dovecot updated to 2.3.15, pigeonhole updated to 0.5.15

CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens, if attacker has local access (#1979833) CVE-2021-33515: On-path attacker could have injected plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client Add TSLv1.3 support to min_protocols. Resolves: #1979833
2021-07-21 11:29:52 +02:00 · 2021-07-21 11:29:52 +02:00 · 91c7c1a6c5
parent 1e547c27d1
commit 91c7c1a6c5
5 changed files with 66 additions and 36 deletions
--- a/dovecot-2.1.10-waitonline.patch
+++ b/dovecot-2.1.10-waitonline.patch
@ -1,11 +1,11 @@
-diff -up dovecot-2.3.0.1/dovecot.service.in.waitonline dovecot-2.3.0.1/dovecot.service.in
--- dovecot-2.3.0.1/dovecot.service.in.waitonline	2018-03-01 10:35:39.888371078 +0100
-+++ dovecot-2.3.0.1/dovecot.service.in	2018-03-01 10:36:29.738784661 +0100
-@@ -12,6 +12,7 @@ After=local-fs.target network-online.tar
+diff -up dovecot-2.3.15/dovecot.service.in.waitonline dovecot-2.3.15/dovecot.service.in
+--- dovecot-2.3.15/dovecot.service.in.waitonline	2021-06-21 20:19:19.560494654 +0200
+++ dovecot-2.3.15/dovecot.service.in	2021-06-21 20:21:17.443066248 +0200
+@@ -15,6 +15,7 @@ After=local-fs.target network-online.tar
 
 [Service]
- Type=simple
+ Type=@systemdservicetype@
 +ExecStartPre=/usr/libexec/dovecot/prestartscript
 ExecStart=@sbindir@/dovecot -F
- PIDFile=@rundir@/master.pid
 ExecReload=@bindir@/doveadm reload
+ ExecStop=@bindir@/doveadm stop
--- a/dovecot-2.2.20-initbysystemd.patch
+++ b/dovecot-2.2.20-initbysystemd.patch
@ -1,6 +1,6 @@
-diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dovecot-init.service
--- dovecot-2.3.0.1/dovecot-init.service.initbysystemd	2018-03-01 10:38:22.059716008 +0100
-+++ dovecot-2.3.0.1/dovecot-init.service	2018-03-01 10:38:22.059716008 +0100
+diff -up dovecot-2.3.15/dovecot-init.service.initbysystemd dovecot-2.3.15/dovecot-init.service
+--- dovecot-2.3.15/dovecot-init.service.initbysystemd	2021-06-21 20:21:49.250680889 +0200
+++ dovecot-2.3.15/dovecot-init.service	2021-06-21 20:21:49.250680889 +0200
@@ -0,0 +1,13 @@
 +[Unit]
 +Description=One-time Dovecot init service
@ -15,10 +15,10 @@ diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dove
 +  SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;\
 +fi'
 +
-diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/dovecot.service.in
--- dovecot-2.3.0.1/dovecot.service.in.initbysystemd	2018-03-01 10:38:22.060716016 +0100
-+++ dovecot-2.3.0.1/dovecot.service.in	2018-03-01 10:40:45.524901319 +0100
-@@ -8,7 +8,8 @@
+diff -up dovecot-2.3.15/dovecot.service.in.initbysystemd dovecot-2.3.15/dovecot.service.in
+--- dovecot-2.3.15/dovecot.service.in.initbysystemd	2021-06-21 20:21:49.250680889 +0200
+++ dovecot-2.3.15/dovecot.service.in	2021-06-21 20:22:46.935981920 +0200
+@@ -11,7 +11,8 @@
 Description=Dovecot IMAP/POP3 email server
 Documentation=man:dovecot(1)
 Documentation=https://doc.dovecot.org/
@ -27,20 +27,25 @@ diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/doveco
 +Requires=dovecot-init.service
 
 [Service]
- Type=simple
-diff -up dovecot-2.3.0.1/Makefile.am.initbysystemd dovecot-2.3.0.1/Makefile.am
--- dovecot-2.3.0.1/Makefile.am.initbysystemd	2018-02-28 15:28:57.000000000 +0100
-+++ dovecot-2.3.0.1/Makefile.am	2018-03-01 10:38:22.060716016 +0100
-@@ -63,9 +63,10 @@ if HAVE_SYSTEMD
+ Type=@systemdservicetype@
+diff -up dovecot-2.3.15/Makefile.am.initbysystemd dovecot-2.3.15/Makefile.am
+--- dovecot-2.3.15/Makefile.am.initbysystemd	2021-06-21 20:21:49.250680889 +0200
+++ dovecot-2.3.15/Makefile.am	2021-06-21 20:24:26.676765849 +0200
+@@ -21,6 +21,7 @@ EXTRA_DIST = \
+ 	run-test-valgrind.supp \
+ 	dovecot.service.in \
+ 	dovecot.socket \
+	dovecot-init.service \
+ 	$(conf_DATA)
 
