From 75113b87e9554273edb6b6ba0393794c6f2ae7612ee0179b7854ef8dc9d6a7e5 Mon Sep 17 00:00:00 2001
From: Lars Vogdt
Date: Tue, 17 Dec 2019 21:27:17 +0000
Subject: [PATCH] Accepting request 756989 from home:stroeder:branches:server:mail
update to 2.3.9.2 with security fixes
OBS-URL: https://build.opensuse.org/request/show/756989
OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=59
---
 dovecot-2.3-pigeonhole-0.5.8.tar.gz | 3 -
 dovecot-2.3-pigeonhole-0.5.8.tar.gz.sig | 17 ----
 dovecot-2.3-pigeonhole-0.5.9.tar.gz | 3 +
 dovecot-2.3-pigeonhole-0.5.9.tar.gz.sig | 17 ++++
 dovecot-2.3.8.tar.gz | 3 -
 dovecot-2.3.8.tar.gz.sig | 17 ----
 dovecot-2.3.9.2.tar.gz | 3 +
 dovecot-2.3.9.2.tar.gz.sig | 17 ++++
 dovecot23.changes | 118 +++++++++++++++++++++++-
 dovecot23.spec | 6 +-
 10 files changed, 160 insertions(+), 44 deletions(-)
 delete mode 100644 dovecot-2.3-pigeonhole-0.5.8.tar.gz
 delete mode 100644 dovecot-2.3-pigeonhole-0.5.8.tar.gz.sig
 create mode 100644 dovecot-2.3-pigeonhole-0.5.9.tar.gz
 create mode 100644 dovecot-2.3-pigeonhole-0.5.9.tar.gz.sig
 delete mode 100644 dovecot-2.3.8.tar.gz
 delete mode 100644 dovecot-2.3.8.tar.gz.sig
 create mode 100644 dovecot-2.3.9.2.tar.gz
 create mode 100644 dovecot-2.3.9.2.tar.gz.sig
diff --git a/dovecot-2.3-pigeonhole-0.5.8.tar.gz b/dovecot-2.3-pigeonhole-0.5.8.tar.gz
deleted file mode 100644
index d9c5be8..0000000
--- a/dovecot-2.3-pigeonhole-0.5.8.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8fb860d50c1b1a09aea9e25f8ee89c22e34ecedfb0e11a1c48a7f67310759022
-size 1857780
diff --git a/dovecot-2.3-pigeonhole-0.5.8.tar.gz.sig b/dovecot-2.3-pigeonhole-0.5.8.tar.gz.sig
deleted file mode 100644
index 848b33c..0000000
--- a/dovecot-2.3-pigeonhole-0.5.8.tar.gz.sig
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl2cZncXHGRvdmVjb3Qt
-Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaE0rQ/9E3AWtt+QBmnslFQPNMPD26Y3
-Lqzi1gertrf+O+L9Kgy2kRfJTlF9Mi9O2PuNFiO2eghgQoyqr9EODjjTsb0TnNM9
-o9LWqk5HPzBnf9/qJGca1O8y4i/1WB9hwuoW05XGwmM3uaCAF7wpz3Y8rGRxeaUg
-KklncVmcFH1QEHHzE8iF+36lCpT8nf2x9y+niPtTUJHfJnEYyv5jebAc3TjHeeq9
-OKQRmrUPRdySUv/Wtohu6J5sDhYuu3aImkVE3llARRrR5JWqdN3n6czMxG6+uljh
-pH9kXyvf6mCg97GyGuGEJEXza4Kx6DaT2u+0G3/+TPxHKAxg392O4hBvAWoA/7Xf
-OoyDg4X1+biXQtGb9OTz864R/lZeD6iHDenQQ7aeh0rR6jGdRpuCK7JqrlZu+Ap7
-R5FekqzBo0sbCpQBYUhHAqxUCLjoAmiIbH4BY0OhBhSUec+V62OvHncOlVaovGRI
