Accepting request 689340 from server:mail

- update to 2.3.5.1

OBS-URL: https://build.opensuse.org/request/show/689340
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dovecot23?expand=0&rev=16

10048229...de42b54a.patch

@@ -1,102 +0,0 @@
-From 10048229ed3030fe47b35a2200e33c45e3e97a84 Mon Sep 17 00:00:00 2001
-From: Aki Tuomi <aki.tuomi@dovecot.fi>
-Date: Fri, 23 Nov 2018 15:33:20 +0200
-Subject: [PATCH 1/2] lib-master: test-event-stats - Include signal.h
-
-Forgotten in e16ba6f
----
- src/lib-master/test-event-stats.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/lib-master/test-event-stats.c b/src/lib-master/test-event-stats.c
-index 41d6f01e76..8fcb3dd22d 100644
---- a/src/lib-master/test-event-stats.c
-+++ b/src/lib-master/test-event-stats.c
-@@ -13,6 +13,7 @@
- #include "test-common.h"
- #include <fcntl.h>
- #include <unistd.h>
-+#include <signal.h>
- #include <sys/socket.h>
- #include <sys/un.h>
- #include <sys/wait.h>
-
-From de42b54aaf165d4f62b45be864dde36bdbbc4276 Mon Sep 17 00:00:00 2001
-From: Aki Tuomi <aki.tuomi@dovecot.fi>
-Date: Fri, 23 Nov 2018 15:34:51 +0200
-Subject: [PATCH 2/2] lib-master: test-event-stats - Use PRIu64 format
-
-Forgotten in e16ba6f
----
- src/lib-master/test-event-stats.c | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/src/lib-master/test-event-stats.c b/src/lib-master/test-event-stats.c
-index 8fcb3dd22d..2d8a13cd40 100644
---- a/src/lib-master/test-event-stats.c
-+++ b/src/lib-master/test-event-stats.c
-@@ -344,7 +344,7 @@ static void test_no_merging2(void)
- 	event_unref(&child_ev);
- 	test_assert(
- 		compare_test_stats_to(
--			"EVENT	%lu	1	0	0"
-+			"EVENT	%"PRIu64"	1	0	0"
- 			"	stest-event-stats.c	%d"
- 			"	l0	0	ctest2\n", id, l));
- 	test_end();
-@@ -370,12 +370,12 @@ static void test_no_merging3(void)
- 	event_unref(&child_ev);
- 	test_assert(
- 		compare_test_stats_to(
--			"BEGIN	%lu	0	1	0	0"
-+			"BEGIN	%"PRIu64"	0	1	0	0"
- 			"	stest-event-stats.c	%d	ctest1\n"
--			"EVENT	%lu	1	1	0"
-+			"EVENT	%"PRIu64"	1	1	0"
- 			"	stest-event-stats.c	%d"
- 			"	l1	0	ctest2\n"
--			"END\t%lu\n", idp, lp, idp, l, idp));
-+			"END\t%"PRIu64"\n", idp, lp, idp, l, idp));
- 	test_end();
- }
- 
-@@ -435,7 +435,7 @@ static void test_merge_events2(void)
- 	event_unref(&merge_ev2);
- 	test_assert(
- 		compare_test_stats_to(
--			"EVENT	%lu	1	0	0"
-+			"EVENT	%"PRIu64"	1	0	0"
- 			"	stest-event-stats.c	%d	l0	0"
- 			"	ctest3	ctest2	ctest1	Tkey3"
- 			"	10	0	Ikey2	20"
-@@ -467,11 +467,11 @@ static void test_skip_parents(void)
- 	event_unref(&child_ev);
- 	test_assert(
- 		compare_test_stats_to(
--			"BEGIN	%lu	0	1	0	0"
-+			"BEGIN	%"PRIu64"	0	1	0	0"
- 			"	stest-event-stats.c	%d	ctest1\n"
--			"EVENT	%lu	1	3	0	"
-+			"EVENT	%"PRIu64"	1	3	0	"
- 			"stest-event-stats.c	%d	l3	0"
--			"	ctest2\nEND\t%lu\n", id, lp, id, l, id));
-+			"	ctest2\nEND\t%"PRIu64"\n", id, lp, id, l, id));
- 	test_end();
- }
- 
-@@ -509,12 +509,12 @@ static void test_merge_events_skip_parents(void)
- 	event_unref(&child2_ev);
- 	test_assert(
- 		compare_test_stats_to(
--			"BEGIN	%lu	0	1	0	0"
-+			"BEGIN	%"PRIu64"	0	1	0	0"
- 			"	stest-event-stats.c	%d	ctest1\n"
--			"EVENT	%lu	1	3	0	"
-+			"EVENT	%"PRIu64"	1	3	0	"
- 			"stest-event-stats.c	%d	l3	0	"
- 			"ctest4	ctest5	Tkey3	10	0	Skey4"
--			"	str4\nEND\t%lu\n", id, lp, id, l, id));
-+			"	str4\nEND\t%"PRIu64"\n", id, lp, id, l, id));
- 	test_end();
- }
- 

