen(data));
 }
 
-diff -up dovecot-2.2.36/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.2.36/src/lib/hmac-cram-md5.c
--- dovecot-2.2.36/src/lib/hmac-cram-md5.c.opensslhmac	2017-06-23 13:18:28.000000000 +0200
-+++ dovecot-2.2.36/src/lib/hmac-cram-md5.c	2019-06-10 15:38:38.835070476 +0200
+-void hmac_hkdf(const struct hash_method *method,
+void openssl_hmac_hkdf(const struct hash_method *method,
+ 	       const unsigned char *salt, size_t salt_len,
+ 	       const unsigned char *ikm, size_t ikm_len,
+ 	       const unsigned char *info, size_t info_len,
+ 	       buffer_t *okm_r, size_t okm_len)
+ {
+	const EVP_MD *md;
+	EVP_PKEY_CTX *pctx;
+	int r = 1;
+
+ 	i_assert(method != NULL);
+ 	i_assert(okm_len < 255*method->digest_size);
+-	struct hmac_context key_mac;
+-	struct hmac_context info_mac;
+-	size_t remain = okm_len;
+-	unsigned char prk[method->digest_size];
+-	unsigned char okm[method->digest_size];
+-	/* N = ceil(L/HashLen) */
+-	unsigned int rounds = (okm_len + method->digest_size - 1)/method->digest_size;
+ 
+ 	/* salt and info can be NULL */
+ 	i_assert(salt != NULL || salt_len == 0);
+@@ -118,35 +192,30 @@ void hmac_hkdf(const struct hash_method
+ 	i_assert(ikm != NULL && ikm_len > 0);
+ 	i_assert(okm_r != NULL && okm_len > 0);
+ 
+-	/* but they still need valid pointer, reduces
+-	   complains from static analysers */
+-	if (salt == NULL)
+-		salt = &uchar_nul;
+-	if (info == NULL)
+-		info = &uchar_nul;
+-
+-	/* extract */
+-	hmac_init(&key_mac, salt, salt_len, method);
+-	hmac_update(&key_mac, ikm, ikm_len);
+-	hmac_final(&key_mac, prk);
+-
+-	/* expand */
+-	for (unsigned int i = 0; remain > 0 && i < rounds; i++) {
+-		unsigned char round = (i+1);
+-		size_t amt = remain;
+-		if (amt > method->digest_size)
+-			amt = method->digest_size;
+-		hmac_init(&info_mac, prk, method->digest_size, method);
+-		if (i > 0)
+-			hmac_update(&info_mac, okm, method->digest_size);
+-		hmac_update(&info_mac, info, info_len);
+-		hmac_update(&info_mac, &round, 1);
+-		memset(okm, 0, method->digest_size);
+-		hmac_final(&info_mac, okm);
+-		buffer_append(okm_r, okm, amt);
+-		remain -= amt;
+
+	md = EVP_get_digestbyname(method->name);
+	pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
+	unsigned char *okm_buf = buffer_get_space_unsafe(okm_r, 0, okm_len);
+
+	if ((r=EVP_PKEY_derive_init(pctx)) <= 0)
+		goto out;
+	if ((r=EVP_PKEY_CTX_set_hkdf_md(pctx, md)) <= 0)
+		goto out;
+	if ((r=EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len)) <= 0)
+		goto out;
+	if ((r=EVP_PKEY_CTX_set1_hkdf_key(pctx, ikm, ikm_len)) <= 0)
+		goto out;
+	if ((r=EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len)) <= 0)
+		goto out;
+	if ((r=EVP_PKEY_derive(pctx, okm_buf, &okm_len)) <= 0)
+		goto out;
+
+     out:
+	EVP_PKEY_CTX_free(pctx);
+	if (r <= 0) {
+		unsigned long ec = ERR_get_error();
+		unsigned char *error = t_strdup_printf("%s", ERR_error_string(ec, NULL));
+		i_error("%s", error);
+ 	}
+ 
+-	safe_memset(prk, 0, sizeof(prk));
+-	safe_memset(okm, 0, sizeof(okm));
+ }
+diff -up dovecot-2.3.8/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.8/src/lib/hmac-cram-md5.c
+--- dovecot-2.3.8/src/lib/hmac-cram-md5.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib/hmac-cram-md5.c	2019-11-19 16:34:11.339036998 +0100
@@ -9,10 +9,10 @@
 #include "md5.h"
 #include "hmac-cram-md5.h"
@ -397,9 +482,9 @@ diff -up dovecot-2.2.36/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.2.36/src/l
 	const unsigned char *cdp;
 
