- update to 2.3.5.1

* CVE-2019-7524: Missing input buffer size validation leads into arbitrary buffer overflow when reading fts or pop3 uidl header from Dovecot index. Exploiting this requires direct write access to the index files. OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=41
2019-03-28 12:47:57 +00:00 · 2019-03-28 12:47:57 +00:00 · 5865d4af03
commit 5865d4af03
parent be50c964a0
6 changed files with 31 additions and 22 deletions
--- a/dovecot-2.3.5.1.tar.gz
+++ b/dovecot-2.3.5.1.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:d78f9d479e3b2caa808160f86bfec1c9c7b46344d8b14b88f5fa9bbbf8c7c33f
 size 6953150
--- a/dovecot-2.3.5.1.tar.gz.sig
+++ b/dovecot-2.3.5.1.tar.gz.sig
@ -0,0 +1,17 @@
 -----BEGIN PGP SIGNATURE-----
 iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAlyYoFMXHGRvdmVjb3Qt
 Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaHamhAAkKY08CH7HxUio95L4d2IUS7t
 W7XsCahhsAmhGWyCVTheT2o/3AVPuKW++6nomKwuFmPJFrFdFVmVAhX9tjyNcgHJ
 YGH1IKy0DrV0RKAkYSvJcooyWXaqejTEQ7E/Ad94ldhGF1twa8xX+8Hr/1QY9cnB
 1YuqczirsaU+fI9wBc4Dogt3RfA/r36/jGQKNlQYxf9/KTSV1QXtqKQRQWaBsDni
 W4+ovuXlVNB3B5/aKUylsxHHUWYX5Ls4kk6+qpdKqTw9/WImuWPy7x5byRR3ycIP
 EI31S1LjipM/oe/o0VKHserJCAf8Wkvj8f1t6ZzYFY7LQwj0Lge0FQ8jVctBhv+P
 mFtX3L/tv7GN7k+nsH27jCFPfTlyGD9kN2UivUIXsiDkgRJI3ifcDvIuF1VnEybD
 +IQksd3eMCHfV9NnFcIy4X7FiHxTz1S2FTFlb8nbr1CirehV4WJt5x27FDZjVHXP
 mAvRY/iNkzRWEHbrTrgb9I9OUA5mXE2v3lox7WIPJwh+Nc8USS8/O0jFXPE7am5x
 SspQ+2ZAOhLja2fp7wLZR2vxMXyjXAFT0teGoTq67fTPX8OKDgbNjFCKR4ROJKU8
 d33KfXt8N4MPi6F9LZTm352248+jFUI4tXV7eJp6Aw9k8jje9OJzBfPYIdBgd2rD
 EBi+rfFY/GcORlMO6Wc=
 =RY2x
 -----END PGP SIGNATURE-----
--- a/dovecot-2.3.5.tar.gz
+++ b/dovecot-2.3.5.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:bfe112ec6d11f7d6c6f7f0440e3b6e2c840c15cec1e99466b5495765d54aaaff
 size 6970480
--- a/dovecot-2.3.5.tar.gz.sig
+++ b/dovecot-2.3.5.tar.gz.sig
@ -1,17 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAlx+afoXHGRvdmVjb3Qt
 Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaGmvQ/8D5tOni6a8HJaGF1KlQ1ubMhJ
 CkFWGSNJ5x0UCycCsqgEOMmDPL7Euf9LLwmKgb8FHTWc96TexyiM+n+VXuzaH2yN
 J6UXLrUqtOybKt1kTOmy8L14tcZG9eBq8V3ycogyuXe2qnucVJjr8D1MS3UX4xsV
 ly1Zqcwky8RrUVTcTlbEwjoYUJY75NNeoTEKG/Eq3xwiDSTzh2/JQuhO/wP89ZDW
 8H681rHEGQImzYUVlMMYqeUvgqATVn/pwpDp1ov4/K52vQTfY3vX6xYnE+lQ5cg0
 LzXokkBS54CsVCg7XwqfMpTjEOfpOLSbwCE+Ujak/xIvzz1Fg7sn1XL9oIYaZg5R
 2IU9lmWkzscPiBfz57knOyB/jiNJjSHYEFlgrVjskqId5xfLdkFN/VNeI7LDWNC/
 sKHgRy92EwOVi9gQM8FRTmnsDyfpeSZ5DW8FaNr4iRg8RYfqjwSs1xTH6mzD1hcX
 RodblVxxEWB4uFj/0lY0J60Mad63l+xrsv4NEpnxFRQknoINyWNWM5JHRJjoW2rS
 XGUh8XZWsCiNVg5dQj+1uNLVarLUHBfCzb6+RWevY09hIJqkMafHDYHwwbFDdvZh
 dz3jHdtOksDoObUWKZ/1XJgm/Zg4vw4b2ZfrezCyruo45l/6T2vuaCHsYfF0/hDz
 Ec1Rox1X6gjvbp4IjqA=
 =sFpO
 -----END PGP SIGNATURE-----
--- a/dovecot23.changes
+++ b/dovecot23.changes
@ -1,3 +1,12 @@
 -------------------------------------------------------------------
 Thu Mar 28 12:36:55 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>
 - update to 2.3.5.1
  * CVE-2019-7524: Missing input buffer size validation leads into
    arbitrary buffer overflow when reading fts or pop3 uidl header
    from Dovecot index. Exploiting this requires direct write
    access to the index files.
 -------------------------------------------------------------------
 Fri Mar  8 18:09:00 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>
--- a/dovecot23.spec
+++ b/dovecot23.spec
@ -17,10 +17,10 @@
 Name:           dovecot23
-Version:        2.3.5
+Version:        2.3.5.1
 Release:        0
 %define pkg_name dovecot
-%define dovecot_version 2.3.5
+%define dovecot_version 2.3.5.1
 %define dovecot_pigeonhole_version 0.5.5
 %define dovecot_branch  2.3
 %define dovecot_pigeonhole_source_dir %{pkg_name}-%{dovecot_branch}-pigeonhole-%{dovecot_pigeonhole_version}