Accepting request 1316014 from server:mail

- cyrus-imapd don't start because of missing "Requires=var-run.mount" from systemd
  (bsc#1251788)
  Remove var-run.mount from Requires and After

OBS-URL: https://build.opensuse.org/request/show/1316014
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cyrus-imapd?expand=0&rev=6

0001-Squash-some-clang-complaints.patch

@@ -0,0 +1,108 @@
+From f187c82604997991121c913732ffd95c161cbe27 Mon Sep 17 00:00:00 2001
+From: Ken Murchison <murch@fastmail.com>
+Date: Mon, 27 Feb 2023 11:09:51 -0500
+Subject: [PATCH] Squash some clang complaints
+
+---
+ backup/cyr_backup.c | 3 ---
+ imap/httpd.h        | 2 +-
+ imap/reconstruct.c  | 2 +-
+ imap/squat_build.c  | 4 ----
+ imap/zoneinfo_db.c  | 3 ++-
+ 5 files changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/backup/cyr_backup.c b/backup/cyr_backup.c
+index 07d534454..ec3f752bd 100644
+--- a/backup/cyr_backup.c
++++ b/backup/cyr_backup.c
+@@ -730,7 +730,6 @@ static int cmd_json_chunks(struct backup *backup,
+     struct backup_chunk *chunk = NULL;
+     json_t *jchunks = NULL;
+     struct stat data_stat_buf;
+-    double total_length = 0.0;
+     int r;
+ 
+     (void) options;
+@@ -759,8 +758,6 @@ static int cmd_json_chunks(struct backup *backup,
+             ratio = 100.0 * (data_stat_buf.st_size - chunk->offset) / chunk->length;
+         }
+ 
+-        total_length += chunk->length;
+-
+         /* XXX which fields do we want? */
+         json_object_set_new(jchunk, "id", json_integer(chunk->id));
+         json_object_set_new(jchunk, "offset", json_integer(chunk->offset));
+diff --git a/imap/httpd.h b/imap/httpd.h
+index 67279a942..43cf8205b 100644
+--- a/imap/httpd.h
++++ b/imap/httpd.h
+@@ -280,7 +280,7 @@ struct range {
+ 
+ struct patch_doc_t {
+     const char *format;                 /* MIME format of patch document */
+-    int (*proc)();                      /* Function to parse and apply doc */
++    int (*proc)(txn_t *, void *);       /* Function to parse and apply doc */
+ };
+ 
+ typedef int (*encode_proc_t)(struct transaction_t *txn,
+diff --git a/imap/reconstruct.c b/imap/reconstruct.c
+index d5f355653..58f215a4b 100644
+--- a/imap/reconstruct.c
++++ b/imap/reconstruct.c
+@@ -821,7 +821,7 @@ static void reconstruct_mbentry(const char *header_path)
+                         mbentry->mbtype &= ~(MBTYPE_LEGACY_DIRS);
+ 
+                         token = tok_next(&tok);
+-                        if (strcmpnull(token, FNAME_HEADER+1) || tok_next(&tok)) {
++                        if (strcmpnull(token, &FNAME_HEADER[1]) || tok_next(&tok)) {
+                             xzfree(mbentry->uniqueid);
+                         }
+                     }
+diff --git a/imap/squat_build.c b/imap/squat_build.c
+index b56717f30..b7dd51867 100644
+--- a/imap/squat_build.c
++++ b/imap/squat_build.c
+@@ -1163,7 +1163,6 @@ static int dump_doc_list_present_bits(SquatIndex *index,
+     int start_present = docs->first_valid_entry;
+     int end_present = docs->last_valid_entry;
+     char *buf;
+-    int present_count;
+ 
+     /* If the leaf is empty, we should never get here! */
+     assert(start_present <= end_present);
+@@ -1175,7 +1174,6 @@ static int dump_doc_list_present_bits(SquatIndex *index,
+             return SQUAT_ERR;
+         } else {
+             *buf++ = (char)end_present;
+-            present_count = 1;
+         }
+     } else {
+         int first_byte = start_present >> 3;
+@@ -1191,10 +1189,8 @@ static int dump_doc_list_present_bits(SquatIndex *index,
+             *buf++ = (char)first_byte;
+             *buf++ = (char)byte_count - 1;
+             memset(buf, 0, byte_count);
+-            present_count = 0;
+             for (i = start_present; i <= end_present; i++) {
+                 if (docs->docs[i] != NULL) {
+-                    present_count++;
+                     buf[(i >> 3) - first_byte] |= 1 << (i & 7);
+                 }
+             }
+diff --git a/imap/zoneinfo_db.c b/imap/zoneinfo_db.c
+index 3be631ccd..46f7c661a 100644
+--- a/imap/zoneinfo_db.c
++++ b/imap/zoneinfo_db.c
+@@ -243,7 +243,8 @@ struct findrock {
+     const char *find;
+     int tzid_only;
+     time_t changedsince;
+-    int (*proc)();
++    int (*proc)(const char *tzid, int tzidlen,
++                struct zoneinfo *zi, void *rock);
+     void *rock;
+ };
+ 
+-- 
+2.49.0
+

