Compare commits

...

No commits in common. 'c8' and 'c9' have entirely different histories.
c8 ... c9

@ -1,7 +1,7 @@
diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf diff -up dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf
--- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 --- dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf 2018-03-01 10:29:38.208368555 +0100 +++ dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf 2021-10-27 11:13:45.666956339 +0200
@@ -165,7 +165,7 @@ namespace inbox { @@ -175,7 +175,7 @@ namespace inbox {
# to make sure that users can't log in as daemons or other system users. # to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't # Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0. # be done even if first_valid_uid is set to 0.
@ -18,9 +18,9 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings
# Maximum time to wait for lock (all of them) before aborting. # Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins #mbox_lock_timeout = 5 mins
diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf diff -up dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf
--- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 --- dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf 2018-03-01 10:33:54.779499044 +0100 +++ dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf 2021-10-27 11:13:02.834533975 +0200
@@ -3,7 +3,9 @@ @@ -3,7 +3,9 @@
## ##
@ -32,7 +32,7 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but # dropping root privileges, so keep the key file unreadable by anyone but
@@ -57,6 +59,7 @@ ssl_key = </etc/ssl/private/dovecot.pem @@ -64,6 +66,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use: # To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

@ -1,13 +0,0 @@
diff -up dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c.aclfix dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c
--- dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c.aclfix 2018-09-18 15:00:08.778823903 +0200
+++ dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c 2018-09-18 15:00:08.814823737 +0200
@@ -161,8 +161,7 @@ acl_backend_vfile_object_init(struct acl
T_BEGIN {
if (*name == '\0' ||
mailbox_list_is_valid_name(_backend->list, name, &error)) {
- vname = *name == '\0' ? "" :
- mailbox_list_get_vname(_backend->list, name);
+ vname = mailbox_list_get_vname(_backend->list, name);
dir = acl_backend_vfile_get_local_dir(_backend, name, vname);
aclobj->local_path = dir == NULL ? NULL :

@ -0,0 +1,34 @@
diff -up dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c
--- dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 2021-06-03 18:56:52.573174433 +0200
+++ dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c 2021-06-03 18:56:52.585174274 +0200
@@ -73,10 +73,30 @@
2<tab>key algo oid<tab>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id
**/
+#if OPENSSL_VERSION_MAJOR == 3
+static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key)
+{
+ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
+ EVP_PKEY_set1_EC_KEY(key, eck);
+ EC_KEY_free(eck);
+ return eck;
+}
+
+static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key)
+{
+ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
+ EVP_PKEY_set1_EC_KEY(key, eck);
+ return eck;
+}
+
+#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3
+#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3
+#else
#ifndef HAVE_EVP_PKEY_get0
#define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec
#define EVP_PKEY_get0_RSA(x) x->pkey.rsa
#endif
+#endif
#ifndef HAVE_OBJ_LENGTH
#define OBJ_length(o) ((o)->length)

@ -0,0 +1,24 @@
diff -up dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c
--- dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-06-21 23:07:55.269814896 +0200
+++ dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-06-21 23:07:55.298814544 +0200
@@ -109,7 +109,7 @@ static int sieve_dict_script_get_stream
{
struct sieve_dict_script *dscript =
(struct sieve_dict_script *)script;
- const char *path, *name = script->name, *data, *error;
+ const char *path, *name = script->name, *data, *error = NULL;
int ret;
dscript->data_pool =
diff -up dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.15/src/lib-storage/index/index-attribute.c
--- dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond 2021-06-14 15:40:37.000000000 +0200
+++ dovecot-2.3.15/src/lib-storage/index/index-attribute.c 2021-06-21 21:52:22.963171229 +0200
@@ -249,7 +249,7 @@ int index_storage_attribute_get(struct m
struct mail_attribute_value *value_r)
{
struct dict *dict;
- const char *mailbox_prefix, *error;
+ const char *mailbox_prefix, *error = NULL;
int ret;
i_zero(value_r);

@ -0,0 +1,20 @@
diff -up dovecot-2.3.15/run-test-valgrind.supp.valbasherr dovecot-2.3.15/run-test-valgrind.supp
