Accepting request 826219 from home:adkorte

- update to 2.3.11.3 and pigeonhole to 0.5.11
  Dovecot 2.3.11.3
  - pop3-login: Login didn't handle commands in multiple IP packets properly.
    This mainly affected large XCLIENT commands or a large SASL initial
    response parameter in the AUTH command.
  - pop3: pop3_deleted_flag setting was broken, causing:
    Panic: file seq-range-array.c: line 472 (seq_range_array_invert):
    assertion failed: (range[count-1].seq2 <= max_seq)
  Dovecot 2.3.11.2
  - auth: Lua passdb/userdb leaks stack elements per call, eventually
    causing the stack to become too deep and crashing the auth or
    auth-worker process.
  - lib-mail: v2.3.11 regression: MIME parts not returned correctly by
    Dovecot MIME parser.
  - pop3-login: Login would fail with "Input buffer full" if the initial
    response for SASL was too long.
  Dovecot 2.3.11
  * CVE-2020-12100: Parsing mails with a large number of MIME parts could
    have resulted in excessive CPU usage or a crash due to running out of
    stack memory.
  * CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
    message buffer size, which leads to reading past allocation which can
    lead to crash.
  * CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
    address that has the empty quoted string as local-part causes the lmtp
    service to crash.
  * CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
    zero-length message, which leads to assert-crash later on.
  * Events: Fix inconsistency in events. See event documentation in
    https://doc.dovecot.org.

OBS-URL: https://build.opensuse.org/request/show/826219
OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=76

dovecot-2.3-pigeonhole-0.5.10.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:48c89cc9f3caa9c5f2454f9dcca74fe251a99749a38062bfab7e5017d329605e
-size 1899237

dovecot-2.3-pigeonhole-0.5.10.tar.gz.sig

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl5iGioXHGRvdmVjb3Qt
-Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaHIdA//Ttwgm2VD1ebTAZ7b4MnTbNKd
-PPmTnt+EXelxUSvnbFoUhJ6L4baMMx3N7ko02ocni9tEGHfrSizcCLD4EjSu4VQd
-9R/FHwcJAz0H+r4exCdu7xo2tvKhVfejLuMVHI07VBYVwbZwHEkXTuUbzTdDzdwZ
-LPMK9Eyp3qogLWH4jJAhj/SQISHQsWToeKXoHpFichGUjDJPacpbEllyV4nKxdRO
-q5gv3l5u5gRK4Ios53lDUVNQ0olEk55Zj1RLgmV5NjjmgRljr7TdS4M6TGKov3D/
-4igVU+7SgyaC+RUztmZTW/pkf8i++m58Xf4Lj1Jd4zf/Xsin9da/mLQ1IMCtsNmQ
-48mHYXf4NPEqfWINauDNwmEMsiupvGZzdE7CvVWQmJYsHAPL4tLicpIOrzSngNuA
-o56lqxyrw9WMYuL4M2Wpkfasex+FqtucBDxGrKCC6UE3FkTrpbGGHWA+2cSBH0Ca
-XGhgj9S4OUVFVSBGKRhiYu8BSzR4My0+X393iUY8uATIHgce70udsX5subuNR1JJ
-PvKF6r34l8a0BQ5+6iJm8oleArf28vzo4rGk84sExM/9JIE1UhwzNSDwaXLl0VMZ
-ccawKNypLJQORNMzM+h2HXw/zfNLH0e1DEuSbPBG8KIjGrs3gLlDg1is236Udxyu
-AxLE9+Q5BhULkFWr9P4=
-=CdBM
------END PGP SIGNATURE-----

dovecot-2.3-pigeonhole-0.5.11.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0b972a441f680545ddfacd2f41fb2a705fb03249d46ed5ce7e01fe68b6cfb5f0
+size 1912411

