- update to 2.3.7.2

* CVE-2019-11500: IMAP protocol parser does not properly handle
    NUL byte when scanning data in quoted strings, leading to out
    of bounds heap memory writes. Found by Nick Roessler and Rafi
    Rubin.
- update pigeonhole to 0.5.7.2
  * CVE-2019-11500: ManageSieve protocol parser does not properly
    handle NUL byte when scanning data in quoted strings, leading
    to out of bounds heap memory writes. Found by Nick Roessler and
    Rafi Rubin.
- refreshed patches to apply cleanly again:
  dovecot-2.3.0-better_ssl_defaults.patch
  dovecot-2.3.0-dont_use_etc_ssl_certs.patch

OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=52

dovecot-2.3-pigeonhole-0.5.7.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3270b24c1f75a7c144f54d6d08ce994176e39c2cdb3ac4dd80ad5e64aaaa2028
-size 1857291

dovecot-2.3-pigeonhole-0.5.7.1.tar.gz.sig

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl026V4XHGRvdmVjb3Qt
-Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaELXRAA1a9kMXlDYaaKzOooSMFhWCJ7
-GC0b4H8qZ1p6bCvR073fwhRFwzAO3O6X1f3op8MLtuLyk/k13tWNETOvXlEDTPVf
-3DfSSQ9D76+DnSElc2aToX3MjnRbk/C+b6DWpSpgEi6f5wbNBWF3JgS+JHTnCq1P
-9rYD9Y8evdSwPfYmEIZgPvP05/n4rsSFvB5HgqISqM7pQ4zCjwJqlepgzuXzvTyj
-q7ZHj/t/ey7nW0m4aVbixB/DPboDfnTJbx2agTUKs8QugnzWBzdR03k3qUvuh2bV
-+Tdp41mo+9L6CcRnjjfc/ZSbvjZkk4O3ZwcvUgG8mdKwqGJ+aICd7nf4LLIfi+dj
-u5PHlD4e/9Lx33Hg53lVjLgUGPLR2iKeLAMLYh6q547ZQ+YWU6vEnnaQzuc6HBe5
-b55A5QEn0GsodomqROzk7NaRK2f8b4IZZwiImRucfDxL22tSaLvu3CKJwKqWUTTc
-clRC9UQlTvVXvCKefiVoXzCniQywc2QXdwDMyZcem3avPNU/9OHbt4mzNvdbHDcV
-DRt57RGFPT0dVx/CJ9vY++Iq4ZOBLsClqNA/ZyYkrym+g4TAwRtGuihhTQO2Q+pP
-ok5QaAwjv1WPqoM7as+RtrtzqKzScE7j8Drl8d9g4cjEIs8q1RkHuk8vKqbOKrz/
-6/7EIWTn1m6tMPoC5Tg=
-=YEKl
------END PGP SIGNATURE-----

dovecot-2.3-pigeonhole-0.5.7.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d59d0c5c5225a126e5b98bf95d75e8dd368bdeeb3da2e9766dbe4fddaa9411b0
+size 1857602

dovecot-2.3-pigeonhole-0.5.7.2.tar.gz.sig

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl1mKPUXHGRvdmVjb3Qt
+Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaH5jA//ScAL3ofL2pxgt0NyS9Vuya8K
+Y4Eof+UpeILJ/v/npfIlJjKsxg1L9WbReTmo5t2GgXtin0fbVor1LguCWuhmKR9U
+HATQtIMNJxU3YIMGI80+0poHJW4rCfHQTQmBqChE535XGIWKT/XrGbqRgI02HrdB
+SXGAXajqoWZG5qEcwr/wcsJ+HXLYsCE3ywvEqPQK1AUrKEo5sdGLOvbZ8sSUda4f
+VUCPG7KJ5+KQX9/nf0mfXHUq2l8xwvlSyay8eiZ4SU+QUydi33GUTHYrhJwD/FOs
+iiqUpu0iH+JDLl1VZd4pD3ruoraVeMsyvbPmuPXtxIzns5MrrmVYGptjBkB39V4E
+pPCkmrCJUqTRga1V3+T2+xcZd8cz6alFAaIM7eYLQWz+8iJ2cxGGMPUFWY2CjvL/
+errF9wJzm6YqpU087/JGBm+UiTnvgp1rvzV9QPEnUNkn9Q5ikLeCMy3sZ047pg1q
+hOLYizeRt9fpEhF19nkDC4O4NA3g5hY489uRhDEueQpA2Ro3V1C2+cZo4pjhM7pf
+L+DAenWTsup1c/TrA+hGXNJld7GGYcmDoXBmRmqs/whUKBa+js2irZtAzdkos+g9
+yH2cm+ji91D6R+H1ZJxTgl31DBwt8QgQwJLMJ3JERKqKuiFD9Q73jia+2l7j4h3o
+JPiM+UCudeqS8miBNQI=
+=Zqi8
+-----END PGP SIGNATURE-----

