Accepting request 901209 from home:stroeder:network

- update to 2.3.15 and pigeonhole to 0.5.15:
  * security fixes for CVE-2021-29157, CVE-2021-33515, and CVE-2020-28200

FWIW: It seems to work for me on Tumbleweed x64_64.

OBS-URL: https://build.opensuse.org/request/show/901209
OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=96

allow-tls1.3-only.patch

@@ -1,46 +0,0 @@
-Index: dovecot-2.3.10.1/src/config/old-set-parser.c
-===================================================================
---- dovecot-2.3.10.1.orig/src/config/old-set-parser.c
-+++ dovecot-2.3.10.1/src/config/old-set-parser.c
-@@ -172,6 +172,9 @@ static int ssl_protocols_to_min_protocol
- {
- 	static const char *protocol_versions[] = {
- 		"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2",
-+#ifdef TLS1_3_VERSION
-+    "TLSv1.3",
-+#endif
- 	};
- 	/* Array where -1 = disable, 0 = not found, 1 = enable */
- 	int protos[N_ELEMENTS(protocol_versions)];
-Index: dovecot-2.3.10.1/src/lib-ssl-iostream/iostream-openssl-common.c
-===================================================================
---- dovecot-2.3.10.1.orig/src/lib-ssl-iostream/iostream-openssl-common.c
-+++ dovecot-2.3.10.1/src/lib-ssl-iostream/iostream-openssl-common.c
-@@ -9,6 +9,16 @@
- #include <openssl/err.h>
- #include <arpa/inet.h>
- 
-+/*
-+ * SSL_TXT_TLSV1_3 is not defined in the openssl headers up to 1.1.1g.
-+ * Define it here as no other part of the code uses those defines.
-+ *
-+ * https://github.com/openssl/openssl/pull/6720
-+ */
-+#ifndef SSL_TXT_TLSV1_3
-+#define SSL_TXT_TLSV1_3 "TLSv1.3"
-+#endif
-+
- /* openssl_min_protocol_to_options() scans this array for name and returns
-    version and opt. opt is used with SSL_set_options() and version is used with
-    SSL_set_min_proto_version(). Using either method should enable the same
-@@ -23,6 +33,10 @@ static const struct {
- 	{ SSL_TXT_TLSV1_1, TLS1_1_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 },
- 	{ SSL_TXT_TLSV1_2, TLS1_2_VERSION,
- 		SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 },
-+#ifdef TLS1_3_VERSION
-+	{ SSL_TXT_TLSV1_3, TLS1_3_VERSION,
-+		SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 },
-+#endif
- };
- int openssl_min_protocol_to_options(const char *min_protocol, long *opt_r,
- 				    int *version_r)

dovecot-2.3-pigeonhole-0.5.14.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:68ca0f78a3caa6b090a469f45c395c44cf16da8fcb3345755b1ca436c9ffb2d2
-size 1910607

dovecot-2.3-pigeonhole-0.5.14.tar.gz.sig

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAmBAssQXHGRvdmVjb3Qt
-Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaFA8Q//RhJpoX8nwT7m5B78Vvy/a1rW
-56++CQosLUxpjnwlzJ+4/G/x29nmI7qgt0cwVX1bPy5jrmTD4826M3MWCcn329R/
-YDQRk5BlU26f9MshNQC+MRA72YGUQyoLkW4aaGUXQdcTYzwOgTDDbu+uZbFOMwDV
-EWqAIXi/7faaVwxZiE2mMwXKDT9+6jyudsIRL9jKIJmbZSG0oiJN+5pIjZ4EQrt4
-mYyR3YQP+QlAMEqmY23vsrCtq7DiR+0hEnQUVCYtyGsZWbMjyMzwmRtx8v25s3HP
-M6A1+S/aBddKMPGNydk+VQz8Y7kSSdSEjoag5DRF6s/4+lSrIpDt7PzC9//A2At0
-BdW52i4AH6uw4Ggwicg0xJ95argFC8rNVxk2pl/zzH6MlQa5Hl0VnHuxc5HyGjuN
-uZqdPHN+ak3Mg/7zzN2w3nyjSuc6FmuWjdGX0PKkCgMPtDWE8yr5+jHX4blMvAgR
-Pc0FkdmOpjfVUhMTT/GZxR3pkk9oKyoJV/9UbjuBAL8oSLAznlj+gFoYmTW1vCNm
-ApJobM2Idn6tRnUi/88eI2E2JFEx8np0oiQY0uhAjdhw51eyHpws9sD4LF1NE4CH
-WFNR7zzO4ENG+NFV/eiSXc3v/6QacTcGNJkxm2SvhrSO/i7588Sni5tReWjq4woM
-pZ9IOPOWGeveyC40ppQ=
-=onpa
------END PGP SIGNATURE-----

