diff --git a/3c5101ffd.patch b/3c5101ffd.patch
deleted file mode 100644
index 6a6fdb9..0000000
--- a/3c5101ffd.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 3c5101ffdd2a8115e03ed7180d53578765dea4c9 Mon Sep 17 00:00:00 2001
-From: Aki Tuomi
-Date: Tue, 4 Dec 2018 14:40:04 +0200
-Subject: [PATCH] driver-mysql: Avoid double-closing MySQL connection
-
-Fixes double-free
----
- src/lib-sql/driver-mysql.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib-sql/driver-mysql.c b/src/lib-sql/driver-mysql.c
-index c87e825e4b..5dd1c3124f 100644
---- a/src/lib-sql/driver-mysql.c
-+++ b/src/lib-sql/driver-mysql.c
-@@ -173,7 +173,9 @@ static int driver_mysql_connect(struct sql_db *_db)
- static void driver_mysql_disconnect(struct sql_db *_db)
- {
- struct mysql_db *db = (struct mysql_db *)_db;
-- mysql_close(db->mysql);
-+ if (db->mysql != NULL)
-+ mysql_close(db->mysql);
-+ db->mysql = NULL;
- }
-
- static int driver_mysql_parse_connect_string(struct mysql_db *db,
-@@ -311,7 +313,9 @@ static void driver_mysql_deinit_v(struct sql_db *_db)
- _db->no_reconnect = TRUE;
- sql_db_set_state(&db->api, SQL_DB_STATE_DISCONNECTED);
-
-- mysql_close(db->mysql);
-+ if (db->mysql != NULL)
-+ mysql_close(db->mysql);
-+ db->mysql = NULL;
-
- sql_connection_log_finished(_db);
- event_unref(&_db->event);
diff --git a/dovecot-2.3.5.2.tar.gz b/dovecot-2.3.5.2.tar.gz
deleted file mode 100644
index 7493634..0000000
--- a/dovecot-2.3.5.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ba14e41aefd81a868a35b83bcb54194116106424d37690519b50ea83c0f31bf2
-size 6953228
diff --git a/dovecot-2.3.5.2.tar.gz.sig b/dovecot-2.3.5.2.tar.gz.sig
deleted file mode 100644
index d7f15dd..0000000
--- a/dovecot-2.3.5.2.tar.gz.sig
+++ /dev/null
@@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAly4Op0XHGRvdmVjb3Qt -Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaGNmBAAmVTk1EHLtY++LjMAwax5mDQ1 -rwnoGWcCTCVrM7s7FAehvQ+FXnDTtHEWcWzxvjngm58jFBr+H/1NfAYR8srLfHc7 -ucj4Xt9Fyl++pGyUXKS+RTZP+rcI6nt/AmPBqG/WaaMGKI04jFzNw2MMIJ2afOI6 -MJbDOCZm6PDQiCAw7xJ2RaD021irAvZu1Xa1mVq2eZb5vrU8heVfOwZhyVU6H8bD -xaYbhvMNB7CHl3xMQDFNKLlArxEiAQgm4akVvC1NzCkkR87RwZfjjQZfdVd2xlx2 -x2Jm33WrGPumXlpWNqPCrwKgynLJ0qgZZ78c9pwsIGW8Nq+LxK6z1hDdCbUjjTGj -AOYqxXuD9yJfKYFAL9y1YSY/BEVGrBK30RQdQxXb/xqQ6bxIysxPjSg7lWetclQO -XzyJlKV2qP8zjAjZisY4T4WGJm9zLX1JK6cojenjZBapRuGF9ro+QulZZtRCtljf -7jrOQLir8LjhA0KCH8mlPps33qyzVpOKmLtZ2w9MGIQowHQUAQA3G2EBp7h2pNm2 -dFW/I+F6sU2CFBm9lvuLV4BWt2y9VZsaz7uk0NdUscPJ4i0XBQnoa7CEOzj1SXnR -R58tqxtXoelX/XmUsd6JWeW1jDaS/dGaxe30zSMKwZR3zKP7T+pJmKhHwRxwo1G8 -Z3qiNsmMUycFz06VMho= -=t6Fw ------END PGP SIGNATURE----- diff --git a/dovecot-2.3.6.tar.gz b/dovecot-2.3.6.tar.gz new file mode 100644 index 0000000..3258fc3 --- /dev/null +++ b/dovecot-2.3.6.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ed1d8dc1beeae9c6c73deac73a62ef19fe9262fbffd86604a3f690452f5536c7 +size 6980135 diff --git a/dovecot-2.3.6.tar.gz.sig b/dovecot-2.3.6.tar.gz.sig new file mode 100644 index 0000000..5bdb612 --- /dev/null +++ b/dovecot-2.3.6.tar.gz.sig 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAlzIRtYXHGRvdmVjb3Qt +Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaFDBhAAp3vvNdz2+nOUe106ToQs3VA9 +8jPxUQjxeiUVODkx3Hth9VjRCaD1n0hpJwq02bWCN/bqbFir8ObB/t+jhGMUuqG9 +unvp3gCfSo4AVT3HezYL2+7a5USAskkAkoDu4zfGE8OfBKx+mF0XMoOY2OmyCpbt +k7k52lM/wKfjDhi04kkhu6yM5S5C7IMkTt8GeKbCrk9W2F5AAoIVH/6KryfMcQd4 +pActK/q1fMDyxe+wcG9UOQb6POzXdO/jO790CmWv4C6ZY1yoojguRzTMIwvEF0ow +TYbAjmn9+IXl4rgIUBhe4l9lS4jHohwE9heooDO08ZdVIRMzPTALn0p9C4DCuE4K +EmVGzEpmKfy47eFdwU6Adp8KPYYaTTh8ykg8zk+tItMq6vK0Dq3L4P7iHJ1Lvqsc +YdZwGgm2mqXPG7ZizOve/sKfRlAQ8mzImlwRcEvtjMp3kcy28OOljWWRzxzmHYCY +CmuhuEZq2JDQ33sNuzkUNaPhx5qmDwRrOqpGhcnWXAtHTIDeWJNMreV/LQbSvMDS +B3Ko+QB61ebC4aAts6ddt6b7IgQmifNXHbxJ5u41qcbtpD+FaQNl648b/7FZTGOx +900QaaSK+K4PtjGypa2ZZZAo1rVGCbzc8HzmUMSsdwWsoKgTQYMChNn4wNdKxM99 +RWnqdL/PRZdQHRXzr08= +=UAEA +-----END PGP SIGNATURE----- diff --git a/dovecot23.changes b/dovecot23.changes index befd419..3dbb54a 100644 --- a/dovecot23.changes +++ b/dovecot23.changes 
@@ -1,3 +1,35 @@
+-------------------------------------------------------------------
+Tue Apr 30 13:34:16 UTC 2019 - Marcus Rueckert
+
+- update to 2.3.6: (boo#1133624 boo#1133625)
+ * CVE-2019-11494: Submission-login crashed with signal 11 due to
+ null pointer access when authentication was aborted by
+ disconnecting.
+ * CVE-2019-11499: Submission-login crashed when authentication
+ was started over TLS secured channel and invalid authentication
+ message was sent.
+ * auth: Support password grant with passdb oauth2.
+ + Use system default CAs for outbound TLS connections.
+ + Simplify array handling with new helper macros.
+ + fts_solr: Enable configuring batch_size and soft_commit features.
+ - lmtp/submission: Fixed various bugs in XCLIENT handling,
+ including a hang when XCLIENT commands were sent infinitely to
+ the remote server.
+ - lmtp/submission: Forwarded multi-line replies were erroneously
+ sent as two replies to the client.
+ - lib-smtp: client: Message was not guaranteed to contain CRLF
+ consistently when CHUNKING was used.
+ - fts_solr: Plugin was no longer compatible with Solr 7.
+ - Make it possible to disable certificate checking without
+ setting ssl_client_ca_* settings.
+ - pop3c: SSL support was broken.
+ - mysql: Closing connection twice lead to crash on some systems.
+ - auth: Multiple oauth2 passdbs crashed auth process on deinit.
+ - HTTP client connection errors infrequently triggered a
+ segmentation fault when the connection was idle and not used
+ for a particular client instance.
+- drop https://github.com/dovecot/core/commit/3c5101ffd.patch
+
 -------------------------------------------------------------------
 Mon Apr 29 22:11:53 UTC 2019 - Marcus Rueckert
diff --git a/dovecot23.spec b/dovecot23.spec
index cf75a81..038433a 100644
--- a/dovecot23.spec
+++ b/dovecot23.spec
@@ -17,10 +17,10 @@ Name: dovecot23
-Version: 2.3.5.2
+Version: 2.3.6
 Release: 0
 %define pkg_name dovecot
-%define dovecot_version 2.3.5.2
+%define dovecot_version 2.3.6
 %define dovecot_pigeonhole_version 0.5.5
 %define dovecot_branch 2.3
 %define dovecot_pigeonhole_source_dir %{pkg_name}-%{dovecot_branch}-pigeonhole-%{dovecot_pigeonhole_version}
@@ -137,7 +137,6 @@ Source11: http://pigeonhole.dovecot.org/releases/%{dovecot_branch}/%{dovec
 Source12: dovecot23.keyring
 Patch: dovecot-2.3.0-dont_use_etc_ssl_certs.patch
 Patch1: dovecot-2.3.0-better_ssl_defaults.patch
-Patch2: https://github.com/dovecot/core/commit/3c5101ffd.patch
 Summary: IMAP and POP3 Server Written Primarily with Security in Mind
 License: BSD-3-Clause AND LGPL-2.1-or-later AND MIT
 Group: Productivity/Networking/Email/Servers
@@ -317,7 +316,6 @@ dovecot tree.
 %setup -q -n %{pkg_name}-%{dovecot_version} -a 1
 %patch -p1
 %patch1 -p1
-%patch2 -p1
 gzip -9v ChangeLog
 # Fix plugins dir.
 sed -i 's|#mail_plugin_dir = /usr/lib/dovecot|mail_plugin_dir = %{_libdir}/dovecot/modules|' doc/example-config/conf.d/10-mail.conf