--- dovecot-2.3.15/run-test-valgrind.supp.valbasherr 2021-06-21 22:52:53.272707239 +0200
+++ dovecot-2.3.15/run-test-valgrind.supp 2021-06-21 22:54:19.786668430 +0200
@@ -1,4 +1,16 @@
{
+ <bashagin>
+ Memcheck:Leak
+ match-leak-kinds: definite
+ fun:malloc
+ fun:make_if_command
+ fun:yyparse
+ fun:parse_command
+ fun:read_command
+ fun:reader_loop
+ fun:main
+}
+{
<bash>
Memcheck:Leak
fun:malloc

@ -1,353 +0,0 @@
diff -up dovecot-2.3.16/configure.ac.keeplzma dovecot-2.3.16/configure.ac
--- dovecot-2.3.16/configure.ac.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/configure.ac 2022-02-28 13:58:02.337149927 +0100
@@ -173,7 +173,7 @@ AS_HELP_STRING([--with-bzlib], [Build wi
want_bzlib=auto)
AC_ARG_WITH(lzma,
-AS_HELP_STRING([--with-lzma], [Build with LZMA decompression support (auto)]),
+AS_HELP_STRING([--with-lzma], [Build with LZMA compression support (auto)]),
TEST_WITH(lzma, $withval),
want_lzma=auto)
diff -up dovecot-2.3.16/run-test-valgrind.supp.keeplzma dovecot-2.3.16/run-test-valgrind.supp
--- dovecot-2.3.16/run-test-valgrind.supp.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/run-test-valgrind.supp 2022-02-28 13:58:02.337149927 +0100
@@ -5,6 +5,17 @@
obj:*/bash
}
{
+ <liblzma>
+ Memcheck:Cond
+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
+ fun:lzma_stream_encoder
+ fun:lzma_easy_encoder
+}
+{
<openssl_centos6_i386_v1_0_1_compression_methods>
Memcheck:Leak
fun:malloc
diff -up dovecot-2.3.16/src/lib-compression/compression.c.keeplzma dovecot-2.3.16/src/lib-compression/compression.c
--- dovecot-2.3.16/src/lib-compression/compression.c.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-compression/compression.c 2022-02-28 14:22:32.467944396 +0100
@@ -25,6 +25,7 @@
#endif
#ifndef HAVE_LZMA
# define i_stream_create_lzma NULL
+# define o_stream_create_lzma NULL
#endif
#ifndef HAVE_LZ4
# define i_stream_create_lz4 NULL
@@ -216,7 +217,7 @@ const struct compression_handler compres
.ext = ".xz",
.is_compressed = is_compressed_xz,
.create_istream = i_stream_create_lzma,
- .create_ostream = NULL,
+ .create_ostream = o_stream_create_lzma,
.get_min_level = compression_get_min_level_unsupported,
.get_default_level = compression_get_default_level_unsupported,
.get_max_level = compression_get_max_level_unsupported,
diff -up dovecot-2.3.16/src/lib-compression/Makefile.am.keeplzma dovecot-2.3.16/src/lib-compression/Makefile.am
--- dovecot-2.3.16/src/lib-compression/Makefile.am.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-compression/Makefile.am 2022-02-28 13:58:02.337149927 +0100
@@ -13,6 +13,7 @@ libcompression_la_SOURCES = \
istream-zlib.c \
istream-bzlib.c \
istream-zstd.c \
+ ostream-lzma.c \
ostream-lz4.c \
ostream-zlib.c \
ostream-bzlib.c \
diff -up dovecot-2.3.16/src/lib-compression/ostream-lzma.c.keeplzma dovecot-2.3.16/src/lib-compression/ostream-lzma.c
--- dovecot-2.3.16/src/lib-compression/ostream-lzma.c.keeplzma 2022-02-28 13:58:02.338149934 +0100
+++ dovecot-2.3.16/src/lib-compression/ostream-lzma.c 2022-02-28 13:58:02.338149934 +0100
@@ -0,0 +1,263 @@
+/* Copyright (c) 2010-2018 Dovecot authors, see the included COPYING file */
+
+#include "lib.h"
+
+#ifdef HAVE_LZMA
+
+#include "ostream-private.h"
+#include "ostream-zlib.h"
+#include <lzma.h>
+
+#define CHUNK_SIZE (1024*64)
+
+struct lzma_ostream {
+ struct ostream_private ostream;
+ lzma_stream strm;
+
+ unsigned char outbuf[CHUNK_SIZE];
+ unsigned int outbuf_offset, outbuf_used;
+
+ bool flushed:1;
+};
+
+static void o_stream_lzma_close(struct iostream_private *stream,
+ bool close_parent)
+{
+ struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
+ i_assert(zstream->ostream.finished ||
+ zstream->ostream.ostream.stream_errno != 0 ||
+ zstream->ostream.error_handling_disabled);
+ lzma_end(&zstream->strm);
+ if (close_parent)
+ o_stream_close(zstream->ostream.parent);
+}
+
+static int o_stream_zlib_send_outbuf(struct lzma_ostream *zstream)
+{
+ ssize_t ret;
+ size_t size;
+
+ if (zstream->outbuf_used == 0)
+ return 1;
+
+ size = zstream->outbuf_used - zstream->outbuf_offset;
+ i_assert(size > 0);
+ ret = o_stream_send(zstream->ostream.parent,
+ zstream->outbuf + zstream->outbuf_offset, size);
+ if (ret < 0) {
+ o_stream_copy_error_from_parent(&zstream->ostream);
+ return -1;
+ }
+ if ((size_t)ret != size) {
+ zstream->outbuf_offset += ret;
+ return 0;
+ }
+ zstream->outbuf_offset = 0;
+ zstream->outbuf_used = 0;
+ return 1;
+}
+
+static ssize_t
+o_stream_lzma_send_chunk(struct lzma_ostream *zstream,
+ const void *data, size_t size)
+{
+ lzma_stream *zs = &zstream->strm;
+ int ret;
+
+ i_assert(zstream->outbuf_used == 0);
+
+ zs->next_in = (void *)data;
+ zs->avail_in = size;
+ while (zs->avail_in > 0) {
+ if (zs->avail_out == 0) {
+ /* previous block was compressed. send it and start