 	struct md5_context *ctx = (void*)hmac_ctx->ctx;
-diff -up dovecot-2.2.36/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.2.36/src/lib/hmac-cram-md5.h
--- dovecot-2.2.36/src/lib/hmac-cram-md5.h.opensslhmac	2017-06-23 13:18:28.000000000 +0200
-+++ dovecot-2.2.36/src/lib/hmac-cram-md5.h	2019-06-10 15:38:38.835070476 +0200
+diff -up dovecot-2.3.8/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.8/src/lib/hmac-cram-md5.h
+--- dovecot-2.3.8/src/lib/hmac-cram-md5.h.opensslhmac	2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib/hmac-cram-md5.h	2019-11-19 16:34:11.339036998 +0100
@@ -5,9 +5,9 @@
 
 #define CRAM_MD5_CONTEXTLEN 32
@ -412,15 +497,16 @@ diff -up dovecot-2.2.36/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.2.36/src/l
 		const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
 
 
-diff -up dovecot-2.2.36/src/lib/hmac.h.opensslhmac dovecot-2.2.36/src/lib/hmac.h
--- dovecot-2.2.36/src/lib/hmac.h.opensslhmac	2017-06-23 13:18:28.000000000 +0200
-+++ dovecot-2.2.36/src/lib/hmac.h	2019-06-10 15:38:38.835070476 +0200
-@@ -3,43 +3,98 @@
+diff -up dovecot-2.3.8/src/lib/hmac.h.opensslhmac dovecot-2.3.8/src/lib/hmac.h
+--- dovecot-2.3.8/src/lib/hmac.h.opensslhmac	2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib/hmac.h	2019-11-19 16:34:11.339036998 +0100
+@@ -3,60 +3,97 @@
 
 #include "hash-method.h"
 #include "sha1.h"
 +#include <openssl/objects.h>
 +#include <openssl/hmac.h>
+#include <openssl/kdf.h>
 +#include <openssl/err.h>
 
 #define HMAC_MAX_CONTEXT_SIZE 256
@ -459,8 +545,7 @@ diff -up dovecot-2.2.36/src/lib/hmac.h.opensslhmac dovecot-2.2.36/src/lib/hmac.h
 
 -void hmac_init(struct hmac_context *ctx, const unsigned char *key,
 +void openssl_hmac_init(struct openssl_hmac_context *ctx, const unsigned char *key,
- 		size_t key_len, const struct hash_method *meth);
-void hmac_final(struct hmac_context *ctx, unsigned char *digest);
+		size_t key_len, const struct hash_method *meth);
 +void openssl_hmac_final(struct openssl_hmac_context *ctx, unsigned char *digest);
 +
 +static inline void
@ -477,7 +562,8 @@ diff -up dovecot-2.2.36/src/lib/hmac.h.opensslhmac dovecot-2.2.36/src/lib/hmac.h
 +}
 +
 +void orig_hmac_init(struct orig_hmac_context *ctx, const unsigned char *key,
-+		size_t key_len, const struct hash_method *meth);
+ 		size_t key_len, const struct hash_method *meth);
+-void hmac_final(struct hmac_context *ctx, unsigned char *digest);
 +void orig_hmac_final(struct orig_hmac_context *ctx, unsigned char *digest);
 
 
@ -504,30 +590,31 @@ diff -up dovecot-2.2.36/src/lib/hmac.h.opensslhmac dovecot-2.2.36/src/lib/hmac.h
 		     const unsigned char *key, size_t key_len,
 		     const char *data);
 