dovecot-2.3.0-better_ssl_defaults.patch

@@ -1,7 +1,7 @@
-Index: dovecot-2.3.2/doc/example-config/conf.d/10-ssl.conf
+Index: dovecot-2.3.7.2/doc/example-config/conf.d/10-ssl.conf
 ===================================================================
---- dovecot-2.3.2.orig/doc/example-config/conf.d/10-ssl.conf
-+++ dovecot-2.3.2/doc/example-config/conf.d/10-ssl.conf
+--- dovecot-2.3.7.2.orig/doc/example-config/conf.d/10-ssl.conf
++++ dovecot-2.3.7.2/doc/example-config/conf.d/10-ssl.conf
 @@ -9,8 +9,8 @@
  # dropping root privileges, so keep the key file unreadable by anyone but
  # root. Included doc/mkcert.sh can be used to easily generate self-signed
@@ -13,7 +13,7 @@ Index: dovecot-2.3.2/doc/example-config/conf.d/10-ssl.conf
  
  # If key file is password protected, give the password here. Alternatively
  # give it when starting dovecot with -p parameter. Since this file is often
-@@ -57,6 +57,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+@@ -60,6 +60,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
  #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
  # To disable non-EC DH, use:
  #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
@@ -21,7 +21,7 @@ Index: dovecot-2.3.2/doc/example-config/conf.d/10-ssl.conf
  
  # Colon separated list of elliptic curves to use. Empty value (the default)
  # means use the defaults from the SSL library. P-521:P-384:P-256 would be an
-@@ -65,6 +66,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+@@ -68,6 +69,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
  
  # Prefer the server's order of ciphers over client's.
  #ssl_prefer_server_ciphers = no
@@ -29,16 +29,16 @@ Index: dovecot-2.3.2/doc/example-config/conf.d/10-ssl.conf
  
  # SSL crypto device to use, for valid values run "openssl engine"
  #ssl_crypto_device =
-@@ -73,3 +75,4 @@ ssl_key = </etc/ssl/private/dovecot.pem
+@@ -76,3 +78,4 @@ ssl_key = </etc/ssl/private/dovecot.pem
  #   compression - Enable compression.
  #   no_ticket - Disable SSL session tickets.
  #ssl_options =
 +ssl_options = no_compression
-Index: dovecot-2.3.2/src/lib-master/master-service-ssl-settings.c
+Index: dovecot-2.3.7.2/src/lib-master/master-service-ssl-settings.c
 ===================================================================
---- dovecot-2.3.2.orig/src/lib-master/master-service-ssl-settings.c
-+++ dovecot-2.3.2/src/lib-master/master-service-ssl-settings.c
-@@ -59,7 +59,7 @@ static const struct master_service_ssl_s
+--- dovecot-2.3.7.2.orig/src/lib-master/master-service-ssl-settings.c
++++ dovecot-2.3.7.2/src/lib-master/master-service-ssl-settings.c
+@@ -61,7 +61,7 @@ static const struct master_service_ssl_s
  	.ssl_client_cert = "",
  	.ssl_client_key = "",
  	.ssl_dh = "",

dovecot-2.3.0-dont_use_etc_ssl_certs.patch

@@ -1,7 +1,7 @@
-Index: dovecot-2.3.0.rc1/doc/example-config/conf.d/10-ssl.conf
+Index: dovecot-2.3.7.2/doc/example-config/conf.d/10-ssl.conf
 ===================================================================
---- dovecot-2.3.0.rc1.orig/doc/example-config/conf.d/10-ssl.conf
-+++ dovecot-2.3.0.rc1/doc/example-config/conf.d/10-ssl.conf
+--- dovecot-2.3.7.2.orig/doc/example-config/conf.d/10-ssl.conf
++++ dovecot-2.3.7.2/doc/example-config/conf.d/10-ssl.conf
 @@ -9,7 +9,7 @@
  # dropping root privileges, so keep the key file unreadable by anyone but
  # root. Included doc/mkcert.sh can be used to easily generate self-signed
@@ -11,11 +11,11 @@ Index: dovecot-2.3.0.rc1/doc/example-config/conf.d/10-ssl.conf
  ssl_key = </etc/ssl/private/dovecot.pem
  