+ compression for a new block. */
+ zs->next_out = zstream->outbuf;
+ zs->avail_out = sizeof(zstream->outbuf);
+
+ zstream->outbuf_used = sizeof(zstream->outbuf);
+ if ((ret = o_stream_zlib_send_outbuf(zstream)) < 0)
+ return -1;
+ if (ret == 0) {
+ /* parent stream's buffer full */
+ break;
+ }
+ }
+
+ ret = lzma_code(zs, LZMA_RUN);
+ switch (ret) {
+ case LZMA_OK:
+ break;
+ case LZMA_MEM_ERROR:
+ i_fatal_status(FATAL_OUTOFMEM,
+ "lzma.write(%s): Out of memory",
+ o_stream_get_name(&zstream->ostream.ostream));
+ default:
+ i_panic("lzma.write(%s) failed with unexpected code %d",
+ o_stream_get_name(&zstream->ostream.ostream), ret);
+ }
+ }
+ size -= zs->avail_in;
+
+ return size;
+}
+
+static int o_stream_lzma_send_flush(struct lzma_ostream *zstream, bool final)
+{
+ lzma_stream *zs = &zstream->strm;
+ size_t len;
+ bool done = FALSE;
+ int ret;
+
+ i_assert(zs->avail_in == 0);
+
+ if (zstream->flushed) {
+ i_assert(zstream->outbuf_used == 0);
+ return 1;
+ }
+
+ if ((ret = o_stream_flush_parent_if_needed(&zstream->ostream)) <= 0)
+ return ret;
+ if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0)
+ return ret;
+
+ if (!final)
+ return 1;
+
+ i_assert(zstream->outbuf_used == 0);
+ do {
+ len = sizeof(zstream->outbuf) - zs->avail_out;
+ if (len != 0) {
+ zs->next_out = zstream->outbuf;
+ zs->avail_out = sizeof(zstream->outbuf);
+
+ zstream->outbuf_used = len;
+ if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0)
+ return ret;
+ if (done)
+ break;
+ }
+ ret = lzma_code(zs, LZMA_FINISH);
+ switch (ret) {
+ case LZMA_OK:
+ /* still unfinished - need to call lzma_code() again */
+ break;
+ case LZMA_STREAM_END:
+ /* output is fully finished */
+ done = TRUE;
+ break;
+ case LZMA_MEM_ERROR:
+ i_fatal_status(FATAL_OUTOFMEM,
+ "lzma.write(%s): Out of memory",
+ o_stream_get_name(&zstream->ostream.ostream));
+ default:
+ i_panic("lzma.write(%s) flush failed with unexpected code %d",
+ o_stream_get_name(&zstream->ostream.ostream), ret);
+ }
+ } while (zs->avail_out != sizeof(zstream->outbuf));
+
+ if (final)
+ zstream->flushed = TRUE;
+ i_assert(zstream->outbuf_used == 0);
+ return 1;
+}
+
+static int o_stream_lzma_flush(struct ostream_private *stream)
+{
+ struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
+ int ret;
+
+ if ((ret = o_stream_lzma_send_flush(zstream, stream->finished)) < 0)
+ return -1;
+ else if (ret > 0)
+ return o_stream_flush_parent(stream);
+ return ret;
+}
+
+static size_t
+o_stream_lzma_get_buffer_used_size(const struct ostream_private *stream)
+{
+ const struct lzma_ostream *zstream =
+ (const struct lzma_ostream *)stream;
+
+ /* outbuf has already compressed data that we're trying to send to the
+ parent stream. We're not including lzma's internal compression
+ buffer size. */
+ return (zstream->outbuf_used - zstream->outbuf_offset) +
+ o_stream_get_buffer_used_size(stream->parent);
+}
+
+static size_t
+o_stream_lzma_get_buffer_avail_size(const struct ostream_private *stream)
+{
+ /* FIXME: not correct - this is counting compressed size, which may be
+ too larger than uncompressed size in some situations. Fixing would
+ require some kind of additional buffering. */
+ return o_stream_get_buffer_avail_size(stream->parent);
+}
+
+static ssize_t
+o_stream_lzma_sendv(struct ostream_private *stream,
+ const struct const_iovec *iov, unsigned int iov_count)
+{
+ struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
+ ssize_t ret, bytes = 0;
+ unsigned int i;
+
+ if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0) {
+ /* error / we still couldn't flush existing data to
+ parent stream. */
+ return ret;
+ }
+
+ for (i = 0; i < iov_count; i++) {
+ ret = o_stream_lzma_send_chunk(zstream, iov[i].iov_base,
+ iov[i].iov_len);
+ if (ret < 0)
+ return -1;
+ bytes += ret;
+ if ((size_t)ret != iov[i].iov_len)
+ break;
+ }
+ stream->ostream.offset += bytes;
+
+ /* avail_in!=0 check is used to detect errors. if it's non-zero here
+ it simply means we didn't send all the data */
+ zstream->strm.avail_in = 0;
+ return bytes;
+}
+
+struct ostream *o_stream_create_lzma(struct ostream *output, int level)
+{
+ struct lzma_ostream *zstream;
+ lzma_ret ret;
+
+ i_assert(level >= 1 && level <= 9);
+
+ zstream = i_new(struct lzma_ostream, 1);
+ zstream->ostream.sendv = o_stream_lzma_sendv;
+ zstream->ostream.flush = o_stream_lzma_flush;
+ zstream->ostream.get_buffer_used_size =
+ o_stream_lzma_get_buffer_used_size;
+ zstream->ostream.get_buffer_avail_size =
+ o_stream_lzma_get_buffer_avail_size;
+ zstream->ostream.iostream.close = o_stream_lzma_close;
+
+ ret = lzma_easy_encoder(&zstream->strm, level, LZMA_CHECK_CRC64);
+ switch (ret) {
+ case LZMA_OK:
+ break;
+ case LZMA_MEM_ERROR:
+ i_fatal_status(FATAL_OUTOFMEM, "lzma: Out of memory");
+ case LZMA_OPTIONS_ERROR:
+ i_fatal("lzma: Invalid level");
+ default:
+ i_fatal("lzma_easy_encoder() failed with %d", ret);
+ }
+
+ zstream->strm.next_out = zstream->outbuf;
+ zstream->strm.avail_out = sizeof(zstream->outbuf);
+ return o_stream_create(&zstream->ostream, output,
+ o_stream_get_fd(output));
+}
+#endif
diff -up dovecot-2.3.16/src/lib-compression/ostream-zlib.h.keeplzma dovecot-2.3.16/src/lib-compression/ostream-zlib.h
--- dovecot-2.3.16/src/lib-compression/ostream-zlib.h.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-compression/ostream-zlib.h 2022-02-28 13:58:02.338149934 +0100
@@ -4,6 +4,7 @@
struct ostream *o_stream_create_gz(struct ostream *output, int level);
struct ostream *o_stream_create_deflate(struct ostream *output, int level);
struct ostream *o_stream_create_bz2(struct ostream *output, int level);
+struct ostream *o_stream_create_lzma(struct ostream *output, int level);
struct ostream *o_stream_create_lz4(struct ostream *output, int level);
struct ostream *o_stream_create_zstd(struct ostream *output, int level);
diff -up dovecot-2.3.16/src/lib-compression/test-compression.c.keeplzma dovecot-2.3.16/src/lib-compression/test-compression.c
--- dovecot-2.3.16/src/lib-compression/test-compression.c.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-compression/test-compression.c 2022-02-28 13:58:02.338149934 +0100
@@ -730,7 +730,6 @@ static void test_compression_int(bool au
for (i = 0; compression_handlers[i].name != NULL; i++) {
if (compression_handlers[i].create_istream != NULL &&
- compression_handlers[i].create_ostream != NULL &&
(!autodetect ||
compression_handlers[i].is_compressed != NULL)) T_BEGIN {
if (compression_handlers[i].is_compressed != NULL &&

@ -0,0 +1,9 @@
#Type Name ID GECOS Home directory Shell
g dovecot 97
u dovecot 97 "Dovecot IMAP server" /usr/libexec/dovecot /sbin/nologin
m dovecot dovecot
g dovenull -
u dovenull - "Dovecot - unauthorized user" /usr/libexec/dovecot /sbin/nologin
m dovenull dovenull

@ -1,26 +1,28 @@
%global __provides_exclude_from %{_docdir} %global __provides_exclude_from %{_docdir}
%global __requires_exclude_from %{_docdir} %global __requires_exclude_from %{_docdir}
Summary: Secure imap and pop3 server Summary: Secure imap and pop3 server
Name: dovecot Name: dovecot
Epoch: 1 Epoch: 1
Version: 2.3.16 Version: 2.3.16
%global prever %{nil} %global prever %{nil}
Release: 6%{?dist} Release: 11%{?dist}.1
#dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
License: MIT and LGPLv2 License: MIT and LGPLv2
Group: System Environment/Daemons
URL: http://www.dovecot.org/ URL: https://www.dovecot.org/
Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
Source1: dovecot.init Source1: dovecot.init
Source2: dovecot.pam Source2: dovecot.pam
%global pigeonholever 0.5.16 %global pigeonholever 0.5.16
Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
Source9: dovecot.sysconfig Source9: dovecot.sysconfig
Source10: dovecot.tmpfilesd Source10: dovecot.tmpfilesd
#our own #our own
Source14: dovecot.conf.5 Source14: dovecot.conf.5
Source15: prestartscript
Source16: dovecot.sysusers
# 3x Fedora/RHEL specific # 3x Fedora/RHEL specific
Patch1: dovecot-2.0-defaultconfig.patch Patch1: dovecot-2.0-defaultconfig.patch
@ -32,60 +34,65 @@ Patch6: dovecot-2.1.10-waitonline.patch
Patch8: dovecot-2.2.20-initbysystemd.patch Patch8: dovecot-2.2.20-initbysystemd.patch
Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
Patch15: dovecot-2.3.11-bigkey.patch
# sent upstream, rhbz#1630380
Patch11: dovecot-2.2.36-aclfix.patch
Patch13: dovecot-2.2.36-bigkey.patch
# do not use own implementation of HMAC, use OpenSSL for certification purposes # do not use own implementation of HMAC, use OpenSSL for certification purposes
# not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces # not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces
# hard to break circular dependency between lib and lib-dcrypt # hard to break circular dependency between lib and lib-dcrypt
Patch14: dovecot-2.3.6-opensslhmac.patch Patch16: dovecot-2.3.6-opensslhmac.patch
# from upstream, for dovecot < 2.3.17, s390x FTBFS fix Patch17: dovecot-2.3.14-opensslv3.patch
Patch15: dovecot-2.3.16-ftbfsbigend.patch
Patch16: dovecot-2.3.16-keeplzma.patch # FTBFS
Patch18: dovecot-2.3.15-fixvalcond.patch
Patch19: dovecot-2.3.15-valbasherr.patch
Patch20: dovecot-2.3.16-ftbfsbigend.patch
# from upstream, for <= 2.3.19.1, rhbz#2106232 # from upstream, for <= 2.3.19.1, rhbz#2106232
Patch17: dovecot-2.3.19.1-7bad6a24.patch Patch21: dovecot-2.3.19.1-7bad6a24.patch
# from upstream, for < 2.3.19.1, rhbz#2128857 # from upstream, for < 2.3.19.1, rhbz#2128857
Patch18: dovecot-2.3.18-9f300239..4596d399.patch Patch22: dovecot-2.3.18-bdf447e4.patch
Patch19: dovecot-2.3.18-bdf447e4.patch Patch23: dovecot-2.3.18-9f300239..4596d399.patch