-+
-+#if 0
-+static bool dcrypt_openssl_error(const char **error_r)
-+{
-+	unsigned long ec;
-+
-+	if (error_r == NULL) {
-+		/* caller is not really interested */
-+		return FALSE; 
-+	}
-+
-+	ec = ERR_get_error();
-+	*error_r = t_strdup_printf("%s", ERR_error_string(ec, NULL));
-+	return FALSE;
-+}
-+#endif
-+
-+
-+
- #endif
-diff -up dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c
--- dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac	2018-04-30 15:52:05.000000000 +0200
-+++ dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c	2019-06-10 15:38:38.835070476 +0200
-@@ -83,15 +83,15 @@ imap_urlauth_internal_generate(const cha
+-void hmac_hkdf(const struct hash_method *method,
+void openssl_hmac_hkdf(const struct hash_method *method,
+ 	       const unsigned char *salt, size_t salt_len,
+ 	       const unsigned char *ikm, size_t ikm_len,
+ 	       const unsigned char *info, size_t info_len,
+ 	       buffer_t *okm_r, size_t okm_len);
+ 
+ static inline buffer_t *
+-t_hmac_hkdf(const struct hash_method *method,
+openssl_t_hmac_hkdf(const struct hash_method *method,
+ 	    const unsigned char *salt, size_t salt_len,
+ 	    const unsigned char *ikm, size_t ikm_len,
+ 	    const unsigned char *info, size_t info_len,
+ 	    size_t okm_len)
+ {
+ 	buffer_t *okm_buffer = t_buffer_create(okm_len);
+-	hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len,
+	openssl_hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len,
+ 		  okm_buffer, okm_len);
+ 	return okm_buffer;
+ }
+diff -up dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c
+--- dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c	2019-11-19 16:34:11.339036998 +0100
+@@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha
 			       const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN],
 			       size_t *token_len_r)
 {
@ -547,10 +634,10 @@ diff -up dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-
 
 	*token_len_r = SHA1_RESULTLEN + 1;
 	return token;
-diff -up dovecot-2.2.36/src/lib/Makefile.am.opensslhmac dovecot-2.2.36/src/lib/Makefile.am
--- dovecot-2.2.36/src/lib/Makefile.am.opensslhmac	2018-04-30 15:52:05.000000000 +0200
-+++ dovecot-2.2.36/src/lib/Makefile.am	2019-06-10 15:42:28.810140696 +0200
-@@ -306,6 +306,9 @@ headers = \
+diff -up dovecot-2.3.8/src/lib/Makefile.am.opensslhmac dovecot-2.3.8/src/lib/Makefile.am
+--- dovecot-2.3.8/src/lib/Makefile.am.opensslhmac	2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib/Makefile.am	2019-11-19 16:34:11.340036994 +0100
+@@ -323,6 +323,9 @@ headers = \
 	wildcard-match.h \
 	write-full.h
 
@ -560,17 +647,9 @@ diff -up dovecot-2.2.36/src/lib/Makefile.am.opensslhmac dovecot-2.2.36/src/lib/M
 test_programs = test-lib
 noinst_PROGRAMS = $(test_programs)
 
-@@ -335,6 +338,7 @@ test_lib_SOURCES = \
- 	test-hash-format.c \
- 	test-hash-method.c \
- 	test-hex-binary.c \
-+	test-hmac.c \
- 	test-imem.c \
- 	test-ioloop.c \
- 	test-iso8601-date.c \
-diff -up dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c.opensslhmac dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c
--- dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c.opensslhmac	2018-04-30 15:52:05.000000000 +0200
-+++ dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c	2019-06-10 15:38:38.835070476 +0200
+diff -up dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c.opensslhmac dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c
+--- dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c	2019-11-19 16:34:11.340036994 +0100
@@ -61,12 +61,12 @@ void ntlm_v1_hash(const char *passwd, un
 }
 
@ -578,7 +657,7 @@ diff -up dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c.opensslhmac dovecot-2.2.36/s
 -hmac_md5_ucs2le_string_ucase(struct hmac_context *ctx, const char *str)
 -{
 -	size_t len;
-	unsigned char *wstr = t_unicode_str(str, 1, &len);
+-	unsigned char *wstr = t_unicode_str(str, TRUE, &len);
 -
 -	hmac_update(ctx, wstr, len);
 +hmac_md5_ucs2le_string_ucase(struct openssl_hmac_context *ctx, const char *str)
@ -628,9 +707,9 @@ diff -up dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c.opensslhmac dovecot-2.2.36/s
 
