From e5278c2201b44609d51d06d44369cc4f1e68c9bbcb8ddfaf3f5899a724b0d905 Mon Sep 17 00:00:00 2001 
From: Marcus Rueckert
Date: Thu, 13 Aug 2020 12:18:47 +0000
Subject: [PATCH] Accepting request 826219 from home:adkorte

- update to 2.3.11.3 and pigeonhole to 0.5.11
  Dovecot 2.3.11.3
  - pop3-login: Login didn't handle commands in multiple IP packets properly.
    This mainly affected large XCLIENT commands or a large SASL initial
    response parameter in the AUTH command.
  - pop3: pop3_deleted_flag setting was broken, causing:
    Panic: file seq-range-array.c: line 472 (seq_range_array_invert):
    assertion failed: (range[count-1].seq2 <= max_seq)
  Dovecot 2.3.11.2
  - auth: Lua passdb/userdb leaks stack elements per call, eventually
    causing the stack to become too deep and crashing the auth or
    auth-worker process.
  - lib-mail: v2.3.11 regression: MIME parts not returned correctly by
    Dovecot MIME parser.
  - pop3-login: Login would fail with "Input buffer full" if the initial
    response for SASL was too long.
  Dovecot 2.3.11
  * CVE-2020-12100: Parsing mails with a large number of MIME parts could
    have resulted in excessive CPU usage or a crash due to running out of
    stack memory.
  * CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
    message buffer size, which leads to reading past allocation which can
    lead to crash.
  * CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
    address that has the empty quoted string as local-part causes the lmtp
    service to crash.
  * CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
    zero-length message, which leads to assert-crash later on.
  * Events: Fix inconsistency in events. See event documentation in
    https://doc.dovecot.org.
OBS-URL: https://build.opensuse.org/request/show/826219 OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=76 --- dovecot-2.3-pigeonhole-0.5.10.tar.gz | 3 - dovecot-2.3-pigeonhole-0.5.10.tar.gz.sig | 17 ---- dovecot-2.3-pigeonhole-0.5.11.tar.gz | 3 + dovecot-2.3-pigeonhole-0.5.11.tar.gz.sig | 17 ++++ dovecot-2.3.10.1.tar.gz | 3 - dovecot-2.3.10.1.tar.gz.sig | 17 ---- dovecot-2.3.11.3.tar.gz | 3 + dovecot-2.3.11.3.tar.gz.sig | 17 ++++ dovecot23.changes | 116 +++++++++++++++++++++++ dovecot23.spec | 6 +- 10 files changed, 159 insertions(+), 43 deletions(-) delete mode 100644 dovecot-2.3-pigeonhole-0.5.10.tar.gz delete mode 100644 dovecot-2.3-pigeonhole-0.5.10.tar.gz.sig create mode 100644 dovecot-2.3-pigeonhole-0.5.11.tar.gz create mode 100644 dovecot-2.3-pigeonhole-0.5.11.tar.gz.sig delete mode 100644 dovecot-2.3.10.1.tar.gz delete mode 100644 dovecot-2.3.10.1.tar.gz.sig create mode 100644 dovecot-2.3.11.3.tar.gz create mode 100644 dovecot-2.3.11.3.tar.gz.sig diff --git a/dovecot-2.3-pigeonhole-0.5.10.tar.gz b/dovecot-2.3-pigeonhole-0.5.10.tar.gz deleted file mode 100644 index 3bdc8e1..0000000 --- a/dovecot-2.3-pigeonhole-0.5.10.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:48c89cc9f3caa9c5f2454f9dcca74fe251a99749a38062bfab7e5017d329605e -size 1899237 diff --git a/dovecot-2.3-pigeonhole-0.5.10.tar.gz.sig b/dovecot-2.3-pigeonhole-0.5.10.tar.gz.sig deleted file mode 100644 index d91203e..0000000 --- a/dovecot-2.3-pigeonhole-0.5.10.tar.gz.sig +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl5iGioXHGRvdmVjb3Qt -Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaHIdA//Ttwgm2VD1ebTAZ7b4MnTbNKd -PPmTnt+EXelxUSvnbFoUhJ6L4baMMx3N7ko02ocni9tEGHfrSizcCLD4EjSu4VQd -9R/FHwcJAz0H+r4exCdu7xo2tvKhVfejLuMVHI07VBYVwbZwHEkXTuUbzTdDzdwZ -LPMK9Eyp3qogLWH4jJAhj/SQISHQsWToeKXoHpFichGUjDJPacpbEllyV4nKxdRO -q5gv3l5u5gRK4Ios53lDUVNQ0olEk55Zj1RLgmV5NjjmgRljr7TdS4M6TGKov3D/ -4igVU+7SgyaC+RUztmZTW/pkf8i++m58Xf4Lj1Jd4zf/Xsin9da/mLQ1IMCtsNmQ -48mHYXf4NPEqfWINauDNwmEMsiupvGZzdE7CvVWQmJYsHAPL4tLicpIOrzSngNuA -o56lqxyrw9WMYuL4M2Wpkfasex+FqtucBDxGrKCC6UE3FkTrpbGGHWA+2cSBH0Ca -XGhgj9S4OUVFVSBGKRhiYu8BSzR4My0+X393iUY8uATIHgce70udsX5subuNR1JJ -PvKF6r34l8a0BQ5+6iJm8oleArf28vzo4rGk84sExM/9JIE1UhwzNSDwaXLl0VMZ -ccawKNypLJQORNMzM+h2HXw/zfNLH0e1DEuSbPBG8KIjGrs3gLlDg1is236Udxyu -AxLE9+Q5BhULkFWr9P4= -=CdBM ------END PGP SIGNATURE----- diff --git a/dovecot-2.3-pigeonhole-0.5.11.tar.gz b/dovecot-2.3-pigeonhole-0.5.11.tar.gz new file mode 100644 index 0000000..86e64a9 --- /dev/null +++ b/dovecot-2.3-pigeonhole-0.5.11.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0b972a441f680545ddfacd2f41fb2a705fb03249d46ed5ce7e01fe68b6cfb5f0 +size 1912411 diff --git a/dovecot-2.3-pigeonhole-0.5.11.tar.gz.sig b/dovecot-2.3-pigeonhole-0.5.11.tar.gz.sig new file mode 100644 index 0000000..4437647 --- /dev/null +++ b/dovecot-2.3-pigeonhole-0.5.11.tar.gz.sig 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl805/8XHGRvdmVjb3Qt +Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaEyaxAAlssO1IX8UH/Dj7r3i6efjbtF +lJ0pjPc5fvBYBs9q5OUD7q70H70JwmsbEjSHFGDPqOMA302BbWVLwPgVKx37LUe8 +sCtIGHrc+Q4lr/tU30NMcb+FEhk0Llzov9HTGjCltotN33jSZGIrcclLM2WHevD5 +FVJZH/zs23TP0/9tAjjUsGsVjq8lE9E+KNZpKHT4oyl1T58lTy+sN4O9QHW8xYX2 +sORuOeEMDcKoEQFegr9EJ3s1Wa0QtaI7NbfAKSUYiKQXmlSOfloOoWF65JbBgWfG +ANujVGnUP9Q9RFQJAeB4K51djKZVH5xp2ovQKYOsCivW12Ma2Ols29+Cxwc/K4ob +9HcrmZJWIfAt6PK64U+8JAt2h4/VLQSPvGcjaQ9P728Z52K4e7wJe4oUotpN7xFn +/JLXyC4Mpgn0ZLpNPuQ8mYq3NBxU+27ZLPDAeymQJNaqzP1U6NzQ5jjxBBMf1JYg +Dk9TZQgDZ3rX5Gr7E8Tcs0Hst+14eSI1ARS7/jHU2KvsNAm4b9/+qRXAi5kl62XF +u94tgym0Ha7AaSiPh5MHwsAxOPmS+0n3eKwcjjdDNb6SIorjtPHwZ6udWxy9Ecg2 +paUqBy6E023h4tG537BPocxGQzzW14WqBt0ATAMRiUHHD/eBvMIMzSrol+vrdXtX +e9Xo7nAZZsq+8kURfEE= +=kwRh +-----END PGP SIGNATURE----- diff --git a/dovecot-2.3.10.1.tar.gz b/dovecot-2.3.10.1.tar.gz deleted file mode 100644 index e491099..0000000 --- a/dovecot-2.3.10.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6642e62f23b1b23cfac235007ca6e21cb67460cca834689fad450724456eb10c -size 7226958 diff --git a/dovecot-2.3.10.1.tar.gz.sig b/dovecot-2.3.10.1.tar.gz.sig deleted file mode 100644 index 27b4c75..0000000 --- a/dovecot-2.3.10.1.tar.gz.sig +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl7CQmQXHGRvdmVjb3Qt -Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaGKng/+KOljo/BTYEBFL+rn38eDhhZC -nCzbAJZl6GOYMnrN0vuEExJoQ7B9Bqy4HlO0iFsYXyD7nsOVpsfyF9z8tkk0RYCd -PLxUCuzMrQml1af9kygghm03/PUflfsV/zu3cBzh3vy0Bygflhrr+CVWjAvauD5y -DFGjULHZhJnNm1PG2Wwk/2Unr8MI9erXY4TG0b2hGgTxV6orZoLj1MyhPKdmVM6n -LXYwrkhnK+RGIwISJKZVdYHAiFO7XNVgpw9gQtKff+Vs3Sa9aA2F1cGJ2Y0p+azb -+wQFLObGy/Rn87pQRkI3KPo9er3QCEwOfQQmECCnk4Aj/qhwnu7OEMrz3kj3IlLU -uWOjzfIro0STiFqUnpZnFYVzTYgGmVUV/6mYkiYFdiVhRBPqQ2TTCsPlWPF8LXGo -9epFAzpuCjBP+hhfrFP03CLF5B6BvDx76bB1hTacJJr1McAP4Cw7UTB9WzSEU8BX -X5I3BAnCL8VJ73hHFWL/Wju7h45pYmd4TV0t0ZPUOIP9HonfB2BvEfLZZfMcHcEN -QkVAmqpO2td7M7B8e6zo5+URZ0RVasuoTFlMwNcvzPCt5XdfxY/WMH9FAzJ5Kbdo -U7Vte4WMyTsS8msfIMUwn9hH7xtwoNz9CSQ/vFcCDb+zANG18TC2uNXzjYNoFzib -yYeoSMY2wtd2cz2GxD4= -=2qVX ------END PGP SIGNATURE----- diff --git a/dovecot-2.3.11.3.tar.gz b/dovecot-2.3.11.3.tar.gz new file mode 100644 index 0000000..f0183c9 --- /dev/null +++ b/dovecot-2.3.11.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d3d9ea9010277f57eb5b9f4166a5d2ba539b172bd6d5a2b2529a6db524baafdc +size 7353412 diff --git a/dovecot-2.3.11.3.tar.gz.sig b/dovecot-2.3.11.3.tar.gz.sig new file mode 100644 index 0000000..f4d6fa5 --- /dev/null +++ b/dovecot-2.3.11.3.tar.gz.sig 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl8z40wXHGRvdmVjb3Qt +Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaFrkw//c5eVa6F4iC8Fl9YAnBAqzYi5 +d2Jy4kOYCLJnSq1FTp+0Bh6iyxIFBVFanubpqNoxxNtvzbjuKGlpB+a4yvvyY4tf +zjOvOtAVxzxvVurMxinnLjLtNdUSP55IDWmOVBZC3XipbrkCTkkpbnZBlcm9YxTJ +9+wT4KWX8o+hddNZZ7A7GVb4J1eHeAdAkXslWSzCBPRhsSFKvUPmZtklbxfZCZiw +Ug7MspDT60oFOkRGiZ08CYbYsNKw7MFeqXxEIAHq/XX64blE3i3XudTq1m4I3j9V +1+Pzr8UB1qXG3zP1Tysdhn06GzwU3BVrWTrr8QmaYaQtWM1LC/ffF0uqVzWSNrud +yMoGc3n2bH7CZmtiIFBLhNohe9MkUusTjKSKxj7659tH/Pq+I1XZ8dtXc0eNaNUi +LYKmGf0l3T4cyB+INWN/1sLMsUJ25XhUABJo0C5Ovv8jsSqoPE/sglvBNLqad+cy +tvPm6JrivOu2hMgSMjCfc5Z3/I6Qyv9m3HVg1V08HlT9T+TDpW3V3zLfYHI9UZib +UjAKI5Fs4HYvv2v03irqlo9rkfpWCrtrd4G1dG3erM9rWe68vewtUP9nMI9UYC3g +jClpSmg2o8uZj0imj60JE0+HoBLa+tk52M2Umiil0EVAE9dbT91qdWaeP+pylDvM +oRClJm6uemmLrtE9MHk= +=rtpE +-----END PGP SIGNATURE----- diff --git a/dovecot23.changes b/dovecot23.changes index 7f0d6e1..13d7f6e 100644 --- a/dovecot23.changes +++ b/dovecot23.changes 
@@ -1,3 +1,119 @@ +------------------------------------------------------------------- +Wed Aug 12 13:57:05 UTC 2020 - Arjen de Korte + +- update to 2.3.11.3 and pigeonhole to 0.5.11 + + Dovecot 2.3.11.3 + - pop3-login: Login didn't handle commands in multiple IP packets properly. + This mainly affected large XCLIENT commands or a large SASL initial + response parameter in the AUTH command. + - pop3: pop3_deleted_flag setting was broken, causing: + Panic: file seq-range-array.c: line 472 (seq_range_array_invert): + assertion failed: (range[count-1].seq2 <= max_seq) + Dovecot 2.3.11.2 + - auth: Lua passdb/userdb leaks stack elements per call, eventually + causing the stack to become too deep and crashing the auth or + auth-worker process. + - lib-mail: v2.3.11 regression: MIME parts not returned correctly by + Dovecot MIME parser. + - pop3-login: Login would fail with "Input buffer full" if the initial + response for SASL was too long. + Dovecot 2.3.11 + * CVE-2020-12100: Parsing mails with a large number of MIME parts could + have resulted in excessive CPU usage or a crash due to running out of + stack memory. + * CVE-2020-12673: Dovecot's NTLM implementation does not correctly check + message buffer size, which leads to reading past allocation which can + lead to crash. + * CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an + address that has the empty quoted string as local-part causes the lmtp + service to crash. + * CVE-2020-12674: Dovecot's RPA mechanism implementation accepts + zero-length message, which leads to assert-crash later on. + * Events: Fix inconsistency in events. See event documentation in + https://doc.dovecot.org. + * imap_command_finished event's cmd_name field now contains "unknown" + for unknown commands. A new "cmd_input_name" field contains the + command name exactly as it was sent. + * lib-index: Renamed mail_cache_compress_* settings to mail_cache_purge_*. 
+ Note that these settings are mainly intended for testing and usually + shouldn't be changed. + * events: Renamed "index" event category to "mail-index". + * events: service: category is now using the name from + configuration file. + * dns-client: service dns_client was renamed to dns-client. + * log: Prefixes generally use the service name from configuration file. + For example dict-async service will now use + "dict-async(pid): " log prefix instead of "dict(pid): " + * *-login: Changed logging done by proxying to use a consistent prefix + containing the IP address and port. + * *-login: Changed disconnection log messages to be slightly clearer. + + dict: Add events for dictionaries. + + lib-index: Finish logging with events. + + oauth2: Support local validation of JWT tokens. + + stats: Add support for dynamic histograms and grouping. See + https://doc.dovecot.org/configuration_manual/stats/. + + imap: Implement RFC 8514: IMAP SAVEDATE + + lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge + folder) adds a lot of data to dovecot.index.cache file, commit those + changes periodically to make them visible to other concurrent sessions + as well. + + stats: Add OpenMetrics exporter for statistics. See + https://doc.dovecot.org/configuration_manual/stats/openmetrics/. + + stats: Support disabling stats-writer socket by setting + stats_writer_socket_path="". + - auth-worker: Process keeps slowly increasing its memory usage and + eventually dies with "out of memory" due to reaching vsz_limit. + - auth: Prevent potential timing attacks in authentication secret + comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, crypt() result. + - auth: Several auth-mechanisms allowed input to be truncated by NUL + which can potentially lead to unintentional issues or even successful + logins which should have failed. + - auth: When auth policy returned a delay, auth_request_finished event + had policy_result=ok field instead of policy_result=delayed. 
+ - auth: auth process crash when auth_policy_server_url is set to an + invalid URL. + - dict-ldap: Crash occurs if var_expand template expansion fails. + - dict: If dict client disconnected while iteration was still running, + dict process could have started using 100% CPU, although it was still + handling clients. + - doveadm: Running doveadm commands via proxying may hang, especially + when doveadm is printing a lot of output. + - imap: "MOVE * destfolder" goes to a loop copying the last mail to the + destination until the imap process dies due to running out of memory. + - imap: Running "UID MOVE 1:* Trash" on an empty folder goes to infinite + loop. + - imap: SEARCH doesn't support $. + - lib-compress: Buffer over-read in zlib stream read. + - lib-dns: If DNS lookup times out, lib-dns can cause crash in calling + process. + - lib-index: Fixed several bugs in dovecot.index.cache handling that + could have caused cached data to be lost. + - lib-index: Writing to >=1 GB dovecot.index.cache files may cause + assert-crashes: + Panic: file mail-index-util.c: line 37 (mail_index_uint32_to_offset): + assertion failed: (offset < 0x40000000) + - lib-ssl-iostream: Fix buggy OpenSSL error handling without + assert-crashing. If there is no error available, log it as an error + instead of crashing: + Panic: file iostream-openssl.c: line 599 (openssl_iostream_handle_error): + assertion failed: (errno != 0) + - lib-ssl-iostream: ssl_key_password setting did not work. + - submission: A segfault crash may occur when the client or server + disconnects while a non-transaction command like NOOP or VRFY is still + being processed. + - virtual: Copying/moving mails with IMAP into a virtual folder assert-crashes: + Panic: file cmd-copy.c: line 152 (fetch_and_copy): assertion failed: + (copy_ctx->copy_count == seq_range_count(©_ctx->saved_uids)) + + Pigeonhole 0.5.11 + * managesieve: managesieve_max_line_length setting is now a "size" type + instead of just number of bytes. 
This allows using e.g. "64k" as the + value. + - lib-sieve: When folding white space is used in the Message-ID header, + it is not stripped away correctly before the message ID value is used, + causing e.g. garbled log lines at delivery. + ------------------------------------------------------------------- Tue May 19 12:04:55 UTC 2020 - Marcus Rueckert diff --git a/dovecot23.spec b/dovecot23.spec index 33a256a..c4d1a21 100644 --- a/dovecot23.spec +++ b/dovecot23.spec @@ -19,11 +19,11 @@ %global _lto_cflags %{nil} Name: dovecot23 -Version: 2.3.10.1 +Version: 2.3.11.3 Release: 0 %define pkg_name dovecot -%define dovecot_version 2.3.10.1 -%define dovecot_pigeonhole_version 0.5.10 +%define dovecot_version 2.3.11.3 +%define dovecot_pigeonhole_version 0.5.11 %define dovecot_branch 2.3 %define dovecot_pigeonhole_source_dir %{pkg_name}-%{dovecot_branch}-pigeonhole-%{dovecot_pigeonhole_version} %define dovecot_pigeonhole_docdir %{_docdir}/%{pkg_name}/dovecot-pigeonhole
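Review bot: for the dovecot-2.3.11.3.tar.gz and dovecot-2.3.11.3.tar.gz.sig hunks (and the matching pigeonhole 0.5.11 pair), the tarball is a git-lfs pointer, so the diff only shows the new `oid sha256:d3d9ea90...` and `size 7353412`, not content that can be inspected here; confirm that oid and size against the checksums published for the upstream 2.3.11.3 release, and run the signature check against the project's pinned release key rather than relying on the pointer's sha256 alone. The new .sig's first base64 line shares its leading issuer bytes (`iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEF`) with the deleted 2.3.10.1 and 0.5.10 signatures, so the same key appears to have signed all four; the verification should still be recorded in the request, since a signature that merely exists proves nothing about which key made it.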
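Review bot: in the dovecot23.changes hunk, the virtual-folder entry near the end reads `seq_range_count(©_ctx->saved_uids)`; the `©` is the `&copy` HTML entity decoded, i.e. the original `&copy_ctx->saved_uids` (address-of) lost its `&` and the following text was mangled. Restore `&copy_ctx` so the .changes entry matches the upstream panic message, and check the rest of the pasted NEWS text for the same entity-decoding damage (any `&` followed by letters is at risk).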
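Review bot: the dovecot23.spec hunk only bumps `Version` and the `dovecot_version` / `dovecot_pigeonhole_version` defines, while the changelog in the same request records renames (mail_cache_compress_* to mail_cache_purge_*, service dns_client to dns-client, event category "index" to "mail-index"); check whether any packaged config snippets, patches or scriptlets in the spec reference the old names, and consider a short admin-facing line in dovecot23.changes pointing at the renamed settings. Style: `Version: 2.3.11.3` and `%define dovecot_version 2.3.11.3` carry the same string twice; `%define dovecot_version %{version}` would keep them from drifting on the next bump.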