dovecot updated to 2.3.13, pigeonhole to 0.5.13

CVE-2020-24386: Specially crafted command can cause IMAP hibernate to allow logged in user to access other people's emails and filesystem information. Metric filter and global event filter variable syntax changed to a SQL-like format. auth: Added new aliases for %{variables}. Usage of the old ones is possible, but discouraged. auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth mechanism and related password schemes. auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail. auth: Removed postfix postmap socket
2021-01-04 19:46:26 +01:00 · 2021-01-04 19:46:26 +01:00 · f8f94ccbdf
commit f8f94ccbdf
parent 5e0f363767
5 changed files with 22 additions and 62 deletions
--- a/dovecot-2.3.11.3-ftbfs1.patch
+++ b/dovecot-2.3.11.3-ftbfs1.patch
@ -1,15 +0,0 @@
-diff --git a/src/auth/test-mech.c b/src/auth/test-mech.c
-index cf05370035..0a030a2be0 100644
--- a/src/auth/test-mech.c
-+++ b/src/auth/test-mech.c
-@@ -196,8 +196,8 @@ test_mech_construct_apop_challenge(unsigned int connect_uid, unsigned long *len_
- {
- 	string_t *apop_challenge = t_str_new(128);
- 
-	str_printfa(apop_challenge,"<%lx.%u.%"PRIdTIME_T"", (unsigned long) getpid(),
-		    connect_uid, process_start_time+10);
-+	str_printfa(apop_challenge,"<%lx.%lx.%"PRIxTIME_T".", (unsigned long)getpid(),
-+		    (unsigned long)connect_uid, process_start_time+10);
- 	str_append_data(apop_challenge, "\0testuser\0responseoflen16-", 26);
- 	*len_r = apop_challenge->used;
- 	return apop_challenge->data;
--- a/dovecot-2.3.11.3-ftbfs2.patch
+++ b/dovecot-2.3.11.3-ftbfs2.patch
@ -1,22 +0,0 @@
-diff --git a/src/auth/test-mech.c b/src/auth/test-mech.c
-index 0a030a2be0..0a22ff46d0 100644
--- a/src/auth/test-mech.c
-+++ b/src/auth/test-mech.c
-@@ -192,7 +192,7 @@ static void test_mech_handle_challenge(struct auth_request *request,
- }
- 
- static inline const unsigned char *
-test_mech_construct_apop_challenge(unsigned int connect_uid, unsigned long *len_r)
-+test_mech_construct_apop_challenge(unsigned int connect_uid, size_t *len_r)
- {
- 	string_t *apop_challenge = t_str_new(128);
- 
-@@ -323,7 +323,7 @@ static void test_mechs(void)
- 		struct test_case *test_case = &tests[running_test];
- 		const struct mech_module *mech = test_case->mech;
- 		struct auth_request *request;
-		const char *testname = t_strdup_printf("auth mech %s %d/%lu",
-+		const char *testname = t_strdup_printf("auth mech %s %d/%zu",
- 						       mech->mech_name,
- 						       running_test+1,
- 						       N_ELEMENTS(tests));
--- a/dovecot-2.3.11.3-gssapi.patch
+++ b/dovecot-2.3.11.3-gssapi.patch
@ -1,13 +0,0 @@
-diff --git a/src/auth/mech-gssapi.c b/src/auth/mech-gssapi.c
-index f29e48da88..966273d388 100644
--- a/src/auth/mech-gssapi.c
-+++ b/src/auth/mech-gssapi.c
-@@ -735,7 +735,7 @@ mech_gssapi_auth_free(struct auth_request *request)
- const struct mech_module mech_gssapi = {
- 	"GSSAPI",
- 
-	.flags = 0,
-+	.flags = MECH_SEC_ALLOW_NULS,
- 	.passdb_need = MECH_PASSDB_NEED_NOTHING,
- 
- 	mech_gssapi_auth_new,
--- a/dovecot.spec
+++ b/dovecot.spec
@ -3,9 +3,9 @@
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.11.3
+Version: 2.3.13
 %global prever %{nil}
-Release: 7%{?dist}
+Release: %{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2

@ -13,7 +13,7 @@ URL: http://www.dovecot.org/
 Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
-%global pigeonholever 0.5.11
+%global pigeonholever 0.5.13
 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd
@ -32,9 +32,6 @@ Patch6: dovecot-2.1.10-waitonline.patch
 Patch8: dovecot-2.2.20-initbysystemd.patch
 Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
 Patch10: dovecot-2.3.0.1-libxcrypt.patch
-Patch12: dovecot-2.3.11.3-ftbfs1.patch
-Patch13: dovecot-2.3.11.3-ftbfs2.patch
-Patch14: dovecot-2.3.11.3-gssapi.patch
 Patch15: dovecot-2.3.11-bigkey.patch

 Source15: prestartscript
@ -121,9 +118,9 @@ This package provides the development files for dovecot.
 %patch8 -p1 -b .initbysystemd
 %patch9 -p1 -b .systemd_w_protectsystem
 #%patch10 -p1 -b .libxcrypt
-%patch12 -p1 -b .ftbfs1
-%patch13 -p1 -b .ftbfs2
-%patch14 -p1 -b .gssapi
+#patch12 -p1 -b .ftbfs1
+#patch13 -p1 -b .ftbfs2
+#patch14 -p1 -b .gssapi
 %patch15 -p1 -b .bigkey

 #pushd dovecot-2*3-pigeonhole-%{pigeonholever}
@ -346,7 +343,6 @@ make check
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-sql.conf.ext
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-static.conf.ext
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-system.conf.ext
-%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-vpopmail.conf.ext

 %config(noreplace) %{_sysconfdir}/pam.d/dovecot
 %config(noreplace) %{ssldir}/dovecot-openssl.cnf
@ -449,6 +445,20 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so

 %changelog
+* Mon Jan 04 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:
+- dovecot updated to 2.3.13, pigeonhole to 0.5.13
+- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
+  allow logged in user to access other people's emails and filesystem
+  information.
+- Metric filter and global event filter variable syntax changed to a
+  SQL-like format. 
+- auth: Added new aliases for %{variables}. Usage of the old ones is
+  possible, but discouraged.
+- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth
+  mechanism and related password schemes.
+- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
+- auth: Removed postfix postmap socket
+
 * Wed Oct 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-7
 - change run directory from /var/run to /run (#1777922)

--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.11.3.tar.gz) = d83e52a7faab918a8e6f6257acc5936b81733c10489affd042c3a043cb842db060286cba9978be378e4958e9ac2e60b55ce289d7f3a88df08e7637e4785e23bb
-SHA512 (dovecot-2.3-pigeonhole-0.5.11.tar.gz) = 793d93edc50192c52654e2f7244d3e01aaa4e69f786e3ecfcd658a4ab26a5099cc5319cb93221150db4ce94bc4515ffb38115b1d0eeb6e052b956efec680b33d
+SHA512 (dovecot-2.3.13.tar.gz) = 758a169fba8925637ed18fa7522a6f06c9fe01a1707b1ca0d0a4d8757c578a8e117c91733e8314403839f9a484bbcac71ce3532c82379eb583b480756d556a95
+SHA512 (dovecot-2.3-pigeonhole-0.5.13.tar.gz) = fcbc13d71af4e6dd4e34192484e203d755e5015da76a4774b11a79182b2baad36cab5a471346093111ace36a7775dfe8294555f8b777786dde386820b3ec5cd3