Revisions of dovecot23

Dominique Leuenberger (dimstar_suse) accepted request 834633 from Marcus Rueckert (darix) (revision 33)
- add dovecot-2.3.11.3-gssapi-nul.patch:
  Fix for bug introduced in v2.3.11.3. It appears GSSAPI can contain NUL.
  https://github.com/dovecot/core/pull/133
Dominique Leuenberger (dimstar_suse) accepted request 832820 from Factory Maintainer (factory-maintainer) (revision 32)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 826276 from Marcus Rueckert (darix) (revision 31)
- update to 2.3.11.3 and pigeonhole to 0.5.11 (boo#1174920 boo#1174922 boo#1174923)
Yuchen Lin (maxlin_factory) accepted request 809014 from Factory Maintainer (factory-maintainer) (revision 30)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 807017 from Marcus Rueckert (darix) (revision 29)
- update to 2.3.10.1 with security fixes for
  * CVE-2020-10957: lmtp/submission: A client can crash the server by
    sending a NOOP command with an invalid string parameter.
    (boo#1171457)
  * CVE-2020-10958: lmtp/submission: Sending many invalid or unknown
    commands can cause the server to access freed memory, which can lead
    to a server crash. (boo#1171458)
  * CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
    address that has the empty quoted string as local-part causes the
    lmtp service to crash. (boo#1171456)
Dominique Leuenberger (dimstar_suse) accepted request 800837 from Factory Maintainer (factory-maintainer) (revision 28)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 779422 from Marcus Rueckert (darix) (revision 26)
- Update dovecot-2.3.0-dont_use_etc_ssl_certs.patch: since we
  change CERTDIR to /etc/ssl/private, it is rather evil to then err
  out claiming /etc/ssl/certs would not exist. The error message
  should mention the directory it tested for. (forwarded request 779407 from dimstar)
Dominique Leuenberger (dimstar_suse) accepted request 774042 from Marcus Rueckert (darix) (revision 25)
- update to 2.3.9.3
  * CVE-2020-7046: Truncated UTF-8 can be used to DoS
    submission-login and lmtp processes.
  * CVE-2020-7957: Specially crafted mail can crash snippet generation. (forwarded request 773697 from adkorte)
Dominique Leuenberger (dimstar_suse) accepted request 748910 from Factory Maintainer (factory-maintainer) (revision 22)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 738214 from Илья Индиго (13ilya) (revision 21)
- update to 2.3.8 and pigeonhole to 0.5.8
  Dovecot 2.3.8
  + Added mail_delivery_started and mail_delivery_finished events, see
    https://doc.dovecot.org/admin_manual/list_of_events/ for details.
  + dsync-replication: Don't replicate users who have "noreplicate" extra
    field in userdb.
  + doveadm service status: Show total number of processes created.
  + When logging to syslog, use instance_name setting's value for the
    ident. This commonly is added as a log prefix.
  + Base64 encoding/decoding code was rewritten with additional features.
    It shouldn't cause any user visible changes.
  - v2.3.7 regression: If a folder only receives new mails without any
    other mail access, dovecot.index.log keeps growing forever and
    dovecot.index keeps being rewritten for every mail delivery.
  - dsync-replication may lose keywords after syncing mails restored from
    another replica. This only happened if the mail only had keywords and
    no system flags.
  - event filters: Non-textual event fields could not be filtered using
    wildcards.
  - auth: Scope parameter was missing from OAuth password grant
    request.
  - doveadm client-server communication may hang in some situations.
    It is also using unnecessarily small TCP/IP packet sizes.
  - doveadm who and kick did not flush protocol output correctly.
  - imap: SETMETADATA with literal value would delete the metadata value
    instead of updating it.
  - imap: When client issues FETCH PREVIEW (LAZY=FUZZY) command, the
    caching decisions should be updated so that newly saved mails will
    have the preview cached.
  - With mail_nfs_index=yes and/or mail_nfs_storage=yes setuid/setgid
    permission bits in some files may have become dropped with some NFS
    servers. Changed NFS flushing to now use chmod() instead of chown().
  - quota: warnings did not work if quota root was noenforcing
  - acl: Global ACL file ignored the last line if it didn't end with LF.
