Accepting request 756989 from home:stroeder:branches:server:mail

update to 2.3.9.2 with security fixes OBS-URL: https://build.opensuse.org/request/show/756989 OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=59
2019-12-17 21:27:17 +00:00 · 2019-12-17 21:27:17 +00:00 · 75113b87e9
commit 75113b87e9
parent 5228e3fbb8
10 changed files with 160 additions and 44 deletions
--- a/dovecot-2.3-pigeonhole-0.5.8.tar.gz
+++ b/dovecot-2.3-pigeonhole-0.5.8.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8fb860d50c1b1a09aea9e25f8ee89c22e34ecedfb0e11a1c48a7f67310759022
-size 1857780
--- a/dovecot-2.3-pigeonhole-0.5.8.tar.gz.sig
+++ b/dovecot-2.3-pigeonhole-0.5.8.tar.gz.sig
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl2cZncXHGRvdmVjb3Qt
-Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaE0rQ/9E3AWtt+QBmnslFQPNMPD26Y3
-Lqzi1gertrf+O+L9Kgy2kRfJTlF9Mi9O2PuNFiO2eghgQoyqr9EODjjTsb0TnNM9
-o9LWqk5HPzBnf9/qJGca1O8y4i/1WB9hwuoW05XGwmM3uaCAF7wpz3Y8rGRxeaUg
-KklncVmcFH1QEHHzE8iF+36lCpT8nf2x9y+niPtTUJHfJnEYyv5jebAc3TjHeeq9
-OKQRmrUPRdySUv/Wtohu6J5sDhYuu3aImkVE3llARRrR5JWqdN3n6czMxG6+uljh
-pH9kXyvf6mCg97GyGuGEJEXza4Kx6DaT2u+0G3/+TPxHKAxg392O4hBvAWoA/7Xf
-OoyDg4X1+biXQtGb9OTz864R/lZeD6iHDenQQ7aeh0rR6jGdRpuCK7JqrlZu+Ap7
-R5FekqzBo0sbCpQBYUhHAqxUCLjoAmiIbH4BY0OhBhSUec+V62OvHncOlVaovGRI
-ys4FdBEOP7hTlVkpVxmiTq2YnGcwR7Olkgf9nEXVFGzbGHumQ2/MNBQXc9gYHnx8
-sQ2YR0lUEQhx0EpYaG4s98rldn5tSMKYU660zkXGbI0FPAJpeyix8D5mW+R1CQtI
-8oUTJmSZH18/i2uuFiGm9Sy2RbpJiWXN2Obzv85H1dt8ZIIOfZUlt5m/5atbcdw1
-BS4ywBGoOqXTMSAwg64=
-=Olcg
-----END PGP SIGNATURE-----
--- a/dovecot-2.3-pigeonhole-0.5.9.tar.gz
+++ b/dovecot-2.3-pigeonhole-0.5.9.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:36da68aae5157b83e21383f711b8977e5b6f5477f369f71e7e22e76a738bbd05
+size 1897060
--- a/dovecot-2.3-pigeonhole-0.5.9.tar.gz.sig
+++ b/dovecot-2.3-pigeonhole-0.5.9.tar.gz.sig
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl3niXIXHGRvdmVjb3Qt
+Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaEVCRAAxZN9YrDBh/oyt/1LOlfO2mur
+scamt7R7qOPrD9j5DFcqLCZIkdiBSZGaAVsi9IVjWN5UmYWNB8ScKLTBjl4jobRZ
+4xe8NBmJA8m2jNKhzK9bNpfjJk7/B9KBL74twhjnFc5E5Uhnok5YAVq6sL582EU4
+4ChAlrVE/qhzuWyp/hlL+YC4PZw2IAxcm0a29SENVPpg2ZfSfK9Wv1fA7zAf/QSr
+mJDFXX2XkUnSX/cnoUZPaJ8HBITq58PAcXUha+I07VJSVgcPQaJBImx6VO2+zqmP
+N7OUZDQ3pIqowETMYEk37ZBrQC4mGzz85SpzwhlJPoex5jF1q5M4IJHiXbsL0FUK
+b1G55ZxHG22LQANf+rcIC1B1HeNfARqxVAbdGUrOw3Ij5m9jFcp0wwTGCs7EJpX6
+PmdDI4hkg4odRVMapzW+PwvY5qHzhDTmq7Iv+4CGlaJOjCpnxGeOYx0j4KVHrCXn
+sd6hBzlEkGUzWMp8Kr38bF9fWhZ6FGmGGs8asJf8BFCHnJ1YohyA6aaDtvAAXIw9
+y83iJfh7IrY074ecoz8KeAsgbkcFjrF3mWr2G5OocnsXhBsoDkUCXoon21yAqHRG
+GXA8tfwEnteYbziBW2DsH3GmOpQOZa9RJWym9k64c+a2EhZh8y/azCXsLoXujfuv
