- update to 2.3.6: (boo#1133624 boo#1133625)

* CVE-2019-11494: Submission-login crashed with signal 11 due to
    null pointer access when authentication was aborted by
    disconnecting.
  * CVE-2019-11499: Submission-login crashed when authentication
    was started over TLS secured channel and invalid authentication
    message was sent.
  * auth: Support password grant with passdb oauth2.
  + Use system default CAs for outbound TLS connections.
  + Simplify array handling with new helper macros.
  + fts_solr: Enable configuring batch_size and soft_commit features.
  - lmtp/submission: Fixed various bugs in XCLIENT handling,
    including a hang when XCLIENT commands were sent infinitely to
    the remote server.
  - lmtp/submission: Forwarded multi-line replies were erroneously
    sent as two replies to the client.
  - lib-smtp: client: Message was not guaranteed to contain CRLF
    consistently when CHUNKING was used.
  - fts_solr: Plugin was no longer compatible with Solr 7.
  - Make it possible to disable certificate checking without
    setting ssl_client_ca_* settings.
  - pop3c: SSL support was broken.
  - mysql: Closing connection twice lead to crash on some systems.
  - auth: Multiple oauth2 passdbs crashed auth process on deinit.
  - HTTP client connection errors infrequently triggered a
    segmentation fault when the connection was idle and not used
    for a particular client instance.
- drop https://github.com/dovecot/core/commit/3c5101ffd.patch

OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=46

3c5101ffd.patch

@@ -1,36 +0,0 @@
-From 3c5101ffdd2a8115e03ed7180d53578765dea4c9 Mon Sep 17 00:00:00 2001
-From: Aki Tuomi <aki.tuomi@dovecot.fi>
-Date: Tue, 4 Dec 2018 14:40:04 +0200
-Subject: [PATCH] driver-mysql: Avoid double-closing MySQL connection
-
-Fixes double-free
----
- src/lib-sql/driver-mysql.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib-sql/driver-mysql.c b/src/lib-sql/driver-mysql.c
-index c87e825e4b..5dd1c3124f 100644
---- a/src/lib-sql/driver-mysql.c
-+++ b/src/lib-sql/driver-mysql.c
-@@ -173,7 +173,9 @@ static int driver_mysql_connect(struct sql_db *_db)
- static void driver_mysql_disconnect(struct sql_db *_db)
- {
- 	struct mysql_db *db = (struct mysql_db *)_db;
--	mysql_close(db->mysql);
-+	if (db->mysql != NULL)
-+		mysql_close(db->mysql);
-+	db->mysql = NULL;
- }
- 
- static int driver_mysql_parse_connect_string(struct mysql_db *db,
-@@ -311,7 +313,9 @@ static void driver_mysql_deinit_v(struct sql_db *_db)
- 	_db->no_reconnect = TRUE;
- 	sql_db_set_state(&db->api, SQL_DB_STATE_DISCONNECTED);
- 
--	mysql_close(db->mysql);
-+	if (db->mysql != NULL)
-+		mysql_close(db->mysql);
-+	db->mysql = NULL;
- 
- 	sql_connection_log_finished(_db);
- 	event_unref(&_db->event);

dovecot-2.3.5.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ba14e41aefd81a868a35b83bcb54194116106424d37690519b50ea83c0f31bf2
-size 6953228

dovecot-2.3.5.2.tar.gz.sig

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAly4Op0XHGRvdmVjb3Qt
-Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaGNmBAAmVTk1EHLtY++LjMAwax5mDQ1
-rwnoGWcCTCVrM7s7FAehvQ+FXnDTtHEWcWzxvjngm58jFBr+H/1NfAYR8srLfHc7
-ucj4Xt9Fyl++pGyUXKS+RTZP+rcI6nt/AmPBqG/WaaMGKI04jFzNw2MMIJ2afOI6
-MJbDOCZm6PDQiCAw7xJ2RaD021irAvZu1Xa1mVq2eZb5vrU8heVfOwZhyVU6H8bD
-xaYbhvMNB7CHl3xMQDFNKLlArxEiAQgm4akVvC1NzCkkR87RwZfjjQZfdVd2xlx2
-x2Jm33WrGPumXlpWNqPCrwKgynLJ0qgZZ78c9pwsIGW8Nq+LxK6z1hDdCbUjjTGj
-AOYqxXuD9yJfKYFAL9y1YSY/BEVGrBK30RQdQxXb/xqQ6bxIysxPjSg7lWetclQO
-XzyJlKV2qP8zjAjZisY4T4WGJm9zLX1JK6cojenjZBapRuGF9ro+QulZZtRCtljf
-7jrOQLir8LjhA0KCH8mlPps33qyzVpOKmLtZ2w9MGIQowHQUAQA3G2EBp7h2pNm2
-dFW/I+F6sU2CFBm9lvuLV4BWt2y9VZsaz7uk0NdUscPJ4i0XBQnoa7CEOzj1SXnR
-R58tqxtXoelX/XmUsd6JWeW1jDaS/dGaxe30zSMKwZR3zKP7T+pJmKhHwRxwo1G8
-Z3qiNsmMUycFz06VMho=
-=t6Fw
------END PGP SIGNATURE-----

dovecot-2.3.6.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ed1d8dc1beeae9c6c73deac73a62ef19fe9262fbffd86604a3f690452f5536c7
+size 6980135