cyrus-imapd-3.8.2_syslog-facility-doc.patch

@@ -1,47 +0,0 @@
-diff '--color=auto' -ru a/doc/html/imap/concepts/overview_and_concepts.html b/doc/html/imap/concepts/overview_and_concepts.html
---- a/doc/html/imap/concepts/overview_and_concepts.html	2024-03-13 03:51:12.000000000 +0100
-+++ b/doc/html/imap/concepts/overview_and_concepts.html	2024-04-10 17:42:03.859885326 +0200
-@@ -1307,7 +1307,7 @@
- </section>
- <section id="the-syslog-facility">
- <h2>The syslog facility<a class="headerlink" href="#the-syslog-facility" title="Permalink to this heading">¶</a></h2>
--<p>The Cyrus IMAP server software sends log messages to the <code class="docutils literal notranslate"><span class="pre">local6</span></code>
-+<p>The Cyrus IMAP server software sends log messages to the <code class="docutils literal notranslate"><span class="pre">daemon</span></code>
- syslog facility.  The severity levels used are:</p>
- <ul class="simple">
- <li><p><strong>CRIT</strong> - Critical errors which probably require prompt administrator action</p></li>
-@@ -1571,4 +1571,4 @@
- 
- 
- </body>
--</html>
-\ No newline at end of file
-+</html>
-diff '--color=auto' -ru a/doc/legacy/install-configure.html b/doc/legacy/install-configure.html
---- a/doc/legacy/install-configure.html	2024-03-13 03:47:32.000000000 +0100
-+++ b/doc/legacy/install-configure.html	2024-04-10 17:40:43.429453680 +0200
-@@ -45,10 +45,10 @@
- 
- If you do not copy the "<tt>syslog/syslog.conf</tt>" file to the
- "<tt>/etc</tt>" directory, be sure to add support for
--"<tt>local6.debug</tt>".  The file should include a line like:
-+"<tt>daemon.debug</tt>".  The file should include a line like:
- 
- <pre>
--   local6.debug  /var/log/imapd.log
-+   daemon.debug  /var/log/imapd.log
- </pre>
- 
- You probably also want to log SASL messages with a line like:
-diff '--color=auto' -ru a/doc/legacy/overview.html b/doc/legacy/overview.html
---- a/doc/legacy/overview.html	2024-03-13 03:47:44.000000000 +0100
-+++ b/doc/legacy/overview.html	2024-04-10 17:40:58.012865278 +0200
-@@ -623,7 +623,7 @@
- 
- <h3><a name="syslog">The <TT>syslog</TT> facility</a></h3>
- 
--The Cyrus IMAP server software sends log messages to the "<TT>local6</TT>"
-+The Cyrus IMAP server software sends log messages to the "<TT>daemon</TT>"
- syslog facility.  The severity levels used are:
- 
- <UL>

cyrus-imapd-3.8.4.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e67d3e9dd99d9c7055b01254939f5f08c955a935a64c0e1c083c0b43ebe21ef2
-size 14488926

