* CVE-2019-11500: IMAP protocol parser does not properly handle
NUL byte when scanning data in quoted strings, leading to out
of bounds heap memory writes. Found by Nick Roessler and Rafi
Rubin.
- update pigeonhole to 0.5.7.2
* CVE-2019-11500: ManageSieve protocol parser does not properly
handle NUL byte when scanning data in quoted strings, leading
to out of bounds heap memory writes. Found by Nick Roessler and
Rafi Rubin.
- refreshed patches to apply cleanly again:
dovecot-2.3.0-better_ssl_defaults.patch
dovecot-2.3.0-dont_use_etc_ssl_certs.patch
OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=52
+ sieve: Redirect loop prevention is sometimes ineffective.
Improve existing loop detection by also recognizing the
X-Sieve-Redirected-From header in incoming messages and
dropping redirect actions when it points to the sending
account. This header is already added by the redirect action,
so this improvement only adds an additional use of this header.
- sieve: Prevent execution of implicit keep upon temporary
failure occurring at runtime.
OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=47
* CVE-2019-11494: Submission-login crashed with signal 11 due to
null pointer access when authentication was aborted by
disconnecting.
* CVE-2019-11499: Submission-login crashed when authentication
was started over TLS secured channel and invalid authentication
message was sent.
* auth: Support password grant with passdb oauth2.
+ Use system default CAs for outbound TLS connections.
+ Simplify array handling with new helper macros.
+ fts_solr: Enable configuring batch_size and soft_commit features.
- lmtp/submission: Fixed various bugs in XCLIENT handling,
including a hang when XCLIENT commands were sent infinitely to
the remote server.
- lmtp/submission: Forwarded multi-line replies were erroneously
sent as two replies to the client.
- lib-smtp: client: Message was not guaranteed to contain CRLF
consistently when CHUNKING was used.
- fts_solr: Plugin was no longer compatible with Solr 7.
- Make it possible to disable certificate checking without
setting ssl_client_ca_* settings.
- pop3c: SSL support was broken.
- mysql: Closing connection twice lead to crash on some systems.
- auth: Multiple oauth2 passdbs crashed auth process on deinit.
- HTTP client connection errors infrequently triggered a
segmentation fault when the connection was idle and not used
for a particular client instance.
- drop https://github.com/dovecot/core/commit/3c5101ffd.patch
OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=46
* CVE-2019-10691: Trying to login with 8bit username containing
invalid UTF8 input causes auth process to crash if auth policy
is enabled. This could be used rather easily to cause a DoS.
Similar crash also happens during mail delivery when using
invalid UTF8 in From or Subject header when OX push
notification driver is used.
- update to 2.3.5.1 (boo#1130116)
OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=43
* CVE-2019-3814: If imap/pop3/managesieve/submission client has
trusted certificate with missing username field
(ssl_cert_username_field), under some configurations Dovecot
mistakenly trusts the username provided via authentication
instead of failing.
* ssl_cert_username_field setting was ignored with external
SMTP AUTH, because none of the MTAs (Postfix, Exim) currently
send the cert_username field. This may have allowed users with
trusted certificate to specify any username in the
authentication. This bug didn't affect Dovecot's Submission
service.
OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=38
- imap4flags extension: Fix binary corruption occurring when
setflag/addflag/removeflag flag-list is a variable.
- sieve-extprograms plugin: Fix segfault occurring when used in
IMAPSieve context.
- drop 321a39be974deb2e7eff7b2a509a3ee6ff2e5ae1.patch
OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=8
* CVE-2017-15130: TLS SNI config lookups may lead to excessive
memory usage, causing imap-login/pop3-login VSZ limit to be
reached and the process restarted. This happens only if Dovecot
config has local_name { } or local { } configuration blocks and
attacker uses randomly generated SNI servernames.
* CVE-2017-14461: Parsing invalid email addresses may cause a
crash or leak memory contents to attacker. For example, these
memory contents might contain parts of an email from another
user if the same imap process is reused for multiple users.
First discovered by Aleksandar Nikolic of Cisco Talos.
Independently also discovered by "flxflndy" via HackerOne.
* CVE-2017-15132: Aborted SASL authentication leaks memory in
login process.
* Linux: Core dumping is no longer enabled by default via
PR_SET_DUMPABLE, because this may allow attackers to bypass
chroot/group restrictions. Found by cPanel Security Team.
Nowadays core dumps can be safely enabled by using "sysctl -w
fs.suid_dumpable=2". If the old behaviour is wanted, it can
still be enabled by setting:
import_environment=$import_environment PR_SET_DUMPABLE=1
- imap-login with SSL/TLS connections may end up in infinite loop
OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=6