3c5101ffdd2a8115e03ed7180d53578765dea4c9.patch

@@ -1,36 +0,0 @@
-From 3c5101ffdd2a8115e03ed7180d53578765dea4c9 Mon Sep 17 00:00:00 2001
-From: Aki Tuomi <aki.tuomi@dovecot.fi>
-Date: Tue, 4 Dec 2018 14:40:04 +0200
-Subject: [PATCH] driver-mysql: Avoid double-closing MySQL connection
-
-Fixes double-free
----
- src/lib-sql/driver-mysql.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib-sql/driver-mysql.c b/src/lib-sql/driver-mysql.c
-index c87e825e4b..5dd1c3124f 100644
---- a/src/lib-sql/driver-mysql.c
-+++ b/src/lib-sql/driver-mysql.c
-@@ -173,7 +173,9 @@ static int driver_mysql_connect(struct sql_db *_db)
- static void driver_mysql_disconnect(struct sql_db *_db)
- {
- 	struct mysql_db *db = (struct mysql_db *)_db;
--	mysql_close(db->mysql);
-+	if (db->mysql != NULL)
-+		mysql_close(db->mysql);
-+	db->mysql = NULL;
- }
- 
- static int driver_mysql_parse_connect_string(struct mysql_db *db,
-@@ -311,7 +313,9 @@ static void driver_mysql_deinit_v(struct sql_db *_db)
- 	_db->no_reconnect = TRUE;
- 	sql_db_set_state(&db->api, SQL_DB_STATE_DISCONNECTED);
- 
--	mysql_close(db->mysql);
-+	if (db->mysql != NULL)
-+		mysql_close(db->mysql);
-+	db->mysql = NULL;
- 
- 	sql_connection_log_finished(_db);
- 	event_unref(&_db->event);

dovecot-2.3-pigeonhole-0.5.4.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:547999e67a001abc5e654c7e35653d3fe057fa9a47a24257e39a79c41ef08516
-size 1831570

dovecot-2.3-pigeonhole-0.5.4.tar.gz.sig

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEQvPNUNTyWkGDO+43BNYrHj37tPQFAlv3870ACgkQBNYrHj37
-tPQJJwf/QCT3BVbiVC4kUvZWmMoMT8DXt27NNihyQ1slHg3JA5UNR++jK93DBR7u
-vqd2yuhQDPYWlWjwphc4auVNMGh5aIfLahzu4qQeopyHZ0Eo2jAvf27vHCXY0oqG
-o9hO/RmreafsetwU2qhzbTcyVIZsitxwuUWdlhuYrHxR62VZdZ4ZGXGY5QA/+cGT
-UlLTP8izdKaxYyyweMqjr2/PP+rGT37b2coi4DZSbvETZMSewlb48iI7ETWBkFbU
-daULRdmaDrOEZi864tdzhfqyXGxFw39wZEI8Xi1tn6kAi+EF3UPVAPwJF/d3iWdX
-Vhzm3YtNc8v2R7N/CLSKdRe2w1Cxeg==
-=JNE+
------END PGP SIGNATURE-----