-ys4FdBEOP7hTlVkpVxmiTq2YnGcwR7Olkgf9nEXVFGzbGHumQ2/MNBQXc9gYHnx8
-sQ2YR0lUEQhx0EpYaG4s98rldn5tSMKYU660zkXGbI0FPAJpeyix8D5mW+R1CQtI
-8oUTJmSZH18/i2uuFiGm9Sy2RbpJiWXN2Obzv85H1dt8ZIIOfZUlt5m/5atbcdw1
-BS4ywBGoOqXTMSAwg64=
-=Olcg
------END PGP SIGNATURE-----
diff --git a/dovecot-2.3-pigeonhole-0.5.9.tar.gz b/dovecot-2.3-pigeonhole-0.5.9.tar.gz
new file mode 100644
index 0000000..3d76372
--- /dev/null
+++ b/dovecot-2.3-pigeonhole-0.5.9.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:36da68aae5157b83e21383f711b8977e5b6f5477f369f71e7e22e76a738bbd05
+size 1897060
diff --git a/dovecot-2.3-pigeonhole-0.5.9.tar.gz.sig b/dovecot-2.3-pigeonhole-0.5.9.tar.gz.sig
new file mode 100644
index 0000000..6977d02
--- /dev/null
+++ b/dovecot-2.3-pigeonhole-0.5.9.tar.gz.sig
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl3niXIXHGRvdmVjb3Qt
+Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaEVCRAAxZN9YrDBh/oyt/1LOlfO2mur
+scamt7R7qOPrD9j5DFcqLCZIkdiBSZGaAVsi9IVjWN5UmYWNB8ScKLTBjl4jobRZ
+4xe8NBmJA8m2jNKhzK9bNpfjJk7/B9KBL74twhjnFc5E5Uhnok5YAVq6sL582EU4
+4ChAlrVE/qhzuWyp/hlL+YC4PZw2IAxcm0a29SENVPpg2ZfSfK9Wv1fA7zAf/QSr
+mJDFXX2XkUnSX/cnoUZPaJ8HBITq58PAcXUha+I07VJSVgcPQaJBImx6VO2+zqmP
+N7OUZDQ3pIqowETMYEk37ZBrQC4mGzz85SpzwhlJPoex5jF1q5M4IJHiXbsL0FUK
+b1G55ZxHG22LQANf+rcIC1B1HeNfARqxVAbdGUrOw3Ij5m9jFcp0wwTGCs7EJpX6
+PmdDI4hkg4odRVMapzW+PwvY5qHzhDTmq7Iv+4CGlaJOjCpnxGeOYx0j4KVHrCXn
+sd6hBzlEkGUzWMp8Kr38bF9fWhZ6FGmGGs8asJf8BFCHnJ1YohyA6aaDtvAAXIw9
+y83iJfh7IrY074ecoz8KeAsgbkcFjrF3mWr2G5OocnsXhBsoDkUCXoon21yAqHRG
+GXA8tfwEnteYbziBW2DsH3GmOpQOZa9RJWym9k64c+a2EhZh8y/azCXsLoXujfuv
+jGhMIbyFJziItO93BTI=
+=PGEG
+-----END PGP SIGNATURE-----
diff --git a/dovecot-2.3.8.tar.gz b/dovecot-2.3.8.tar.gz
deleted file mode 100644
index 9863cf8..0000000
--- a/dovecot-2.3.8.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c5778d03bf26ab34a605854098035badec455d07adfab38d974f610c8f78b649
-size 7136958
diff --git a/dovecot-2.3.8.tar.gz.sig b/dovecot-2.3.8.tar.gz.sig
deleted file mode 100644
index c03d811..0000000
--- a/dovecot-2.3.8.tar.gz.sig
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl2cZm4XHGRvdmVjb3Qt
-Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaF8wQ//dfvB6vGkHNdvotdHCpnm8r9+
-fisLJEn+wHvVOYpia0Tsn5r13jcNeXaJC2+8yxKGw9lW7k305Lf7qnes0JJSY7U2
-Oi971eCQibIVI69N4DsjSmCXSTs6K2Xrvx5BlYu8voFfbvlv2G++TxV7SnRsqBbS
