diff --git a/dovecot-2.3.11.3-ftbfs1.patch b/dovecot-2.3.11.3-ftbfs1.patch deleted file mode 100644 index 42059ad..0000000 --- a/dovecot-2.3.11.3-ftbfs1.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/src/auth/test-mech.c b/src/auth/test-mech.c -index cf05370035..0a030a2be0 100644 ---- a/src/auth/test-mech.c -+++ b/src/auth/test-mech.c -@@ -196,8 +196,8 @@ test_mech_construct_apop_challenge(unsigned int connect_uid, unsigned long *len_ - { - string_t *apop_challenge = t_str_new(128); - -- str_printfa(apop_challenge,"<%lx.%u.%"PRIdTIME_T"", (unsigned long) getpid(), -- connect_uid, process_start_time+10); -+ str_printfa(apop_challenge,"<%lx.%lx.%"PRIxTIME_T".", (unsigned long)getpid(), -+ (unsigned long)connect_uid, process_start_time+10); - str_append_data(apop_challenge, "\0testuser\0responseoflen16-", 26); - *len_r = apop_challenge->used; - return apop_challenge->data; diff --git a/dovecot-2.3.11.3-ftbfs2.patch b/dovecot-2.3.11.3-ftbfs2.patch deleted file mode 100644 index 107a4cd..0000000 --- a/dovecot-2.3.11.3-ftbfs2.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff --git a/src/auth/test-mech.c b/src/auth/test-mech.c -index 0a030a2be0..0a22ff46d0 100644 ---- a/src/auth/test-mech.c -+++ b/src/auth/test-mech.c -@@ -192,7 +192,7 @@ static void test_mech_handle_challenge(struct auth_request *request, - } - - static inline const unsigned char * --test_mech_construct_apop_challenge(unsigned int connect_uid, unsigned long *len_r) -+test_mech_construct_apop_challenge(unsigned int connect_uid, size_t *len_r) - { - string_t *apop_challenge = t_str_new(128); - -@@ -323,7 +323,7 @@ static void test_mechs(void) - struct test_case *test_case = &tests[running_test]; - const struct mech_module *mech = test_case->mech; - struct auth_request *request; -- const char *testname = t_strdup_printf("auth mech %s %d/%lu", -+ const char *testname = t_strdup_printf("auth mech %s %d/%zu", - mech->mech_name, - running_test+1, - N_ELEMENTS(tests)); diff --git a/dovecot-2.3.11.3-gssapi.patch b/dovecot-2.3.11.3-gssapi.patch deleted file mode 100644 index 18f6c45..0000000 --- a/dovecot-2.3.11.3-gssapi.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/src/auth/mech-gssapi.c b/src/auth/mech-gssapi.c -index f29e48da88..966273d388 100644 ---- a/src/auth/mech-gssapi.c -+++ b/src/auth/mech-gssapi.c -@@ -735,7 +735,7 @@ mech_gssapi_auth_free(struct auth_request *request) - const struct mech_module mech_gssapi = { - "GSSAPI", - -- .flags = 0, -+ .flags = MECH_SEC_ALLOW_NULS, - .passdb_need = MECH_PASSDB_NEED_NOTHING, - - mech_gssapi_auth_new, diff --git a/dovecot-2.3.13-bigtvsec.patch b/dovecot-2.3.13-bigtvsec.patch new file mode 100644 index 0000000..3bd7ce6 --- /dev/null +++ b/dovecot-2.3.13-bigtvsec.patch @@ -0,0 +1,36 @@ +diff -up dovecot-2.3.13/src/lib/test-time-util.c.bigtvsec dovecot-2.3.13/src/lib/test-time-util.c +--- dovecot-2.3.13/src/lib/test-time-util.c.bigtvsec 2021-01-06 11:27:06.793315308 +0100 ++++ dovecot-2.3.13/src/lib/test-time-util.c 2021-01-06 11:27:06.815315088 +0100 +@@ -358,7 +358,7 @@ static void test_str_to_timeval(void) + { + struct { + const char *str; +- unsigned int tv_sec, tv_usec; ++ long int tv_sec, tv_usec; + } tests[] = { + { "0", 0, 0 }, + { "0.0", 0, 0 }, +diff -up dovecot-2.3.13/src/lib/time-util.c.bigtvsec dovecot-2.3.13/src/lib/time-util.c +--- dovecot-2.3.13/src/lib/time-util.c.bigtvsec 2021-01-06 11:10:49.791094852 +0100 ++++ dovecot-2.3.13/src/lib/time-util.c 2021-01-06 11:10:08.255501319 +0100 +@@ -43,16 +43,16 @@ int timeval_cmp_margin(const struct time + + if (tv1->tv_sec < tv2->tv_sec) { + sec_margin = ((int)usec_margin / 1000000) + 1; +- if ((tv2->tv_sec - tv1->tv_sec) > sec_margin) ++ if (((long long)tv2->tv_sec - tv1->tv_sec) > sec_margin) + return -1; +- usecs_diff = (tv2->tv_sec - tv1->tv_sec) * 1000000LL + ++ usecs_diff = ((long long)tv2->tv_sec - tv1->tv_sec) * 1000000LL + + (tv2->tv_usec - tv1->tv_usec); + ret = -1; + } else if (tv1->tv_sec > tv2->tv_sec) { + sec_margin = ((int)usec_margin / 1000000) + 1; +- if ((tv1->tv_sec - tv2->tv_sec) > sec_margin) ++ if (((long long)tv1->tv_sec - tv2->tv_sec) > sec_margin) + return 1; +- usecs_diff = (tv1->tv_sec - tv2->tv_sec) * 1000000LL + ++ usecs_diff = ((long long)tv1->tv_sec - tv2->tv_sec) * 1000000LL + + (tv1->tv_usec - tv2->tv_usec); + ret = 1; + } else if (tv1->tv_usec < tv2->tv_usec) { diff --git a/dovecot.spec b/dovecot.spec index dac9610..20e110d 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -3,9 +3,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.3.11.3 +Version: 2.3.13 %global prever %{nil} -Release: 7%{?dist} +Release: %{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -13,7 +13,7 @@ URL: http://www.dovecot.org/ Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.5.11 +%global pigeonholever 0.5.13 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd @@ -32,10 +32,8 @@ Patch6: dovecot-2.1.10-waitonline.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch10: dovecot-2.3.0.1-libxcrypt.patch -Patch12: dovecot-2.3.11.3-ftbfs1.patch -Patch13: dovecot-2.3.11.3-ftbfs2.patch -Patch14: dovecot-2.3.11.3-gssapi.patch Patch15: dovecot-2.3.11-bigkey.patch +Patch16: dovecot-2.3.13-bigtvsec.patch Source15: prestartscript @@ -121,10 +119,11 @@ This package provides the development files for dovecot. %patch8 -p1 -b .initbysystemd %patch9 -p1 -b .systemd_w_protectsystem #%patch10 -p1 -b .libxcrypt -%patch12 -p1 -b .ftbfs1 -%patch13 -p1 -b .ftbfs2 -%patch14 -p1 -b .gssapi +#patch12 -p1 -b .ftbfs1 +#patch13 -p1 -b .ftbfs2 +#patch14 -p1 -b .gssapi %patch15 -p1 -b .bigkey +%patch16 -p1 -b .bigtvsec #pushd dovecot-2*3-pigeonhole-%{pigeonholever} #popd @@ -346,7 +345,6 @@ make check %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-sql.conf.ext %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-static.conf.ext %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-system.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-vpopmail.conf.ext %config(noreplace) %{_sysconfdir}/pam.d/dovecot %config(noreplace) %{ssldir}/dovecot-openssl.cnf @@ -449,6 +447,20 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Mon Jan 04 2021 Michal Hlavinka - 1: +- dovecot updated to 2.3.13, pigeonhole to 0.5.13 +- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to + allow logged in user to access other people's emails and filesystem + information. +- Metric filter and global event filter variable syntax changed to a + SQL-like format. +- auth: Added new aliases for %{variables}. Usage of the old ones is + possible, but discouraged. +- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth + mechanism and related password schemes. +- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail. +- auth: Removed postfix postmap socket + * Wed Oct 21 2020 Michal Hlavinka - 1:2.3.11.3-7 - change run directory from /var/run to /run (#1777922) diff --git a/sources b/sources index a256f67..a3e1632 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (dovecot-2.3.11.3.tar.gz) = d83e52a7faab918a8e6f6257acc5936b81733c10489affd042c3a043cb842db060286cba9978be378e4958e9ac2e60b55ce289d7f3a88df08e7637e4785e23bb -SHA512 (dovecot-2.3-pigeonhole-0.5.11.tar.gz) = 793d93edc50192c52654e2f7244d3e01aaa4e69f786e3ecfcd658a4ab26a5099cc5319cb93221150db4ce94bc4515ffb38115b1d0eeb6e052b956efec680b33d +SHA512 (dovecot-2.3.13.tar.gz) = 758a169fba8925637ed18fa7522a6f06c9fe01a1707b1ca0d0a4d8757c578a8e117c91733e8314403839f9a484bbcac71ce3532c82379eb583b480756d556a95 +SHA512 (dovecot-2.3-pigeonhole-0.5.13.tar.gz) = fcbc13d71af4e6dd4e34192484e203d755e5015da76a4774b11a79182b2baad36cab5a471346093111ace36a7775dfe8294555f8b777786dde386820b3ec5cd3