dovecot-2.3-pigeonhole-0.5.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cbaa106e1c2b23824420efdd6a9f8572c64c8dccf75a3101a899b6ddb25149a5
+size 1847487

dovecot-2.3-pigeonhole-0.5.5.tar.gz.sig

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAlx+agQXHGRvdmVjb3Qt
+Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaFwLhAAmsOF25cj1lPtrIHmL5Oa1mBK
+kcT2+U/CG9a6cFT/7GTu2b1juKeVW0Qcznb82kibeM0ITw/T1iFciTYEwhYykeb6
+RhBFgTqwwufyxWwnzPHzvGRkWp5GRIgoEZQBlc9GbVu3qlWJU1ROvo2E6awkfr1b
+uSG6zpCfBDRjEipEqbByopb/QotTA+bGCJ2lYStVALbHvMGhkuL8LWaGIDn1XW8q
+ULWV7ab544b+Tuoeo7lzUDzmNtpxS5WMqlV44jnLqORHsE65L6LVTjr6tfjbXMaL
+cs/mr3toSfU1uO35YjAIY7PbzPN2Vz7W6yRcFW6gi+fkCEn1ZuQ7+gaHk/lq7RPP
++fqGwqLSewCu0zzyfjSl378hgl6gjacT8CaV8VQyLxUAI0fwUBklZ//sCTtNL9OT
+1/ooTEGOyE8Qd7DsfYNLqh4AfSzqvbDXfNUZ/gI97ujliBg2Ffx+22bbjOYxyB2e
+XyM8I59eEoe5i5lEILnx0lUrpCV/aEt/YmZqocoQd3pYN0pv5rSw9qSYLyNMak01
++jr9trFx652/e/3ortcZVGT4wMgcef0ra2pTmAnBH2cf+KFSfs2z7G3IACWf2Puq
+LW9n2qa0ph7WaqtO6VccNHI9/eyYk92Fi62mm2PPehwEUE/BDzIQGWkWmN+Cuw8P
+M5cDQPS1tGLt4XpHt5U=
+=rdcg
+-----END PGP SIGNATURE-----

dovecot-2.3.4.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b8873e2ce5c33e58963bb7a8d2ff8427c09dbfdd63e13a0b0f4502864043aa07
-size 6925073

dovecot-2.3.4.1.tar.gz.sig

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAlxZb8EXHGRvdmVjb3Qt
-Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaGwOBAAm9ck9yken0ArzR0njXywornz
-ftUrEflzkEESqVxFVGF7i4ZPxa1Dfrpb5QedIBcdFp1sV1sALSh5HH5k43TV+yBY
-r7trHu8kJSOmFE4KoHst9Y6bewu3Rg5Bh2v5XBaaY6A9ADjdJNamT4AAqDDI2f6Q
-f27P/O+34bvgCI7Ol1VezFXlNagBtcSBAtPTqfqdILqW/H0oV1J21gmBGTT6u6Z8
-aPyf060U46GZWjHBQDoZRq0NUSIYf8H7qdubEbt0kCifWFuT1LjmvLRbQv3Wxp5m
-H0QjzWejVun9AX6MG5mZCzmIn+q30ArUG9EJ4tAAzvsCUqywvpbjjuU2wULGJJNz
-oEAEVIXp84yxXUavnr+DFevh2yruVHZUj16lwF98u29IWiSwFfhZZsyc+jXuwiDm
-WYl/KfOL3ACBakcPxdMyVTwghKBAA9xH0DXAsPTyIrxwmNgn48d/wiQtmtsYVAYb
-HlYtooee4KptiXL9Eq/kAz7oAPrVdhZxqT48CRh6Cd6dfWtGXNQIMdXVt/7T2ygJ
-sC/wpziKEy+BE1J/NSuCOgGNcIQij0VJvl9rnldpxACzNQ0CGaJfKv7/LPF2bO5o
-LED+rFOFfK3IOGxZgr5euQPIVVn7DxAZaIoEumwYW3YO46BJlSB+9XN20YVqH4vY
-jyPHxVeZN6q7RvlP498=
-=HaCn
------END PGP SIGNATURE-----