# from upstream, for < 2.3.21, RHEL-25434
Patch24: dovecot-2.3.16-d7705bc6.patch
# from upstream, for < 2.3.21, RHEL-22854 # fix test failing due to too long path with all the mock path prefixes
Patch20: dovecot-2.3.16-d7705bc6.patch Patch27: dovecot-2.3.21-test-socket-path.patch
# from upstream for < 2.3.21.1, RHEL-55206 # from upstream for < 2.3.21.1, RHEL-55211
# https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch # https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch
Patch21: dovecot-2.3.21.1-CVE-2024-23184.patch Patch28: dovecot-2.3.21.1-CVE-2024-23184.patch
# from upstream for < 2.3.21.1, RHEL-55219 # from upstream for < 2.3.21.1, RHEL-55225
# https://github.com/dovecot/core/compare/f020e13%5E...ce88c33.patch # https://github.com/dovecot/core/compare/f020e13%5E...ce88c33.patch
Patch22: dovecot-2.3.21.1-CVE-2024-23185.patch Patch29: dovecot-2.3.21.1-CVE-2024-23185.patch
# fix test failing due to too long path with all the mock path prefixes BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
Patch23: dovecot-2.3.21-test-socket-path.patch
Source15: prestartscript
BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: libtool, autoconf, automake, pkgconfig
BuildRequires: sqlite-devel BuildRequires: sqlite-devel
BuildRequires: postgresql-devel BuildRequires: libpq-devel
#BuildRequires: libpq-devel
BuildRequires: mariadb-connector-c-devel BuildRequires: mariadb-connector-c-devel
#BuildRequires: libxcrypt-devel BuildRequires: libxcrypt-devel
BuildRequires: openldap-devel BuildRequires: openldap-devel
BuildRequires: krb5-devel BuildRequires: krb5-devel
BuildRequires: quota-devel BuildRequires: quota-devel
BuildRequires: rpcgen
BuildRequires: xz-devel BuildRequires: xz-devel
BuildRequires: lz4-devel BuildRequires: lz4-devel
BuildRequires: libzstd-devel
%if %{?rhel}0 == 0
BuildRequires: libsodium-devel
%endif
BuildRequires: libicu-devel
BuildRequires: libexttextcat-devel
BuildRequires: libstemmer-devel
BuildRequires: multilib-rpm-config BuildRequires: multilib-rpm-config
#BuildRequires: libsodium-devel BuildRequires: flex, bison
#BuildRequires: libexttextcat-devel BuildRequires: systemd-devel
#BuildRequires: libstemmer-devel # for dovecot.sysusers
BuildRequires: systemd-rpm-macros
# gettext-devel is needed for running autoconf because of the # gettext-devel is needed for running autoconf because of the
# presence of AM_ICONV # presence of AM_ICONV
@ -96,33 +103,19 @@ Requires: openssl >= 0.9.7f-4
# Package includes an initscript service file, needs to require initscripts package # Package includes an initscript service file, needs to require initscripts package
Requires(pre): shadow-utils Requires(pre): shadow-utils
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
Requires: systemd Requires: systemd
Requires(post): systemd-units Requires(post): systemd-units
Requires(preun): systemd-units Requires(preun): systemd-units
Requires(postun): systemd-units Requires(postun): systemd-units
%else
Requires: initscripts
Requires(post): chkconfig
Requires(preun): chkconfig initscripts
Requires(postun): initscripts
%endif
%if %{?fedora}0 > 150 || %{?rhel}0 >60
#clucene in fedora <=15 and rhel<=6 is too old
BuildRequires: clucene-core-devel BuildRequires: clucene-core-devel
%endif
%global ssldir %{_sysconfdir}/pki/%{name} %global ssldir %{_sysconfdir}/pki/%{name}
%if %{?fedora}00%{?rhel} < 6
%global _initddir %{_initrddir}
BuildRequires: curl-devel expat-devel
%else
BuildRequires: libcurl-devel expat-devel BuildRequires: libcurl-devel expat-devel
%endif BuildRequires: make
%global restart_flag /var/run/%{name}/%{name}-restart-after-rpm-install %global restart_flag /run/%{name}/%{name}-restart-after-rpm-install
%description %description
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
@ -134,7 +127,6 @@ The SQL drivers and authentication plug-ins are in their subpackages.
%package pigeonhole %package pigeonhole
Requires: %{name} = %{epoch}:%{version}-%{release} Requires: %{name} = %{epoch}:%{version}-%{release}
Summary: Sieve and managesieve plug-in for dovecot Summary: Sieve and managesieve plug-in for dovecot
Group: System Environment/Daemons
License: MIT and LGPLv2 License: MIT and LGPLv2
%description pigeonhole %description pigeonhole
@ -143,21 +135,18 @@ This package provides sieve and managesieve plug-in for dovecot LDA.
%package pgsql %package pgsql
Requires: %{name} = %{epoch}:%{version}-%{release} Requires: %{name} = %{epoch}:%{version}-%{release}
Summary: Postgres SQL back end for dovecot Summary: Postgres SQL back end for dovecot
Group: System Environment/Daemons
%description pgsql %description pgsql
This package provides the Postgres SQL back end for dovecot-auth etc. This package provides the Postgres SQL back end for dovecot-auth etc.