+ noinst_DATA = dovecot-config
+@@ -69,7 +70,8 @@ dovecot-config: dovecot-config.in Makefi
+ if WANT_SYSTEMD
 systemdsystemunit_DATA = \
         dovecot.socket \
 -        dovecot.service
 +        dovecot.service \
 +        dovecot-init.service
- else
-EXTRA_DIST += dovecot.socket dovecot.service.in
-+EXTRA_DIST += dovecot.socket dovecot.service.in dovecot-init.service
 endif
 
 install-exec-hook:
--- a/dovecot-2.3.11-bigkey.patch
+++ b/dovecot-2.3.11-bigkey.patch
@ -1,9 +1,9 @@
-diff -up dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey dovecot-2.2.36/doc/dovecot-openssl.cnf
--- dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey	2017-06-23 13:18:28.000000000 +0200
-+++ dovecot-2.2.36/doc/dovecot-openssl.cnf	2018-10-16 17:15:35.836205498 +0200
+diff -up dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey dovecot-2.3.15/doc/dovecot-openssl.cnf
+--- dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey	2021-06-21 20:24:51.913456628 +0200
+++ dovecot-2.3.15/doc/dovecot-openssl.cnf	2021-06-21 20:25:36.352912123 +0200
@@ -1,5 +1,5 @@
 [ req ]
-default_bits = 1024
+-default_bits = 2048
 +default_bits = 3072
 encrypt_key = yes
 distinguished_name = req_dn
--- a/dovecot.spec
+++ b/dovecot.spec
@ -1,20 +1,25 @@
 %global __provides_exclude_from %{_docdir}
 %global __requires_exclude_from %{_docdir}
+
+## FIXME: lto and annobin breaks build atm, retest after 2021-08
+#%global _lto_cflags %nil
+#%undefine _annotated_build
+
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.14
+Version: 2.3.15
 %global prever %{nil}
-Release: 5%{?dist}
+Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2

-URL: http://www.dovecot.org/
-Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
+URL: https://www.dovecot.org/
+Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
-%global pigeonholever 0.5.14
-Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
+%global pigeonholever 0.5.15
+Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd

@ -38,8 +43,12 @@ Patch15: dovecot-2.3.11-bigkey.patch
 # not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces
 # hard to break circular dependency between lib and lib-dcrypt
 Patch16: dovecot-2.3.6-opensslhmac.patch
+
 Patch17: dovecot-2.3.14-opensslv3.patch
-Patch18: dovecot-2.3.8-blockcount.patch
+
+# FTBFS
+Patch18: dovecot-2.3.15-fixvalcond.patch
+Patch19: dovecot-2.3.15-valbasherr.patch

 Source15: prestartscript

@ -62,6 +71,8 @@ BuildRequires: libicu-devel
 BuildRequires: libexttextcat-devel
 BuildRequires: libstemmer-devel
 BuildRequires: multilib-rpm-config
+BuildRequires: flex, bison
+BuildRequires: systemd-devel

 # gettext-devel is needed for running autoconf because of the
 # presence of AM_ICONV
@ -130,7 +141,11 @@ This package provides the development files for dovecot.
 %patch15 -p1 -b .bigkey
 %patch16 -p1 -b .opensslhmac
 %patch17 -p1 -b .opensslv3
-%patch18 -p1 -b .blockcount
+%patch18 -p1 -b .fixvalcond
+%patch19 -p1 -b .valbasherr
+cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/
+# valgrind would fail with shell wrapper
+echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude

 #pushd dovecot-2*3-pigeonhole-%{pigeonholever}
 #popd
@ -149,6 +164,7 @@ autoreconf -I . -fiv #required for aarch64 support
 %configure                       \
    INSTALL_DATA="install -c -p -m644" \
    --with-rundir=%{_rundir}/%{name}   \
+    --with-systemd               \
    --docdir=%{_docdir}/%{name}  \
    --disable-static             \
    --disable-rpath              \
@ -171,7 +187,6 @@ autoreconf -I . -fiv #required for aarch64 support
    --with-solr                  \
    --with-systemdsystemunitdir=%{_unitdir}  \
    --with-docs
-
 sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf

 %make_build
@ -456,6 +471,16 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so

 %changelog
+* Wed Jul 21 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.15-1
+- dovecot updated to 2.3.15, pigeonhole updated to 0.5.15
+- CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
+  JWT tokens. This may be used to supply attacker controlled keys to
+  validate tokens, if attacker has local access (#1979833)
+- CVE-2021-33515: On-path attacker could have injected plaintext commands
+  before STARTTLS negotiation that would be executed after STARTTLS
+  finished with the client
+- Add TSLv1.3 support to min_protocols.
+
 * Wed Jul 14 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-5
 - fix mail storage block count parsing (#1974281)

--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.14.tar.gz) = 69df234cb739c7ee7ae3acfb9756bc22481e94c95463d32bfac315c7ec4b1ba0dfbff552b769f2ab7ee554087ca2ebbe331aa008d3af26417016612dc7cad103
-SHA512 (dovecot-2.3-pigeonhole-0.5.14.tar.gz) = c5d5d309769eabe2c0971646d0c14d166b6b524acf59e1069eca803f764544fa2535c09c9a630ca706aa70442b688ee26af831d29e674823bac7ea7c0e1f33cc
+SHA512 (dovecot-2.3.15.tar.gz) = 75bbdbeac663da109f78dba06c42bb5193e911c6b3c64f055fc4473ae9afaf0c8304c49fc7f06c5c6b61e67dd13dc21fbed6ff160a99f38f547c88ba05e6b03a
+SHA512 (dovecot-2.3-pigeonhole-0.5.15.tar.gz) = 521070080802bf2a50cd0ff0af5dc991c04d70b807abc2cd9aa567444a4869f5f42800f19d9b740a519bd4069437139e70ca6ae4b905479fcec8faa133ac5f54