 	safe_memset(hash, 0, sizeof(hash));
 }
-diff -up dovecot-2.2.36/src/lib/pkcs5.c.opensslhmac dovecot-2.2.36/src/lib/pkcs5.c
--- dovecot-2.2.36/src/lib/pkcs5.c.opensslhmac	2018-04-30 15:52:04.000000000 +0200
-+++ dovecot-2.2.36/src/lib/pkcs5.c	2019-06-10 15:38:38.835070476 +0200
+diff -up dovecot-2.3.8/src/lib/pkcs5.c.opensslhmac dovecot-2.3.8/src/lib/pkcs5.c
+--- dovecot-2.3.8/src/lib/pkcs5.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib/pkcs5.c	2019-11-19 16:34:11.340036994 +0100
@@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho
 	size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */
 	unsigned char dk[l * hash->digest_size];
@ -665,121 +744,49 @@ diff -up dovecot-2.2.36/src/lib/pkcs5.c.opensslhmac dovecot-2.2.36/src/lib/pkcs5
 			for(i = 0; i < hash->digest_size; i++)
 				block[i] ^= U_c[i];
 		}
-diff -up dovecot-2.2.36/src/lib/test-hmac.c.opensslhmac dovecot-2.2.36/src/lib/test-hmac.c
--- dovecot-2.2.36/src/lib/test-hmac.c.opensslhmac	2019-06-10 15:43:02.847003098 +0200
-+++ dovecot-2.2.36/src/lib/test-hmac.c	2019-06-10 14:00:52.000000000 +0200
-@@ -0,0 +1,103 @@
-+/* Copyright (c) 2016-2018 Dovecot authors, see the included COPYING file */
-+
-+#include "test-lib.h"
-+#include "hash-method.h"
-+#include "hmac.h"
-+#include "sha-common.h"
-+#include "buffer.h"
-+
-+struct test_vector {
-+	const char *prf;
-+	const unsigned char *key;
-+	size_t key_len;
-+	const unsigned char *data;
-+	size_t data_len;
-+	const unsigned char *res;
-+	size_t res_len;
-+};
-+
-+#define TEST_BUF(x) (const unsigned char*)x, sizeof(x)-1
-+
-+/* RFC 4231 test vectors */
-+static const struct test_vector test_vectors[] = {
-+	/* Test Case 1 */
-+	{ "sha256",
-+	TEST_BUF("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"),
-+	TEST_BUF("Hi There"),
-+	TEST_BUF("\xb0\x34\x4c\x61\xd8\xdb\x38\x53\x5c\xa8\xaf\xce\xaf\x0b\xf1\x2b\x88\x1d\xc2\x00\xc9\x83\x3d\xa7\x26\xe9\x37\x6c\x2e\x32\xcf\xf7")
-+	},
-+	/* Test Case 2 */
-+	{ "sha256",
-+	TEST_BUF("\x4a\x65\x66\x65"), /* "Jefe" */
-+	TEST_BUF("what do ya want for nothing?"),
-+	TEST_BUF("\x5b\xdc\xc1\x46\xbf\x60\x75\x4e\x6a\x04\x24\x26\x08\x95\x75\xc7\x5a\x00\x3f\x08\x9d\x27\x39\x83\x9d\xec\x58\xb9\x64\xec\x38\x43")
-+	},
-+	/* Test Case 3 */
-+	{ "sha256",
-+	TEST_BUF("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
-+	TEST_BUF("\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"),
-+	TEST_BUF("\x77\x3e\xa9\x1e\x36\x80\x0e\x46\x85\x4d\xb8\xeb\xd0\x91\x81\xa7\x29\x59\x09\x8b\x3e\xf8\xc1\x22\xd9\x63\x55\x14\xce\xd5\x65\xfe")
-+	},
-+	/* Test Case 4 */
-+	{ "sha256",
-+	TEST_BUF("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19"),
-+	TEST_BUF("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"),
-+	TEST_BUF("\x82\x55\x8a\x38\x9a\x44\x3c\x0e\xa4\xcc\x81\x98\x99\xf2\x08\x3a\x85\xf0\xfa\xa3\xe5\x78\xf8\x07\x7a\x2e\x3f\xf4\x67\x29\x66\x5b")
-+	},
-+	/* Test Case 5 */
-+	{ "sha256",
-+	TEST_BUF("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"),
-+	TEST_BUF("\x54\x65\x73\x74\x20\x57\x69\x74\x68\x20\x54\x72\x75\x6e\x63\x61\x74\x69\x6f\x6e"), /* "Test With Truncation" */
-+	TEST_BUF("\xa3\xb6\x16\x74\x73\x10\x0e\xe0\x6e\x0c\x79\x6c\x29\x55\x55\x2b")
-+	},
-+	/* Test Case 6 */
-+	{ "sha256",
-+	TEST_BUF("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
-+	TEST_BUF("\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74"), /* "Test Using Larger Than Block-Size Key - Hash Key First" */
-+	TEST_BUF("\x60\xe4\x31\x59\x1e\xe0\xb6\x7f\x0d\x8a\x26\xaa\xcb\xf5\xb7\x7f\x8e\x0b\xc6\x21\x37\x28\xc5\x14\x05\x46\x04\x0f\x0e\xe3\x7f\x54")
-+	},
-+	/* Test Case 7 */
-+	{ "sha256",
-+	TEST_BUF("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
-+	TEST_BUF("\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"),
-+	/* "This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm." */