dovecot-2.3-pigeonhole-0.5.15.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e1498f50cef74c351a57474cc423b008627ab1ab60724b859283ead6d00550d0
+size 1935601

dovecot-2.3-pigeonhole-0.5.15.tar.gz.sig

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJLBAABCgA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAmDQc4sXHGRvdmVjb3Qt
+Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaFVbRAAhgiKJIXsySgNbKePCVibmd1J
+PUMZxruEYzQfdF/l5UzWjY7shXjrZjT+JVdQCRdW1gUhCLDhf8+Ss5HsUt0TqUZ4
+Nm000CS6CTrSzQDASXQRyjIw57Sfm13CCneu/LcO1UMWorktY/Vx7dCiMr7rrHzP
+m1QAEaUpgdlmeLrhATjiCHeRgl1nE7vjlBzRQjLXnyjlsMjLZ5ckjIbjADM5pO9g
+W3SzFe2TRFA4Q4Q/BUtG+sEdbC7y61vW4nDL4Hk7JMyyLx2p05OFQ8h8gw5PyPUo
+FxeP+vpklCmhE3CJE4JrBifjTAl/UYRBjzW4iBxl1x2a7muTDK4BLSQzOxyyRzzh
+O8lNx8kIcPq7QzfjUlLi8Kb/TPJmgNkXRGHpVQ+9Zo+QPBe88UeAVkY9fzelC4gg
+AS8Lucw/zianKhOypelU2AoA5LhqdXjbhwmSSCK4Ga3umUjlyoWfjWZtSITT654H
+1c+KDxpup+e4aUL3oB29Xm2ONUpxZNQbJLg/Snp/PGQC4Xc6SxoS9Y4/VR8o1IZF
+TToDUptV5exKHy1EXxd2vJcWj0ByVsh/Tm4WgjxuiyLtQH1PusoD4pExk3xKuDSG
+9epPzZAFRUIyK6iejbdk/ZenaP+LEWv9q66yLQwHummXuuGG1iAXT4jQeMPr0u9i
+FhyBSN5yKGKC9h7KsR8=
+=eHZe
+-----END PGP SIGNATURE-----

dovecot-2.3.0-better_ssl_defaults.patch

@@ -1,19 +1,18 @@
-Index: dovecot-2.3.7.2/doc/example-config/conf.d/10-ssl.conf
-===================================================================
---- dovecot-2.3.7.2.orig/doc/example-config/conf.d/10-ssl.conf
-+++ dovecot-2.3.7.2/doc/example-config/conf.d/10-ssl.conf
+diff -ur dovecot-2.3.15.orig/doc/example-config/conf.d/10-ssl.conf dovecot-2.3.15/doc/example-config/conf.d/10-ssl.conf
+--- dovecot-2.3.15.orig/doc/example-config/conf.d/10-ssl.conf
++++ dovecot-2.3.15/doc/example-config/conf.d/10-ssl.conf
 @@ -9,8 +9,8 @@
  # dropping root privileges, so keep the key file unreadable by anyone but
  # root. Included doc/mkcert.sh can be used to easily generate self-signed
  # certificate, just make sure to update the domains in dovecot-openssl.cnf
--ssl_cert = </etc/ssl/private/dovecot.crt
+-ssl_cert = </etc/ssl/certs/dovecot.pem
 -ssl_key = </etc/ssl/private/dovecot.pem
 +#ssl_cert = </etc/ssl/private/dovecot.crt
 +#ssl_key = </etc/ssl/private/dovecot.pem
  
