forked from pool/dovecot23
Marcus Rueckert
7469ea6825
4ff4bd024a
.patch
OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=26
362 lines
16 KiB
Plaintext
-------------------------------------------------------------------
Fri Jul 13 21:23:16 UTC 2018 - mrueckert@suse.de

- added
  https://github.com/dovecot/core/commit/4ff4bd024a9b6e7973b76b186ce085c2ca669d3e.patch

-------------------------------------------------------------------
Wed Jul 11 14:17:57 UTC 2018 - mrueckert@suse.de

- update to 2.3.2.1
  - SSL/TLS servers may have crashed during client disconnection
  - lmtp: With lmtp_rcpt_check_quota=yes mail deliveries may have
    sometimes assert-crashed.
  - v2.3.2: "make check" may have crashed with 32bit systems

-------------------------------------------------------------------
Sat Jun 30 20:06:40 UTC 2018 - mrueckert@suse.de

- update to 2.3.2
  * old-stats plugin: Don't temporarily enable PR_SET_DUMPABLE
    while opening /proc/self/io. This may still cause security
    problems if the process is ptrace()d at the same time.
    Instead, open it while still running as root.
  + doveadm: Added mailbox cache decision&remove commands. See
    doveadm-mailbox(1) man page for details.
  + doveadm: Added rebuild attachments command for rebuilding
    $HasAttachment or $HasNoAttachment flags for matching mails.
    See doveadm-rebuild(1) man page for details.
  + cassandra: Use fallback_consistency on more types of errors
  + lmtp proxy: Support outgoing SSL/TLS connections
  + lmtp: Add lmtp_rawlog_dir and lmtp_proxy_rawlog_dir settings.
  + submission: Add support for rawlog_dir
  + submission: Add submission_client_workarounds setting.
  + lua auth: Add password_verify() function and additional fields
    in auth request.
  - doveadm-server: TCP connections are hanging when there is a lot
    of network output. This especially caused hangs in
    dsync-replication.
  - Using multiple type=shared mdbox namespaces crashed
  - mail_fsync setting was ignored. It was always set to
    "optimized".
  - lua auth: Fix potential crash at deinit
  - SSL/TLS servers may have crashed if client disconnected during
    handshake.
  - SSL/TLS servers: Don't send extraneous certificates to client
    when alt certs are used.
  - lda, lmtp: Return-Path header without '<' may have
    assert-crashed.
  - lda, lmtp: Unencoded UTF-8 in email address headers may
    assert-crash
  - lda: -f parameter didn't allow empty/null/domainless address
  - lmtp, submission: Message size limit was hardcoded to 40 MB.
    Exceeding it caused the connection to get dropped during
    transfer.
  - lmtp: Fix potential crash when delivery fails at DATA stage
  - lmtp: login_greeting setting was ignored
  - Fix to work with OpenSSL v1.0.2f
  - systemd unit restrictions were too strict by default
  - Fix potential crashes when a lot of log output was produced
  - SMTP client may have assert-crashed when sending mail
  - IMAP COMPRESS: Send "end of compression" marker when
    disconnecting.
  - cassandra: Fix consistency=quorum to work
  - dsync: Lock file generation failed if home directory didn't
    exist
  - Snippet generation for HTML mails didn't ignore &entities
    inside blockquotes, producing strange looking snippets.
  - imapc: Fix assert-crash if getting disconnected and after
    reconnection all mails in the selected mailbox are gone.
  - pop3c: Handle unexpected server disconnections without
    assert-crash
  - fts: Fixes to indexing mails via virtual mailboxes.
  - fts: If mails contained NUL characters, the text around it
    wasn't indexed.
  - Obsolete dovecot.index.cache offsets were sometimes used.
    Trying to fetch a field that was just added to cache file may
    not have always found it.
- update pigeonhole to 0.5.2
  + Implement plugin for a vendor-defined IMAP capability
    called "FILTER=SIEVE". It adds the ability to manually invoke
    Sieve filtering in IMAP. More information can be found in
    doc/plugins/imap_filter_sieve.txt.
  - The Sieve address test caused an assertion panic for invalid
    addresses with UTF-8 codepoints in the localpart. Fixed by
    properly detecting invalid addresses with UTF-8 codepoints in
    the localpart and skipping these like other invalid addresses
    while iterating addresses for the address test.
  - Make the length of the subject header for the vacation response
    configurable and enforce the limit in UTF-8 codepoints rather
    than bytes. The subject header for a vacation response was
    statically truncated to 256 bytes, which is too limited for
    multi-byte UTF-8 characters.
  - Sieve editheader extension: Fix assertion panic occurring when
    it is used to manipulate a message header with a very large
    header field.
  - Properly abort execution of the sieve_discard script upon
    error. Before, the LDA Sieve plugin attempted to execute the
    sieve_discard script when an error occurs. This can lead to the
    message being lost.
  - Fix the interaction between quota and the sieve_discard script.
    When quota was used together with a sieve_discard script, the
    message delivery did not bounce when the quota was exceeded.
- refreshed to apply cleanly again dovecot-2.3.0-better_ssl_defaults.patch
- dropped patches:
  - 35497604d80090a02619024aeec069b32568e4b4.diff
  - 5522b8b3d3ed1a99c3b63bb120216af0bd427403.diff
  - 847790d5aab84df38256a6f9b4849af0eb408419.patch