  - doveadm stats dump: With JSON formatter output numbers using the
    number type instead of as strings
  - lmtp_proxy: Ensure that real_* variables are correctly set when using
    lmtp_proxy.
  - event exporter: http-post driver had hardcoded timeout and did not
    support DNS lookups or TLS connections.
  - auth: Fix user iteration to work with userdb passwd with glibc v2.28.
  - auth: auth service can crash if auth-policy JSON response is invalid
    or returned too fast.
  - In some rare situations "ps" output could have shown a lot of "?"
    characters after Dovecot process titles.
  - When dovecot.index.pvt is empty, an unnecessary error is logged:
    Error: .../dovecot.index.pvt reset, view is now inconsistent
  - SMTP address encoder duplicated initial double quote character when
    the localpart of an address ended in '..'. For example
    "user+..@example.com" became ""user+.."@example.com in a
    sieve redirect.
  Pigeonhole 0.5.8
  - Sieve may leak resources in rare cases when a redirect, vacation or
    report action fails to send the message. This mainly applies when
    Sieve is executed in IMAP context; i.e., for the IMAPSIEVE or
    FILTER=SIEVE capabilities.
Dominique Leuenberger (dimstar_suse) accepted request 726988 from Marcus Rueckert (darix) (revision 20)
- update to 2.3.7.2
  * CVE-2019-11500: IMAP protocol parser does not properly handle
    NUL byte when scanning data in quoted strings, leading to out
    of bounds heap memory writes. Found by Nick Roessler and Rafi
    Rubin. (boo#1145559)
- update pigeonhole to 0.5.7.2
  * CVE-2019-11500: ManageSieve protocol parser does not properly
    handle NUL byte when scanning data in quoted strings, leading
    to out of bounds heap memory writes. Found by Nick Roessler and
    Rafi Rubin. (boo#1145559)
- refreshed patches to apply cleanly again:
  dovecot-2.3.0-better_ssl_defaults.patch
  dovecot-2.3.0-dont_use_etc_ssl_certs.patch
Dominique Leuenberger (dimstar_suse) accepted request 718437 from Илья Индиго (13ilya) (revision 19)
- update to 2.3.7.1 and pigeonhole to 0.5.7.1
  Dovecot 2.3.7.1
    - Fix TCP_NODELAY errors being logged on non-Linux OSes
    - lmtp proxy: Fix assert-crash when client uses BODY=8BITMIME
    - Remove wrongly added checks in namespace prefix checking
  Pigeonhole 0.5.7.1
    - dsync: Sieve script syncing failed if mailbox attributes weren't enabled.
  Dovecot 2.3.7
    * fts-solr: Removed break-imap-search parameter
    + Added more events for the new statistics, see
      https://doc.dovecot.org/admin_manual/list_of_events/
    + mail-lua: Add IMAP metadata accessors, see
      https://doc.dovecot.org/admin_manual/lua/
    + Add event exporters that allow exporting raw events to log files and
      external systems, see
      https://doc.dovecot.org/configuration_manual/event_export/
    + SNIPPET is now PREVIEW and size has been increased to 200 characters.
    + Add body option to fts_enforced. This triggers building FTS index only
      on body search, and an error using FTS index fails the search rather
      than reads through all the mails.
    - Submission/LMTP: Fixed crash when domain argument is invalid in a
      second EHLO/LHLO command.
    - Copying/moving mails using Maildir format loses IMAP keywords in the
      destination if the mail also has no system flags.
    - mail_attachment_detection_options=add-flags-on-save caused email body
      to be unnecessarily opened when FETCHing mail headers that were
      already cached.
    - mail attachment detection keywords not saved with maildir.
    - dovecot.index.cache may have grown excessively large in some
      situations. This happened especially when using autoexpunging with
      lazy_expunge folders. Also with mdbox format in general the cache file
      wasn't recreated as often as it should have.
    - Autoexpunged mails weren't immediately deleted from the disk. Instead,
      the deletion from disk happened the next time the folder was opened.
      This could have caused unnecessary delays if the opening was done by
      an interactive IMAP session.
    - Dovecot's TCP connections sometimes add extra 40ms latency due to not
      enabling TCP_NODELAY. HTTP and SMTP/LMTP connections weren't
      affected, but everything else was. This delay wasn't always visible -
      only in some situations with some message/packet sizes.
