- update to 2.3.4.1 (boo#1123022)

* CVE-2019-3814: If imap/pop3/managesieve/submission client has
    trusted certificate with missing username field
    (ssl_cert_username_field), under some configurations Dovecot
    mistakenly trusts the username provided via authentication
    instead of failing.
  * ssl_cert_username_field setting was ignored with external
    SMTP AUTH, because none of the MTAs (Postfix, Exim) currently
    send the cert_username field. This may have allowed users with
    trusted certificate to specify any username in the
    authentication. This bug didn't affect Dovecot's Submission
    service.

OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=38

dovecot-2.3.4.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b8873e2ce5c33e58963bb7a8d2ff8427c09dbfdd63e13a0b0f4502864043aa07
+size 6925073

dovecot-2.3.4.1.tar.gz.sig

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAlxZb8EXHGRvdmVjb3Qt
+Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaGwOBAAm9ck9yken0ArzR0njXywornz
+ftUrEflzkEESqVxFVGF7i4ZPxa1Dfrpb5QedIBcdFp1sV1sALSh5HH5k43TV+yBY
+r7trHu8kJSOmFE4KoHst9Y6bewu3Rg5Bh2v5XBaaY6A9ADjdJNamT4AAqDDI2f6Q
+f27P/O+34bvgCI7Ol1VezFXlNagBtcSBAtPTqfqdILqW/H0oV1J21gmBGTT6u6Z8
+aPyf060U46GZWjHBQDoZRq0NUSIYf8H7qdubEbt0kCifWFuT1LjmvLRbQv3Wxp5m
+H0QjzWejVun9AX6MG5mZCzmIn+q30ArUG9EJ4tAAzvsCUqywvpbjjuU2wULGJJNz
+oEAEVIXp84yxXUavnr+DFevh2yruVHZUj16lwF98u29IWiSwFfhZZsyc+jXuwiDm
+WYl/KfOL3ACBakcPxdMyVTwghKBAA9xH0DXAsPTyIrxwmNgn48d/wiQtmtsYVAYb
+HlYtooee4KptiXL9Eq/kAz7oAPrVdhZxqT48CRh6Cd6dfWtGXNQIMdXVt/7T2ygJ
+sC/wpziKEy+BE1J/NSuCOgGNcIQij0VJvl9rnldpxACzNQ0CGaJfKv7/LPF2bO5o
+LED+rFOFfK3IOGxZgr5euQPIVVn7DxAZaIoEumwYW3YO46BJlSB+9XN20YVqH4vY
+jyPHxVeZN6q7RvlP498=
+=HaCn
+-----END PGP SIGNATURE-----

dovecot-2.3.4.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d91b76eff8df6185c1799f1b279f780105bdeeea27e3286b42f4cab18efbef05
-size 6924178

dovecot-2.3.4.tar.gz.sig

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJLBAABCAA1FiEEK+dKqz7nVN+5yA0zGKNIru1AnaEFAlv3480XHGRvdmVjb3Qt
-Y2VAZG92ZWNvdC5vcmcACgkQGKNIru1AnaF1mg//SA1Wstc+qX+LT+EzE1wqQuQR
-3aZPQI0e0T9DNggsDVifXtFUfbFBUhKX5r/dJxletbkZG5ymqHxdNMA43dLhiuAl
-wx0lXqEqanzyH+yDBC+dCXpfjw3ldu359edlFpwiGc1B+UfsxLBON6Kseh3W3/us
-0bkcDaFYmuhtPmKj3LdRWrURC5GJcDHaL639SfqL5A2J57Ah1OIh0YxWntImoYU7
-0eT6sGD5x/9HIkWtkZoGkn+Gm0hRXVPkeOQ2SmizqWiU4nxr9FCZdvb8rhCGeEVt
-0WZJANbpsKdKSXpxP7bdV+ivpUD6CorTT4apBhZSf049ZiuIueaxrWU1zaem2t1P
-cP1MGq+liZz0ZH+GPJtnAx45Gzx1SG1rBdQmBUOLnu1/v5S+NMsG+Wc0cdXMmxAF
-e7yCeRxeAvzbaKmvkVAESlonvCoh8bLdzE0XqibCRcWgGTCs1iVs3yQBSrDxii5x
-6KYiLe+r1YHH6cbMKC+ddPpuY1ybIXNo5kdLmCnUt2qOJQt2NDDH3FVHLeQFluTM
-q7ORNhmwNHlIeR01jBDvwrr1FIKPxYNTcigGQrVFQh3eLToYayXcnuFG3PgZwoI0
-zmTex70vEVrr1Ru8K9NTbsQKLu13CjGGVhenBQDj4C06P/fPLnXDYBkdVIkflQYA
-XFEAHqhpTKi0b5n0mQQ=
-=JHB0
------END PGP SIGNATURE-----

dovecot23.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Feb  5 13:45:52 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>
+
+- update to 2.3.4.1 (boo#1123022)
+  * CVE-2019-3814: If imap/pop3/managesieve/submission client has
+    trusted certificate with missing username field
+    (ssl_cert_username_field), under some configurations Dovecot
+    mistakenly trusts the username provided via authentication
+    instead of failing.
+  * ssl_cert_username_field setting was ignored with external
+    SMTP AUTH, because none of the MTAs (Postfix, Exim) currently
+    send the cert_username field. This may have allowed users with
+    trusted certificate to specify any username in the
+    authentication. This bug didn't affect Dovecot's Submission
+    service.
+
 -------------------------------------------------------------------
 Thu Jan 17 21:57:42 UTC 2019 - Arjen de Korte <suse+build@de-korte.org>
 

dovecot23.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package dovecot23
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,10 +17,10 @@
 
 
 Name:           dovecot23
-Version:        2.3.4
+Version:        2.3.4.1
 Release:        0
 %define pkg_name dovecot
-%define dovecot_version 2.3.4
+%define dovecot_version 2.3.4.1
 %define dovecot_pigeonhole_version 0.5.4
 %define dovecot_branch  2.3
 %define dovecot_pigeonhole_source_dir %{pkg_name}-%{dovecot_branch}-pigeonhole-%{dovecot_pigeonhole_version}