-QgULwi4PG6EJu1rgok9D+D2rU6iByWhysqRNFMbQoUpejqpoWc7WPLhvxZA+QPih
-Wnxd/7ZVJPUKLpJMuA8PP/b6Im6wqhlSUK97EmKVHU8j6y8w2yzsPiOJybTBJl25
-QiaK5KjsitvtR3VlzUxQW0Gl5eFvsg6vVQuZsVssUQ2QSHm+CwkdPxr0wcDm4Xuo
-q/32lOx4PuyOd5A5cpEpujZCnqhGtY9FapxCzPrQDsGKxJBKy1+4dslGkTxYXBu6
-moY2O+Ix6W6GHafrKfGLbc6njkWA67NHRlronTNooO0bM1nkTNr1brSavbtMaOnz
-vJNfR3JbRZQaEHPR85eTlnO9I4vA+KDqUJnlJYwMnD5YsFa/q3wPsJIFJ7B5cGB/
-uthhsKe4MfAyTxbw3P2kU8BBKFWWPHQCAh9xEah74CMumH5YtIJFXHbdgl331urV
-9WTCi8Z08pCp1UdEyOXGCXG8JbhGW2Q/pugLrvd150xW7/2K3jfuKLxUh7FOJhkM
-zKrVp62/hHKeQjtSXNo=
-=9Mtz
------END PGP SIGNATURE-----
diff --git a/dovecot-2.3.9.2.tar.gz b/dovecot-2.3.9.2.tar.gz
new file mode 100644
index 0000000..64ab141
--- /dev/null
+++ b/dovecot-2.3.9.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4784fb98dd41b83888e4aa9908efcbcad2e04a254e97440863903c0c498486f9
+size 7182306
diff --git a/dovecot-2.3.9.2.tar.gz.sig b/dovecot-2.3.9.2.tar.gz.sig
new file mode 100644
index 0000000..8c4f73b
--- /dev/null
+++ b/dovecot-2.3.9.2.tar.gz.sig
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl3zk+0XHGRvdmVjb3Qt
+Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaF8Ug/+LJkNfjvKArSpsnJLhG4Dji8r
+cC4cfHiCLzrNmIgqGlog5o7k8tsT+hTFjd4TGBT5F/pdS2guyk2tEXsRNYV75I7W
+k7GG06bfA9tJYXQJPDiFVpkkVvU+eh447k8GeN8r78+LRYbRUe8Xa+AHBZJ6oj22
+/hn1rHPRpWOEKhuzFOSiIRgv4ERxXCfT5k59WMeRjYL8Ivqwcb/NnXrQFDYynebi
+X1XpKF3YMNzE43E/NYWgz8Wcqbcf/i3kt2ETCyd4ClzpuPNQKdEGPxdSbaA+pdb7
+0v4Lnun/xUaQGdXb/h/3WklaIIcVIveIMT/KAKVyKzEb+Cz5s5LWE2iwTwNb51mf
+iP+t7FIgJdDXaAaSlIESpS7DFFvKNUnAJixMwMI5aEkB3SkH9UQFnvNhpUu8KMdS
+aVE4SJn493+1PfHdBrc6N5gcP00iCUp1IpKBcbc2kMYYYIjNEGRBsTi5X4PVbrVS
+j2JSxmbrj86DsKfg46Oq9EtH5vn8i1nYU3vIMp5vZy0ahGgeuDt09geqTmAdfauZ
+REiPxe4uaP+ik9PnafmiNwtInZbqnEe6gQJkHCmY5q0N7A1YvFHPAUZZROTjT3W/
+dQiKkjq9tI+ZAZBwFmFIBPIasV0V1iQt7TcB72oPrD0xKXbOkn4OdpAZPYv4KrBY
+Sm1JmoXsbxiZW/sLezs=
+=SKvh
+-----END PGP SIGNATURE-----
diff --git a/dovecot23.changes b/dovecot23.changes
index 4605f4a..66a91ed 100644
--- a/dovecot23.changes
+++ b/dovecot23.changes
@@ -1,3 +1,119 @@
+-------------------------------------------------------------------
+Sat Dec 14 08:55:56 UTC 2019 - Michael Ströder
+
+- update to 2.3.9.2 with security fixes:
+ * CVE-2019-19722: Mails with group addresses in From or To
+ fields caused crash in push notification drivers.