dovecot-2.3-pigeonhole-0.5.11.tar.gz.sig

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl805/8XHGRvdmVjb3Qt
+Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaEyaxAAlssO1IX8UH/Dj7r3i6efjbtF
+lJ0pjPc5fvBYBs9q5OUD7q70H70JwmsbEjSHFGDPqOMA302BbWVLwPgVKx37LUe8
+sCtIGHrc+Q4lr/tU30NMcb+FEhk0Llzov9HTGjCltotN33jSZGIrcclLM2WHevD5
+FVJZH/zs23TP0/9tAjjUsGsVjq8lE9E+KNZpKHT4oyl1T58lTy+sN4O9QHW8xYX2
+sORuOeEMDcKoEQFegr9EJ3s1Wa0QtaI7NbfAKSUYiKQXmlSOfloOoWF65JbBgWfG
+ANujVGnUP9Q9RFQJAeB4K51djKZVH5xp2ovQKYOsCivW12Ma2Ols29+Cxwc/K4ob
+9HcrmZJWIfAt6PK64U+8JAt2h4/VLQSPvGcjaQ9P728Z52K4e7wJe4oUotpN7xFn
+/JLXyC4Mpgn0ZLpNPuQ8mYq3NBxU+27ZLPDAeymQJNaqzP1U6NzQ5jjxBBMf1JYg
+Dk9TZQgDZ3rX5Gr7E8Tcs0Hst+14eSI1ARS7/jHU2KvsNAm4b9/+qRXAi5kl62XF
+u94tgym0Ha7AaSiPh5MHwsAxOPmS+0n3eKwcjjdDNb6SIorjtPHwZ6udWxy9Ecg2
+paUqBy6E023h4tG537BPocxGQzzW14WqBt0ATAMRiUHHD/eBvMIMzSrol+vrdXtX
+e9Xo7nAZZsq+8kURfEE=
+=kwRh
+-----END PGP SIGNATURE-----

dovecot-2.3.10.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6642e62f23b1b23cfac235007ca6e21cb67460cca834689fad450724456eb10c
-size 7226958

dovecot-2.3.10.1.tar.gz.sig

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl7CQmQXHGRvdmVjb3Qt
-Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaGKng/+KOljo/BTYEBFL+rn38eDhhZC
-nCzbAJZl6GOYMnrN0vuEExJoQ7B9Bqy4HlO0iFsYXyD7nsOVpsfyF9z8tkk0RYCd
-PLxUCuzMrQml1af9kygghm03/PUflfsV/zu3cBzh3vy0Bygflhrr+CVWjAvauD5y
-DFGjULHZhJnNm1PG2Wwk/2Unr8MI9erXY4TG0b2hGgTxV6orZoLj1MyhPKdmVM6n
-LXYwrkhnK+RGIwISJKZVdYHAiFO7XNVgpw9gQtKff+Vs3Sa9aA2F1cGJ2Y0p+azb
-+wQFLObGy/Rn87pQRkI3KPo9er3QCEwOfQQmECCnk4Aj/qhwnu7OEMrz3kj3IlLU
-uWOjzfIro0STiFqUnpZnFYVzTYgGmVUV/6mYkiYFdiVhRBPqQ2TTCsPlWPF8LXGo
-9epFAzpuCjBP+hhfrFP03CLF5B6BvDx76bB1hTacJJr1McAP4Cw7UTB9WzSEU8BX
-X5I3BAnCL8VJ73hHFWL/Wju7h45pYmd4TV0t0ZPUOIP9HonfB2BvEfLZZfMcHcEN
-QkVAmqpO2td7M7B8e6zo5+URZ0RVasuoTFlMwNcvzPCt5XdfxY/WMH9FAzJ5Kbdo
-U7Vte4WMyTsS8msfIMUwn9hH7xtwoNz9CSQ/vFcCDb+zANG18TC2uNXzjYNoFzib
-yYeoSMY2wtd2cz2GxD4=
-=2qVX
------END PGP SIGNATURE-----

dovecot-2.3.11.3.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d3d9ea9010277f57eb5b9f4166a5d2ba539b172bd6d5a2b2529a6db524baafdc
+size 7353412