-+	TEST_BUF("\x9b\x09\xff\xa7\x1b\x94\x2f\xcb\x27\x63\x5f\xbc\xd5\xb0\xe9\x44\xbf\xdc\x63\x64\x4f\x07\x13\x93\x8a\x7f\x51\x53\x5c\x3a\x35\xe2")
-+	}
-+};
-+
-+static void test_hmac_rfc(void)
-+{
-+	test_begin("hmac sha256 rfc4231 vectors");
-+	for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) {
-+		const struct test_vector *vec = &(test_vectors[i]);
+diff -up dovecot-2.3.8/src/lib/test-hmac.c.opensslhmac dovecot-2.3.8/src/lib/test-hmac.c
+--- dovecot-2.3.8/src/lib/test-hmac.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib/test-hmac.c	2019-11-19 16:34:11.340036994 +0100
+@@ -112,11 +112,11 @@ static void test_hmac_rfc(void)
+ 	test_begin("hmac sha256 rfc4231 vectors");
+ 	for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) {
+ 		const struct test_vector *vec = &(test_vectors[i]);
+-		struct hmac_context ctx;
+-		hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+-		hmac_update(&ctx, vec->data, vec->data_len);
 +		struct openssl_hmac_context ctx;
 +		openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
 +		openssl_hmac_update(&ctx, vec->data, vec->data_len);
-+		unsigned char res[SHA256_RESULTLEN];
+ 		unsigned char res[SHA256_RESULTLEN];
+-		hmac_final(&ctx, res);
 +		openssl_hmac_final(&ctx, res);
-+		test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
-+	}
-+	test_end();
-+}
-+
-+static void test_hmac_buffer(void)
-+{
-+	const struct test_vector *vec = &(test_vectors[0]);
-+	test_begin("hmac temporary buffer");
-+
-+	buffer_t *tmp;
-+
+ 		test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
+ 	}
+ 	test_end();
+@@ -129,7 +129,7 @@ static void test_hmac_buffer(void)
+ 
+ 	buffer_t *tmp;
+ 
+-	tmp = t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len,
 +	tmp = openssl_t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len,
-+			  vec->data, vec->data_len);
-+
-+	test_assert(tmp->used == vec->res_len &&
-+		    memcmp(tmp->data, vec->res, vec->res_len) == 0);
-+
-+	test_end();
-+}
-+
-+void test_hmac(void)
-+{
-+	test_hmac_rfc();
-+	test_hmac_buffer();
-+}
-diff -up dovecot-2.2.36/src/lib/test-lib.h.opensslhmac dovecot-2.2.36/src/lib/test-lib.h
--- dovecot-2.2.36/src/lib/test-lib.h.opensslhmac	2019-06-10 15:41:57.155268669 +0200
-+++ dovecot-2.2.36/src/lib/test-lib.h	2019-06-10 15:41:57.194268512 +0200
-@@ -20,6 +20,7 @@ void test_failures(void);
- void test_file_create_locked(void);
- void test_guid(void);
- void test_hash(void);
-+void test_hmac(void);
- void test_hash_format(void);
- void test_hash_method(void);
- void test_hex_binary(void);
+ 			  vec->data, vec->data_len);
+ 
+ 	test_assert(tmp->used == vec->res_len &&
+@@ -146,7 +146,7 @@ static void test_hkdf_rfc(void)
+ 		buffer_set_used_size(res, 0);
+ 		const struct test_vector_5869 *vec = &(test_vectors_5869[i]);
+ 		const struct hash_method *m = hash_method_lookup(vec->prf);
+-		hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len,
+		openssl_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len,
+ 			  vec->info, vec->info_len, res, vec->okm_len);
+ 		test_assert_idx(memcmp(res->data, vec->okm, vec->okm_len) == 0, i);
+ 	}
+@@ -159,7 +159,7 @@ static void test_hkdf_buffer(void)
+ 	test_begin("hkdf temporary buffer");
+ 	const struct test_vector_5869 *vec = &(test_vectors_5869[0]);
+ 	const struct hash_method *m = hash_method_lookup(vec->prf);
+-	buffer_t *tmp = t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm,
+	buffer_t *tmp = openssl_t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm,
+ 				    vec->ikm_len, vec->info, vec->info_len,
+ 				    vec->okm_len);
+ 	test_assert(tmp->used == vec->okm_len &&
--- a/SPECS/dovecot.spec
+++ b/SPECS/dovecot.spec
@ -3,19 +3,19 @@
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.2.36
+Version: 2.3.8
 %global prever %{nil}
-Release: 8%{?dist}
+Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
 Group: System Environment/Daemons