  # If key file is password protected, give the password here. Alternatively
-Index: dovecot-2.3.0.rc1/doc/man/doveconf.1.in
+Index: dovecot-2.3.7.2/doc/man/doveconf.1.in
 ===================================================================
---- dovecot-2.3.0.rc1.orig/doc/man/doveconf.1.in
-+++ dovecot-2.3.0.rc1/doc/man/doveconf.1.in
-@@ -126,7 +126,7 @@ Dump settings in simplified machine pars
+--- dovecot-2.3.7.2.orig/doc/man/doveconf.1.in
++++ dovecot-2.3.7.2/doc/man/doveconf.1.in
+@@ -132,7 +132,7 @@ Show passwords and other sensitive value
  .TP
  .B \-x
  Expand configuration variables (e.g. \(Domail_plugins \(rA quota) and show
@@ -24,17 +24,17 @@ Index: dovecot-2.3.0.rc1/doc/man/doveconf.1.in
  .\"---------------------------------
  .TP
  .I section_name
-@@ -207,4 +207,4 @@ dict/quota = pgsql:@pkgsysconfdir@/dovec
+@@ -213,4 +213,4 @@ dict/quota = pgsql:@pkgsysconfdir@/dovec
  .BR doveadm (1),
  .BR dovecot (1),
  .BR dovecot\-lda (1),
 -.BR dsync (1)
 \ No newline at end of file
 +.BR dsync (1)
-Index: dovecot-2.3.0.rc1/doc/mkcert.sh
+Index: dovecot-2.3.7.2/doc/mkcert.sh
 ===================================================================
---- dovecot-2.3.0.rc1.orig/doc/mkcert.sh
-+++ dovecot-2.3.0.rc1/doc/mkcert.sh
+--- dovecot-2.3.7.2.orig/doc/mkcert.sh
++++ dovecot-2.3.7.2/doc/mkcert.sh
 @@ -8,10 +8,10 @@ OPENSSL=${OPENSSL-openssl}
  SSLDIR=${SSLDIR-/etc/ssl}
  OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
@@ -48,10 +48,10 @@ Index: dovecot-2.3.0.rc1/doc/mkcert.sh
  KEYFILE=$KEYDIR/dovecot.pem
  