+jGhMIbyFJziItO93BTI=
+=PGEG
+-----END PGP SIGNATURE-----
--- a/dovecot-2.3.8.tar.gz
+++ b/dovecot-2.3.8.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c5778d03bf26ab34a605854098035badec455d07adfab38d974f610c8f78b649
-size 7136958
--- a/dovecot-2.3.8.tar.gz.sig
+++ b/dovecot-2.3.8.tar.gz.sig
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl2cZm4XHGRvdmVjb3Qt
-Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaF8wQ//dfvB6vGkHNdvotdHCpnm8r9+
-fisLJEn+wHvVOYpia0Tsn5r13jcNeXaJC2+8yxKGw9lW7k305Lf7qnes0JJSY7U2
-Oi971eCQibIVI69N4DsjSmCXSTs6K2Xrvx5BlYu8voFfbvlv2G++TxV7SnRsqBbS
-QgULwi4PG6EJu1rgok9D+D2rU6iByWhysqRNFMbQoUpejqpoWc7WPLhvxZA+QPih
-Wnxd/7ZVJPUKLpJMuA8PP/b6Im6wqhlSUK97EmKVHU8j6y8w2yzsPiOJybTBJl25
-QiaK5KjsitvtR3VlzUxQW0Gl5eFvsg6vVQuZsVssUQ2QSHm+CwkdPxr0wcDm4Xuo
-q/32lOx4PuyOd5A5cpEpujZCnqhGtY9FapxCzPrQDsGKxJBKy1+4dslGkTxYXBu6
-moY2O+Ix6W6GHafrKfGLbc6njkWA67NHRlronTNooO0bM1nkTNr1brSavbtMaOnz
-vJNfR3JbRZQaEHPR85eTlnO9I4vA+KDqUJnlJYwMnD5YsFa/q3wPsJIFJ7B5cGB/
-uthhsKe4MfAyTxbw3P2kU8BBKFWWPHQCAh9xEah74CMumH5YtIJFXHbdgl331urV
-9WTCi8Z08pCp1UdEyOXGCXG8JbhGW2Q/pugLrvd150xW7/2K3jfuKLxUh7FOJhkM
-zKrVp62/hHKeQjtSXNo=
-=9Mtz
-----END PGP SIGNATURE-----
--- a/dovecot-2.3.9.2.tar.gz
+++ b/dovecot-2.3.9.2.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4784fb98dd41b83888e4aa9908efcbcad2e04a254e97440863903c0c498486f9
+size 7182306
--- a/dovecot-2.3.9.2.tar.gz.sig
+++ b/dovecot-2.3.9.2.tar.gz.sig
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl3zk+0XHGRvdmVjb3Qt
+Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaF8Ug/+LJkNfjvKArSpsnJLhG4Dji8r
+cC4cfHiCLzrNmIgqGlog5o7k8tsT+hTFjd4TGBT5F/pdS2guyk2tEXsRNYV75I7W
+k7GG06bfA9tJYXQJPDiFVpkkVvU+eh447k8GeN8r78+LRYbRUe8Xa+AHBZJ6oj22
+/hn1rHPRpWOEKhuzFOSiIRgv4ERxXCfT5k59WMeRjYL8Ivqwcb/NnXrQFDYynebi
+X1XpKF3YMNzE43E/NYWgz8Wcqbcf/i3kt2ETCyd4ClzpuPNQKdEGPxdSbaA+pdb7
+0v4Lnun/xUaQGdXb/h/3WklaIIcVIveIMT/KAKVyKzEb+Cz5s5LWE2iwTwNb51mf
+iP+t7FIgJdDXaAaSlIESpS7DFFvKNUnAJixMwMI5aEkB3SkH9UQFnvNhpUu8KMdS
+aVE4SJn493+1PfHdBrc6N5gcP00iCUp1IpKBcbc2kMYYYIjNEGRBsTi5X4PVbrVS
+j2JSxmbrj86DsKfg46Oq9EtH5vn8i1nYU3vIMp5vZy0ahGgeuDt09geqTmAdfauZ
+REiPxe4uaP+ik9PnafmiNwtInZbqnEe6gQJkHCmY5q0N7A1YvFHPAUZZROTjT3W/
+dQiKkjq9tI+ZAZBwFmFIBPIasV0V1iQt7TcB72oPrD0xKXbOkn4OdpAZPYv4KrBY
+Sm1JmoXsbxiZW/sLezs=
+=SKvh
+-----END PGP SIGNATURE-----
--- a/dovecot23.changes
+++ b/dovecot23.changes
@ -1,3 +1,119 @@
+-------------------------------------------------------------------
+Sat Dec 14 08:55:56 UTC 2019 - Michael Ströder <michael@stroeder.com>
+
+- update to 2.3.9.2 with security fixes:
+  * CVE-2019-19722: Mails with group addresses in From or To
+    fields caused crash in push notification drivers.