dovecot-2.3.6.tar.gz.sig

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAlzIRtYXHGRvdmVjb3Qt
+Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaFDBhAAp3vvNdz2+nOUe106ToQs3VA9
+8jPxUQjxeiUVODkx3Hth9VjRCaD1n0hpJwq02bWCN/bqbFir8ObB/t+jhGMUuqG9
+unvp3gCfSo4AVT3HezYL2+7a5USAskkAkoDu4zfGE8OfBKx+mF0XMoOY2OmyCpbt
+k7k52lM/wKfjDhi04kkhu6yM5S5C7IMkTt8GeKbCrk9W2F5AAoIVH/6KryfMcQd4
+pActK/q1fMDyxe+wcG9UOQb6POzXdO/jO790CmWv4C6ZY1yoojguRzTMIwvEF0ow
+TYbAjmn9+IXl4rgIUBhe4l9lS4jHohwE9heooDO08ZdVIRMzPTALn0p9C4DCuE4K
+EmVGzEpmKfy47eFdwU6Adp8KPYYaTTh8ykg8zk+tItMq6vK0Dq3L4P7iHJ1Lvqsc
+YdZwGgm2mqXPG7ZizOve/sKfRlAQ8mzImlwRcEvtjMp3kcy28OOljWWRzxzmHYCY
+CmuhuEZq2JDQ33sNuzkUNaPhx5qmDwRrOqpGhcnWXAtHTIDeWJNMreV/LQbSvMDS
+B3Ko+QB61ebC4aAts6ddt6b7IgQmifNXHbxJ5u41qcbtpD+FaQNl648b/7FZTGOx
+900QaaSK+K4PtjGypa2ZZZAo1rVGCbzc8HzmUMSsdwWsoKgTQYMChNn4wNdKxM99
+RWnqdL/PRZdQHRXzr08=
+=UAEA
+-----END PGP SIGNATURE-----

dovecot23.changes

@@ -1,3 +1,35 @@
+-------------------------------------------------------------------
+Tue Apr 30 13:34:16 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>
+
+- update to 2.3.6: (boo#1133624 boo#1133625)
+  * CVE-2019-11494: Submission-login crashed with signal 11 due to
+    null pointer access when authentication was aborted by
+    disconnecting.
+  * CVE-2019-11499: Submission-login crashed when authentication
+    was started over TLS secured channel and invalid authentication
+    message was sent.
+  * auth: Support password grant with passdb oauth2.
+  + Use system default CAs for outbound TLS connections.
+  + Simplify array handling with new helper macros.
+  + fts_solr: Enable configuring batch_size and soft_commit features.
+  - lmtp/submission: Fixed various bugs in XCLIENT handling,
+    including a hang when XCLIENT commands were sent infinitely to
+    the remote server.
+  - lmtp/submission: Forwarded multi-line replies were erroneously
+    sent as two replies to the client.
+  - lib-smtp: client: Message was not guaranteed to contain CRLF
+    consistently when CHUNKING was used.
+  - fts_solr: Plugin was no longer compatible with Solr 7.
+  - Make it possible to disable certificate checking without
+    setting ssl_client_ca_* settings.
+  - pop3c: SSL support was broken.
+  - mysql: Closing connection twice lead to crash on some systems.
+  - auth: Multiple oauth2 passdbs crashed auth process on deinit.
+  - HTTP client connection errors infrequently triggered a
+    segmentation fault when the connection was idle and not used
+    for a particular client instance.
+- drop https://github.com/dovecot/core/commit/3c5101ffd.patch
+
 -------------------------------------------------------------------
 Mon Apr 29 22:11:53 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>
 

dovecot23.spec

@@ -17,10 +17,10 @@
 
 
 Name:           dovecot23
-Version:        2.3.5.2
+Version:        2.3.6
 Release:        0
 %define pkg_name dovecot
-%define dovecot_version 2.3.5.2
+%define dovecot_version 2.3.6
 %define dovecot_pigeonhole_version 0.5.5
 %define dovecot_branch  2.3
 %define dovecot_pigeonhole_source_dir %{pkg_name}-%{dovecot_branch}-pigeonhole-%{dovecot_pigeonhole_version}
@@ -137,7 +137,6 @@ Source11:       http://pigeonhole.dovecot.org/releases/%{dovecot_branch}/%{dovec
 Source12:       dovecot23.keyring
 Patch:          dovecot-2.3.0-dont_use_etc_ssl_certs.patch
 Patch1:         dovecot-2.3.0-better_ssl_defaults.patch
-Patch2:         https://github.com/dovecot/core/commit/3c5101ffd.patch
 Summary:        IMAP and POP3 Server Written Primarily with Security in Mind
 License:        BSD-3-Clause AND LGPL-2.1-or-later AND MIT
 Group:          Productivity/Networking/Email/Servers
@@ -317,7 +316,6 @@ dovecot tree.
 %setup -q -n %{pkg_name}-%{dovecot_version} -a 1
 %patch -p1
 %patch1 -p1
-%patch2 -p1
 gzip -9v ChangeLog
 # Fix plugins dir.
 sed -i 's|#mail_plugin_dir = /usr/lib/dovecot|mail_plugin_dir = %{_libdir}/dovecot/modules|' doc/example-config/conf.d/10-mail.conf