dovecot-2.3.5.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d78f9d479e3b2caa808160f86bfec1c9c7b46344d8b14b88f5fa9bbbf8c7c33f
+size 6953150

dovecot-2.3.5.1.tar.gz.sig

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAlyYoFMXHGRvdmVjb3Qt
+Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaHamhAAkKY08CH7HxUio95L4d2IUS7t
+W7XsCahhsAmhGWyCVTheT2o/3AVPuKW++6nomKwuFmPJFrFdFVmVAhX9tjyNcgHJ
+YGH1IKy0DrV0RKAkYSvJcooyWXaqejTEQ7E/Ad94ldhGF1twa8xX+8Hr/1QY9cnB
+1YuqczirsaU+fI9wBc4Dogt3RfA/r36/jGQKNlQYxf9/KTSV1QXtqKQRQWaBsDni
+W4+ovuXlVNB3B5/aKUylsxHHUWYX5Ls4kk6+qpdKqTw9/WImuWPy7x5byRR3ycIP
+EI31S1LjipM/oe/o0VKHserJCAf8Wkvj8f1t6ZzYFY7LQwj0Lge0FQ8jVctBhv+P
+mFtX3L/tv7GN7k+nsH27jCFPfTlyGD9kN2UivUIXsiDkgRJI3ifcDvIuF1VnEybD
++IQksd3eMCHfV9NnFcIy4X7FiHxTz1S2FTFlb8nbr1CirehV4WJt5x27FDZjVHXP
+mAvRY/iNkzRWEHbrTrgb9I9OUA5mXE2v3lox7WIPJwh+Nc8USS8/O0jFXPE7am5x
+SspQ+2ZAOhLja2fp7wLZR2vxMXyjXAFT0teGoTq67fTPX8OKDgbNjFCKR4ROJKU8
+d33KfXt8N4MPi6F9LZTm352248+jFUI4tXV7eJp6Aw9k8jje9OJzBfPYIdBgd2rD
+EBi+rfFY/GcORlMO6Wc=
+=RY2x
+-----END PGP SIGNATURE-----