  # If key file is password protected, give the password here. Alternatively
  # give it when starting dovecot with -p parameter. Since this file is often
-@@ -60,6 +60,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+@@ -64,6 +64,7 @@
  #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
  # To disable non-EC DH, use:
  #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
@@ -21,29 +20,29 @@ Index: dovecot-2.3.7.2/doc/example-config/conf.d/10-ssl.conf
  
  # Colon separated list of elliptic curves to use. Empty value (the default)
  # means use the defaults from the SSL library. P-521:P-384:P-256 would be an
-@@ -68,6 +69,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+@@ -71,7 +72,7 @@
+ #ssl_curve_list =
  
  # Prefer the server's order of ciphers over client's.
- #ssl_prefer_server_ciphers = no
+-#ssl_prefer_server_ciphers = no
 +ssl_prefer_server_ciphers = yes
  
  # SSL crypto device to use, for valid values run "openssl engine"
  #ssl_crypto_device =
-@@ -76,3 +78,4 @@ ssl_key = </etc/ssl/private/dovecot.pem
+@@ -80,3 +81,4 @@
  #   compression - Enable compression.
  #   no_ticket - Disable SSL session tickets.
  #ssl_options =
 +ssl_options = no_compression
-Index: dovecot-2.3.7.2/src/lib-master/master-service-ssl-settings.c
-===================================================================
---- dovecot-2.3.7.2.orig/src/lib-master/master-service-ssl-settings.c
-+++ dovecot-2.3.7.2/src/lib-master/master-service-ssl-settings.c
-@@ -61,7 +61,7 @@ static const struct master_service_ssl_s
+diff -ur dovecot-2.3.15.orig/src/lib-master/master-service-ssl-settings.c dovecot-2.3.15/src/lib-master/master-service-ssl-settings.c
+--- dovecot-2.3.15.orig/src/lib-master/master-service-ssl-settings.c	2021-06-14 15:40:37.000000000 +0200
++++ dovecot-2.3.15/src/lib-master/master-service-ssl-settings.c	2021-06-21 14:09:29.663825041 +0200
+@@ -62,7 +62,7 @@
  	.ssl_client_cert = "",
  	.ssl_client_key = "",
  	.ssl_dh = "",
 -	.ssl_cipher_list = "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH",
 +	.ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH",
+ 	.ssl_cipher_suites = "", /* Use TLS library provided value */
  	.ssl_curve_list = "",
- 	.ssl_min_protocol = "TLSv1",
- 	.ssl_cert_username_field = "commonName",
+ 	.ssl_min_protocol = "TLSv1.2",

dovecot-2.3.0-dont_use_etc_ssl_certs.patch

@@ -1,16 +1,3 @@
-Index: dovecot-2.3.9.3/doc/example-config/conf.d/10-ssl.conf
-===================================================================
---- dovecot-2.3.9.3.orig/doc/example-config/conf.d/10-ssl.conf
-+++ dovecot-2.3.9.3/doc/example-config/conf.d/10-ssl.conf
-@@ -9,7 +9,7 @@
- # dropping root privileges, so keep the key file unreadable by anyone but
- # root. Included doc/mkcert.sh can be used to easily generate self-signed
- # certificate, just make sure to update the domains in dovecot-openssl.cnf
--ssl_cert = </etc/ssl/certs/dovecot.pem
-+ssl_cert = </etc/ssl/private/dovecot.crt
- ssl_key = </etc/ssl/private/dovecot.pem
- 
- # If key file is password protected, give the password here. Alternatively
 Index: dovecot-2.3.9.3/doc/man/doveconf.1.in
 ===================================================================
 --- dovecot-2.3.9.3.orig/doc/man/doveconf.1.in

