Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id
<d50ba4de424290cd2840a09ef19950156fcf51ab.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #969066,
regarding buster-pu: package dovecot/1:2.3.4.1-5+deb10u4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
969066: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969066
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
I'd like to fix two upstream regressions in the dovecot version in buster.
These are documented in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930919
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928492
The changes are small and the relevant upstream commits apply cleanly. Both
issues have been confirmed fixed in unstable and testing, as well as in the
proposed buster updates.
There's already a buster security upload queued for the next buster point
release. The included debdiff is against that version, but I expect that
the upload should include the .changes content since the latest one actually
in the archive. Please confirm that. (That would be changelog entries for
both 1:2.3.4.1-5+deb10u3 and 1:2.3.4.1-5+deb10u4.)
noah
diff -Nru dovecot-2.3.4.1/debian/changelog dovecot-2.3.4.1/debian/changelog
--- dovecot-2.3.4.1/debian/changelog 2020-08-10 18:03:03.000000000 -0700
+++ dovecot-2.3.4.1/debian/changelog 2020-08-26 13:54:40.000000000 -0700
@@ -1,5 +1,14 @@
+dovecot (1:2.3.4.1-5+deb10u4) buster; urgency=medium
+
+ * Import upstream fix for dsync sieve filter sync regression
+ (Closes: #930919)
+ * userdb-passwd: Fix getpwent errno handling (Closes: #928492)
+
+ -- Noah Meyerhans <[email protected]> Wed, 26 Aug 2020 13:54:40 -0700
+
dovecot (1:2.3.4.1-5+deb10u3) buster-security; urgency=high
+ * Stable security update (Closes: #968302)
* Fix CVE-2020-12100 - Receiving mail with deeply nested MIME parts leads to
resource exhaustion as Dovecot attempts to parse it.
* CVE-2020-12673 - Dovecot's NTLM implementation does not correctly check
diff -Nru dovecot-2.3.4.1/debian/patches/bug928492.patch
dovecot-2.3.4.1/debian/patches/bug928492.patch
--- dovecot-2.3.4.1/debian/patches/bug928492.patch 1969-12-31
16:00:00.000000000 -0800
+++ dovecot-2.3.4.1/debian/patches/bug928492.patch 2020-08-26
13:54:40.000000000 -0700
@@ -0,0 +1,46 @@
+From 414a7db1d15e57433dfc222bd6bf253c83166408 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <[email protected]>
+Date: Fri, 5 Oct 2018 10:18:35 +0300
+Subject: [PATCH] userdb-passwd: Fix getpwent errno handling
+
+In https://bugs.gentoo.org/667118 Reuben Farrelly
+noticed that running
+ # doveadm user '*'
+causes auth daemon to generate errors like:
+ auth-worker(3585): Error: getpwent() failed: Invalid argument
+
+This happens because on successful call getpwent()
+now sets errno=EINVAL starting from glibc-2.28.
+See https://sourceware.org/PR16004 for details.
+
+The fix is to reset 'errno' before 'getpwent()' is called.
+
+Reported-by: Reuben Farrelly
+Bug: https://bugs.gentoo.org/667118
+Bug: https://sourceware.org/PR16004
+Original-Author: Sergei Trofimovich <[email protected]>
+---
+ src/auth/userdb-passwd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/auth/userdb-passwd.c b/src/auth/userdb-passwd.c
+index ee8edf04ee..708762b84a 100644
+--- a/src/auth/userdb-passwd.c
++++ b/src/auth/userdb-passwd.c
+@@ -172,12 +172,16 @@ static void passwd_iterate_next(struct
userdb_iterate_context *_ctx)
+ return;
+ }
+
++ /* reset errno since it might have been set when we got here */
+ errno = 0;
+ while ((pw = getpwent()) != NULL) {
+ if (passwd_iterate_want_pw(pw, set)) {
+ _ctx->callback(pw->pw_name, _ctx->context);
+ return;
+ }
++ /* getpwent might set errno to something even if it
++ returns non-NULL. */
++ errno = 0;
+ }
+ if (errno != 0) {
+ i_error("getpwent() failed: %m");
diff -Nru dovecot-2.3.4.1/debian/patches/debian-changes
dovecot-2.3.4.1/debian/patches/debian-changes
--- dovecot-2.3.4.1/debian/patches/debian-changes 2020-08-10
18:03:03.000000000 -0700
+++ dovecot-2.3.4.1/debian/patches/debian-changes 2020-08-26
13:54:40.000000000 -0700
@@ -93780,7 +93780,7 @@
+#endif
--- /dev/null
+++ dovecot-2.3.4.1/pigeonhole/src/plugins/doveadm-sieve/doveadm-sieve-sync.c
-@@ -0,0 +1,747 @@
+@@ -0,0 +1,746 @@
+/* Copyright (c) 2002-2018 Pigeonhole authors, see the included COPYING file
+ */
+
@@ -94390,8 +94390,7 @@
+ siter->super = sbox->super.attribute_iter_init(box, type, prefix);
+
+ if (box->storage->user->dsyncing &&
-+ type == MAIL_ATTRIBUTE_TYPE_PRIVATE &&
-+ str_begins(prefix, MAILBOX_ATTRIBUTE_PREFIX_SIEVE)) {
++ type == MAIL_ATTRIBUTE_TYPE_PRIVATE) {
+ if (sieve_attribute_iter_script_init(siter) < 0)
+ siter->failed = TRUE;
+ }
diff -Nru dovecot-2.3.4.1/debian/patches/series
dovecot-2.3.4.1/debian/patches/series
--- dovecot-2.3.4.1/debian/patches/series 2020-08-10 18:03:03.000000000
-0700
+++ dovecot-2.3.4.1/debian/patches/series 2020-08-26 13:54:40.000000000
-0700
@@ -51,4 +51,5 @@
CVE-2020-12100/0016-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch
CVE-2020-12673.patch
CVE-2020-12674/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch
+bug928492.patch
debian-changes
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.6
Hi,
Each of these bugs relates to an update that was included in today's
stable point release.
Regards,
Adam
--- End Message ---
