dovecot updated to 2.3.15, pigeonhole updated to 0.5.15

CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
  JWT tokens. This may be used to supply attacker controlled keys to
  validate tokens, if attacker has local access.
CVE-2021-33515: On-path attacker could have injected plaintext commands
  before STARTTLS negotiation that would be executed after STARTTLS
  finished with the client.
Add TSLv1.3 support to min_protocols.
Allow configuring ssl_cipher_suites. (for TLSv1.3+)

dovecot-2.1.10-waitonline.patch

@@ -1,11 +1,11 @@
-diff -up dovecot-2.3.0.1/dovecot.service.in.waitonline dovecot-2.3.0.1/dovecot.service.in
+diff -up dovecot-2.3.15/dovecot.service.in.waitonline dovecot-2.3.15/dovecot.service.in
---- dovecot-2.3.0.1/dovecot.service.in.waitonline	2018-03-01 10:35:39.888371078 +0100
+--- dovecot-2.3.15/dovecot.service.in.waitonline	2021-06-21 20:19:19.560494654 +0200
-+++ dovecot-2.3.0.1/dovecot.service.in	2018-03-01 10:36:29.738784661 +0100
++++ dovecot-2.3.15/dovecot.service.in	2021-06-21 20:21:17.443066248 +0200
-@@ -12,6 +12,7 @@ After=local-fs.target network-online.tar
+@@ -15,6 +15,7 @@ After=local-fs.target network-online.tar
  
  [Service]
- Type=simple
+ Type=@systemdservicetype@
 +ExecStartPre=/usr/libexec/dovecot/prestartscript
  ExecStart=@sbindir@/dovecot -F
- PIDFile=@rundir@/master.pid
  ExecReload=@bindir@/doveadm reload
+ ExecStop=@bindir@/doveadm stop

dovecot-2.2.20-initbysystemd.patch

@@ -1,6 +1,6 @@
-diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dovecot-init.service
+diff -up dovecot-2.3.15/dovecot-init.service.initbysystemd dovecot-2.3.15/dovecot-init.service
---- dovecot-2.3.0.1/dovecot-init.service.initbysystemd	2018-03-01 10:38:22.059716008 +0100
+--- dovecot-2.3.15/dovecot-init.service.initbysystemd	2021-06-21 20:21:49.250680889 +0200
-+++ dovecot-2.3.0.1/dovecot-init.service	2018-03-01 10:38:22.059716008 +0100
++++ dovecot-2.3.15/dovecot-init.service	2021-06-21 20:21:49.250680889 +0200
 @@ -0,0 +1,13 @@
 +[Unit]
 +Description=One-time Dovecot init service
@@ -15,10 +15,10 @@ diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dove
 +  SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;\
 +fi'
 +
-diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/dovecot.service.in
+diff -up dovecot-2.3.15/dovecot.service.in.initbysystemd dovecot-2.3.15/dovecot.service.in
---- dovecot-2.3.0.1/dovecot.service.in.initbysystemd	2018-03-01 10:38:22.060716016 +0100
+--- dovecot-2.3.15/dovecot.service.in.initbysystemd	2021-06-21 20:21:49.250680889 +0200
-+++ dovecot-2.3.0.1/dovecot.service.in	2018-03-01 10:40:45.524901319 +0100
++++ dovecot-2.3.15/dovecot.service.in	2021-06-21 20:22:46.935981920 +0200
-@@ -8,7 +8,8 @@
+@@ -11,7 +11,8 @@
  Description=Dovecot IMAP/POP3 email server
  Documentation=man:dovecot(1)
  Documentation=https://doc.dovecot.org/
@@ -27,20 +27,25 @@ diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/doveco
 +Requires=dovecot-init.service
  
  [Service]
- Type=simple
+ Type=@systemdservicetype@
-diff -up dovecot-2.3.0.1/Makefile.am.initbysystemd dovecot-2.3.0.1/Makefile.am
+diff -up dovecot-2.3.15/Makefile.am.initbysystemd dovecot-2.3.15/Makefile.am
---- dovecot-2.3.0.1/Makefile.am.initbysystemd	2018-02-28 15:28:57.000000000 +0100
+--- dovecot-2.3.15/Makefile.am.initbysystemd	2021-06-21 20:21:49.250680889 +0200
-+++ dovecot-2.3.0.1/Makefile.am	2018-03-01 10:38:22.060716016 +0100
++++ dovecot-2.3.15/Makefile.am	2021-06-21 20:24:26.676765849 +0200
-@@ -63,9 +63,10 @@ if HAVE_SYSTEMD
+@@ -21,6 +21,7 @@ EXTRA_DIST = \
+ 	run-test-valgrind.supp \
+ 	dovecot.service.in \
+ 	dovecot.socket \
++	dovecot-init.service \
+ 	$(conf_DATA)
  
+ noinst_DATA = dovecot-config
+@@ -69,7 +70,8 @@ dovecot-config: dovecot-config.in Makefi
+ if WANT_SYSTEMD
  systemdsystemunit_DATA = \
          dovecot.socket \
 -        dovecot.service
 +        dovecot.service \
 +        dovecot-init.service
- else
--EXTRA_DIST += dovecot.socket dovecot.service.in
-+EXTRA_DIST += dovecot.socket dovecot.service.in dovecot-init.service
  endif
  
  install-exec-hook:

dovecot-2.3.11-bigkey.patch

@@ -1,9 +1,9 @@
-diff -up dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey dovecot-2.2.36/doc/dovecot-openssl.cnf
+diff -up dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey dovecot-2.3.15/doc/dovecot-openssl.cnf
---- dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey	2017-06-23 13:18:28.000000000 +0200
+--- dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey	2021-06-21 20:24:51.913456628 +0200
-+++ dovecot-2.2.36/doc/dovecot-openssl.cnf	2018-10-16 17:15:35.836205498 +0200
++++ dovecot-2.3.15/doc/dovecot-openssl.cnf	2021-06-21 20:25:36.352912123 +0200
 @@ -1,5 +1,5 @@
  [ req ]
--default_bits = 1024
+-default_bits = 2048
 +default_bits = 3072
  encrypt_key = yes
  distinguished_name = req_dn

dovecot-2.3.15-fixvalcond.patch

@@ -0,0 +1,24 @@
+diff -up dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c
+--- dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond	2021-06-21 23:07:55.269814896 +0200
++++ dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c	2021-06-21 23:07:55.298814544 +0200
+@@ -109,7 +109,7 @@ static int sieve_dict_script_get_stream
+ {
+ 	struct sieve_dict_script *dscript =
+ 		(struct sieve_dict_script *)script;
+-	const char *path, *name = script->name, *data, *error;
++	const char *path, *name = script->name, *data, *error = NULL;
+ 	int ret;
+ 
+ 	dscript->data_pool =
+diff -up dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.15/src/lib-storage/index/index-attribute.c
+--- dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond	2021-06-14 15:40:37.000000000 +0200
++++ dovecot-2.3.15/src/lib-storage/index/index-attribute.c	2021-06-21 21:52:22.963171229 +0200
+@@ -249,7 +249,7 @@ int index_storage_attribute_get(struct m
+ 				struct mail_attribute_value *value_r)
+ {
+ 	struct dict *dict;
+-	const char *mailbox_prefix, *error;
++	const char *mailbox_prefix, *error = NULL;
+ 	int ret;
+ 
+ 	i_zero(value_r);

dovecot-2.3.15-valbasherr.patch

@@ -0,0 +1,20 @@
+diff -up dovecot-2.3.15/run-test-valgrind.supp.valbasherr dovecot-2.3.15/run-test-valgrind.supp
+--- dovecot-2.3.15/run-test-valgrind.supp.valbasherr	2021-06-21 22:52:53.272707239 +0200
++++ dovecot-2.3.15/run-test-valgrind.supp	2021-06-21 22:54:19.786668430 +0200
+@@ -1,4 +1,16 @@
+ {
++   <bashagin>
++   Memcheck:Leak
++   match-leak-kinds: definite
++   fun:malloc
++   fun:make_if_command
++   fun:yyparse
++   fun:parse_command
++   fun:read_command
++   fun:reader_loop
++   fun:main
++}
++{
+    <bash>
+    Memcheck:Leak
+    fun:malloc

dovecot.spec

@@ -3,9 +3,9 @@
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.14
+Version: 2.3.15
 %global prever %{nil}
-Release: 4%{?dist}
+Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
 
@@ -13,7 +13,7 @@ URL: http://www.dovecot.org/
 Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
-%global pigeonholever 0.5.14
+%global pigeonholever 0.5.15
 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd
@@ -38,6 +38,8 @@ Patch15: dovecot-2.3.11-bigkey.patch
 # not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces
 # hard to break circular dependency between lib and lib-dcrypt
 Patch16: dovecot-2.3.6-opensslhmac.patch
+Patch17: dovecot-2.3.15-fixvalcond.patch
+Patch18: dovecot-2.3.15-valbasherr.patch
 
 Source15: prestartscript
 
@@ -127,6 +129,11 @@ This package provides the development files for dovecot.
 %patch9 -p1 -b .systemd_w_protectsystem
 %patch15 -p1 -b .bigkey
 %patch16 -p1 -b .opensslhmac
+%patch17 -p1 -b .fixvalcond
+%patch18 -p1 -b .valbasherr
+cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/
+# valgrind would fail with shell wrapper
+echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude
 
 #pushd dovecot-2*3-pigeonhole-%{pigeonholever}
 #popd
@@ -449,6 +456,17 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 
 %changelog
+* Mon Jun 21 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.15-1
+- dovecot updated to 2.3.15, pigeonhole updated to 0.5.15
+- CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
+  JWT tokens. This may be used to supply attacker controlled keys to
+  validate tokens, if attacker has local access.
+- CVE-2021-33515: On-path attacker could have injected plaintext commands
+  before STARTTLS negotiation that would be executed after STARTTLS
+  finished with the client.
+- Add TSLv1.3 support to min_protocols.
+- Allow configuring ssl_cipher_suites. (for TLSv1.3+)
+
 * Wed May 19 2021 Pete Walter <pwalter@fedoraproject.org> - 1:2.3.14-4
 - Rebuild for ICU 69
 

sources

@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.14.tar.gz) = 69df234cb739c7ee7ae3acfb9756bc22481e94c95463d32bfac315c7ec4b1ba0dfbff552b769f2ab7ee554087ca2ebbe331aa008d3af26417016612dc7cad103
+SHA512 (dovecot-2.3.15.tar.gz) = 75bbdbeac663da109f78dba06c42bb5193e911c6b3c64f055fc4473ae9afaf0c8304c49fc7f06c5c6b61e67dd13dc21fbed6ff160a99f38f547c88ba05e6b03a
-SHA512 (dovecot-2.3-pigeonhole-0.5.14.tar.gz) = c5d5d309769eabe2c0971646d0c14d166b6b524acf59e1069eca803f764544fa2535c09c9a630ca706aa70442b688ee26af831d29e674823bac7ea7c0e1f33cc
+SHA512 (dovecot-2.3-pigeonhole-0.5.15.tar.gz) = 521070080802bf2a50cd0ff0af5dc991c04d70b807abc2cd9aa567444a4869f5f42800f19d9b740a519bd4069437139e70ca6ae4b905479fcec8faa133ac5f54