-------------------------------------------------------------------
Sun May 27 09:31:02 UTC 2018 - mrueckert@suse.de

- added 847790d5aab84df38256a6f9b4849af0eb408419.patch:
  Fix crash for over quota users

-------------------------------------------------------------------
Thu May 24 09:42:48 UTC 2018 - kbabioch@suse.com

- Use OpenPGP signatures provided upstream
- Added dovecot23.keyring, which contains the keys from the upstream projects

-------------------------------------------------------------------
Tue Apr 10 15:46:04 UTC 2018 - varkoly@suse.com

- bnc#1088911 - dovecot23 can not build on s390
  add: 35497604d80090a02619024aeec069b32568e4b4.diff
  add: 5522b8b3d3ed1a99c3b63bb120216af0bd427403.diff

-------------------------------------------------------------------
Wed Mar 28 09:02:33 UTC 2018 - mrueckert@suse.de

- update pigeonhole to 0.5.1
  - Explicitly disallow UTF-8 in localpart in addresses parsed from
    Sieve script.
  - editheader extension: Corrected the stream position
    calculations performed while making the modified message
    available as a stream. Pigeonhole Sieve crashed in LMTP with
    an assertion panic when the Sieve editheader extension was used
    before the message was redirected. Experiments indicate that
    the problem occurred only with LMTP and that LDA is not
    affected.
  - fileinto extension: Fix assert panic occurring when fileinto is
    used without being listed in the require line, while the copy
    extension is listed there. This is a very old bug.
  - imapsieve plugin: Do not assert crash or log an error for
    messages that disappear concurrently while applying Sieve
    scripts. This event is now logged as a debug message.
  - Sieve extprograms plugin: Large output from "execute" command
    crashed delivery. Fixed buffering issue in code that handles
    output from the external program.

-------------------------------------------------------------------
Tue Mar 27 18:28:48 UTC 2018 - mrueckert@suse.de