+ * Mails with empty From/To headers can also cause crash
+ in push notification drivers.
+
+-------------------------------------------------------------------
+Wed Dec 4 21:46:28 UTC 2019 - Michael Ströder
+
+- update to 2.3.9 and pigeonhole to 0.5.9
+
+ Dovecot 2.3.9
+ * Changed several event field names for consistency and to avoid
+ conflicts in parent-child event relationships:
+ * SMTP server command events: Renamed "name" to "cmd_name"
+ * Events inheriting from a mailbox: Renamed "name" to "mailbox"
+ * Server connection events have only "remote_ip", "remote_port",
+ "local_ip" and "local_port".
+ * Removed duplicate "client_ip", "ip" and "port".
+ * Mail storage events: Removed "service" field.
+ Use "service:" category instead.
+ * HTTP client connection events: Renamed "host" to "dest_host" and
+ "port" to "dest_port"
+ * auth: Drop Postfix socketmap support. It hasn't been working
+ with recent Postfix versions for a while now.
+ * push-notification-lua: The "subject" field is now decoded to UTF8
+ instead of kept as MIME-encoded.
+ + push-notification-lua: Added new "from_address", "from_display_name",
+ "to_address" and "to_display_name" fields. The display names are
+ decoded to UTF8.
+ + Added various new fields to existing events.
+ See http://doc.dovecot.net/admin_manual/list_of_events.html
+ + Add lmtp_add_received_header setting. It can be used to prevent LMTP
+ from adding "Received:" headers.
+ + doveadm: Support SSL/STARTTLS for proxied doveadm connections based on
+ doveadm_ssl setting and proxy ssl/tls settings.
+ + Log filters support now "service:", which matches all events for
+ the given service. It can also be used as a category.
+ + lib: Use libunwind to get abort backtraces with function names
+ where available.
+ + lmtp: When the LMTP proxy changes the username (from passdb lookup)
+ add an appropriate ORCPT parameter.
+ - lmtp: Add lmtp_client_workarounds setting to implement workarounds for
+ clients that send MAIL and RCPT commands with additional spaces before
+ the path and for clients that omit <> brackets around the path.
+ See example-config/conf.d/20-lmtp.conf.
+ - lda/lmtp: Invalid MAIL FROM addresses were rejcted too aggressively.
+ Now mails from addresses with unicode characters are delivered, but
+ their Return-Path header will be <> instead of the given MAIL FROM
+ address.
+ - lmtp: The lmtp_hdr_delivery_address setting is ignored.
+ - imap: imap_command_finished event's "args" and "human_args" parameters
+ were always empty.
+ - mbox: Seeking in zlib and bzip2 compressed input streams didn't work
+ correctly.
+ - imap-hibernate: Process crashed when client got destroyed while it was
+ attempted to be unhibernated, and the unhibernation fails.
+ - *-login: Proxying may have crashed if SSL handshake to the backend
+ failed immediately. This was unlikely to happen in normal operation.
+ - *-login: If TLS handshake to upstream server failed during proxying,
+ login process could crash due to invalid memory access.
+ - *-login: v2.3 regression: Using SASL authentication without initial
+ response may have caused SSL connections to hang. This happened often
+ at least with PHP's IMAP library.
+ - *-login: When login processes are flooded with authentication attempts
+ it starts logging errors about "Authentication server sent unknown id".