+  * Mails with empty From/To headers can also cause crash
+    in push notification drivers.
+
+-------------------------------------------------------------------
+Wed Dec  4 21:46:28 UTC 2019 - Michael Ströder <michael@stroeder.com>
+
+- update to 2.3.9 and pigeonhole to 0.5.9
+
+  Dovecot 2.3.9
+  * Changed several event field names for consistency and to avoid
+    conflicts in parent-child event relationships:
+     * SMTP server command events: Renamed "name" to "cmd_name"
+     * Events inheriting from a mailbox: Renamed "name" to "mailbox"
+     * Server connection events have only "remote_ip", "remote_port",
+       "local_ip" and "local_port".
+     * Removed duplicate "client_ip", "ip" and "port".
+     * Mail storage events: Removed "service" field.
+       Use "service:<name>" category instead.
+     * HTTP client connection events: Renamed "host" to "dest_host" and
+       "port" to "dest_port"
+  * auth: Drop Postfix socketmap support. It hasn't been working
+    with recent Postfix versions for a while now.
+  * push-notification-lua: The "subject" field is now decoded to UTF8
+    instead of kept as MIME-encoded.
+  + push-notification-lua: Added new "from_address", "from_display_name",
+    "to_address" and "to_display_name" fields. The display names are
+    decoded to UTF8.
+  + Added various new fields to existing events.
+    See http://doc.dovecot.net/admin_manual/list_of_events.html
+  + Add lmtp_add_received_header setting. It can be used to prevent LMTP
+    from adding "Received:" headers.
+  + doveadm: Support SSL/STARTTLS for proxied doveadm connections based on
+    doveadm_ssl setting and proxy ssl/tls settings.
+  + Log filters support now "service:<name>", which matches all events for
+    the given service. It can also be used as a category.
+  + lib: Use libunwind to get abort backtraces with function names
+    where available.
+  + lmtp: When the LMTP proxy changes the username (from passdb lookup)
+    add an appropriate ORCPT parameter.
+  - lmtp: Add lmtp_client_workarounds setting to implement workarounds for
+    clients that send MAIL and RCPT commands with additional spaces before
+    the path and for clients that omit <> brackets around the path.
+    See example-config/conf.d/20-lmtp.conf.
+  - lda/lmtp: Invalid MAIL FROM addresses were rejcted too aggressively.
+    Now mails from addresses with unicode characters are delivered, but
+    their Return-Path header will be <> instead of the given MAIL FROM
+    address.
+  - lmtp: The lmtp_hdr_delivery_address setting is ignored.
+  - imap: imap_command_finished event's "args" and "human_args" parameters
+    were always empty.
+  - mbox: Seeking in zlib and bzip2 compressed input streams didn't work
+    correctly.
+  - imap-hibernate: Process crashed when client got destroyed while it was
+    attempted to be unhibernated, and the unhibernation fails.
+  - *-login: Proxying may have crashed if SSL handshake to the backend
+    failed immediately. This was unlikely to happen in normal operation.
