openSUSE Build Service

Marcus Rueckert (darix) committed over 4 years ago (revision 148)

add bugnumbers

Marcus Rueckert (darix) committed over 4 years ago (revision 147)

- update to 2.2.36.4
  * CVE-2019-11500: IMAP protocol parser does not properly handle
    NUL byte when scanning data in quoted strings, leading to out
    of bounds heap memory writes. Found by Nick Roessler and Rafi
    Rubin.
- update pigeonhole to 0.4.24.2
  * CVE-2019-11500: ManageSieve protocol parser does not properly
    handle NUL byte when scanning data in quoted strings, leading
    to out of bounds heap memory writes. Found by Nick Roessler and
    Rafi Rubin.
- refreshed patches to apply cleanly again:
  dovecot-2.2.18-better_ssl_defaults.patch
  dovecot-2.2.18-dont_use_etc_ssl_certs.patch
  dovecot-2.2.31-dhparams_fips_mode.patch

Marcus Rueckert (darix) committed about 5 years ago (revision 146)

- update dovecot to 2.2.36.3
  * CVE-2019-7524: Missing input buffer size validation leads into
    arbitrary buffer overflow when reading fts or pop3 uidl header
    from Dovecot index. Exploiting this requires direct write
    access to the index files.
  * CVE-2019-3814: If imap/pop3/managesieve/submission client has
    trusted certificate with missing username field
    (ssl_cert_username_field), under some configurations Dovecot
    mistakenly trusts the username provided via authentication
    instead of failing.
  * ssl_cert_username_field setting was ignored with external
    SMTP AUTH, because none of the MTAs (Postfix, Exim) currently
    send the cert_username field. This may have allowed users with
    trusted certificate to specify any username in the
    authentication. This bug didn't affect Dovecot's Submission
    service.
  - pop3_no_flag_updates=no: Don't expunge RETRed messages without
    QUIT
  - director: Kicking a user assert-crashes if login process is
    very slow
  - lda/lmtp: Fix assert-crash with some Sieve scripts when
    mail_attachment_detection_options=add-flags-on-save
  - fs-compress: Using maybe-gz assert-crashed when reading 0 sized
    file
  - Snippet generation crashed with invalid Content-Type:multipart
- update pigeonhole to 0.24.4.1
  + imapsieve: Added imapsieve_expunge_discarded setting which
    causes discarded messages to be expunged immediately.
  - Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context
    that modify the message, store the message a second time,
    rather than replacing the originally stored unmodified message.
  - imapsieve: Fix crash when COPYing mails from a virtual mailbox
    when the source messages originate from more than a single real
    mailbox
  - imap_filter_sieve plugin: Implement the missing UID FILTER
    command.
  - imap_filter_sieve plugin: Fix FILTER to work with pipelining

Jan Engelhardt (jengelh) accepted request 652101 from

Johannes Weberhofer (weberho) over 5 years ago (revision 145)

- Removed uncommented and non-functional
  5ea089e1bdcb984d30b07ca1f0443f66749e5e55.diff
 - Re-based other patches

Peter Varkoly (varkoly) committed almost 6 years ago (revision 144)

Marcus Rueckert (darix) committed almost 6 years ago (revision 143)

- update to 2.2.36
- update pigeonhole to 0.4.24

Marcus Rueckert (darix) committed about 6 years ago (revision 142)

- update to 2.2.35
- update pigeonhole to 0.4.23

Marcus Rueckert (darix) committed about 6 years ago (revision 141)

fix typo here as well

Marcus Rueckert (darix) committed about 6 years ago (revision 140)

- update license tag to SPDX-3

Marcus Rueckert (darix) committed about 6 years ago (revision 139)

add bugnumbers

Marcus Rueckert (darix) committed about 6 years ago (revision 138)

actually delete the patch

Marcus Rueckert (darix) committed about 6 years ago (revision 137)

- drop 84703c2f19113ac731e4638ba782fa87e0748ba6.patch:
  included in update

- update to 2.2.34

Marcus Rueckert (darix) committed about 6 years ago (revision 136)

Marcus Rueckert (darix) committed over 6 years ago (revision 135)

  there. for newer distros the %prep scriptlet part will fix the

Marcus Rueckert (darix) committed over 6 years ago (revision 134)

- undo the patch change from the (boo#1070761) fix again:
  that means on older distros the SSLv2 disable is actually still
  there. for newer distros the %pre scriptlet part will fix the
  config after copying. also limit the pre scriptlet to
  suse_version 1500 and newer

Marcus Rueckert (darix) accepted request 547762 from

Arjen de Korte (adkorte) over 6 years ago (revision 133)

- openssl 1.1.0 does not support SSLv2 anymore (boo#1070761)
  * changed dovecot-2.2.18-better_ssl_defaults.patch
  * remove !SSLv2 from existing ssl_protocols configuration
    during upgrade

Marcus Rueckert (darix) accepted request 559674 from

Marcus Rueckert (darix) over 6 years ago (revision 132)

- Move the example-config + mkcert.sh to /usr/share/dovecot
  This makes the files no longer documentation and they actually
  exist on e.g. our docker image, where rpms are installed without
  documentation. (boo#1070871)

Marcus Rueckert (darix) committed over 6 years ago (revision 131)

- added https://github.com/dovecot/core/commit/84703c2f19113ac731e4638ba782fa87e0748ba6.patch
  backport fix for log reopen

buildservice-autocommit accepted request 535500 from

Marcus Rueckert (darix) over 6 years ago (revision 130)

baserev update by copy to link target

Marcus Rueckert (darix) committed over 6 years ago (revision 129)

- update to 2.2.33.2
  - doveadm: Fix crash in proxying (or dsync replication) if remote
    is running older than v2.2.33
  - auth: Fix memory leak in %{ldap_dn}
  - dict-sql: Fix data types to work correctly with Cassandra
- drop 187fbf157d5c42f9f06ce52884fefbb4f66c070d.patch:
  included in update

Places

Revisions of dovecot22

Places