%package mysql %package mysql
Requires: %{name} = %{epoch}:%{version}-%{release} Requires: %{name} = %{epoch}:%{version}-%{release}
Summary: MySQL back end for dovecot Summary: MySQL back end for dovecot
Group: System Environment/Daemons
%description mysql %description mysql
This package provides the MySQL back end for dovecot-auth etc. This package provides the MySQL back end for dovecot-auth etc.
%package devel %package devel
Requires: %{name} = %{epoch}:%{version}-%{release} Requires: %{name} = %{epoch}:%{version}-%{release}
Summary: Development files for dovecot Summary: Development files for dovecot
Group: Development/Libraries
%description devel %description devel
This package provides the development files for dovecot. This package provides the development files for dovecot.
@ -169,22 +158,26 @@ This package provides the development files for dovecot.
%patch -P 6 -p1 -b .waitonline %patch -P 6 -p1 -b .waitonline
%patch -P 8 -p1 -b .initbysystemd %patch -P 8 -p1 -b .initbysystemd
%patch -P 9 -p1 -b .systemd_w_protectsystem %patch -P 9 -p1 -b .systemd_w_protectsystem
%patch -P 11 -p1 -b .aclfix %patch -P 15 -p1 -b .bigkey
%patch -P 13 -p1 -b .bigkey %patch -P 16 -p1 -b .opensslhmac
%patch -P 14 -p1 -b .opensslhmac %patch -P 17 -p1 -b .opensslv3
%patch -P 15 -p1 -b .ftbfsbigend %patch -P 18 -p1 -b .fixvalcond
%patch -P 16 -p1 -b .keeplzma %patch -P 19 -p1 -b .valbasherr
%patch -P 17 -p1 -b .7bad6a24 %patch -P 20 -p1 -b .ftbfsbigend
%patch -P 19 -p1 -b .bdf447e4 %patch -P 21 -p1 -b .7bad6a24
%patch -P 20 -p1 -b .d7705bc6 %patch -P 22 -p1 -b .bdf447e4
%patch -P 21 -p1 -b .CVE-2024-23184 %patch -P 24 -p1 -b .d7705bc6
%patch -P 22 -p1 -b .CVE-2024-23185 %patch -P 27 -p1 -b .test-socket-path
%patch -P 23 -p1 -b .test-socket-path %patch -P 28 -p1 -b .CVE-2024-23184
pushd dovecot-2*3-pigeonhole-%{pigeonholever} %patch -P 29 -p1 -b .CVE-2024-23185
%patch -P 18 -p1 -b .9f300239..4596d399
cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/
# valgrind would fail with shell wrapper
echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude
pushd dovecot-2*3-pigeonhole-%{pigeonholever}
%patch -P 23 -p1 -b .9f300239..4596d399
popd popd
sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
%build %build
@ -192,11 +185,8 @@ sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src
%global _hardened_build 1 %global _hardened_build 1
export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none"
export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"
# el6 autoconf too old to regen; use packaged files (#1082384)
%if %{?fedora}00%{?rhel} > 6
mkdir -p m4 mkdir -p m4
autoreconf -I . -fiv #required for aarch64 support autoreconf -I . -fiv #required for aarch64 support
%endif
%configure \ %configure \
INSTALL_DATA="install -c -p -m644" \ INSTALL_DATA="install -c -p -m644" \
--with-rundir=%{_rundir}/%{name} \ --with-rundir=%{_rundir}/%{name} \
@ -214,17 +204,18 @@ autoreconf -I . -fiv #required for aarch64 support
--with-mysql \ --with-mysql \
--with-sqlite \ --with-sqlite \
--with-zlib \ --with-zlib \
--with-zstd \
--with-libcap \ --with-libcap \
--with-icu \
--with-lucene \ --with-lucene \
--with-ssl=openssl \ --with-ssl=openssl \
--with-ssldir=%{ssldir} \ --with-ssldir=%{ssldir} \
--with-solr \ --with-solr \
--with-systemdsystemunitdir=%{_unitdir} \ --with-systemdsystemunitdir=%{_unitdir} \
--with-docs --with-docs
sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf
make %{?_smp_mflags} %make_build
#pigeonhole #pigeonhole
pushd dovecot-2*3-pigeonhole-%{pigeonholever} pushd dovecot-2*3-pigeonhole-%{pigeonholever}
@ -239,13 +230,13 @@ pushd dovecot-2*3-pigeonhole-%{pigeonholever}
--with-dovecot=../ \ --with-dovecot=../ \
--without-unfinished-features --without-unfinished-features
make %{?_smp_mflags} %make_build
popd popd
%install %install
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT %make_install
# move doc dir back to build dir so doc macro in files section can use it # move doc dir back to build dir so doc macro in files section can use it
mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall
@ -254,17 +245,13 @@ mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/
%multilib_fix_c_header --file %{_includedir}/dovecot/config.h %multilib_fix_c_header --file %{_includedir}/dovecot/config.h
pushd dovecot-2*3-pigeonhole-%{pigeonholever} pushd dovecot-2*3-pigeonhole-%{pigeonholever}
make install DESTDIR=$RPM_BUILD_ROOT %make_install
mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
popd popd
%if %{?fedora}00%{?rhel} < 6
sed -i 's|password-auth|system-auth|' %{SOURCE2}
%endif
install -p -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot install -p -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot
#install man pages #install man pages
@ -273,6 +260,8 @@ install -p -D -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_mandir}/man5/dovecot.conf.5
#install waitonline script #install waitonline script
install -p -D -m 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript install -p -D -m 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript
install -p -D -m 0644 %{SOURCE16} $RPM_BUILD_ROOT%{_sysusersdir}/dovecot.sysusers
# generate ghost .pem files # generate ghost .pem files
mkdir -p $RPM_BUILD_ROOT%{ssldir}/certs mkdir -p $RPM_BUILD_ROOT%{ssldir}/certs