dovecot-2.3.14.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c8b3d7f3af1e558a3ff0f970309d4013a4d3ce136f8c02a53a3b05f345b9a34a
-size 7483769

dovecot-2.3.14.tar.gz.sig

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAmBAspYXHGRvdmVjb3Qt
-Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaG80BAA0Q4KznyBEGAUOnsTV5YFGuP7
-T+ROvjCPK2RYCUN+/hFV1TIrEnTWtu9rC+G2UPEwWAHYQTnsOjR/XT+973/8bv8C
-5DSAAUFoO7SWmxuqTzEirworfYTNnuwTYcb0YAAC9mXfD2y0LrbRcSJmrNg2wbFg
-IIhlfHY1wSYSnXJvXktzJHBUKXlOLwJL4cokjtWHcJlY3PNmbTISZ6H7HfthBxaY
-k6BsqQ96n3MMkUV7Bg1WEnkwS0VGiPcj0wLdfJvpquwFTkxuNuh1DEK3yyttrtTx
-K1POSoE78JqWv++mdoHxdtm8A1le5PipqOIhoC+gpZv6TFE0+yztLNzPd8fKDfzK
-IxisA9/kWi5/4jwOXQ7R7H3pMZ3ikJiL0IIwCKoLX+NuKbD28zZkZDH0maXmDnOB
-27+hBztrT0h8gRXuC8cReOH/MpK4XVX/VhsLbMuF9n2qhR9r+atoMw4d3x17KgKK
-/jd+n4BuuXzKjWRsI7B9wVvPpHWBHYTGR1lLpC3xxhSlRV71ZJ4DStP6cgNke/Hh
-AkW/7rE8oZbxp7NhjICIb4aHmhKdpp4iSUWdm6kgtPCwJfF26oNiuXL3O7ugha8V
-sLniTTuiceU7hl9Zkt89eqERjMa1/NKf3c+g4BlKO7sN9rhmWie5zqc4oQ1VXfO9
-jSbLcfs57L7odF3s1SY=
-=B32T
------END PGP SIGNATURE-----

dovecot-2.3.15.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:21bbdd5d45957a99133de8b7e71813ecb73d9476c89dfc63479e9102b3553590
+size 7608561

dovecot-2.3.15.tar.gz.sig

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJLBAABCgA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAmDMdTwXHGRvdmVjb3Qt
+Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaF+Qw/+MUDN/HK62t51ElYoOSO7PFL6
+ajYu0kSBflJGbovcBrlYYUC5oWQWQuVTsNdxxk1g9HLt1S7rYjW6QZk5IoM/DTkG
+ICRwfHXeDKS1zNXmkauDrwFcu9tbjg0BmdZ8vsKQUni5vDEtpjH6QiXkDA18P+e7
+4qSW3rpq6Sb+nRHDsicSTVtUIVmjCjETT04tIIoLUQvP4LjOkyydpW76fNCHqYZ+
+wJzhSNF6NwJGNumh/xSyNcqdhrcLBhfNx6JVWHajUrntXh5Tiy+okC5BIOHNXSt7
+/kN1BWxb8V8k/Ku3ickJOsXarw2LBsT2LzDAqUeWK9p0ywIAj9ue6zP+COoRzu+F
+dRURqYnOohNHPFhmXCx4ixYV9VGtXpboAyf8u8BCFODmeF/HgeOLVogC/+Nda/br
+8GEXWdxdFFECTDAAqqmcxU/lZu2CfvRWhgAIbEeBGI+8KOe1vGmALvKL2GzbnFDB
+Hfjsrafs1l4hM6rynoHAJzbVY+QuvNpnwNTc4KsGtOYdYfb5jEaIDJAzfqbxgCTp
+Vd5H13PAbqsO55hHpEQclLK4QCO30SOP0geLu6+6bhZGfeSBh64VILQAqvv1R4xK
+XoNW5dSbG27yZdiHeKlC8ppB35JsUSaQheLj/msSKckBL0cGtguUZQexTnD6tfQc
+b8TKUG9FbKfM1hI9cyw=
+=bjVt
+-----END PGP SIGNATURE-----