dovecot-2.3.11.3.tar.gz.sig

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl8z40wXHGRvdmVjb3Qt
+Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaFrkw//c5eVa6F4iC8Fl9YAnBAqzYi5
+d2Jy4kOYCLJnSq1FTp+0Bh6iyxIFBVFanubpqNoxxNtvzbjuKGlpB+a4yvvyY4tf
+zjOvOtAVxzxvVurMxinnLjLtNdUSP55IDWmOVBZC3XipbrkCTkkpbnZBlcm9YxTJ
+9+wT4KWX8o+hddNZZ7A7GVb4J1eHeAdAkXslWSzCBPRhsSFKvUPmZtklbxfZCZiw
+Ug7MspDT60oFOkRGiZ08CYbYsNKw7MFeqXxEIAHq/XX64blE3i3XudTq1m4I3j9V
+1+Pzr8UB1qXG3zP1Tysdhn06GzwU3BVrWTrr8QmaYaQtWM1LC/ffF0uqVzWSNrud
+yMoGc3n2bH7CZmtiIFBLhNohe9MkUusTjKSKxj7659tH/Pq+I1XZ8dtXc0eNaNUi
+LYKmGf0l3T4cyB+INWN/1sLMsUJ25XhUABJo0C5Ovv8jsSqoPE/sglvBNLqad+cy
+tvPm6JrivOu2hMgSMjCfc5Z3/I6Qyv9m3HVg1V08HlT9T+TDpW3V3zLfYHI9UZib
+UjAKI5Fs4HYvv2v03irqlo9rkfpWCrtrd4G1dG3erM9rWe68vewtUP9nMI9UYC3g
+jClpSmg2o8uZj0imj60JE0+HoBLa+tk52M2Umiil0EVAE9dbT91qdWaeP+pylDvM
+oRClJm6uemmLrtE9MHk=
+=rtpE
+-----END PGP SIGNATURE-----