cyrus-imapd-3.8.5_syslog-facility-doc.patch

@@ -0,0 +1,40 @@
+diff '--color=auto' -ru cyrus-imapd-3.8.5.orig/doc/legacy/install-configure.html cyrus-imapd-3.8.5/doc/legacy/install-configure.html
+--- cyrus-imapd-3.8.5.orig/doc/legacy/install-configure.html	2025-01-22 00:32:31.000000000 +0100
++++ cyrus-imapd-3.8.5/doc/legacy/install-configure.html	2025-05-28 18:14:06.503515889 +0200
+@@ -45,10 +45,10 @@
+ 
+ If you do not copy the "<tt>syslog/syslog.conf</tt>" file to the
+ "<tt>/etc</tt>" directory, be sure to add support for
+-"<tt>local6.debug</tt>".  The file should include a line like:
++"<tt>daemon.debug</tt>".  The file should include a line like:
+ 
+ <pre>
+-   local6.debug  /var/log/imapd.log
++   daemon.debug  /var/log/imapd.log
+ </pre>
+ 
+ You probably also want to log SASL messages with a line like:
+diff '--color=auto' -ru cyrus-imapd-3.8.5.orig/doc/legacy/overview.html cyrus-imapd-3.8.5/doc/legacy/overview.html
+--- cyrus-imapd-3.8.5.orig/doc/legacy/overview.html	2025-01-22 01:26:18.000000000 +0100
++++ cyrus-imapd-3.8.5/doc/legacy/overview.html	2025-05-28 18:14:29.215118793 +0200
+@@ -623,7 +623,7 @@
+ 
+ <h3><a name="syslog">The <TT>syslog</TT> facility</a></h3>
+ 
+-The Cyrus IMAP server software sends log messages to the "<TT>local6</TT>"
++The Cyrus IMAP server software sends log messages to the "<TT>daemon</TT>"
+ syslog facility.  The severity levels used are:
+ 
+ <UL>
+diff '--color=auto' -ru cyrus-imapd-3.8.5.orig/docsrc/imap/concepts/overview_and_concepts.rst cyrus-imapd-3.8.5/docsrc/imap/concepts/overview_and_concepts.rst
+--- cyrus-imapd-3.8.5.orig/docsrc/imap/concepts/overview_and_concepts.rst	2025-01-22 01:26:18.000000000 +0100
++++ cyrus-imapd-3.8.5/docsrc/imap/concepts/overview_and_concepts.rst	2025-05-28 18:15:19.388701124 +0200
+@@ -411,7 +411,7 @@
+ The syslog facility
+ *******************
+ 
+-The Cyrus IMAP server software sends log messages to the ``local6``
++The Cyrus IMAP server software sends log messages to the ``daemon``
+ syslog facility.  The severity levels used are:
+ 
+ * **CRIT** - Critical errors which probably require prompt administrator action

cyrus-imapd-3.8.6.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eff5fc056a6458413e1de986416a54a82a690ccbe91ec20034bb41e672cc7505
+size 11210022

cyrus-imapd-rc-3.tar.gz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:966ac146e1a14fc12ba0e20e8d3b189a11b8829e9b75e287511859250f47bebd
-size 4054
+oid sha256:94b144f637274fb1d2806d9ae2a43d3d910264d7e07ed5a649bff4567070e89a
+size 4072