- update to 2.3.1
  * Submission server support improvements and bug fixes
    - Lots of bug fixes to submission server
  * API CHANGE: array_idx_modifiable will no longer allocate space
    - Particularly affects how you should check MODULE_CONTEXT
      result, or use REQUIRE_MODULE_CONTEXT.
  + mail_attachment_detection_options setting controls when
    $HasAttachment and $HasNoAttachment keywords are set for mails.
  + imap: Support fetching body snippets using FETCH (SNIPPET) or
    (SNIPPET (LAZY=FUZZY))
  + fs-compress: Automatically detect whether input is compressed
    or not. Prefix the compression algorithm with "maybe-" to
    enable the detection, for example: "compress:maybe-gz:6:..."
  + Added settings to change dovecot.index* files' optimization
    behavior. See https://wiki2.dovecot.org/IndexFiles#Settings
  + Auth cache can now utilize auth workers to do password hash
    verification by setting
    auth_cache_verify_password_with_worker=yes.
  + Added charset_alias plugin. See
    https://wiki2.dovecot.org/Plugins/CharsetAlias
  + imap_logout_format and pop3_logout_format settings now support
    all of the generic variables (e.g. %{rip}, %{session}, etc.)
  + Added auth_policy_check_before_auth,
    auth_policy_check_after_auth and auth_policy_report_after_auth
    settings.
  + master: Support HAProxy PP2_TYPE_SSL command and set "secured"
    variable appropriately
  - Invalid UCS4 escape in HTML can cause crashes
  - imap: IMAP COMPRESS -enabled client crashes on disconnect
  - lmtp: Fix crash when user is over quota
  - lib-lda: Parsing Return-Path header address fails when it
    contains CFWS
  - auth: SASL with Exim fails for AUTH commands without an initial
    response
  - imap: SPECIAL-USE capability isn't automatically added
  - auth: LDAP subqueries do not support standard auth variables in
    var-expand
  - auth: SHA256-CRYPT and SHA512-CRYPT schemes do not work
  - lib-index: mail_always/never_cache_fields are not used for
    existing cache files
  - imap: Fetching headers leaks memory if search doesn't find any
    mails
  - lmtp: ORCPT support in RCPT TO
  - imap-login: Process sometimes ends up in infinite loop
  - sdbox: Rolled back save/copy transaction doesn't delete temp
    files
  - mail: lock_method=dotlock causes crashes
- drop patches which are included in the update
  23da0fa1b30cc11bcc1d467674a0950c527e9ff1.patch
  dovecot-2.3.0.1-over-quota-lmtp-crash.patch

-------------------------------------------------------------------
Tue Mar 13 10:40:48 UTC 2018 - dimstar@opensuse.org

- Fix License tag.

-------------------------------------------------------------------
Wed Mar 7 12:25:51 UTC 2018 - mrueckert@suse.de

- added 23da0fa1b30cc11bcc1d467674a0950c527e9ff1.patch

-------------------------------------------------------------------
Wed Mar 7 12:10:44 UTC 2018 - mrueckert@suse.de

- update license to SPDX-3

-------------------------------------------------------------------
Tue Mar 6 19:28:49 UTC 2018 - mrueckert@suse.de

- update pigeonhole to 0.5.0.1
  - imap4flags extension: Fix binary corruption occurring when
    setflag/addflag/removeflag flag-list is a variable.
  - sieve-extprograms plugin: Fix segfault occurring when used in
    IMAPSieve context.
- drop 321a39be974deb2e7eff7b2a509a3ee6ff2e5ae1.patch

-------------------------------------------------------------------
Tue Mar 6 17:54:58 UTC 2018 - mrueckert@suse.de

- pull backport patch dovecot-2.3.0.1-over-quota-lmtp-crash.patch

-------------------------------------------------------------------
Tue Mar 6 13:48:50 UTC 2018 - mrueckert@suse.de

- update to 2.3.0.1
  * CVE-2017-15130: TLS SNI config lookups may lead to excessive
    memory usage, causing imap-login/pop3-login VSZ limit to be
    reached and the process restarted. This happens only if Dovecot
    config has local_name { } or local { } configuration blocks and
    attacker uses randomly generated SNI servernames. (boo#1082828)
  * CVE-2017-14461: Parsing invalid email addresses may cause a
    crash or leak memory contents to attacker. For example, these
    memory contents might contain parts of an email from another
    user if the same imap process is reused for multiple users.
    First discovered by Aleksandar Nikolic of Cisco Talos.
    Independently also discovered by "flxflndy" via HackerOne.
    (boo#1082826)
  * CVE-2017-15132: Aborted SASL authentication leaks memory in
    login process. (boo#1075608)
  * Linux: Core dumping is no longer enabled by default via
    PR_SET_DUMPABLE, because this may allow attackers to bypass
    chroot/group restrictions. Found by cPanel Security Team.
    Nowadays core dumps can be safely enabled by using "sysctl -w
    fs.suid_dumpable=2". If the old behaviour is wanted, it can
    still be enabled by setting:
    import_environment=$import_environment PR_SET_DUMPABLE=1
  - imap-login with SSL/TLS connections may end up in infinite loop

-------------------------------------------------------------------
Mon Dec 25 22:39:53 UTC 2017 - jengelh@inai.de

- Replace %__-type macro indirections.
  Replace xargs rm by built in -delete of find(1).
- Run ldconfig directly via %post -p.
- Check for users in %pre before creating them, and do not suppress
  errors about it.