dovecot23.changes

@@ -1,3 +1,71 @@
+-------------------------------------------------------------------
+Thu Mar 28 12:36:55 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>
+
+- update to 2.3.5.1
+  * CVE-2019-7524: Missing input buffer size validation leads into
+    arbitrary buffer overflow when reading fts or pop3 uidl header
+    from Dovecot index. Exploiting this requires direct write
+    access to the index files.
+
+-------------------------------------------------------------------
+Fri Mar  8 18:09:00 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>
+
+- update to 2.3.5
+  + Lua push notification driver: mail keywords and flags are
+    provided in MessageNew and MessageAppend events.
+  + submission: Implement support for plugins.
+  + auth: When auth_policy_log_only=yes, only log what the policy
+    server response would do without actually doing it.
+  + auth: Always log policy server decisions with auth_verbose=yes
+  - v2.3.[34]: doveadm log errors: Output was missing user/session
+  - lda: Debug log lines could have shown slightly corrupted
+  - login proxy: Login processes may have crashed in various ways
+    when login_proxy_max_disconnect_delay was set.
+  - imap: Fix crash with Maildir+zlib if client disconnects during
+    APPEND
+  - lmtp proxy: Fix potential assert-crash
+  - lmtp/submission: Fix crash when SMTP client transaction times
+    out
+  - submission: Split large XCLIENT commands to 512 bytes per
+    command, so Postfix accepts them.
+  - submission: Fix crash when client sends invalid BURL command
+  - submission: relay backend: VRFY command: Avoid forwarding 500
+    and 502 replies back to client.
+  - lib-http: Fix potential assert-crash when DNS lookup fails
+  - lib-fts: Fix search query generation when one language ignores
+    a token (e.g. via stopwords).
+- update pigeonhole to 0.5.5
+  + IMAPSieve: Add new plugin/imapsieve_expunge_discarded setting
+    which causes messages discarded by an IMAPSieve script to be
+    expunged immediately, rather than only being marked as
+    "\Deleted" (which is still the default behavior).
+  - IMAPSieve: Fix panic crash occurring when a COPY command copies
+    messages from a virtual mailbox where the source messages
+    originate from more than a single real mailbox.
+  - imap4flags extension: Fix deleting all keywords. When the
+    action resulted in all keywords being removed, no changes were
+    actually applied.
+  - variables extension: Fix truncation of UTF-8 variable content.
+    The maximum size of Sieve variables was enforced by truncating
+    the variable string content bluntly at the limit, but this does
+    not consider UTF-8 code point boundaries. This resulted in
+    broken UTF-8 strings. This problem also surfaced for variable
+    modifiers, such as the ":encodeurl" modifier provided by the
+    Sieve "enotify" extension. In that case, the resulting URI
+    escaping could also be truncated inappropriately.
+  - IMAPSieve, IMAP FILTER=SIEVE: Fix replacing a modified message.
+    Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context
+    that modify the message, stored the message a second time,
+    rather than replacing the originally stored unmodified message.
+  - Fix segmentation fault occurring when both the
+    sieve_extprograms plugin (for the Sieve interpreter) and the
+    imap_filter_sieve plugin (for IMAP) are loaded at the same
+    time. A symbol was defined by both plugins, causing a clash
+    when both were loaded.
+- drop patches which were backports
+  - 10048229...de42b54a.patch
+  - 3c5101ffdd2a8115e03ed7180d53578765dea4c9.patch
+
 -------------------------------------------------------------------
 Tue Feb  5 13:45:52 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>
 

dovecot23.spec

@@ -17,11 +17,11 @@
 
 
 Name:           dovecot23
-Version:        2.3.4.1
+Version:        2.3.5.1
 Release:        0
 %define pkg_name dovecot
-%define dovecot_version 2.3.4.1
-%define dovecot_pigeonhole_version 0.5.4
+%define dovecot_version 2.3.5.1
+%define dovecot_pigeonhole_version 0.5.5
 %define dovecot_branch  2.3
 %define dovecot_pigeonhole_source_dir %{pkg_name}-%{dovecot_branch}-pigeonhole-%{dovecot_pigeonhole_version}
 %define dovecot_pigeonhole_docdir     %{_docdir}/%{pkg_name}/dovecot-pigeonhole
@@ -137,8 +137,6 @@ Source11:       http://pigeonhole.dovecot.org/releases/%{dovecot_branch}/%{dovec
 Source12:       dovecot23.keyring
 Patch:          dovecot-2.3.0-dont_use_etc_ssl_certs.patch
 Patch1:         dovecot-2.3.0-better_ssl_defaults.patch
-Patch2:         10048229...de42b54a.patch
-Patch3:         3c5101ffdd2a8115e03ed7180d53578765dea4c9.patch
 Summary:        IMAP and POP3 Server Written Primarily with Security in Mind
 License:        BSD-3-Clause AND LGPL-2.1-or-later AND MIT
 Group:          Productivity/Networking/Email/Servers
@@ -318,8 +316,6 @@ dovecot tree.
 %setup -q -n %{pkg_name}-%{dovecot_version} -a 1
 %patch -p1
 %patch1 -p1
-%patch2 -p1
-%patch3 -p1
 gzip -9v ChangeLog
 # Fix plugins dir.
 sed -i 's|#mail_plugin_dir = /usr/lib/dovecot|mail_plugin_dir = %{_libdir}/dovecot/modules|' doc/example-config/conf.d/10-mail.conf