  if [ ! -d $CERTDIR ]; then
-Index: dovecot-2.3.0.rc1/doc/wiki/CompilingSource.txt
+Index: dovecot-2.3.7.2/doc/wiki/CompilingSource.txt
 ===================================================================
---- dovecot-2.3.0.rc1.orig/doc/wiki/CompilingSource.txt
-+++ dovecot-2.3.0.rc1/doc/wiki/CompilingSource.txt
+--- dovecot-2.3.7.2.orig/doc/wiki/CompilingSource.txt
++++ dovecot-2.3.7.2/doc/wiki/CompilingSource.txt
 @@ -142,7 +142,7 @@ non-standard path. Make sure you have th
  installed, and if it is not in the standard location, set 'CPPFLAGS' and
  'LDFLAGS' as shown in <the first section above.> [CompilingSource.txt]
@@ -61,10 +61,10 @@ Index: dovecot-2.3.0.rc1/doc/wiki/CompilingSource.txt
  the private key from '/etc/ssl/private/dovecot.pem'. The '/etc/ssl' directory
  can be changed using the '--with-ssldir=DIR' configure option. Both can of
  course be overridden from the configuration file.
-Index: dovecot-2.3.0.rc1/doc/wiki/SSL.CertificateCreation.txt
+Index: dovecot-2.3.7.2/doc/wiki/SSL.CertificateCreation.txt
 ===================================================================
---- dovecot-2.3.0.rc1.orig/doc/wiki/SSL.CertificateCreation.txt
-+++ dovecot-2.3.0.rc1/doc/wiki/SSL.CertificateCreation.txt
+--- dovecot-2.3.7.2.orig/doc/wiki/SSL.CertificateCreation.txt
++++ dovecot-2.3.7.2/doc/wiki/SSL.CertificateCreation.txt
 @@ -39,7 +39,7 @@ CN matches the connected host name, othe
  invalid. It's also possible to use wildcards (eg. *.domain.com) in the host
  name. They should work with most clients.
@@ -74,11 +74,11 @@ Index: dovecot-2.3.0.rc1/doc/wiki/SSL.CertificateCreation.txt
  private key file is created to '/etc/ssl/private/dovecot.pem'. Also by default
  the certificate will expire in 365 days. If you wish to change any of these,
  modify the mkcert.sh script.
-Index: dovecot-2.3.0.rc1/doc/wiki/SSL.DovecotConfiguration.txt
+Index: dovecot-2.3.7.2/doc/wiki/SSL.DovecotConfiguration.txt
 ===================================================================
---- dovecot-2.3.0.rc1.orig/doc/wiki/SSL.DovecotConfiguration.txt
-+++ dovecot-2.3.0.rc1/doc/wiki/SSL.DovecotConfiguration.txt
-@@ -6,7 +6,7 @@ The most important SSL settings are (in
+--- dovecot-2.3.7.2.orig/doc/wiki/SSL.DovecotConfiguration.txt
++++ dovecot-2.3.7.2/doc/wiki/SSL.DovecotConfiguration.txt
+@@ -41,7 +41,7 @@ The most important SSL settings are (in
  ---%<-------------------------------------------------------------------------
  ssl = yes
  # Preferred permissions: root:root 0444
@@ -87,7 +87,7 @@ Index: dovecot-2.3.0.rc1/doc/wiki/SSL.DovecotConfiguration.txt
  # Preferred permissions: root:root 0400
  ssl_key = </etc/ssl/private/dovecot.pem
  ---%<-------------------------------------------------------------------------
-@@ -35,11 +35,11 @@ override the global setting.:
+@@ -73,11 +73,11 @@ override the global setting.:
  
  ---%<-------------------------------------------------------------------------
  protocol imap {
@@ -101,7 +101,7 @@ Index: dovecot-2.3.0.rc1/doc/wiki/SSL.DovecotConfiguration.txt
    ssl_key = </etc/ssl/private/pop3.pem
  }
  ---%<-------------------------------------------------------------------------
-@@ -156,11 +156,11 @@ support SNI.
+@@ -194,11 +194,11 @@ support SNI.
  
  ---%<-------------------------------------------------------------------------
  local_name imap.example.org {

dovecot-2.3.7.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c5a51d6f76e6e9c843df69e52a364a4c65c4c60e0c51d992eaa45f22f71803c3
-size 7076500

dovecot-2.3.7.1.tar.gz.sig

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl026UMXHGRvdmVjb3Qt
-Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaGDahAApKWQbtbto+1qpjXArqCUM9Po
-X1USvZ9fnUq1scrNwRh1B2F6ViOSJfe0BOAWqbnhGzk2zi5XXbGXSCGBMu79kxvc
-GvrSeomQ+yI0keaI0EK/t2Rc6ieUIveezIXNFW5UBTWtjkh868a6DTUUVhl+RFUT
-tEJzqR1L9gK5e3NpPrvJdoDTQvWqTut6CWjtr/nrwHp4NKJ00atsJaHfrqffqMdN
-QbYCy89/YPD6TTjdt6b1GRmi4Oavp7d8uUe27GAezam/beNIaCXEyKyz7uPR/tMy
-38eeSnprTRN2xXvcJgvtcOcDHvjXmZ2De5JWtCW3v+9sHwxnsCn20VfwQUWlns1j
-epQXuv3j2piq6MculRPpM0Lsd9vuhOYTVrDpR0n70DtvGmtO+5Ze6snrdKBpabfd
-/nhH2X27ww3zHttjMoVeafew+hMwaRXRF5FjoN6gLEx/acaDgPrRFGcHd0ivp/II
-pdfHW5izyI0pq5G8ZEVgpBzaEic1f4JhETOFTTDK/quAhGv3ElUxbZNQAIQlfsjE
-C1u+Nk/YhP+LJmpqr1zTzGPs79ZVfXUzk06LDBj4xq1ABZ7tKLmwMWd0sAOXBs6X
-I7ht3hjyNXazRldPtb4ydHOOLDqEyuwuJ6NpEsZtrmoPXYCcVlsoHQTomILupZyq
-Idx4xQnKgHYgcIo5J+4=
-=RulT
------END PGP SIGNATURE-----