dovecot23.changes

@@ -1,3 +1,147 @@
+-------------------------------------------------------------------
+Mon Jun 21 11:27:29 UTC 2021 - Michael Ströder <michael@stroeder.com>
+
+- update to 2.3.15 and pigeonhole to 0.5.15:
+  * security fixes for CVE-2021-29157, CVE-2021-33515, and CVE-2020-28200
+  * rebased patch dovecot-2.3.0-better_ssl_defaults.patch
+  * removed obsolete back-port patches
+    allow-tls1.3-only.patch and openssl-cnf-default_bits-2048.patch
+  * require lua53-devel for build
+
+  Dovecot 2.3.15
+  * CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
+    JWT tokens. This may be used to supply attacker controlled keys to
+    validate tokens, if attacker has local access.
+  * CVE-2021-33515: On-path attacker could have injected plaintext commands
+    before STARTTLS negotiation that would be executed after STARTTLS
+    finished with the client.
+  * Disconnection log messages are now more standardized across services.
+    They also always now start with "Disconnected" prefix.
+  * Dovecot now depends on libsystemd for systemd integration.
+  * Removed support for Lua 5.2. Use version 5.1 or 5.3 instead.
+  * config: Some settings are now marked as "hidden". It's discouraged to
+    change these settings. They will no longer be visible in doveconf
+    output, except if they have been changed or if doveconf -s parameter
+    is used. See https://doc.dovecot.org/settings/advanced/ for details.
+  * imap-compress: Compression level is now algorithm specific.
+    See https://doc.dovecot.org/settings/plugin/compress-plugin/
+  * indexer-worker: Convert "Indexed" info logs to an event named
+    "indexer_worker_indexing_finished". See
+    https://doc.dovecot.org/admin_manual/list_of_events/#indexer-worker-indexing-finished
+  + Add TSLv1.3 support to min_protocols.
+  + Allow configuring ssl_cipher_suites. (for TLSv1.3+)
+  + acl: Add acl_ignore_namespace setting which allows to entirely ignore
+    ACLs for the listed namespaces.
+  + imap: Support official RFC8970 preview/snippet syntax. Old methods of
+    retrieving preview information via IMAP commands ("SNIPPET and PREVIEW
+    with explicit algorithm selection") have been deprecated.
+  + imapc: Support INDEXPVT for imapc storage to enable private
+    message flags for cluster wide shared mailboxes.
+  + lib-storage: Add new events: mail_opened, mail_expunge_requested,
+    mail_expunged, mail_cache_lookup_finished. See
+    https://doc.dovecot.org/admin_manual/list_of_events/#mail
+  + zlib, imap-compression, fs-compress: Support compression levels that
+    the algorithm supports. Before, we would allow hardcoded value between
+    1 to 9 and would default to 6. Now we allow using per-algorithm value
+    range and default to whatever default the algorithm specifies.
+  - *-login: Commands pipelined together with and just after the authenticate
+    command cause these commands to be executed twice. This applies to all
+    protocols that involve user login, which currently comprises of imap,
+    pop3, submisision and managesieve.
+  - *-login: Processes are supposed to disconnect the oldest non-logged in
+    connection when process_limit was reached. This didn't actually happen
+    with the default "high-security mode" (with service_count=1) where each
+    connection is handled by a separate process.
+  - *-login: When login process reaches client/process limits, oldest
+    client connections are disconnected. If one of these was still doing
+    anvil lookup, this caused a crash. This could happen only if the login
+    process limits were very low or if the server was overloaded.
+  - Fixed building with link time optimizations (-flto).
+  - auth: Userdb iteration with passwd driver does not always return all
+    users with some nss drivers.
+  - dsync: Shared INBOX not synced when "mail_shared_explicit_inbox" was
+    disabled. If a user has a shared mailbox which is another user's INBOX,
+    dsync didn't include the mailbox in syncing unless explicit naming is
+    enabled with "mail_shared_explicit_inbox" set to "yes".
+  - dsync: Shared namespaces were not synced with "-n" flag.
+  - dsync: Syncing shared INBOX failed if mail_attribute_dict was not set.
+    If a user has a shared mailbox that is another user's INBOX, dsync
+    failed to export the mailbox if mail attributes are disabled.
+  - fts-solr, fts-tika: Using both Solr FTS and Tika may have caused HTTP
+    requests to assert-crash: Panic: file http-client-request.c: line 1232
+    (http_client_request_send_more): assertion failed: (req->payload_input != NULL)
+  - fts-tika: 5xx errors returned by Tika server as indexing failures.
