diff --git a/CVE-2019-10691.patch b/CVE-2019-10691.patch deleted file mode 100644 index 01ccbf826b1dc3d12cb93373d7a65d5130b74242..0000000000000000000000000000000000000000 --- a/CVE-2019-10691.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 973769d74433de3c56c4ffdf4f343cb35d98e4f7 Mon Sep 17 00:00:00 2001 -From: Aki Tuomi -Date: Tue, 2 Apr 2019 13:09:48 +0300 -Subject: [PATCH] lib: json - Escape invalid UTF-8 as unicode bytes - -This prevents dovecot from crashing if invalid UTF-8 input -is given. ---- - src/lib/json-parser.c | 12 ++++++++---- - src/lib/test-json-parser.c | 8 ++++---- - 2 files changed, 12 insertions(+), 8 deletions(-) - -diff --git a/src/lib/json-parser.c b/src/lib/json-parser.c -index 677091d649..e7846a329f 100644 ---- a/src/lib/json-parser.c -+++ b/src/lib/json-parser.c -@@ -803,9 +803,13 @@ void json_append_escaped_data(string_t *dest, const unsigned char *src, size_t s - - for (i = 0; i < size;) { - bytes = uni_utf8_get_char_n(src+i, size-i, &chr); -- /* refuse to add invalid data */ -- i_assert(bytes > 0 && uni_is_valid_ucs4(chr)); -- json_append_escaped_ucs4(dest, chr); -- i += bytes; -+ if (bytes > 0 && uni_is_valid_ucs4(chr)) { -+ json_append_escaped_ucs4(dest, chr); -+ i += bytes; -+ } else { -+ str_append_data(dest, UNICODE_REPLACEMENT_CHAR_UTF8, -+ UTF8_REPLACEMENT_CHAR_LEN); -+ i++; -+ } - } - } -diff --git a/src/lib/test-json-parser.c b/src/lib/test-json-parser.c -index bae6fb202b..9ce1e489ba 100644 ---- a/src/lib/test-json-parser.c -+++ b/src/lib/test-json-parser.c -@@ -267,20 +267,20 @@ static void test_json_append_escaped(void) - string_t *str = t_str_new(32); - - test_begin("json_append_escaped()"); -- json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7"); -- test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0); -+ json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff"); -+ test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0); - test_end(); - } - - static void test_json_append_escaped_data(void) - { - static const unsigned char test_input[] = -- 
"\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7"; -+ "\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff"; - string_t *str = t_str_new(32); - - test_begin("json_append_escaped()"); - json_append_escaped_data(str, test_input, sizeof(test_input)-1); -- test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0); -+ test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0); - test_end(); - } diff --git a/CVE-2019-11494-1.patch b/CVE-2019-11494-1.patch deleted file mode 100644 index a74ff16e9ab5a74b277c1b2378fffa6259248ed2..0000000000000000000000000000000000000000 --- a/CVE-2019-11494-1.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From e9d60648abb9bbceff89882a5309cb9532e702e9 Mon Sep 17 00:00:00 2001 -From: Stephan Bosch -Date: Thu, 25 Apr 2019 09:51:32 +0200 -Subject: [PATCH 3/3] lib-smtp: smtp-server-cmd-auth - Fix AUTH response error - handling so that it stops reading more input. - -Otherwise, it may try to read more data from the stream as the next AUTH -response, which causes an assert crash in the command parser later on. Even when -the parser finds no input from the stream, it will advance its state -towards AUTH response parsing, which is a problem when the next command is -subsequently being parsed. - -Panic was: - -Panic: file smtp-command-parser.c: line 438 (smtp_command_parse_next): assertion failed: (!parser->auth_response || parser->state.state == SMTP_COMMAND_PARSE_STATE_INIT || parser->state.state == SMTP_COMMAND_PARSE_STATE_ERROR) ---- - src/lib-smtp/smtp-server-cmd-auth.c | 1 + - 1 file changed, 1 insertion(+) - -Index: dovecot-2.3.4.1/src/lib-smtp/smtp-server-cmd-auth.c -=================================================================== ---- dovecot-2.3.4.1.orig/src/lib-smtp/smtp-server-cmd-auth.c 2019-04-29 07:39:15.045289307 -0400 -+++ dovecot-2.3.4.1/src/lib-smtp/smtp-server-cmd-auth.c 2019-04-29 07:39:15.037289277 -0400 -@@ -97,6 +97,7 @@ static void cmd_auth_input(struct smtp_s - smtp_server_connection_debug(conn, - "Client sent invalid AUTH response: %s", error); - -+ smtp_server_command_input_lock(cmd); - switch (error_code) { - case SMTP_COMMAND_PARSE_ERROR_BROKEN_COMMAND: - conn->input_broken = TRUE; diff --git a/CVE-2019-11494-2.patch b/CVE-2019-11494-2.patch deleted file mode 100644 index ba79ce298a2735452c328f606876b9f9336204c2..0000000000000000000000000000000000000000 --- a/CVE-2019-11494-2.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From f79745dae4a9a5fca33320e03a4fc9064b88d01e Mon Sep 17 00:00:00 2001 -From: Stephan Bosch -Date: Tue, 12 Mar 2019 03:18:33 +0100 -Subject: [PATCH 2/3] submission-login: client-authenticate - Fix crash - occurring when client disconnects during authentication. - ---- - src/submission-login/client-authenticate.c | 3 +++ - src/submission-login/client.c | 1 + - 2 files changed, 4 insertions(+) - -Index: dovecot-2.3.4.1/src/submission-login/client-authenticate.c -=================================================================== ---- dovecot-2.3.4.1.orig/src/submission-login/client-authenticate.c 2019-04-29 07:39:05.705254949 -0400 -+++ dovecot-2.3.4.1/src/submission-login/client-authenticate.c 2019-04-29 07:39:05.705254949 -0400 -@@ -89,6 +89,9 @@ void submission_client_auth_result(struc - container_of(client, struct submission_client, common); - struct smtp_server_cmd_ctx *cmd = subm_client->pending_auth; - -+ if (subm_client->conn == NULL) -+ return; -+ - subm_client->pending_auth = NULL; - i_assert(cmd != NULL); - -Index: dovecot-2.3.4.1/src/submission-login/client.c -=================================================================== ---- dovecot-2.3.4.1.orig/src/submission-login/client.c 2019-04-29 07:39:05.705254949 -0400 -+++ dovecot-2.3.4.1/src/submission-login/client.c 2019-04-29 07:39:05.705254949 -0400 -@@ -176,6 +176,7 @@ static void client_connection_disconnect - { - struct submission_client *client = context; - -+ client->pending_auth = NULL; - client_disconnect(&client->common, reason); - } - diff --git a/CVE-2019-11499.patch b/CVE-2019-11499.patch deleted file mode 100644 index e10d43eef857ac03426cc687e8a419ecaa0f5b0d..0000000000000000000000000000000000000000 --- a/CVE-2019-11499.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -From 754f791dd26313de8d75b740bddd1a192f11bf3f Mon Sep 17 00:00:00 2001 -From: Stephan Bosch -Date: Tue, 23 Apr 2019 00:13:46 +0200 -Subject: [PATCH 1/3] submission-login: Remove unused client->pending_starttls. - ---- - src/submission-login/client.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: dovecot-2.3.4.1/src/submission-login/client.h -=================================================================== ---- dovecot-2.3.4.1.orig/src/submission-login/client.h 2019-04-29 07:38:39.541158696 -0400 -+++ dovecot-2.3.4.1/src/submission-login/client.h 2019-04-29 07:38:39.537158682 -0400 -@@ -22,7 +22,7 @@ struct submission_client { - const struct submission_login_settings *set; - - struct smtp_server_connection *conn; -- struct smtp_server_cmd_ctx *pending_auth, *pending_starttls; -+ struct smtp_server_cmd_ctx *pending_auth; - - enum submission_proxy_state proxy_state; - enum smtp_capability proxy_capability; diff --git a/CVE-2019-3814-1.patch b/CVE-2019-3814-1.patch deleted file mode 100644 index fbcb8b5f0d32da90a6642a451ed2b69f57465480..0000000000000000000000000000000000000000 --- a/CVE-2019-3814-1.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -From d21218b416c7f26cb42a491bbd04bcd0d6a65b51 Mon Sep 17 00:00:00 2001 -From: Aki Tuomi -Date: Wed, 16 Jan 2019 18:28:57 +0200 -Subject: [PATCH 1/3] auth: Do not import empty certificate username - ---- - src/auth/auth-request.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: dovecot-2.3.2.1/src/auth/auth-request.c -=================================================================== ---- dovecot-2.3.2.1.orig/src/auth/auth-request.c 2019-01-28 08:49:08.117668002 -0500 -+++ dovecot-2.3.2.1/src/auth/auth-request.c 2019-01-28 08:49:08.113667992 -0500 -@@ -454,7 +454,7 @@ bool auth_request_import_auth(struct aut - else if (strcmp(key, "valid-client-cert") == 0) - request->valid_client_cert = TRUE; - else if (strcmp(key, "cert_username") == 0) { -- if (request->set->ssl_username_from_cert) { -+ if (request->set->ssl_username_from_cert && *value != '\0') { - /* get username from SSL certificate. it overrides - the username given by the auth mechanism. */ - request->user = p_strdup(request->pool, value); diff --git a/CVE-2019-3814-2.patch b/CVE-2019-3814-2.patch deleted file mode 100644 index a871535b414c718021335c4b54fd427a339565d4..0000000000000000000000000000000000000000 --- a/CVE-2019-3814-2.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 1a6d921b831af5228e8ad493a88bc46bdb30ca4b Mon Sep 17 00:00:00 2001 -From: Aki Tuomi -Date: Wed, 16 Jan 2019 18:24:20 +0200 -Subject: [PATCH 2/3] auth: Fail authentication if certificate username was - unexpectedly missing - ---- - src/auth/auth-request-handler.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/auth/auth-request-handler.c b/src/auth/auth-request-handler.c -index ae7b458c9..318f15031 100644 ---- a/src/auth/auth-request-handler.c -+++ b/src/auth/auth-request-handler.c -@@ -581,6 +581,14 @@ bool auth_request_handler_auth_begin(struct auth_request_handler *handler, - return TRUE; - } - -+ if (request->set->ssl_require_client_cert && -+ request->set->ssl_username_from_cert && -+ !request->cert_username) { -+ auth_request_handler_auth_fail(handler, request, -+ "SSL certificate didn't contain username"); -+ return TRUE; -+ } -+ - /* Handle initial respose */ - if (initial_resp == NULL) { - /* No initial response */ --- -2.11.0 diff --git a/CVE-2019-3814-3.patch b/CVE-2019-3814-3.patch deleted file mode 100644 index 008fd87d04e3f7b45cdaee7332b4d69a7813096d..0000000000000000000000000000000000000000 --- a/CVE-2019-3814-3.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 3f109288a477fbf69db300b55d0dd8cd1c4da8ea Mon Sep 17 00:00:00 2001 -From: Aki Tuomi -Date: Tue, 15 Jan 2019 17:36:37 +0200 -Subject: [PATCH 3/3] login-common: Ensure we get username from certificate - ---- - src/login-common/sasl-server.c | 52 +++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 49 insertions(+), 3 deletions(-) - -diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c -index dedfb5b8f..ea14c0b6e 100644 ---- a/src/login-common/sasl-server.c -+++ b/src/login-common/sasl-server.c -@@ -338,6 +338,43 @@ authenticate_callback(struct auth_client_request *request, - } - } - -+static bool get_cert_username(struct client *client, const char **username_r, -+ const char **error_r) -+{ -+ /* this was proxied connection, so we use the name here */ -+ if (client->client_cert_common_name != NULL) { -+ *username_r = client->client_cert_common_name; -+ return TRUE; -+ } -+ -+ /* no SSL */ -+ if (client->ssl_iostream == NULL) { -+ *username_r = NULL; -+ return TRUE; -+ } -+ -+ /* no client certificate */ -+ if (!ssl_iostream_has_valid_client_cert(client->ssl_iostream)) { -+ *username_r = NULL; -+ return TRUE; -+ } -+ -+ /* get peer name */ -+ const char *username = ssl_iostream_get_peer_name(client->ssl_iostream); -+ -+ /* if we wanted peer name, but it was not there, fail */ -+ if (client->set->auth_ssl_username_from_cert && -+ (username == NULL || *username == '\0')) { -+ if (client->set->auth_ssl_require_client_cert) { -+ *error_r = "Missing username in certificate"; -+ return FALSE; -+ } -+ } -+ -+ *username_r = username; -+ return TRUE; -+} -+ - void sasl_server_auth_begin(struct client *client, - const char *service, const char *mech_name, - const char *initial_resp_base64, -@@ -345,6 +382,7 @@ void sasl_server_auth_begin(struct client *client, - { - struct auth_request_info info; - const struct auth_mech_desc *mech; -+ const char *error; - - i_assert(auth_client_is_connected(auth_client)); - -@@ -376,9 
+414,17 @@ void sasl_server_auth_begin(struct client *client, - info.mech = mech->name; - info.service = service; - info.session_id = client_get_session_id(client); -- if (client->client_cert_common_name != NULL) -- info.cert_username = client->client_cert_common_name; -- else if (client->ssl_iostream != NULL) { -+ -+ if (!get_cert_username(client, &info.cert_username, &error)) { -+ client_log_err(client, t_strdup_printf("Cannot get username " -+ "from certificate: %s", error)); -+ sasl_server_auth_failed(client, -+ "Unable to validate certificate", -+ AUTH_CLIENT_FAIL_CODE_AUTHZFAILED); -+ return; -+ } -+ -+ if (client->ssl_iostream != NULL) { - info.cert_username = ssl_iostream_get_peer_name(client->ssl_iostream); - info.ssl_cipher = ssl_iostream_get_cipher(client->ssl_iostream, - &info.ssl_cipher_bits); --- -2.11.0 diff --git a/CVE-2019-7524-1.patch b/CVE-2019-7524-1.patch deleted file mode 100644 index cd90980a656bb59db8c281c37ff1a36a66e77bcf..0000000000000000000000000000000000000000 --- a/CVE-2019-7524-1.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 578cf77e84b3d25e2f95f08133a2b0b212aa77cc Mon Sep 17 00:00:00 2001 -From: Timo Sirainen -Date: Mon, 4 Feb 2019 19:23:02 -0800 -Subject: [PATCH 1/2] lib-storage: Fix buffer overflow when reading oversized - hdr-pop3-uidl header - ---- - src/lib-storage/index/index-pop3-uidl.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/lib-storage/index/index-pop3-uidl.c b/src/lib-storage/index/index-pop3-uidl.c -index 13b7363ef..e537e9ff5 100644 ---- a/src/lib-storage/index/index-pop3-uidl.c -+++ b/src/lib-storage/index/index-pop3-uidl.c -@@ -37,7 +37,7 @@ bool index_pop3_uidl_can_exist(struct mail *mail) - /* this header isn't set yet */ - return TRUE; - } -- memcpy(&uidl, data, size); -+ memcpy(&uidl, data, sizeof(uidl)); - return mail->uid <= uidl.max_uid_with_pop3_uidl; - } - -@@ -95,7 +95,7 @@ void index_pop3_uidl_update_exists_finish(struct mailbox_transaction_context *tr - - /* check if we have already the same header */ - if (size >= sizeof(uidl)) { -- memcpy(&uidl, data, size); -+ memcpy(&uidl, data, sizeof(uidl)); - if (trans->highest_pop3_uidl_uid == uidl.max_uid_with_pop3_uidl) - return; - } --- -2.11.0 diff --git a/CVE-2019-7524.patch b/CVE-2019-7524.patch deleted file mode 100644 index 5fd2d70a390a50bfe5c312fcc62a3851973c4675..0000000000000000000000000000000000000000 --- a/CVE-2019-7524.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/src/plugins/fts/fts-api.c 2018-04-30 21:52:04.000000000 +0800 -+++ b/src/plugins/fts/fts-api.c 2019-04-04 17:51:00.170000000 +0800 -@@ -425,7 +425,7 @@ bool fts_index_get_header(struct mailbox - i_zero(hdr_r); - ret = FALSE; - } else { -- memcpy(hdr_r, data, data_size); -+ memcpy(hdr_r, data, sizeof(*hdr_r)); - ret = TRUE; - } - mail_index_view_close(&view); diff --git a/dovecot-1.0.beta2-mkcert-permissions.patch b/dovecot-1.0.beta2-mkcert-permissions.patch new file mode 100644 index 0000000000000000000000000000000000000000..68ac01b5d7eada7d7150023a6e902b6c24aafc6b --- /dev/null 
+++ b/dovecot-1.0.beta2-mkcert-permissions.patch @@ -0,0 +1,11 @@ +--- dovecot-1.0.beta2/doc/mkcert.sh.configfile 2006-01-16 21:14:54.000000000 +0100 ++++ dovecot-1.0.beta2/doc/mkcert.sh 2006-01-26 14:28:38.000000000 +0100 +@@ -29,6 +29,7 @@ + fi + + $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2 +-chmod 0600 $KEYFILE ++chown root:root $CERTFILE $KEYFILE ++chmod 0600 $CERTFILE $KEYFILE + echo + $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2 diff --git a/dovecot-1.0.rc7-mkcert-paths.patch b/dovecot-1.0.rc7-mkcert-paths.patch new file mode 100644 index 0000000000000000000000000000000000000000..e8354e55e86bee12d7a70555db0d88f190c580f7 --- /dev/null +++ b/dovecot-1.0.rc7-mkcert-paths.patch @@ -0,0 +1,14 @@ +diff -up dovecot-2.2.27/doc/mkcert.sh.mkcert-paths dovecot-2.2.27/doc/mkcert.sh +--- dovecot-2.2.27/doc/mkcert.sh.mkcert-paths 2016-12-05 10:26:07.913515286 +0100 ++++ dovecot-2.2.27/doc/mkcert.sh 2016-12-05 10:28:25.439634417 +0100 +@@ -5,8 +5,8 @@ + + umask 077 + OPENSSL=${OPENSSL-openssl} +-SSLDIR=${SSLDIR-/etc/ssl} +-OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf} ++SSLDIR=${SSLDIR-/etc/pki/dovecot} ++OPENSSLCONFIG=${OPENSSLCONFIG-/etc/pki/dovecot/dovecot-openssl.cnf} + + CERTDIR=$SSLDIR/certs + KEYDIR=$SSLDIR/private diff --git a/dovecot-2.0-defaultconfig.patch b/dovecot-2.0-defaultconfig.patch new file mode 100644 index 0000000000000000000000000000000000000000..c18dd47fbc003258e9e83cf0d981c3f53412fcf8 --- /dev/null +++ b/dovecot-2.0-defaultconfig.patch 
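Review bot: The added `chown root:root $CERTFILE $KEYFILE` is the only command in this part of mkcert.sh whose failure is not checked, while the `$OPENSSL` invocations on either side use `|| exit 2`; when the script is run as a non-root user the chown fails and the script simply carries on, so make it `chown root:root $CERTFILE $KEYFILE || exit 2`. Extending `chmod 0600` to the certificate is harmless for dovecot itself, which per the 10-ssl.conf comment in the defaultconfig patch opens both files before dropping privileges, but the certificate is public data and the restriction may surprise other local consumers; since `umask 077` is already set a few lines up (visible in the mkcert-paths hunk), both files are created 0600 anyway, and a one-line comment saying the chmod is deliberate belt-and-braces would save the next reader the question.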
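Review bot: Hardcoding `SSLDIR=${SSLDIR-/etc/pki/dovecot}` in doc/mkcert.sh duplicates the `sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh ...` rewrite that dovecot.spec still performs (it is visible as the trailer of the `@@ -85,7 +85,7 @@` hunk header), so after this patch that sed is a no-op for mkcert.sh and one of the two mechanisms should go. The patch is the one worth keeping, because it also moves `OPENSSLCONFIG` from the relative `dovecot-openssl.cnf` to an absolute `/etc/pki/dovecot/dovecot-openssl.cnf`, which the sed never covered; the sed's argument list should then drop doc/mkcert.sh and keep only the example-config file. If the sed line has already been changed outside the visible hunks, disregard.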
@@ -0,0 +1,33 @@ +diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf +--- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 ++++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf 2018-03-01 10:29:38.208368555 +0100 +@@ -322,6 +322,7 @@ protocol !indexer-worker { + # them simultaneously. + #mbox_read_locks = fcntl + #mbox_write_locks = dotlock fcntl ++mbox_write_locks = fcntl + + # Maximum time to wait for lock (all of them) before aborting. + #mbox_lock_timeout = 5 mins +diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf +--- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 ++++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf 2018-03-01 10:33:54.779499044 +0100 +@@ -3,7 +3,9 @@ + ## + + # SSL/TLS support: yes, no, required. +-#ssl = yes ++# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps ++# plain imap and pop3 are still allowed for local connections ++ssl = required + + # PEM encoded X.509 SSL/TLS certificate and private key. 
They're opened before + # dropping root privileges, so keep the key file unreadable by anyone but +@@ -57,6 +59,7 @@ ssl_key = &1;\ ++fi' ++ +diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/dovecot.service.in +--- dovecot-2.3.0.1/dovecot.service.in.initbysystemd 2018-03-01 10:38:22.060716016 +0100 ++++ dovecot-2.3.0.1/dovecot.service.in 2018-03-01 10:40:45.524901319 +0100 +@@ -8,7 +8,8 @@ + Description=Dovecot IMAP/POP3 email server + Documentation=man:dovecot(1) + Documentation=http://wiki2.dovecot.org/ +-After=local-fs.target network-online.target ++After=local-fs.target network-online.target dovecot-init.service ++Requires=dovecot-init.service + + [Service] + Type=simple +diff -up dovecot-2.3.0.1/Makefile.am.initbysystemd dovecot-2.3.0.1/Makefile.am +--- dovecot-2.3.0.1/Makefile.am.initbysystemd 2018-02-28 15:28:57.000000000 +0100 ++++ dovecot-2.3.0.1/Makefile.am 2018-03-01 10:38:22.060716016 +0100 +@@ -63,9 +63,10 @@ if HAVE_SYSTEMD + + systemdsystemunit_DATA = \ + dovecot.socket \ +- dovecot.service ++ dovecot.service \ ++ dovecot-init.service + else +-EXTRA_DIST += dovecot.socket dovecot.service.in ++EXTRA_DIST += dovecot.socket dovecot.service.in dovecot-init.service + endif + + install-exec-hook: diff --git a/dovecot-2.2.22-systemd_w_protectsystem.patch b/dovecot-2.2.22-systemd_w_protectsystem.patch new file mode 100644 index 0000000000000000000000000000000000000000..d00a9b9dc3129f029c5c65b02e582e4439212828 --- /dev/null +++ b/dovecot-2.2.22-systemd_w_protectsystem.patch 
@@ -0,0 +1,11 @@ +diff -up dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem dovecot-2.3.2/dovecot.service.in +--- dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem 2018-07-09 12:00:13.359193526 +0200 ++++ dovecot-2.3.2/dovecot.service.in 2018-07-09 12:00:46.387716884 +0200 +@@ -23,6 +23,7 @@ ExecReload=@bindir@/doveadm reload + ExecStop=@bindir@/doveadm stop + PrivateTmp=true + NonBlocking=yes ++# this will make /usr /boot /etc read only for dovecot + ProtectSystem=full + ProtectHome=no + PrivateDevices=true diff --git a/dovecot-2.3-pigeonhole-0.5.10.tar.gz b/dovecot-2.3-pigeonhole-0.5.10.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..51dbfc936e6258875ceed311d297e55b03336cae Binary files /dev/null and b/dovecot-2.3-pigeonhole-0.5.10.tar.gz differ diff --git a/dovecot-2.3-pigeonhole-0.5.3.tar.gz b/dovecot-2.3-pigeonhole-0.5.3.tar.gz deleted file mode 100644 index ef23e092ba57496e924fe94a467feb70ace838bb..0000000000000000000000000000000000000000 Binary files a/dovecot-2.3-pigeonhole-0.5.3.tar.gz and /dev/null differ diff --git a/dovecot-2.3.0.1-libxcrypt.patch b/dovecot-2.3.0.1-libxcrypt.patch deleted file mode 100644 index 4b368f8818b5f71b4a4d9724a8f89c83ee9f04df..0000000000000000000000000000000000000000 --- a/dovecot-2.3.0.1-libxcrypt.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt dovecot-2.3.0.1/src/auth/mycrypt.c ---- dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt 2018-02-28 15:28:58.000000000 +0100 -+++ dovecot-2.3.0.1/src/auth/mycrypt.c 2018-03-27 10:57:38.447769201 +0200 -@@ -14,6 +14,7 @@ - # define _XPG6 /* Some Solaris versions require this, some break with this */ - #endif - #include -+#include - - #include "mycrypt.h" - - 
diff --git a/dovecot-2.3.3.tar.gz b/dovecot-2.3.10.1.tar.gz similarity index 46% rename from dovecot-2.3.3.tar.gz rename to dovecot-2.3.10.1.tar.gz index 78447efb03dcdbc1588fa801564b8f0f2fd64afe..189c7fa43b90af869db2cac1d53707ab444ff3bd 100644 Binary files a/dovecot-2.3.3.tar.gz and b/dovecot-2.3.10.1.tar.gz differ diff --git a/dovecot.spec b/dovecot.spec index 2720448b1e79970949f1f9d63cc95b00101c227c..3320c4acb66f70c5020e34da04e4dbf43875f243 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -5,8 +5,8 @@ %global _hardened_build 1 Name: dovecot -Version: 2.3.3 -Release: 5 +Version: 2.3.10.1 +Release: 1 Summary: Dovecot Secure imap server License: MIT and LGPLv2 URL: http://www.dovecot.org/ 
@@ -14,22 +14,22 @@ Epoch: 1 Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source2: dovecot.pam -Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.3.tar.gz +%global pigeonholever 0.5.10 +Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd -Patch0001: dovecot-2.3.0.1-libxcrypt.patch -Patch6000: CVE-2019-7524.patch -Patch6001: CVE-2019-3814-1.patch -Patch6002: CVE-2019-3814-2.patch -Patch6003: CVE-2019-3814-3.patch -Patch6004: CVE-2019-7524-1.patch -Patch6005: CVE-2019-10691.patch -Patch6006: CVE-2019-11494-1.patch -Patch6007: CVE-2019-11494-2.patch -Patch6008: CVE-2019-11499.patch -Patch6009: CVE-2015-3420.patch -Patch6010: CVE-2016-8652.patch +Patch6000: CVE-2015-3420.patch +Patch6001: CVE-2016-8652.patch +Patch6002: dovecot-2.0-defaultconfig.patch +Patch6003: dovecot-1.0.beta2-mkcert-permissions.patch +Patch6004: dovecot-1.0.rc7-mkcert-paths.patch + +#wait for network +Patch6005: dovecot-2.1.10-waitonline.patch + +Patch6006: dovecot-2.2.20-initbysystemd.patch +Patch6007: dovecot-2.2.22-systemd_w_protectsystem.patch BuildRequires: gcc-c++ openssl-devel pam-devel zlib-devel bzip2-devel libcap-devel BuildRequires: libtool autoconf automake pkgconfig sqlite-devel libpq-devel @@ -70,7 +70,7 @@ Man pages and other related help documents for %{name}. sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in %build -export CFLAGS="%{__global_cflags} -fno-strict-aliasing" LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" +export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" mkdir -p m4 autoreconf -I . -fiv #required for aarch64 support 
@@ -85,7 +85,7 @@ sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10 %make_build -cd dovecot-2*3-pigeonhole-0.5.3 +cd dovecot-2*3-pigeonhole-%{pigeonholever} [ -f configure ] || autoreconf -fiv [ -f ChangeLog ] || echo "Pigeonhole ChangeLog is not available, yet" >ChangeLog @@ -100,7 +100,7 @@ cd - %make_install mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall -cd dovecot-2*3-pigeonhole-0.5.3 +cd dovecot-2*3-pigeonhole-%{pigeonholever} %make_install mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole @@ -191,17 +191,17 @@ fi %check make check -cd dovecot-2*3-pigeonhole-0.5.3 +cd dovecot-2*3-pigeonhole-%{pigeonholever} make check %files %doc docinstall/* AUTHORS ChangeLog COPYING COPYING.LGPL COPYING.MIT NEWS README %{_sbindir}/dovecot -%{_bindir}/{doveadm,doveconf,dsync} +%{_bindir}/{doveadm,doveconf,dsync,dovecot-sysreport} %_tmpfilesdir/dovecot.conf -%{_unitdir}/{dovecot.service,dovecot.socket} +%{_unitdir}/{dovecot.service,dovecot.socket,dovecot-init.service} %dir %{_sysconfdir}/dovecot %dir %{_sysconfdir}/dovecot/conf.d @@ -280,6 +280,12 @@ make check %changelog +* Wed Aug 5 2020 wangyue - 2.3.10.1-1 +- Upgrade to 2.3.10.1 to fix CVE-2020-10967, CVE-2020-10958, CVE-2020-10957 + +* Thu May 21 2020 yanan li - 2.3.3-6 +- Fix building with GCC9. + * Sun Mar 16 2020 gulining - 2.3.3-5 - Type:cves - ID:CVE-2015-3420 CVE-2016-8652 diff --git a/dovecot.yaml b/dovecot.yaml new file mode 100644 index 0000000000000000000000000000000000000000..5c00661789ea786b4b7980d5aea4f01aa0c38cd5 --- /dev/null +++ b/dovecot.yaml @@ -0,0 +1,4 @@ +version_control: github +src_repo: dovecot/core +tag_prefix: ^ +seperator: .
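Review bot: The new 2.3.10.1-1 changelog entry names only the CVE-2020 fixes, while the same commit deletes the nine CVE-2019 patch files (old Patch6000–Patch6008) and dovecot-2.3.0.1-libxcrypt.patch; if, as the version bump implies, those fixes are part of upstream 2.3.10.1, say so in the entry, e.g. `- Drop CVE-2019-3814/7524/10691/11494/11499 and libxcrypt patches, contained in upstream 2.3.10.1`, so the removal is not later read as a lost fix. `-fstack-reuse=none` is appended to CFLAGS in %build with no explanation — presumably the GCC 9 fix recorded in the 2.3.3-6 entry — and deserves a `#` comment above the export line stating why it is needed. Patch6005 dovecot-2.1.10-waitonline.patch is listed, but no added file of that name is visible in this diff (the page is garbled between the 10-ssl.conf hunk and the dovecot-init.service hunk), so verify it is actually committed. CVE-2015-3420.patch and CVE-2016-8652.patch are carried over onto 2.3.10.1; both CVEs predate the 2.3 series, so confirm they still apply cleanly and are still needed, since a patch that no longer applies fails %prep.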