dovecot-2.3.7.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:666ce084760a47e601d49a9be3c7993c48789d332631e8dfb45f443b367b1260
+size 7076231

dovecot-2.3.7.2.tar.gz.sig

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAl1mKO8XHGRvdmVjb3Qt
+Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaHG+w/9GrPv8lmzCWV/GyrNXN2fAXL9
+16mf8wKhto58vWeLYt/1B6x6bafzq2bl2DYvIrZmfJsF1S5J2eOz3D3JlrLYXyFY
+3CQObi6qrFPtKvSzWXaLCa0XdezVeKJ4YxMfFAuqNqwhdupUs4swoMtjy35JjoJA
+gcozKiD5RWbZbORyw/QOYoxy0J7DAEFERgvDkWix3PxZU+XtVemDAZoss/2RzzNK
+w5FkjbVB0lETx3eYmNxXCccUllhDtBV6/K99mpsGSKDa9hXgOT9wIp9bEoedyRIG
+wKXWqzkHGfH+AALz9F+/Rsnqt/bqXEwupOLm25w64Qh2TTfKuHzXj7ADv04Kd+As
+EIv6N3Hs8ulWiAhFQYQyP62FDDelGlPxh6E3LvaznsoQYw8Ifw0iJff1h4e/gtEN
+kSR6NN3Mr/cZpCltfjfczkzNLm5czY7OFZ4d54+PpZe3O4uWau0NINFQRaSwJK+3
+yqh69cd/a3X62XaP2x03/lYBQfte/4ncpgX/8FJkQFVWYhTHSJn2sUSwEM1PZXax
+/zTz57lxih/NKTOF3/iSnuLAZWZIEeUERdpQlCIm9N0zXWucB8xzP4UX/61XbjGu
+I3zlp5KqXZiTxLLnpNlRaGTa7LAOdS09NWwCGHUoUV+FiqcCYjdF6nD3htGNM80l
+OkZ8WwmyZKEqEXrGPq8=
+=SU8C
+-----END PGP SIGNATURE-----

dovecot23.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Wed Aug 28 16:57:12 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>
+
+- update to 2.3.7.2
+  * CVE-2019-11500: IMAP protocol parser does not properly handle
+    NUL byte when scanning data in quoted strings, leading to out
+    of bounds heap memory writes. Found by Nick Roessler and Rafi
+    Rubin.
+- update pigeonhole to 0.5.7.2
+  * CVE-2019-11500: ManageSieve protocol parser does not properly
+    handle NUL byte when scanning data in quoted strings, leading
+    to out of bounds heap memory writes. Found by Nick Roessler and
+    Rafi Rubin.
+- refreshed patches to apply cleanly again:
+  dovecot-2.3.0-better_ssl_defaults.patch
+  dovecot-2.3.0-dont_use_etc_ssl_certs.patch
+
 -------------------------------------------------------------------
 Tue Jul 23 20:06:59 UTC 2019 - Michael Ströder <michael@stroeder.com>
 

dovecot23.spec

@@ -12,16 +12,16 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
 Name:           dovecot23
-Version:        2.3.7.1
+Version:        2.3.7.2
 Release:        0
 %define pkg_name dovecot
-%define dovecot_version 2.3.7.1
-%define dovecot_pigeonhole_version 0.5.7.1
+%define dovecot_version 2.3.7.2
+%define dovecot_pigeonhole_version 0.5.7.2
 %define dovecot_branch  2.3
 %define dovecot_pigeonhole_source_dir %{pkg_name}-%{dovecot_branch}-pigeonhole-%{dovecot_pigeonhole_version}
 %define dovecot_pigeonhole_docdir     %{_docdir}/%{pkg_name}/dovecot-pigeonhole