+    However, Tika can return 5xx for some attachments every time.
+    So the 5xx error should be retried once, but treated as success if it
+    happens on the retry as well. v2.3 regression.
+  - fts-tika: v2.3.11 regression: Indexing messages with fts-tika may have
+    resulted in Panic: file message-parser.c: line 802 (message_parser_deinit_from_parts):
+    assertion failed: (ctx->nested_parts_count == 0 || i_stream_have_bytes_left(ctx->input))
+  - imap: SETMETADATA could not be used to unset metadata values.
+    Instead NIL was handled as a "NIL" string. v2.3.14 regression.
+  - imap: IMAP BINARY FETCH crashes at least on empty base64 body:
+    Panic: file index-mail-binary.c: line 358 (blocks_count_lines):
+    assertion failed: (block_count == 0 || block_idx+1 == block_count)
+  - imap: If IMAP client using the NOTIFY command was disconnected while
+    sending FETCH notifications to the client, imap could crash with
+    Panic: Trying to close mailbox INBOX with open transactions.
+  - imap: Using IMAP COMPRESS extension can cause IMAP connection to hang
+    when IMAP commands are >8 kB long.
+  - imapc: If remote server sent BYE but didn't immediately disconnect, it
+    could cause infinite busy-loop.
+  - lib-index: Corrupted cache record size in dovecot.index.cache file
+    could have caused a crash (segfault) when accessing it.
+  - lib-oauth2: JWT token time validation now works correctly with
+    32-bit systems.
+  - lib-ssl-iostream: Checking hostnames against an SSL certificate was
+    case-sensitive.
+  - lib-storage: Corrupted mime.parts in dovecot.index.cache may have
+    resulted in Panic: file imap-bodystructure.c: line 206 (part_write_body):
+    assertion failed: (text == ((part->flags & MESSAGE_PART_FLAG_TEXT) != 0))
+  - lib-storage: Index rebuilding (e.g. via doveadm force-resync) didn't
+    preserve the "hdr-pop3-uidl" header. Because of this, the next pop3
+    session could have accessed all of the emails' metadata to read their
+    POP3 UIDL (opening dbox files).
+  - listescape: When using the listescape plugin and a shared namespace
+    the plugin didn't work properly anymore resulting in errors like:
+    "Invalid mailbox name: Name must not have '/' character."
+  - lmtp: Connection crashes if connection gets disconnected due to
+    multiple bad commands and the last bad command is BDAT.
+  - lmtp: The Dovecot-specific LMTP parameter XRCPTFORWARD was blindly
+    forwarded by LMTP proxy without checking that the backend has support.
+    This caused a command parameter error from the backend if it was
+    running an older Dovecot release. This could only occur in more complex
+    setups where the message was proxied twice; when the proxy generated
+    the XRCPTFORWARD parameter itself the problem did not occur, so this
+    only happened when it was forwarded.
+  - lmtp: The LMTP proxy crashes with a panic when the remote server
+    replies with an error while the mail is still being forwarded through
+    a DATA/BDAT command.
+  - lmtp: Username may have been missing from lmtp log line prefixes when
+    it was performing autoexpunging.
+  - master: Dovecot would incorrectly fail with haproxy 2.0.14 service
+    checks.
+  - master: Systemd service: Dovecot announces readiness for accepting
+    connections earlier than it should. The following environment variables
+    are now imported automatically and can be omitted from
+    import_environment setting: NOTIFY_SOCKET LISTEN_FDS LISTEN_PID.
+  - master: service { process_min_avail } was launching processes too
+    slowly when master was forking a lot of processes.
+  - util: Make the health-check.sh example script POSIX shell compatible.
+
+  Pigeonhole 0.5.15
+  * CVE-2020-28200: Sieve interpreter is not protected against abusive
+    scripts that claim excessive resource usage. Fixed by limiting the
+    user CPU time per single script execution and cumulatively over
+    several script runs within a configurable timeout period. Sufficiently
+    large CPU time usage is summed in the Sieve script binary and execution
+    is blocked when the sum exceeds the limit within that time. The block
+    is lifted when the script is updated after the resource usage times out.
+  * Disconnection log messages are now more standardized across services.
+    They also always now start with "Disconnected" prefix.
+  - managesieve: Commands pipelined together with and just after the
+    authenticate command cause these commands to be executed twice.
+
 -------------------------------------------------------------------
 Fri May 14 10:07:07 UTC 2021 - Fabian Vogt <fvogt@suse.com>
 