-------------------------------------------------------------------
Mon Dec 25 18:47:35 UTC 2017 - mrueckert@suse.de

- backport 321a39be974deb2e7eff7b2a509a3ee6ff2e5ae1.patch
  fixes crash with imap sieve

-------------------------------------------------------------------
Sun Dec 24 02:04:25 UTC 2017 - mrueckert@suse.de

- Move the example-config + mkcert.sh to /usr/share/dovecot
  This makes the files no longer documentation and they actually
  exist on e.g. our docker image, where rpms are installed without
  documentation. (boo#1070871)

-------------------------------------------------------------------
Wed Dec 20 10:32:23 UTC 2017 - mrueckert@suse.de

- starting 2.3 package based on the latest 2.2 branch

  There are several new and exciting features in v2.3.0. I'm
  especially happy about the new logging and statistics code, which
  will allow us to generate statistics for just about everything.
  We didn't have time to implement everything we wanted for them
  yet, and there especially aren't all that many logging events yet
  that can be used for statistics. We'll implement those to v2.3.1,
  which might also mean that some of the APIs might still change in
  v2.3.1 if that's required.

  We also have new lib-smtp server code, which was used to
  implement SMTP submission server and do a partial rewrite for
  LMTP server.

  Some of the larger changes:

  * Various setting changes, see

    https://wiki2.dovecot.org/Upgrading/2.3

    If you upgrade from 2.2: Config file changes:
    - Removed:
      /etc/dovecot/conf.d/11-object-storage.conf
    - Added:
      /etc/dovecot/conf.d/20-submission.conf

  * Logging rewrite started: Logging is now based on hierarchical
    events. This makes it possible to do various things, like: 1)
    giving consistent log prefixes, 2) enabling debug logging with
    finer granularity, 3) provide logs in more machine readable
    formats (e.g. json). Everything isn't finished yet, especially
    a lot of the old logging code still needs to be translated to
    the new way.
  * Statistics rewrite started: Stats are now based on (log)
    events. It's possible to gather statistics about any event
    that is logged. See http://wiki2.dovecot.org/Statistics for
    details
  * ssl_dh setting replaces the old generated ssl-parameters.dat
  * IMAP: When BINARY FETCH finds a broken mail, send [PARSE]
    error instead of [UNKNOWNCTE]
  * Linux: core dumping via PR_SET_DUMPABLE is no longer enabled
    by default due to potential security reasons (found by cPanel
    Security Team).

  + Added support for SMTP submission proxy server, which
    includes support for BURL and CHUNKING extension.
  + LMTP rewrite. Supports now CHUNKING extension and mixing of
    local/proxy recipients.
  + auth: Support libsodium to add support for ARGON2I and
    ARGON2ID password schemes.
  + auth: Support BLF-CRYPT password scheme in all platforms
  + auth: Added LUA scripting support for passdb/userdb.
    See https://wiki2.dovecot.org/AuthDatabase/Lua
  - Input streams are more reliable now when there are errors or
    when the maximum buffer size is reached. Previously in some
    situations this could have caused Dovecot to try to read
    already freed memory.
  - Output streams weren't previously handling failures when
    writing a trailer at the end of the stream. This mainly
    affected encrypt and zlib compress ostreams, which could have
    silently written truncated files if the last write happened to
    fail (which shouldn't normally have ever happened).
  - virtual plugin: Fixed panic when fetching mails from virtual
    mailboxes with IMAP BINARY extension.
  - doveadm-server: Fix potential hangs with SSL connections
  - doveadm proxy: Reading commands' output from v2.2.33+ servers
    could have caused the output to be corrupted or caused a
    crash.
  - Many other smaller fixes
- patches:
  - dovecot-2.3.0-better_ssl_defaults.patch
  - dovecot-2.3.0-dont_use_etc_ssl_certs.patch