    - imapc: Fix various crash conditions
    - Dovecot builds were not always reproducible.
    - login-proxy: With shutdown_clients=no after config reload the
      existing connections could no longer be listed or kicked with doveadm.
    - "doveadm proxy kick" with -f parameter caused a crash in some
      situations.
    - Auth policy can cause segmentation fault crash during auth process
      shutdown if all auth requests have not been finished.
    - Fix various minor bugs leading into incorrect behaviour in mailbox
      list index handling. These rarely caused noticeable problems.
    - LDAP auth: Iteration accesses freed memory, possibly crashing
      auth-worker
    - local_name { .. } filter in dovecot.conf does not correctly support
      multiple names and wildcards were matched incorrectly.
    - replicator: dsync assert-crashes if it can't connect to remote TCP
      server.
    - config: Memory leak in config process when ssl_dh setting wasn't
      set and there was no ssl-parameters.dat file.
      This caused config process to die once in a while
      with "out of memory".
- bsc#1134242 - upgrade from 42.3 to 15.1: dovecot shows Unknown
  protocol 'SSLv2'
  * remove !SSLv2 from existing ssl_protocols configuration
    during upgrade
 
Dominique Leuenberger (dimstar_suse) accepted request 699690 from Marcus Rueckert (darix) (revision 18)
- update pigeonhole to 0.5.6
  + sieve: Redirect loop prevention is sometimes ineffective.
    Improve existing loop detection by also recognizing the
    X-Sieve-Redirected-From header in incoming messages and
    dropping redirect actions when it points to the sending
    account. This header is already added by the redirect action,
    so this improvement only adds an additional use of this header.
  - sieve: Prevent execution of implicit keep upon temporary
    failure occurring at runtime.

- update to 2.3.6: (boo#1133624 boo#1133625)
  * CVE-2019-11494: Submission-login crashed with signal 11 due to
    null pointer access when authentication was aborted by
    disconnecting.
  * CVE-2019-11499: Submission-login crashed when authentication
    was started over TLS secured channel and invalid authentication
    message was sent.
  * auth: Support password grant with passdb oauth2.
  + Use system default CAs for outbound TLS connections.
  + Simplify array handling with new helper macros.
  + fts_solr: Enable configuring batch_size and soft_commit features.
  - lmtp/submission: Fixed various bugs in XCLIENT handling,
    including a hang when XCLIENT commands were sent infinitely to
    the remote server.
  - lmtp/submission: Forwarded multi-line replies were erroneously
    sent as two replies to the client.
  - lib-smtp: client: Message was not guaranteed to contain CRLF
    consistently when CHUNKING was used.
  - fts_solr: Plugin was no longer compatible with Solr 7.
  - Make it possible to disable certificate checking without
    setting ssl_client_ca_* settings.
  - pop3c: SSL support was broken.
  - mysql: Closing connection twice led to crash on some systems.
  - auth: Multiple oauth2 passdbs crashed auth process on deinit.
  - HTTP client connection errors infrequently triggered a
    segmentation fault when the connection was idle and not used
    for a particular client instance.
Dominique Leuenberger (dimstar_suse) accepted request 695556 from Marcus Rueckert (darix) (revision 17)
- update to 2.3.5.2 (boo#1132501)
  * CVE-2019-10691: Trying to login with 8bit username containing
    invalid UTF8 input causes auth process to crash if auth policy
    is enabled. This could be used rather easily to cause a DoS.
    Similar crash also happens during mail delivery when using
    invalid UTF8 in From or Subject header when OX push
    notification driver is used.

- update to 2.3.5.1 (boo#1130116)
Stephan Kulow (coolo) accepted request 671912 from Marcus Rueckert (darix) (revision 15)
- update to 2.3.4.1 (boo#1123022)
  * CVE-2019-3814: If imap/pop3/managesieve/submission client has
    trusted certificate with missing username field
    (ssl_cert_username_field), under some configurations Dovecot
    mistakenly trusts the username provided via authentication
    instead of failing.
  * ssl_cert_username_field setting was ignored with external
    SMTP AUTH, because none of the MTAs (Postfix, Exim) currently
    send the cert_username field. This may have allowed users with
    trusted certificate to specify any username in the
    authentication. This bug didn't affect Dovecot's Submission
    service.
Displaying revisions 21 - 40 of 53