 URL: http://www.dovecot.org/
-Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz
+Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
-%global pigeonholever 0.4.24
-Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz
+%global pigeonholever 0.5.8
+Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd

@ -29,7 +29,6 @@ Patch3: dovecot-1.0.rc7-mkcert-paths.patch

 #wait for network
 Patch6: dovecot-2.1.10-waitonline.patch
-Patch7: dovecot-2.2.13-online.patch

 Patch8: dovecot-2.2.20-initbysystemd.patch
 Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
@ -38,18 +37,12 @@ Patch10: dovecot-2.3.0.1-libxcrypt.patch
 # sent upstream, rhbz#1630380
 Patch11: dovecot-2.2.36-aclfix.patch

-# dovecot < 2.3, rhbz#1280436
-Patch12: dovecot-2.2-gidcheck.patch
 Patch13: dovecot-2.2.36-bigkey.patch

 # do not use own implementation of HMAC, use OpenSSL for certification purposes
 # not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces
 # hard to break circular dependency between lib and lib-dcrypt
 Patch14: dovecot-2.3.6-opensslhmac.patch
-Patch15: dovecot-2.2.36-cve_2019_3814part1of3.patch
-Patch16: dovecot-2.2.36-cve_2019_3814part2of3.patch
-Patch17: dovecot-2.2.36-cve_2019_3814part3of3.patch
-

 Source15: prestartscript

@ -57,11 +50,17 @@ BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
 BuildRequires: libtool, autoconf, automake, pkgconfig
 BuildRequires: sqlite-devel
 BuildRequires: postgresql-devel
+#BuildRequires: libpq-devel
 BuildRequires: mariadb-connector-c-devel
+#BuildRequires: libxcrypt-devel
 BuildRequires: openldap-devel
 BuildRequires: krb5-devel
 BuildRequires: quota-devel
 BuildRequires: xz-devel
+BuildRequires: lz4-devel
+#BuildRequires: libsodium-devel
+#BuildRequires: libexttextcat-devel
+#BuildRequires: libstemmer-devel

 # gettext-devel is needed for running autoconf because of the
 # presence of AM_ICONV
@ -143,26 +142,22 @@ This package provides the development files for dovecot.
 %patch2 -p1 -b .mkcert-permissions
 %patch3 -p1 -b .mkcert-paths
 %patch6 -p1 -b .waitonline
-%patch7 -p1 -b .online
 %patch8 -p1 -b .initbysystemd
 %patch9 -p1 -b .systemd_w_protectsystem
-%patch10 -p1 -b .libxcrypt
+#%patch10 -p1 -b .libxcrypt
 %patch11 -p1 -b .aclfix
-%patch12 -p1 -b .gidcheck
 %patch13 -p1 -b .bigkey
 %patch14 -p1 -b .opensslhmac
-%patch15 -p1 -b .cve_2019_3814part1of3
-%patch16 -p1 -b .cve_2019_3814part2of3
-%patch17 -p1 -b .cve_2019_3814part3of3
+pushd dovecot-2*3-pigeonhole-%{pigeonholever}
+
+popd

