forked from pool/dovecot23
Marcus Rueckert
2cb5006e53
* CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes. Found by Nick Roessler and Rafi Rubin. - update pigeonhole to 0.5.7.2 * CVE-2019-11500: ManageSieve protocol parser does not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes. Found by Nick Roessler and Rafi Rubin. - refreshed patches to apply cleanly again: dovecot-2.3.0-better_ssl_defaults.patch dovecot-2.3.0-dont_use_etc_ssl_certs.patch OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=52
118 lines
5.1 KiB
Diff
118 lines
5.1 KiB
Diff
Index: dovecot-2.3.7.2/doc/example-config/conf.d/10-ssl.conf
|
|
===================================================================
|
|
--- dovecot-2.3.7.2.orig/doc/example-config/conf.d/10-ssl.conf
|
|
+++ dovecot-2.3.7.2/doc/example-config/conf.d/10-ssl.conf
|
|
@@ -9,7 +9,7 @@
|
|
# dropping root privileges, so keep the key file unreadable by anyone but
|
|
# root. Included doc/mkcert.sh can be used to easily generate self-signed
|
|
# certificate, just make sure to update the domains in dovecot-openssl.cnf
|
|
-ssl_cert = </etc/ssl/certs/dovecot.pem
|
|
+ssl_cert = </etc/ssl/private/dovecot.crt
|
|
ssl_key = </etc/ssl/private/dovecot.pem
|
|
|
|
# If key file is password protected, give the password here. Alternatively
|
|
Index: dovecot-2.3.7.2/doc/man/doveconf.1.in
|
|
===================================================================
|
|
--- dovecot-2.3.7.2.orig/doc/man/doveconf.1.in
|
|
+++ dovecot-2.3.7.2/doc/man/doveconf.1.in
|
|
@@ -132,7 +132,7 @@ Show passwords and other sensitive value
|
|
.TP
|
|
.B \-x
|
|
Expand configuration variables (e.g. \(Domail_plugins \(rA quota) and show
|
|
-file contents (from e.g. ssl_cert = </etc/ssl/certs/dovecot.pem).
|
|
+file contents (from e.g. ssl_cert = </etc/ssl/private/dovecot.crt).
|
|
.\"---------------------------------
|
|
.TP
|
|
.I section_name
|
|
@@ -213,4 +213,4 @@ dict/quota = pgsql:@pkgsysconfdir@/dovec
|
|
.BR doveadm (1),
|
|
.BR dovecot (1),
|
|
.BR dovecot\-lda (1),
|
|
-.BR dsync (1)
|
|
\ No newline at end of file
|
|
+.BR dsync (1)
|
|
Index: dovecot-2.3.7.2/doc/mkcert.sh
|
|
===================================================================
|
|
--- dovecot-2.3.7.2.orig/doc/mkcert.sh
|
|
+++ dovecot-2.3.7.2/doc/mkcert.sh
|
|
@@ -8,10 +8,10 @@ OPENSSL=${OPENSSL-openssl}
|
|
SSLDIR=${SSLDIR-/etc/ssl}
|
|
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
|
|
|
|
-CERTDIR=$SSLDIR/certs
|
|
+CERTDIR=$SSLDIR/private
|
|
KEYDIR=$SSLDIR/private
|
|
|
|
-CERTFILE=$CERTDIR/dovecot.pem
|
|
+CERTFILE=$CERTDIR/dovecot.crt
|
|
KEYFILE=$KEYDIR/dovecot.pem
|
|
|
|
if [ ! -d $CERTDIR ]; then
|
|
Index: dovecot-2.3.7.2/doc/wiki/CompilingSource.txt
|
|
===================================================================
|
|
--- dovecot-2.3.7.2.orig/doc/wiki/CompilingSource.txt
|
|
+++ dovecot-2.3.7.2/doc/wiki/CompilingSource.txt
|
|
@@ -142,7 +142,7 @@ non-standard path. Make sure you have th
|
|
installed, and if it is not in the standard location, set 'CPPFLAGS' and
|
|
'LDFLAGS' as shown in <the first section above.> [CompilingSource.txt]
|
|
|
|
-By default the SSL certificate is read from '/etc/ssl/certs/dovecot.pem' and
|
|
+By default the SSL certificate is read from '/etc/ssl/private/dovecot.crt' and
|
|
the private key from '/etc/ssl/private/dovecot.pem'. The '/etc/ssl' directory
|
|
can be changed using the '--with-ssldir=DIR' configure option. Both can of
|
|
course be overridden from the configuration file.
