Hello community,

here is the log from the commit of package dovecot23 for openSUSE:Factory 
checked in at 2021-07-07 18:29:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dovecot23 (Old)
 and      /work/SRC/openSUSE:Factory/.dovecot23.new.2625 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "dovecot23"

Wed Jul  7 18:29:57 2021 rev:40 rq:903106 version:2.3.15

Changes:
--------
--- /work/SRC/openSUSE:Factory/dovecot23/dovecot23.changes      2021-05-15 
23:17:32.544410164 +0200
+++ /work/SRC/openSUSE:Factory/.dovecot23.new.2625/dovecot23.changes    
2021-07-07 18:31:19.942589473 +0200
@@ -1,0 +2,149 @@
+Tue Jun 22 15:13:47 UTC 2021 - Marcus Rueckert <mrueck...@suse.de>
+
+- use lua 5.1 for sle12
+
+-------------------------------------------------------------------
+Mon Jun 21 11:27:29 UTC 2021 - Michael Str??der <mich...@stroeder.com>
+
+- update to 2.3.15 and pigeonhole to 0.5.15:
+  * security fixes for CVE-2021-29157, CVE-2021-33515, and CVE-2020-28200
+  * rebased patch dovecot-2.3.0-better_ssl_defaults.patch
+  * removed obsolete back-port patches
+    allow-tls1.3-only.patch and openssl-cnf-default_bits-2048.patch
+  * require lua53-devel for build
+
+  Dovecot 2.3.15
+  * CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
+    JWT tokens. This may be used to supply attacker controlled keys to
+    validate tokens, if attacker has local access.
+  * CVE-2021-33515: On-path attacker could have injected plaintext commands
+    before STARTTLS negotiation that would be executed after STARTTLS
+    finished with the client.
+  * Disconnection log messages are now more standardized across services.
+    They also always now start with "Disconnected" prefix.
+  * Dovecot now depends on libsystemd for systemd integration.
+  * Removed support for Lua 5.2. Use version 5.1 or 5.3 instead.
+  * config: Some settings are now marked as "hidden". It's discouraged to
+    change these settings. They will no longer be visible in doveconf
+    output, except if they have been changed or if doveconf -s parameter
+    is used. See https://doc.dovecot.org/settings/advanced/ for details.
+  * imap-compress: Compression level is now algorithm specific.
+    See https://doc.dovecot.org/settings/plugin/compress-plugin/
+  * indexer-worker: Convert "Indexed" info logs to an event named
+    "indexer_worker_indexing_finished". See
+    
https://doc.dovecot.org/admin_manual/list_of_events/#indexer-worker-indexing-finished
+  + Add TSLv1.3 support to min_protocols.
+  + Allow configuring ssl_cipher_suites. (for TLSv1.3+)
+  + acl: Add acl_ignore_namespace setting which allows to entirely ignore
+    ACLs for the listed namespaces.
+  + imap: Support official RFC8970 preview/snippet syntax. Old methods of
+    retrieving preview information via IMAP commands ("SNIPPET and PREVIEW
+    with explicit algorithm selection") have been deprecated.
+  + imapc: Support INDEXPVT for imapc storage to enable private
+    message flags for cluster wide shared mailboxes.
+  + lib-storage: Add new events: mail_opened, mail_expunge_requested,
+    mail_expunged, mail_cache_lookup_finished. See
+    https://doc.dovecot.org/admin_manual/list_of_events/#mail
+  + zlib, imap-compression, fs-compress: Support compression levels that
+    the algorithm supports. Before, we would allow hardcoded value between
+    1 to 9 and would default to 6. Now we allow using per-algorithm value
+    range and default to whatever default the algorithm specifies.
+  - *-login: Commands pipelined together with and just after the authenticate
+    command cause these commands to be executed twice. This applies to all
+    protocols that involve user login, which currently comprises of imap,
+    pop3, submisision and managesieve.
+  - *-login: Processes are supposed to disconnect the oldest non-logged in
+    connection when process_limit was reached. This didn't actually happen
+    with the default "high-security mode" (with service_count=1) where each
+    connection is handled by a separate process.
+  - *-login: When login process reaches client/process limits, oldest
+    client connections are disconnected. If one of these was still doing
+    anvil lookup, this caused a crash. This could happen only if the login
+    process limits were very low or if the server was overloaded.
+  - Fixed building with link time optimizations (-flto).
+  - auth: Userdb iteration with passwd driver does not always return all
+    users with some nss drivers.
+  - dsync: Shared INBOX not synced when "mail_shared_explicit_inbox" was
+    disabled. If a user has a shared mailbox which is another user's INBOX,
+    dsync didn't include the mailbox in syncing unless explicit naming is
+    enabled with "mail_shared_explicit_inbox" set to "yes".
+  - dsync: Shared namespaces were not synced with "-n" flag.
+  - dsync: Syncing shared INBOX failed if mail_attribute_dict was not set.
+    If a user has a shared mailbox that is another user's INBOX, dsync
+    failed to export the mailbox if mail attributes are disabled.
+  - fts-solr, fts-tika: Using both Solr FTS and Tika may have caused HTTP
+    requests to assert-crash: Panic: file http-client-request.c: line 1232
+    (http_client_request_send_more): assertion failed: (req->payload_input != 
NULL)
+  - fts-tika: 5xx errors returned by Tika server as indexing failures.
+    However, Tika can return 5xx for some attachments every time.
+    So the 5xx error should be retried once, but treated as success if it
+    happens on the retry as well. v2.3 regression.
+  - fts-tika: v2.3.11 regression: Indexing messages with fts-tika may have
+    resulted in Panic: file message-parser.c: line 802 
(message_parser_deinit_from_parts):
+    assertion failed: (ctx->nested_parts_count == 0 || 
i_stream_have_bytes_left(ctx->input))
+  - imap: SETMETADATA could not be used to unset metadata values.
+    Instead NIL was handled as a "NIL" string. v2.3.14 regression.
+  - imap: IMAP BINARY FETCH crashes at least on empty base64 body:
+    Panic: file index-mail-binary.c: line 358 (blocks_count_lines):
+    assertion failed: (block_count == 0 || block_idx+1 == block_count)
+  - imap: If IMAP client using the NOTIFY command was disconnected while
+    sending FETCH notifications to the client, imap could crash with
+    Panic: Trying to close mailbox INBOX with open transactions.
+  - imap: Using IMAP COMPRESS extension can cause IMAP connection to hang
+    when IMAP commands are >8 kB long.
+  - imapc: If remote server sent BYE but didn't immediately disconnect, it
+    could cause infinite busy-loop.
+  - lib-index: Corrupted cache record size in dovecot.index.cache file
+    could have caused a crash (segfault) when accessing it.
+  - lib-oauth2: JWT token time validation now works correctly with
+    32-bit systems.
+  - lib-ssl-iostream: Checking hostnames against an SSL certificate was
+    case-sensitive.
+  - lib-storage: Corrupted mime.parts in dovecot.index.cache may have
+    resulted in Panic: file imap-bodystructure.c: line 206 (part_write_body):
+    assertion failed: (text == ((part->flags & MESSAGE_PART_FLAG_TEXT) != 0))
+  - lib-storage: Index rebuilding (e.g. via doveadm force-resync) didn't
+    preserve the "hdr-pop3-uidl" header. Because of this, the next pop3
+    session could have accessed all of the emails' metadata to read their
+    POP3 UIDL (opening dbox files).
+  - listescape: When using the listescape plugin and a shared namespace
+    the plugin didn't work properly anymore resulting in errors like:
+    "Invalid mailbox name: Name must not have '/' character."
+  - lmtp: Connection crashes if connection gets disconnected due to
+    multiple bad commands and the last bad command is BDAT.
+  - lmtp: The Dovecot-specific LMTP parameter XRCPTFORWARD was blindly
+    forwarded by LMTP proxy without checking that the backend has support.
+    This caused a command parameter error from the backend if it was
+    running an older Dovecot release. This could only occur in more complex
+    setups where the message was proxied twice; when the proxy generated
+    the XRCPTFORWARD parameter itself the problem did not occur, so this
+    only happened when it was forwarded.
+  - lmtp: The LMTP proxy crashes with a panic when the remote server
+    replies with an error while the mail is still being forwarded through
+    a DATA/BDAT command.
+  - lmtp: Username may have been missing from lmtp log line prefixes when
+    it was performing autoexpunging.
+  - master: Dovecot would incorrectly fail with haproxy 2.0.14 service
+    checks.
+  - master: Systemd service: Dovecot announces readiness for accepting
+    connections earlier than it should. The following environment variables
+    are now imported automatically and can be omitted from
+    import_environment setting: NOTIFY_SOCKET LISTEN_FDS LISTEN_PID.
+  - master: service { process_min_avail } was launching processes too
+    slowly when master was forking a lot of processes.
+  - util: Make the health-check.sh example script POSIX shell compatible.
+
+  Pigeonhole 0.5.15
+  * CVE-2020-28200: Sieve interpreter is not protected against abusive
+    scripts that claim excessive resource usage. Fixed by limiting the
+    user CPU time per single script execution and cumulatively over
+    several script runs within a configurable timeout period. Sufficiently
+    large CPU time usage is summed in the Sieve script binary and execution
+    is blocked when the sum exceeds the limit within that time. The block
+    is lifted when the script is updated after the resource usage times out.
+  * Disconnection log messages are now more standardized across services.
+    They also always now start with "Disconnected" prefix.
+  - managesieve: Commands pipelined together with and just after the
+    authenticate command cause these commands to be executed twice.
+
+-------------------------------------------------------------------
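Review bot: the 2021-06-21 entry names CVE-2021-29157, CVE-2021-33515 and CVE-2020-28200 but carries no bsc#/boo# bug references next to them, which openSUSE security updates normally include so the submit request can be matched to its tracking bug; add the tracker id after each CVE (e.g. `CVE-2021-29157 (bsc#NNNNNNN)`, with NNNNNNN standing for the real bug number) where one exists. The author line of that entry also reads `Str??der`, which looks like a mis-encoded `ö`; re-saving dovecot23.changes as UTF-8 before acceptance avoids the corruption propagating into the package history.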

Old:
----
  allow-tls1.3-only.patch
  dovecot-2.3-pigeonhole-0.5.14.tar.gz
  dovecot-2.3-pigeonhole-0.5.14.tar.gz.sig
  dovecot-2.3.14.tar.gz
  dovecot-2.3.14.tar.gz.sig
  openssl-cnf-default_bits-2048.patch

New:
----
  dovecot-2.3-pigeonhole-0.5.15.tar.gz
  dovecot-2.3-pigeonhole-0.5.15.tar.gz.sig
  dovecot-2.3.15.tar.gz
  dovecot-2.3.15.tar.gz.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ dovecot23.spec ++++++
--- /var/tmp/diff_new_pack.HGlsVv/_old  2021-07-07 18:31:20.498585110 +0200
+++ /var/tmp/diff_new_pack.HGlsVv/_new  2021-07-07 18:31:20.502585078 +0200
@@ -19,11 +19,11 @@
 %global _lto_cflags %{nil}
 
 Name:           dovecot23
-Version:        2.3.14
+Version:        2.3.15
 Release:        0
 %define pkg_name dovecot
-%define dovecot_version 2.3.14
-%define dovecot_pigeonhole_version 0.5.14
+%define dovecot_version 2.3.15
+%define dovecot_pigeonhole_version 0.5.15
 %define dovecot_branch  2.3
 %define dovecot_pigeonhole_source_dir 
%{pkg_name}-%{dovecot_branch}-pigeonhole-%{dovecot_pigeonhole_version}
 %define dovecot_pigeonhole_docdir     %{_docdir}/%{pkg_name}/dovecot-pigeonhole
@@ -105,7 +105,11 @@
 %if 0%{?suse_version} > 1020
 BuildRequires:  libbz2-devel
 %endif
-BuildRequires:  lua-devel
+%if 0%{?suse_version} >= 1500
+BuildRequires:  lua53-devel
+%else
+BuildRequires:  lua51-devel
+%endif
 %if %{with solr}
 BuildRequires:  curl-devel
 BuildRequires:  libexpat-devel
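Review bot: the new `%if 0%{?suse_version} >= 1500` block gives no hint why lua53-devel is picked on newer targets and lua51-devel on older ones; a one-line comment above it noting that upstream 2.3.15 removed Lua 5.2 support and that SLE 12 only provides lua51-devel would tie the conditional to the two changelog entries ("use lua 5.1 for sle12", "require lua53-devel for build") without a changelog lookup.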
@@ -148,10 +152,6 @@
 Source12:       dovecot23.keyring
 Patch:          dovecot-2.3.0-dont_use_etc_ssl_certs.patch
 Patch1:         dovecot-2.3.0-better_ssl_defaults.patch
-#               https://github.com/dovecot/core/pull/126
-Patch2:         allow-tls1.3-only.patch
-#               https://github.com/dovecot/core/pull/161
-Patch3:         openssl-cnf-default_bits-2048.patch
 Summary:        IMAP and POP3 Server Written Primarily with Security in Mind
 License:        BSD-3-Clause AND LGPL-2.1-or-later AND MIT
 Group:          Productivity/Networking/Email/Servers
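Review bot: removing the `Patch2:` and `Patch3:` definitions is only half of the cleanup; the `%prep` section is not in this excerpt, so confirm the matching `%patch2` and `%patch3` application lines were dropped as well, otherwise rpmbuild fails on an undefined patch number. The two upstream PR links in the deleted comments are the record of why allow-tls1.3-only.patch and openssl-cnf-default_bits-2048.patch are obsolete; consider carrying them into the changelog entry that says "removed obsolete back-port patches".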

++++++ dovecot-2.3-pigeonhole-0.5.14.tar.gz -> 
dovecot-2.3-pigeonhole-0.5.15.tar.gz ++++++
++++ 15400 lines of diff (skipped)

++++++ dovecot-2.3.0-better_ssl_defaults.patch ++++++
--- /var/tmp/diff_new_pack.HGlsVv/_old  2021-07-07 18:31:20.934581688 +0200
+++ /var/tmp/diff_new_pack.HGlsVv/_new  2021-07-07 18:31:20.934581688 +0200
@@ -1,19 +1,18 @@
-Index: dovecot-2.3.7.2/doc/example-config/conf.d/10-ssl.conf
-===================================================================
---- dovecot-2.3.7.2.orig/doc/example-config/conf.d/10-ssl.conf
-+++ dovecot-2.3.7.2/doc/example-config/conf.d/10-ssl.conf
+diff -ur dovecot-2.3.15.orig/doc/example-config/conf.d/10-ssl.conf 
dovecot-2.3.15/doc/example-config/conf.d/10-ssl.conf
+--- dovecot-2.3.15.orig/doc/example-config/conf.d/10-ssl.conf
++++ dovecot-2.3.15/doc/example-config/conf.d/10-ssl.conf
 @@ -9,8 +9,8 @@
  # dropping root privileges, so keep the key file unreadable by anyone but
  # root. Included doc/mkcert.sh can be used to easily generate self-signed
  # certificate, just make sure to update the domains in dovecot-openssl.cnf
--ssl_cert = </etc/ssl/private/dovecot.crt
+-ssl_cert = </etc/ssl/certs/dovecot.pem
 -ssl_key = </etc/ssl/private/dovecot.pem
 +#ssl_cert = </etc/ssl/private/dovecot.crt
 +#ssl_key = </etc/ssl/private/dovecot.pem
  
  # If key file is password protected, give the password here. Alternatively
  # give it when starting dovecot with -p parameter. Since this file is often
-@@ -60,6 +60,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+@@ -64,6 +64,7 @@
  #ssl_cipher_list = 
ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
  # To disable non-EC DH, use:
  #ssl_cipher_list = 
ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
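Review bot: the rebased patch now comments out both `ssl_cert` and `ssl_key` in 10-ssl.conf (the `+#ssl_cert` / `+#ssl_key` lines), which only makes sense together with dovecot-2.3.0-dont_use_etc_ssl_certs.patch dropping its own 10-ssl.conf hunk further down; a description at the top of this patch should say that the example config intentionally ships with no certificate path, since a reader of this patch alone cannot see the reason. The file header was also changed from quilt `Index:` style to `diff -ur`, here without timestamps but with timestamps for master-service-ssl-settings.c below; a `quilt refresh` would make both file headers consistent.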
@@ -21,29 +20,29 @@
  
  # Colon separated list of elliptic curves to use. Empty value (the default)
  # means use the defaults from the SSL library. P-521:P-384:P-256 would be an
-@@ -68,6 +69,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+@@ -71,7 +72,7 @@
+ #ssl_curve_list =
  
  # Prefer the server's order of ciphers over client's.
- #ssl_prefer_server_ciphers = no
+-#ssl_prefer_server_ciphers = no
 +ssl_prefer_server_ciphers = yes
  
  # SSL crypto device to use, for valid values run "openssl engine"
  #ssl_crypto_device =
-@@ -76,3 +78,4 @@ ssl_key = </etc/ssl/private/dovecot.pem
+@@ -80,3 +81,4 @@
  #   compression - Enable compression.
  #   no_ticket - Disable SSL session tickets.
  #ssl_options =
 +ssl_options = no_compression
-Index: dovecot-2.3.7.2/src/lib-master/master-service-ssl-settings.c
-===================================================================
---- dovecot-2.3.7.2.orig/src/lib-master/master-service-ssl-settings.c
-+++ dovecot-2.3.7.2/src/lib-master/master-service-ssl-settings.c
-@@ -61,7 +61,7 @@ static const struct master_service_ssl_s
+diff -ur dovecot-2.3.15.orig/src/lib-master/master-service-ssl-settings.c 
dovecot-2.3.15/src/lib-master/master-service-ssl-settings.c
+--- dovecot-2.3.15.orig/src/lib-master/master-service-ssl-settings.c   
2021-06-14 15:40:37.000000000 +0200
++++ dovecot-2.3.15/src/lib-master/master-service-ssl-settings.c        
2021-06-21 14:09:29.663825041 +0200
+@@ -62,7 +62,7 @@
        .ssl_client_cert = "",
        .ssl_client_key = "",
        .ssl_dh = "",
 -      .ssl_cipher_list = 
"ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH",
 +      .ssl_cipher_list = 
"ALL:!LOW:!SSLv2:!EXP:!aNULL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH",
+       .ssl_cipher_suites = "", /* Use TLS library provided value */
        .ssl_curve_list = "",
-       .ssl_min_protocol = "TLSv1",
-       .ssl_cert_username_field = "commonName",
+       .ssl_min_protocol = "TLSv1.2",
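Review bot: the cipher list this patch substitutes (the `.ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:..."` context line) drops the `!kRSA:!SRP:!kDHd:!DSS` exclusions present in the upstream 2.3.15 default directly above it, so the "better" defaults re-enable static RSA key exchange (no forward secrecy) and SRP/DSS suites that stock Dovecot now refuses; the list also repeats `!aNULL` and `!LOW`. The changes that still add value in this patch are `ssl_min_protocol = "TLSv1.2"`, `ssl_prefer_server_ciphers = yes` and `ssl_options = no_compression`, so suggest removing the cipher-list replacement from the patch, or rewriting it as upstream's list plus whatever extra exclusions are wanted, rather than keeping a list that is now weaker than upstream.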

++++++ dovecot-2.3.0-dont_use_etc_ssl_certs.patch ++++++
--- /var/tmp/diff_new_pack.HGlsVv/_old  2021-07-07 18:31:20.942581625 +0200
+++ /var/tmp/diff_new_pack.HGlsVv/_new  2021-07-07 18:31:20.946581594 +0200
@@ -1,16 +1,3 @@
-Index: dovecot-2.3.9.3/doc/example-config/conf.d/10-ssl.conf
-===================================================================
---- dovecot-2.3.9.3.orig/doc/example-config/conf.d/10-ssl.conf
-+++ dovecot-2.3.9.3/doc/example-config/conf.d/10-ssl.conf
-@@ -9,7 +9,7 @@
- # dropping root privileges, so keep the key file unreadable by anyone but
- # root. Included doc/mkcert.sh can be used to easily generate self-signed
- # certificate, just make sure to update the domains in dovecot-openssl.cnf
--ssl_cert = </etc/ssl/certs/dovecot.pem
-+ssl_cert = </etc/ssl/private/dovecot.crt
- ssl_key = </etc/ssl/private/dovecot.pem
- 
- # If key file is password protected, give the password here. Alternatively
 Index: dovecot-2.3.9.3/doc/man/doveconf.1.in
 ===================================================================
 --- dovecot-2.3.9.3.orig/doc/man/doveconf.1.in
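Review bot: with the 10-ssl.conf part removed, this patch only touches doc/man/doveconf.1.in, while its file name and the spec's `Patch:` line still suggest it changes the certificate paths; add a short description at the top stating that the config change now lives in dovecot-2.3.0-better_ssl_defaults.patch and that only the man page remains here. The surviving `Index: dovecot-2.3.9.3/...` headers also show the patch was not refreshed against 2.3.15 like the other one; a `quilt refresh` keeps the two patches on the same source tree.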

++++++ dovecot-2.3-pigeonhole-0.5.14.tar.gz -> dovecot-2.3.15.tar.gz ++++++
/work/SRC/openSUSE:Factory/dovecot23/dovecot-2.3-pigeonhole-0.5.14.tar.gz 
/work/SRC/openSUSE:Factory/.dovecot23.new.2625/dovecot-2.3.15.tar.gz differ: 
char 5, line 1