+ This is still expected. However, it also caused the login process to
+ disconnect from auth server and potentially log some user's password
+ in the error message.
+ - dict-sql: SQL prepared statements were not shared between sessions.
+ This resulted in creating a lot of prepared statements, which was
+ especially inefficient when using Cassandra backend with a lot of
+ Cassandra nodes.
+ - auth: auth_request_finished event didn't have success=yes parameter
+ set for successful authentications.
+ - auth: userdb dict - Trying to list users crashed.
+ - submission: Service could be configured to allow anonymous
+ authentication mechanism and anonymous user access.
+ - LAYOUT=index: Corrupted dovecot.list.index caused folder creation to
+ panic.
+ - doveadm: HTTP server crashes if request target starts with double "/".
+ - dsync: Remote dsync started hanging if the initial doveadm
+ "dsync-server" command was sent in the same TCP packet as the
+ following dsync handshake. v2.3.8 regression.
+ - lib: Several "input streams" had a bug that in some rare situations
+ might cause it to access freed memory. This could lead to crashes or
+ corruption.
+ The only currently known effect of this is that using zlib plugin with
+ external mail attachments (mail_attachment_dir) could cause fetching
+ the mail to return a few bytes of garbage data at the beginning of the
+ header. Note that the mail wasn't saved corrupted, but fetching it
+ caused corrupted mail to be sent to the client.
+ - lib-storage: If a mail only has quoted content, use the quoted text
+ for generating message snippet (IMAP PREVIEW) instead of returning
+ empty snippet.
+ - lib-storage: When vsize header was rebuilt, newly calculated message
+ sizes were added to dovecot.index.cache instead of being directly
+ saved into vsize records in dovecot.index.
+ - lib: JSON generator was escaping UTF-8 characters unnecessarily.
+
+ Pigeonhole 0.5.8
+ + Added events for Sieve and ManageSieve, see
+ https://doc.dovecot.org/admin_manual/list_of_events/#pigeonhole
+ + Pigeonhole: Implement the Sieve "special-use" extension described in
+ RFC 8579.
+ - duplicate: Test only compared the handles which would cause
+ different values to be cached as the same duplicate test. Fix to also
+ compare the actual hashes.
+ - imap_sieve_filter: IMAP FILTER Command had various bugs in error
+ handling. Errors may have been duplicated for each email, errors
+ may have been missing entirely, command tag and ERRORS/WARNINGS
+ parameters were swapped.
+
 -------------------------------------------------------------------
 Fri Nov 8 12:20:14 UTC 2019 - Arjen de Korte
@@ -778,7 +894,7 @@ Wed Dec 20 10:32:23 UTC 2017 - mrueckert@suse.de
 already freed memory.
 - Output streams weren't previously handling failures when
 writing a trailer at the end of the stream. This mainly
- affected encrypt and zlib compress ostreams, which could have
+ affected encrypt and zlib compress ostreams, which have
 silently written truncated files if the last write happened to
 fail (which shouldn't normally have ever happened).
 - virtual plugin: Fixed panic when fetching mails from virtual
diff --git a/dovecot23.spec b/dovecot23.spec
index d18ba22..72290c3 100644
--- a/dovecot23.spec
+++ b/dovecot23.spec
@@ -19,11 +19,11 @@
 %global _lto_cflags %{nil}
 Name: dovecot23
-Version: 2.3.8
+Version: 2.3.9.2
 Release: 0
 %define pkg_name dovecot
-%define dovecot_version 2.3.8
-%define dovecot_pigeonhole_version 0.5.8
+%define dovecot_version 2.3.9.2
+%define dovecot_pigeonhole_version 0.5.9
 %define dovecot_branch 2.3
 %define dovecot_pigeonhole_source_dir %{pkg_name}-%{dovecot_branch}-pigeonhole-%{dovecot_pigeonhole_version}
 %define dovecot_pigeonhole_docdir %{_docdir}/%{pkg_name}/dovecot-pigeonhole