|
|
Index: dovecot-2.3.7.2/doc/wiki/SSL.CertificateCreation.txt
|
|
===================================================================
|
|
--- dovecot-2.3.7.2.orig/doc/wiki/SSL.CertificateCreation.txt
|
|
+++ dovecot-2.3.7.2/doc/wiki/SSL.CertificateCreation.txt
|
|
@@ -39,7 +39,7 @@ CN matches the connected host name, othe
|
|
invalid. It's also possible to use wildcards (eg. *.domain.com) in the host
|
|
name. They should work with most clients.
|
|
|
|
-By default the certificate is created to '/etc/ssl/certs/dovecot.pem' and the
|
|
+By default the certificate is created to '/etc/ssl/private/dovecot.crt' and the
|
|
private key file is created to '/etc/ssl/private/dovecot.pem'. Also by default
|
|
the certificate will expire in 365 days. If you wish to change any of these,
|
|
modify the mkcert.sh script.
|
|
Index: dovecot-2.3.7.2/doc/wiki/SSL.DovecotConfiguration.txt
|
|
===================================================================
|
|
--- dovecot-2.3.7.2.orig/doc/wiki/SSL.DovecotConfiguration.txt
|
|
+++ dovecot-2.3.7.2/doc/wiki/SSL.DovecotConfiguration.txt
|
|
@@ -41,7 +41,7 @@ The most important SSL settings are (in
|
|
---%<-------------------------------------------------------------------------
|
|
ssl = yes
|
|
# Preferred permissions: root:root 0444
|
|
-ssl_cert = </etc/ssl/certs/dovecot.pem
|
|
+ssl_cert = </etc/ssl/private/dovecot.crt
|
|
# Preferred permissions: root:root 0400
|
|
ssl_key = </etc/ssl/private/dovecot.pem
|
|
---%<-------------------------------------------------------------------------
|
|
@@ -73,11 +73,11 @@ override the global setting.:
|
|
|
|
---%<-------------------------------------------------------------------------
|
|
protocol imap {
|
|
- ssl_cert = </etc/ssl/certs/imap.pem
|
|
+ ssl_cert = </etc/ssl/private/imap.crt
|
|
ssl_key = </etc/ssl/private/imap.pem
|
|
}
|
|
protocol pop3 {
|
|
- ssl_cert = </etc/ssl/certs/pop3.pem
|
|
+ ssl_cert = </etc/ssl/private/pop3.crt
|
|
ssl_key = </etc/ssl/private/pop3.pem
|
|
}
|
|
---%<-------------------------------------------------------------------------
|
|
@@ -194,11 +194,11 @@ support SNI.
|
|
|
|
---%<-------------------------------------------------------------------------
|
|
local_name imap.example.org {
|
|
- ssl_cert = </etc/ssl/certs/imap.example.org.crt
|
|
+ ssl_cert = </etc/ssl/private/imap.example.org.crt
|
|
ssl_key = </etc/ssl/private/imap.example.org.key
|
|
}
|
|
local_name imap.example2.org {
|
|
- ssl_cert = </etc/ssl/certs/imap.example2.org.crt
|
|
+ ssl_cert = </etc/ssl/private/imap.example2.org.crt
|
|
ssl_key = </etc/ssl/private/imap.example2.org.key
|
|
}
|
|
# ..etc..
|