cyrus-imapd.changes

@@ -1,3 +1,67 @@
+-------------------------------------------------------------------
+Thu Nov  6 12:20:07 UTC 2025 - Peter Varkoly <varkoly@suse.com>
+
+- cyrus-imapd don't start because of missing "Requires=var-run.mount" from systemd
+  (bsc#1251788)
+  Remove var-run.mount from Requires and After
+
+-------------------------------------------------------------------
+Tue Jul 29 13:48:50 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Only BuildRequire systemd-rpm-macros instead of systemd
+  to reduce unneeded OBS rebuilds
+
+-------------------------------------------------------------------
+Fri Jul 18 13:03:45 UTC 2025 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- add 0001-Squash-some-clang-complaints.patch: fix compile errors in 3.8
+  release line occuring with newer compilers.
+
+-------------------------------------------------------------------
+Tue Jul 15 12:09:11 UTC 2025 - Peter Varkoly <varkoly@suse.com>
+
+- update to version 3.8.6 (bugfix release)
+  VUL-0: CVE-2025-49812: cyrus-imapd: Opossum Attack Application Layer
+  Desynchronization using Opportunistic TLS (bsc#1246165)
+  The industry is deprecating STARTTLS (aka opportunistic TLS) in favor of
+  implicit TLS over a dedicated port.  STARTTLS is now disabled by default.
+  * Fixed issue #5477: master: tighten up pidfile/etc handling (bsc#1241543)
+    VUL-0: cyrus-imapd: privilege drop happens too late, opening attack vectors from cyrus to root
+  * Fixed issue #5450: fix zoneinfo_db code for GCC 15 (thanks Yadd)
+  * Fixed issue #5309: deadlock on shutdown (thanks Mark Cammidge)
+  * Fixed issue #5424: recognise service-specific SASL options in
+    ``cyr_info conf-lint``
+  * Fixed issue #5420: fix double-free in http_admin (thanks Wolfgang Breyha)
+  * Fixed issue #5460: pop3d: add basic prometheus support (thanks Wolfgang
+    Breyha)
+  * Fixed issue #5454: httpd fails to parse OpenSSL version for status string
+
+-------------------------------------------------------------------
+Tue May 27 22:43:21 UTC 2025 - Aeneas Jaißle <aj@ajaissle.de>
+
+- update to version 3.8.5 (bugfix release)
+  * Fixed Issue #5029: check for unexpected extra tiny-tests directories
+  * Fixed Issue #5148: added --enable-release-checks configure option for use when building releases
+  * Fixed Issue #4489: calendar-color "changes" namespace (thanks Дилян Палаузов)
+  * Fixed Issue #5009: various portability warnings and nits
+  * Fixed Issue #5050: iTIP line endings (thanks Дилян Палаузов)
+  * Fixed Issue #5052: iMIP line endings (thanks Дилян Палаузов)
+  * Fixed Issue #5072: http_cgi use after free (thanks Дилян Палаузов)
+  * Fixed Issue #5094: httpd crash when PROPFIND url is /dav/calendars
+  * Fixed Issue #5118: broken language checks for "zr-hant" and "sr-me"
+  * Fixed Issue #5047: proxying UID SEARCH
+
+- rebased patches:
+  - cyrus-imapd-3.8.2_syslog-facility-doc.patch
+  + cyrus-imapd-3.8.5_syslog-facility-doc.patch
+
+-------------------------------------------------------------------
+Mon Apr 28 11:06:47 UTC 2025 - Peter Varkoly <varkoly@suse.com>
+
+- CVE-2025-23394: cyrus-imapd: daily-backup.sh allows escalation from 
+  cyrus to root (bsc#1241536)
+  Adapt backup-cyrus.service to run as user cyrus:mail
+
 -------------------------------------------------------------------
 Tue Feb 25 16:04:31 UTC 2025 - Nathan Cutler <ncutler@suse.com>
 

cyrus-imapd.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package cyrus-imapd
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -30,7 +30,7 @@
 %global _servicename    cyrus-imapd
 %define _sover 0
 Name:           cyrus-imapd
-Version:        3.8.4
+Version:        3.8.6
 Release:        0
 Summary:        The Cyrus IMAP and POP Mail Server
 License:        BSD-3-Clause
@@ -46,11 +46,12 @@ Source10:       cyrus-imapd-rc-3.tar.gz
 Source11:       cyrus-user.conf
 
 # PATCH-FIX-OPENSUSE -- Use the right syslog facility in docs
-Patch7:         cyrus-imapd-3.8.2_syslog-facility-doc.patch
+Patch7:         cyrus-imapd-3.8.5_syslog-facility-doc.patch
 
 # PATCH-FIX-FEDORA -- Link Perl components against pcre2
 # pending upstream discussion
 Patch8:         perl-pcre2.patch
+Patch9:         0001-Squash-some-clang-complaints.patch
 
 BuildRequires:  autoconf >= 2.63
 BuildRequires:  automake
@@ -66,7 +67,7 @@ BuildRequires:  libtool >= 2.2.6
 BuildRequires:  libuuid-devel
 BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig
-BuildRequires:  systemd
+BuildRequires:  systemd-rpm-macros
 BuildRequires:  sysuser-tools
 
 # optionals:
@@ -106,7 +107,7 @@ BuildRequires:  db-utils >= 3.0.55
 %endif
 %endif
 
-%sysusers_requires
+#%%sysusers_requires
 Prereq:         system-user-mail
 Requires:       perl-Cyrus-Annotator = %{version}
 Requires:       perl-Cyrus-IMAP = %{version}