dovecot23.changes

@@ -1,3 +1,119 @@
+-------------------------------------------------------------------
+Wed Aug 12 13:57:05 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 2.3.11.3 and pigeonhole to 0.5.11
+
+  Dovecot 2.3.11.3
+  - pop3-login: Login didn't handle commands in multiple IP packets properly.
+    This mainly affected large XCLIENT commands or a large SASL initial
+    response parameter in the AUTH command.
+  - pop3: pop3_deleted_flag setting was broken, causing:
+    Panic: file seq-range-array.c: line 472 (seq_range_array_invert):
+    assertion failed: (range[count-1].seq2 <= max_seq)
+  Dovecot 2.3.11.2
+  - auth: Lua passdb/userdb leaks stack elements per call, eventually
+    causing the stack to become too deep and crashing the auth or
+    auth-worker process.
+  - lib-mail: v2.3.11 regression: MIME parts not returned correctly by
+    Dovecot MIME parser.
+  - pop3-login: Login would fail with "Input buffer full" if the initial
+    response for SASL was too long.
+  Dovecot 2.3.11
+  * CVE-2020-12100: Parsing mails with a large number of MIME parts could
+    have resulted in excessive CPU usage or a crash due to running out of
+    stack memory.
+  * CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
+    message buffer size, which leads to reading past allocation which can
+    lead to crash.
+  * CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
+    address that has the empty quoted string as local-part causes the lmtp
+    service to crash.
+  * CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
+    zero-length message, which leads to assert-crash later on.
+  * Events: Fix inconsistency in events. See event documentation in
+    https://doc.dovecot.org.
+  * imap_command_finished event's cmd_name field now contains "unknown"
+    for unknown commands. A new "cmd_input_name" field contains the
+    command name exactly as it was sent.
+  * lib-index: Renamed mail_cache_compress_* settings to mail_cache_purge_*.
+    Note that these settings are mainly intended for testing and usually
+    shouldn't be changed.
+  * events: Renamed "index" event category to "mail-index".
+  * events: service:<name> category is now using the name from
+    configuration file.
+  * dns-client: service dns_client was renamed to dns-client.
+  * log: Prefixes generally use the service name from configuration file.
+    For example dict-async service will now use
+    "dict-async(pid): " log prefix instead of "dict(pid): "
+  * *-login: Changed logging done by proxying to use a consistent prefix
+    containing the IP address and port.
+  * *-login: Changed disconnection log messages to be slightly clearer.
+  + dict: Add events for dictionaries.
+  + lib-index: Finish logging with events.
+  + oauth2: Support local validation of JWT tokens.
+  + stats: Add support for dynamic histograms and grouping. See
+    https://doc.dovecot.org/configuration_manual/stats/.
+  + imap: Implement RFC 8514: IMAP SAVEDATE
+  + lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge
+    folder) adds a lot of data to dovecot.index.cache file, commit those
+    changes periodically to make them visible to other concurrent sessions
+    as well.
+  + stats: Add OpenMetrics exporter for statistics. See
+    https://doc.dovecot.org/configuration_manual/stats/openmetrics/.
+  + stats: Support disabling stats-writer socket by setting
+    stats_writer_socket_path="".
+  - auth-worker: Process keeps slowly increasing its memory usage and
+    eventually dies with "out of memory" due to reaching vsz_limit.
+  - auth: Prevent potential timing attacks in authentication secret
+    comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, crypt() result.
+  - auth: Several auth-mechanisms allowed input to be truncated by NUL
+    which can potentially lead to unintentional issues or even successful
+    logins which should have failed.
+  - auth: When auth policy returned a delay, auth_request_finished event
+    had policy_result=ok field instead of policy_result=delayed.
+  - auth: auth process crash when auth_policy_server_url is set to an
+    invalid URL.
+  - dict-ldap: Crash occurs if var_expand template expansion fails.
+  - dict: If dict client disconnected while iteration was still running,
+    dict process could have started using 100% CPU, although it was still
+    handling clients.
+  - doveadm: Running doveadm commands via proxying may hang, especially
+    when doveadm is printing a lot of output.
+  - imap: "MOVE * destfolder" goes to a loop copying the last mail to the
+    destination until the imap process dies due to running out of memory.
+  - imap: Running "UID MOVE 1:* Trash" on an empty folder goes to infinite
+    loop.
+  - imap: SEARCH doesn't support $.
+  - lib-compress: Buffer over-read in zlib stream read.
+  - lib-dns: If DNS lookup times out, lib-dns can cause crash in calling
+    process.
+  - lib-index: Fixed several bugs in dovecot.index.cache handling that
+    could have caused cached data to be lost.
+  - lib-index: Writing to >=1 GB dovecot.index.cache files may cause
+    assert-crashes:
+    Panic: file mail-index-util.c: line 37 (mail_index_uint32_to_offset):
+    assertion failed: (offset < 0x40000000)
+  - lib-ssl-iostream: Fix buggy OpenSSL error handling without
+    assert-crashing. If there is no error available, log it as an error
+    instead of crashing:
+    Panic: file iostream-openssl.c: line 599 (openssl_iostream_handle_error):
+    assertion failed: (errno != 0)
+  - lib-ssl-iostream: ssl_key_password setting did not work.
+  - submission: A segfault crash may occur when the client or server
+    disconnects while a non-transaction command like NOOP or VRFY is still
+    being processed.
+  - virtual: Copying/moving mails with IMAP into a virtual folder assert-crashes:
+    Panic: file cmd-copy.c: line 152 (fetch_and_copy): assertion failed:
+    (copy_ctx->copy_count == seq_range_count(&copy_ctx->saved_uids))
+
+  Pigeonhole 0.5.11
+  * managesieve: managesieve_max_line_length setting is now a "size" type
+    instead of just number of bytes. This allows using e.g. "64k" as the
+    value.
+  - lib-sieve: When folding white space is used in the Message-ID header,
+    it is not stripped away correctly before the message ID value is used,
+    causing e.g. garbled log lines at delivery.
+    
 -------------------------------------------------------------------
 Tue May 19 12:04:55 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
 

dovecot23.spec

@@ -19,11 +19,11 @@
 %global _lto_cflags %{nil}
 
 Name:           dovecot23
-Version:        2.3.10.1
+Version:        2.3.11.3
 Release:        0
 %define pkg_name dovecot
-%define dovecot_version 2.3.10.1
-%define dovecot_pigeonhole_version 0.5.10
+%define dovecot_version 2.3.11.3
+%define dovecot_pigeonhole_version 0.5.11
 %define dovecot_branch  2.3
 %define dovecot_pigeonhole_source_dir %{pkg_name}-%{dovecot_branch}-pigeonhole-%{dovecot_pigeonhole_version}
 %define dovecot_pigeonhole_docdir     %{_docdir}/%{pkg_name}/dovecot-pigeonhole