diff --git a/sendmail-8.15.2-format-security.patch b/sendmail-8.15.2-format-security.patch
deleted file mode 100644
index d4ff443b22d0e7fc5146bacd4cfccbc20577d9ad..0000000000000000000000000000000000000000
--- a/sendmail-8.15.2-format-security.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-diff --git a/sendmail/srvrsmtp.c b/sendmail/srvrsmtp.c
-index ba636a8..46c5356 100644
---- a/sendmail/srvrsmtp.c
-+++ b/sendmail/srvrsmtp.c
-@@ -159,6 +159,26 @@
- #define SKIP_SPACE(s) while (SM_ISSPACE(*s)) \
- (s)++
-
-+static inline void
-+message1(fmt)
-+ char *fmt;
-+{
-+ if (strchr(fmt, '%') == NULL)
-+ message(fmt, NULL);
-+ else
-+ message("%s", fmt);
-+}
-+
-+static inline void
-+usrerr1(fmt)
-+ char *fmt;
-+{
-+ if (strchr(fmt, '%') == NULL)
-+ usrerr(fmt, NULL);
-+ else
-+ usrerr("%s", fmt);
-+}
-+
- #if _FFR_EAI
- /*
- ** ADDR_IS_ASCII -- check whether an address is 100% printable ASCII
-@@ -638,13 +658,13 @@
- bool tsave = QuickAbort; \
- \
- QuickAbort = false; \
-- usrerr(response); \
-+ usrerr1(response); \
- QuickAbort = tsave; \
- e->e_sendqueue = NULL; \
- goto doquit; \
- } \
- else \
-- usrerr(response); \
-+ usrerr1(response); \
- break; \
- \
- case SMFIR_REJECT: \
-@@ -1011,7 +1031,7 @@
- else if (strncmp(nullserver, "421 ", 4) == 0)
- {
- /* Can't use ("%s", ...) due to message() requirements */
-- message(nullserver);
-+ message1(nullserver);
- goto doquit;
- }
-
-@@ -1953,7 +1973,7 @@
- if (ISSMTPREPLY(nullserver))
- {
- /* Can't use ("%s", ...) due to usrerr() requirements */
-- usrerr(nullserver);
-+ usrerr1(nullserver);
- }
- else
- {
-@@ -2561,7 +2581,7 @@
- if (response != NULL)
- {
- /* Can't use ("%s", ...) due to usrerr() requirements */
-- usrerr(response);
-+ usrerr1(response);
- }
- else
- {
-@@ -3800,7 +3820,7 @@
- #endif
-
- /* Can't use ("%s", ...) due to usrerr() requirements */
-- usrerr(response);
-+ usrerr1(response);
- if (strncmp(response, "421 ", 4) == 0
- || strncmp(response, "421-", 4) == 0)
- {
-@@ -3922,7 +3942,7 @@
- (void) extenhsc(response + 4, ' ', e->e_enhsc);
- #endif
- /* Can't use ("%s", ...) due to usrerr() requirements */
-- usrerr(response);
-+ usrerr1(response);
- if (strncmp(response, "421 ", 4) == 0
- || strncmp(response, "421-", 4) == 0)
- rv = false;
diff --git a/sendmail-8.15.2-openssl-1.1.0-fix.patch b/sendmail-8.15.2-openssl-1.1.0-fix.patch
deleted file mode 100644
index c0023b142ccecc06d546d441dcc0d3d735e645b4..0000000000000000000000000000000000000000
--- a/sendmail-8.15.2-openssl-1.1.0-fix.patch
+++ /dev/null
@@ -1,183 +0,0 @@
---- sendmail-8.15.2.orig/sendmail/tls.c 2016-12-01 15:20:59.953546417 +0100
-+++ sendmail-8.15.2.orig/sendmail/tls.c 2016-12-01 17:26:43.868521378 +0100
-@@ -79,7 +79,8 @@
- static DH *
- get_dh512()
- {
-- DH *dh = NULL;
-+ DH *dh;
-+ BIGNUM *p, *g;
- # if MTA_HAVE_DH_set0_pqg
- BIGNUM *dhp_bn, *dhg_bn;
- # endif
-@@ -96,13 +97,23 @@
- return NULL;
- }
- # else
-- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
-- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
-- if ((dh->p == NULL) || (dh->g == NULL))
-+ p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
-+ g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
-+ if (p == NULL || g == NULL)
- {
-+ BN_free(p);
-+ BN_free(g);
- DH_free(dh);
- return NULL;
- }
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
-+ DH_set0_pqg(dh, p, NULL, g);
-+#else
-+ dh->p = p;
-+ dh->g = g;
-+#endif
-+
- # endif
- return dh;
- }
-@@ -150,6 +161,8 @@
- };
- static unsigned char dh2048_g[]={ 0x02, };
- DH *dh;
-+ BIGNUM *p, *g;
-+
- # if MTA_HAVE_DH_set0_pqg
- BIGNUM *dhp_bn, *dhg_bn;
- # endif
-@@ -166,13 +179,23 @@
- return NULL;
- }
- # else
-- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
-- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
-- if ((dh->p == NULL) || (dh->g == NULL))
-+ p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
-+ g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
-+ if (p == NULL || g == NULL)
- {
-+ BN_free(p);
-+ BN_free(g);
- DH_free(dh);
-- return(NULL);
-+ return NULL;
- }
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
-+ DH_set0_pqg(dh, p, NULL, g);
-+#else
-+ dh->p = p;
-+ dh->g = g;
-+#endif
-+
- # endif
- return(dh);
- }
-@@ -929,6 +952,54 @@
- # define SM_SSL_OP_TLS_BLOCK_PADDING_BUG 0
- # endif
-
-+static RSA *
-+generate_rsa_key(bits, e)
-+ int bits;
-+ unsigned long e;
-+{
-+#if OPENSSL_VERSION_NUMBER < 0x00908000L
-+ return RSA_generate_key(bits, e, NULL, NULL);
-+#else
-+ BIGNUM *bne;
-+ RSA *rsa = NULL;
-+
-+ bne = BN_new();
-+ if (bne && BN_set_word(bne, e) != 1)
-+ rsa = RSA_new();
-+ if (rsa && RSA_generate_key_ex(rsa, bits, bne, NULL) != 1)
-+ {
-+ RSA_free(rsa);
-+ rsa = NULL;
-+ }
-+ BN_free(bne);
-+ return rsa;
-+#endif
-+}
-+
-+static DSA *
-+generate_dsa_parameters(bits, seed, seed_len, counter_ret, h_ret)
-+ int bits;
-+ unsigned char *seed;
-+ int seed_len;
-+ int *counter_ret;
-+ unsigned long *h_ret;
-+{
-+#if OPENSSL_VERSION_NUMBER < 0x00908000L
-+ return DSA_generate_parameters(bits, seed, seed_len, counter_ret,
-+ h_ret, NULL, NULL);
-+#else
-+ DSA *dsa = DSA_new();
-+
-+ if (dsa && DSA_generate_parameters_ex(dsa, bits, seed, seed_len,
-+ counter_ret, h_ret, NULL) != 1)
-+ {
-+ DSA_free(dsa);
-+ dsa = NULL;
-+ }
-+ return dsa;
-+#endif
-+}
-+
- bool
- inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhparam)
- SSL_CTX **ctx;
-@@ -1183,8 +1254,7 @@
- if (bitset(TLS_I_RSA_TMP, req)
- # if SM_CONF_SHM
- && ShmId != SM_SHM_NO_ID &&
-- (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
-- NULL)) == NULL
-+ (rsa_tmp = generate_rsa_key(RSA_KEYLENGTH, RSA_F4)) == NULL
- # else /* SM_CONF_SHM */
- && 0 /* no shared memory: no need to generate key now */
- # endif /* SM_CONF_SHM */
-@@ -1391,8 +1461,8 @@
- }
- # else
- /* this takes a while!
*/ -- dsa = DSA_generate_parameters(bits, NULL, 0, NULL, -- NULL, 0, NULL); -+ dsa = generate_dsa_parameters(bits, NULL, 0, NULL, -+ NULL); - dh = DSA_dup_DH(dsa); - # endif - DSA_free(dsa); -@@ -2081,7 +2151,7 @@ - - if (rsa_tmp != NULL) - RSA_free(rsa_tmp); -- rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL); -+ rsa_tmp = generate_rsa_key(RSA_KEYLENGTH, RSA_F4); - if (rsa_tmp == NULL) - { - if (LogLevel > 0) -@@ -2526,12 +2596,21 @@ - SM_GETTLSI; - if (LogLevel > 13) - tls_verify_log(ok, ctx, "X509"); -+#if OPENSSL_VERSION_NUMBER >= 0x10100005L -+ if (X509_STORE_CTX_get_error(ctx) == -+ X509_V_ERR_UNABLE_TO_GET_CRL) -+ { -+ X509_STORE_CTX_set_error(ctx, 0); -+ return 1; /* override it */ -+ } -+#else - if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL && - !SM_TLSI_IS(tlsi_ctx, TLSI_FL_CRLREQ)) - { - X509_STORE_CTX_set_error(ctx, 0); - return 1; /* override it */ - } -+#endif - return ok; - } - diff --git a/sendmail.spec b/sendmail.spec index e243cf9887083f5015cfab239b2d0d0350c91e75..53a1987d54289653724e04d3ec7959695d5c528a 100644 --- a/sendmail.spec +++ b/sendmail.spec @@ -1,6 +1,6 @@ Name: sendmail Version: 8.17.2 -Release: 2 +Release: 3 Summary: A classic mail transfer agent from the Unix world License: Sendmail URL: http://www.sendmail.org/ @@ -344,7 +344,7 @@ if [ ! -f %{_sysconfdir}/pki/tls/certs/sendmail.pem ]; then fi %{_bindir}/openssl req -new -key %{_sysconfdir}/pki/tls/private/sendmail.key -x509 -sha256 \ - -days 730 -set_serial $RANDOM -out %{_sysconfdir}/pki/tls/certs/sendmail.pem \ + -days 2190 -set_serial $RANDOM -out %{_sysconfdir}/pki/tls/certs/sendmail.pem \ -subj "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=${FQDN}/emailAddress=root@${FQDN}" chmod 600 %{_sysconfdir}/pki/tls/certs/sendmail.pem fi 
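Review bot: The new `-days 2190` gives the install-time self-signed certificate roughly six years of validity with no comment explaining the choice, and a self-signed certificate cannot be revoked through a CA, so a leaked `sendmail.key` stays usable for that whole period. Going by the `if [ ! -f %{_sysconfdir}/pki/tls/certs/sendmail.pem ]` guard shown in the hunk header, the longer period appears to reach fresh installs only; hosts that already hold a 730-day certificate keep it until it expires. I would add a comment above the `openssl req` line, for example `# 2190 days (~6 years): self-signed placeholder, not regenerated on upgrade; replace with a CA-issued certificate or rotate before expiry`. The scriptlet starts and ends outside the hunk.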
@@ -469,6 +469,13 @@ exit 0 %changelog +* Wed Feb 12 2025 xinghe - 8.17.2-3 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:extending the certificate validate period + remove redundant patches + * Wed May 22 2024 xinghe - 8.17.2-2 - Type:bugfix - ID:NA