mkdir -p $RPM_BUILD_ROOT%{ssldir}/private mkdir -p $RPM_BUILD_ROOT%{ssldir}/private
@ -281,14 +270,9 @@ chmod 600 $RPM_BUILD_ROOT%{ssldir}/certs/dovecot.pem
touch $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem touch $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem
chmod 600 $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem chmod 600 $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
install -p -D -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_tmpfilesdir}/dovecot.conf install -p -D -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_tmpfilesdir}/dovecot.conf
%else
install -p -D -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initddir}/dovecot
install -p -D -m 600 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/dovecot
%endif
mkdir -p $RPM_BUILD_ROOT/var/run/dovecot/{login,empty,token-login} mkdir -p $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login}
# Install dovecot configuration and dovecot-openssl.cnf # Install dovecot configuration and dovecot-openssl.cnf
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d
@ -315,79 +299,64 @@ popd
%pre %pre
#dovecot uid and gid are reserved, see /usr/share/doc/setup-*/uidgid #dovecot uid and gid are reserved, see /usr/share/doc/setup-*/uidgid
getent group dovecot >/dev/null || groupadd -r --gid 97 dovecot %sysusers_create_compat %{SOURCE16}
getent passwd dovecot >/dev/null || \
useradd -r --uid 97 -g dovecot -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot IMAP server" dovecot
getent group dovenull >/dev/null || groupadd -r dovenull if [ -z "$LEAPP_IPU_IN_PROGRESS" ]
getent passwd dovenull >/dev/null || \ then
useradd -r -g dovenull -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot's unauthorized user" dovenull # during LEAPP upgrade, services are not running anyway
# do not let dovecot run during upgrade rhbz#134325 # do not let dovecot run during upgrade rhbz#134325
if [ "$1" = "2" ]; then if [ "$1" = "2" ]; then
rm -f %restart_flag rm -f %restart_flag
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
/bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||: /bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||:
/bin/systemctl stop %{name}.service >/dev/null 2>&1 /bin/systemctl stop %{name}.service >/dev/null 2>&1
%else fi
/sbin/service %{name} status >/dev/null 2>&1 && touch %restart_flag ||:
/sbin/service %{name} stop >/dev/null 2>&1
%endif
fi fi
%post %post
if [ $1 -eq 1 ] if [ $1 -eq 1 ]
then then
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
%systemd_post dovecot.service %systemd_post dovecot.service
%else
/sbin/chkconfig --add %{name}
%endif
fi fi
install -d -m 0755 -g dovecot -d /var/run/dovecot install -d -m 0755 -g dovecot -d /run/dovecot
install -d -m 0755 -d /var/run/dovecot/empty install -d -m 0755 -d /run/dovecot/empty
install -d -m 0750 -g dovenull -d /var/run/dovecot/login install -d -m 0750 -g dovenull -d /run/dovecot/login
install -d -m 0750 -g dovenull -d /var/run/dovecot/token-login install -d -m 0750 -g dovenull -d /run/dovecot/token-login
[ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot ||: [ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot ||:
%preun %preun
if [ $1 = 0 ]; then if [ $1 = 0 ]; then
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
/bin/systemctl disable dovecot.service dovecot.socket >/dev/null 2>&1 || : /bin/systemctl disable dovecot.service dovecot.socket >/dev/null 2>&1 || :
/bin/systemctl stop dovecot.service dovecot.socket >/dev/null 2>&1 || : /bin/systemctl stop dovecot.service dovecot.socket >/dev/null 2>&1 || :
%else rm -rf /run/dovecot
/sbin/service %{name} stop > /dev/null 2>&1
/sbin/chkconfig --del %{name}
%endif
rm -rf /var/run/dovecot
fi fi
%postun %postun
%if %{?fedora}0 > 140 || %{?rhel}0 > 60 if [ -z "$LEAPP_IPU_IN_PROGRESS" ]
then
# during LEAPP upgrade, services are not running anyway
/bin/systemctl daemon-reload >/dev/null 2>&1 || : /bin/systemctl daemon-reload >/dev/null 2>&1 || :
%endif
if [ "$1" -ge "1" -a -e %restart_flag ]; then if [ "$1" -ge "1" -a -e %restart_flag ]; then
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
/bin/systemctl start dovecot.service >/dev/null 2>&1 || : /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
%else
/sbin/service %{name} start >/dev/null 2>&1 || :
%endif
rm -f %restart_flag rm -f %restart_flag
fi fi
fi
%posttrans %posttrans
if [ -z "$LEAPP_IPU_IN_PROGRESS" ]
then
# during LEAPP upgrade, services are not running anyway
# dovecot should be started again in %%postun, but it's not executed on reinstall # dovecot should be started again in %%postun, but it's not executed on reinstall
# if it was already started, restart_flag won't be here, so it's ok to test it again # if it was already started, restart_flag won't be here, so it's ok to test it again
if [ -e %restart_flag ]; then if [ -e %restart_flag ]; then
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
/bin/systemctl start dovecot.service >/dev/null 2>&1 || : /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
%else
/sbin/service %{name} start >/dev/null 2>&1 || :
%endif
rm -f %restart_flag rm -f %restart_flag
fi fi
fi
%check %check
make check make check
@ -404,15 +373,11 @@ make check
%{_bindir}/dovecot-sysreport %{_bindir}/dovecot-sysreport
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
%_tmpfilesdir/dovecot.conf %_tmpfilesdir/dovecot.conf