+  - *-login: If TLS handshake to upstream server failed during proxying,
+    login process could crash due to invalid memory access.
+  - *-login: v2.3 regression: Using SASL authentication without initial
+    response may have caused SSL connections to hang. This happened often
+    at least with PHP's IMAP library.
+  - *-login: When login processes are flooded with authentication attempts
+    it starts logging errors about "Authentication server sent unknown id".
+    This is still expected. However, it also caused the login process to
+    disconnect from auth server and potentially log some user's password
+    in the error message.
+  - dict-sql: SQL prepared statements were not shared between sessions.
+    This resulted in creating a lot of prepared statements, which was
+    especially inefficient when using Cassandra backend with a lot of
+    Cassandra nodes.
+  - auth: auth_request_finished event didn't have success=yes parameter
+    set for successful authentications.
+  - auth: userdb dict - Trying to list users crashed.
+  - submission: Service could be configured to allow anonymous
+    authentication mechanism and anonymous user access.
+  - LAYOUT=index: Corrupted dovecot.list.index caused folder creation to
+    panic.
+  - doveadm: HTTP server crashes if request target starts with double "/".
+  - dsync: Remote dsync started hanging if the initial doveadm
+    "dsync-server" command was sent in the same TCP packet as the
+    following dsync handshake. v2.3.8 regression.
+  - lib: Several "input streams" had a bug that in some rare situations
+    might cause it to access freed memory. This could lead to crashes or
+    corruption.
+    The only currently known effect of this is that using zlib plugin with
+    external mail attachments (mail_attachment_dir) could cause fetching
+    the mail to return a few bytes of garbage data at the beginning of the
+    header. Note that the mail wasn't saved corrupted, but fetching it
+    caused corrupted mail to be sent to the client.
+  - lib-storage: If a mail only has quoted content, use the quoted text
+    for generating message snippet (IMAP PREVIEW) instead of returning
+    empty snippet.
+  - lib-storage: When vsize header was rebuilt, newly calculated message
+    sizes were added to dovecot.index.cache instead of being directly
+    saved into vsize records in dovecot.index.
+  - lib: JSON generator was escaping UTF-8 characters unnecessarily.
+
+  Pigeonhole 0.5.8
+  + Added events for Sieve and ManageSieve, see
+    https://doc.dovecot.org/admin_manual/list_of_events/#pigeonhole
+  + Pigeonhole: Implement the Sieve "special-use" extension described in
+    RFC 8579.
+  - duplicate: Test only compared the handles which would cause
+    different values to be cached as the same duplicate test. Fix to also
+    compare the actual hashes.
+  - imap_sieve_filter: IMAP FILTER Command had various bugs in error
+    handling. Errors may have been duplicated for each email, errors
+    may have been missing entirely, command tag and ERRORS/WARNINGS
+    parameters were swapped.
+
 -------------------------------------------------------------------
 Fri Nov  8 12:20:14 UTC 2019 - Arjen de Korte <suse+build@de-korte.org>

@ -778,7 +894,7 @@ Wed Dec 20 10:32:23 UTC 2017 - mrueckert@suse.de
     already freed memory.
   - Output streams weren't previously handling failures when
     writing a trailer at the end of the stream. This mainly
-     affected encrypt and zlib compress ostreams, which could have
+     affected encrypt and zlib compress ostreams, which  have
     silently written truncated files if the last write happened to
     fail (which shouldn't normally have ever happened).
   - virtual plugin: Fixed panic when fetching mails from virtual
--- a/dovecot23.spec
+++ b/dovecot23.spec
@ -19,11 +19,11 @@
 %global _lto_cflags %{nil}

 Name:           dovecot23
-Version:        2.3.8
+Version:        2.3.9.2
 Release:        0
 %define pkg_name dovecot
-%define dovecot_version 2.3.8
-%define dovecot_pigeonhole_version 0.5.8
+%define dovecot_version 2.3.9.2
+%define dovecot_pigeonhole_version 0.5.9
 %define dovecot_branch  2.3
 %define dovecot_pigeonhole_source_dir %{pkg_name}-%{dovecot_branch}-pigeonhole-%{dovecot_pigeonhole_version}
 %define dovecot_pigeonhole_docdir     %{_docdir}/%{pkg_name}/dovecot-pigeonhole