-#pushd dovecot-2*2-pigeonhole-%{pigeonholever}
-#popd
 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in

 %build
 #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules
 %global _hardened_build 1
-export CFLAGS="%{__global_cflags} -fno-strict-aliasing"
+export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none"
 export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"
 # el6 autoconf too old to regen; use packaged files (#1082384)
 %if %{?fedora}00%{?rhel} > 6
@ -197,7 +192,7 @@ sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10
 make %{?_smp_mflags}

 #pigeonhole
-pushd dovecot-2*2-pigeonhole-%{pigeonholever}
+pushd dovecot-2*3-pigeonhole-%{pigeonholever}

 # required for snapshot
 [ -f configure ] || autoreconf -fiv
@ -221,7 +216,7 @@ make install DESTDIR=$RPM_BUILD_ROOT
 mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall


-pushd dovecot-2*2-pigeonhole-%{pigeonholever}
+pushd dovecot-2*3-pigeonhole-%{pigeonholever}
 make install DESTDIR=$RPM_BUILD_ROOT

 mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
@ -360,7 +355,7 @@ fi

 %check
 make check
-cd dovecot-2*2-pigeonhole-%{pigeonholever}
+cd dovecot-2*3-pigeonhole-%{pigeonholever}
 make check

 %files
@ -397,6 +392,7 @@ make check
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-imap.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-lmtp.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-pop3.conf
+%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-submission.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-acl.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-quota.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-plugin.conf
@ -423,7 +419,6 @@ make check
 %dir %{_libdir}/dovecot
 %dir %{_libdir}/dovecot/auth
 %dir %{_libdir}/dovecot/dict
-%dir %{_libdir}/dovecot/stats
 %{_libdir}/dovecot/doveadm
 %exclude %{_libdir}/dovecot/doveadm/*sieve*
 %{_libdir}/dovecot/*.so.*
@ -437,8 +432,6 @@ make check
 %{_libdir}/dovecot/auth/libdriver_sqlite.so
 %{_libdir}/dovecot/dict/libdriver_sqlite.so
 %{_libdir}/dovecot/dict/libdict_ldap.so
-%{_libdir}/dovecot/stats/libstats_auth.so
-%{_libdir}/dovecot/stats/libstats_mail.so
 %{_libdir}/dovecot/libdriver_sqlite.so
 %{_libdir}/dovecot/libssl_iostream_openssl.so
 %{_libdir}/dovecot/libfs_compress.so
@ -446,6 +439,8 @@ make check
 %{_libdir}/dovecot/libfs_mail_crypt.so
 %{_libdir}/dovecot/libdcrypt_openssl.so
 %{_libdir}/dovecot/lib20_var_expand_crypt.so
+%{_libdir}/dovecot/old-stats/libold_stats_mail.so
+%{_libdir}/dovecot/old-stats/libstats_auth.so

 %dir %{_libdir}/dovecot/settings

@ -511,6 +506,17 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so

 %changelog
+* Tue Nov 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-1
+- dovecot updated to 2.3.8 with pigeonhole updated to 0.5.8 (#1653117)
+
+* Thu Aug 29 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-10
+- fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
+  when scanning data in quoted strings, leading to out of bounds heap
+  memory writes (#1741788)
+
+* Fri Aug 23 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-9
+- reset errno before iterating through users (#1630410)
+
 * Mon Jun 17 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-8
 - fix CVE-2019-3814: improper certificate validation (#1674370)

@ -621,7 +627,7 @@ make check
  imap unhibernation to fail or IMAP QRESYNC/CONDSTORE extensions to
  not work perfectly.
 - mdbox: "Inconsistency in map index" wasn't fixed automatically
- dict-ldap: %variable values used in the LDAP filter weren't escaped.
+- dict-ldap: %%variable values used in the LDAP filter weren't escaped.
 - quota=count: quota_warning = -storage=.. was never executed (try #2).
 - imapc: >= 32 kB mail bodies were supposed to be cached for subsequent
  FETCHes, but weren't.