dovecot23.spec

@@ -19,11 +19,11 @@
 %global _lto_cflags %{nil}
 
 Name:           dovecot23
-Version:        2.3.14
+Version:        2.3.15
 Release:        0
 %define pkg_name dovecot
-%define dovecot_version 2.3.14
-%define dovecot_pigeonhole_version 0.5.14
+%define dovecot_version 2.3.15
+%define dovecot_pigeonhole_version 0.5.15
 %define dovecot_branch  2.3
 %define dovecot_pigeonhole_source_dir %{pkg_name}-%{dovecot_branch}-pigeonhole-%{dovecot_pigeonhole_version}
 %define dovecot_pigeonhole_docdir     %{_docdir}/%{pkg_name}/dovecot-pigeonhole
@@ -105,7 +105,7 @@ BuildRequires:  libcap-devel
 %if 0%{?suse_version} > 1020
 BuildRequires:  libbz2-devel
 %endif
-BuildRequires:  lua-devel
+BuildRequires:  lua53-devel
 %if %{with solr}
 BuildRequires:  curl-devel
 BuildRequires:  libexpat-devel
@@ -148,10 +148,6 @@ Source11:       https://pigeonhole.dovecot.org/releases/%{dovecot_branch}/%{dove
 Source12:       dovecot23.keyring
 Patch:          dovecot-2.3.0-dont_use_etc_ssl_certs.patch
 Patch1:         dovecot-2.3.0-better_ssl_defaults.patch
-#               https://github.com/dovecot/core/pull/126
-Patch2:         allow-tls1.3-only.patch
-#               https://github.com/dovecot/core/pull/161
-Patch3:         openssl-cnf-default_bits-2048.patch
 Summary:        IMAP and POP3 Server Written Primarily with Security in Mind
 License:        BSD-3-Clause AND LGPL-2.1-or-later AND MIT
 Group:          Productivity/Networking/Email/Servers

openssl-cnf-default_bits-2048.patch

@@ -1,21 +0,0 @@
-From 397ca180b8e58bf38525afcf9af249b190120607 Mon Sep 17 00:00:00 2001
-From: Arjen de Korte <build+github@de-korte.org>
-Date: Sat, 10 Apr 2021 13:52:15 +0200
-Subject: [PATCH] doc/openssl.cnf: Increase default_bits to 2048
-
-NIST guidelines mandate that all SSL certificates must be of at least 2048 key length
----
- doc/dovecot-openssl.cnf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/doc/dovecot-openssl.cnf b/doc/dovecot-openssl.cnf
-index b2dfebfea9..f65a80cc2f 100644
---- a/doc/dovecot-openssl.cnf
-+++ b/doc/dovecot-openssl.cnf
-@@ -1,5 +1,5 @@
- [ req ]
--default_bits = 1024
-+default_bits = 2048
- encrypt_key = yes
- distinguished_name = req_dn
- x509_extensions = cert_type