%{_sysusersdir}/dovecot.sysusers
%{_unitdir}/dovecot.service %{_unitdir}/dovecot.service
%{_unitdir}/dovecot-init.service %{_unitdir}/dovecot-init.service
%{_unitdir}/dovecot.socket %{_unitdir}/dovecot.socket
%else
%{_initddir}/dovecot
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/dovecot
%endif
%dir %{_sysconfdir}/dovecot %dir %{_sysconfdir}/dovecot
%dir %{_sysconfdir}/dovecot/conf.d %dir %{_sysconfdir}/dovecot/conf.d
@ -483,10 +448,10 @@ make check
%{_libexecdir}/%{name} %{_libexecdir}/%{name}
%exclude %{_libexecdir}/%{name}/managesieve* %exclude %{_libexecdir}/%{name}/managesieve*
%dir %attr(0755,root,dovecot) %ghost /var/run/dovecot %dir %attr(0755,root,dovecot) %ghost /run/dovecot
%attr(0750,root,dovenull) %ghost /var/run/dovecot/login %attr(0750,root,dovenull) %ghost /run/dovecot/login
%attr(0750,root,dovenull) %ghost /var/run/dovecot/token-login %attr(0750,root,dovenull) %ghost /run/dovecot/token-login
%attr(0755,root,root) %ghost /var/run/dovecot/empty %attr(0755,root,root) %ghost /run/dovecot/empty
%attr(0750,dovecot,dovecot) /var/lib/dovecot %attr(0750,dovecot,dovecot) /var/lib/dovecot
@ -544,117 +509,257 @@ make check
%{_libdir}/%{name}/dict/libdriver_pgsql.so %{_libdir}/%{name}/dict/libdriver_pgsql.so
%changelog %changelog
* Tue Aug 20 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-6 * Mon Sep 02 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-11.1
- fix CVE-2024-23185: very large headers can cause resource exhaustion when parsing message (RHEL-55219) - fix CVE-2024-23184: using a large number of address headers may trigger a denial of service (RHEL-55211)
- fix CVE-2024-23184: using a large number of address headers may trigger a denial of service (RHEL-55206) - fix CVE-2024-23185: very large headers can cause resource exhaustion when parsing message (RHEL-55225)
* Fri Feb 16 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-11
- fixes assert-crash when IMAP client uses QRESYNC (#RHEL-25434)
* Tue Aug 15 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-10
- fix leaking mailboxes if virtual mailbox can't be opened (#2231408)
* Sat May 27 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-9
- add buildrequire of rpcgen to enable rquota support(#2157045)
* Tue Sep 13 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-8
- do not run systemd commands during leapp upgrade (#2119385)
* Fri Feb 16 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-5 * Tue Jul 12 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-7
- fixes assert-crash when IMAP client uses QRESYNC (#RHEL-22854) - fix possible privilege escalation when similar master and non-master passdbs are used (#2106232)
* Fri Aug 04 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-4 * Wed Jul 06 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-6
- fix leaking mailboxes if virtual mailbox can't be opened (#2128857) - fix possible nonzero return value of postinst script(#2053368)
* Tue Jul 19 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-3 * Tue Jul 05 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-5
- fix possible privilege escalation when similar master and non-master passdbs are used (#2106231) - workaround sysuers macro defficiency (#2095399)
* Wed Dec 08 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-2 * Tue Jul 05 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-4
- do not disable xz/lzma for now despite being deprecated - use systemd-sysusers for user creation (#2095399)
* Wed Dec 08 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-1 * Wed Nov 03 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-3
- re-enable LTO build (#1990080)
* Wed Oct 27 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-2
- set first_valid_uid to 1000 to match system default (#2009716)
* Fri Aug 20 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-1
- dovecot updated to 2.3.16, pigeonhole to 0.5.16 - dovecot updated to 2.3.16, pigeonhole to 0.5.16
- fix CVE-2021-33515 plaintext commands injection (#1980014) - fixes several regressions (#1997583)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.3.15-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 21 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.15-1
- dovecot updated to 2.3.15, pigeonhole updated to 0.5.15
- CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
JWT tokens. This may be used to supply attacker controlled keys to
validate tokens, if attacker has local access (#1979833)
- CVE-2021-33515: On-path attacker could have injected plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client
- Add TSLv1.3 support to min_protocols.
* Wed Jul 14 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-5
- fix mail storage block count parsing (#1974281)
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.3.14-4
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri Jun 04 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-3
- compatibility with openssl 3.0 (#1962035)
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.3.14-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon Mar 22 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-1
- dovecot updated to 2.3.14, pigeonhole to 0.5.14
- use OpenSSL's implementation of HMAC
- Remove autocreate, expire, snarf and mail-filter plugins.
- Remove cydir storage driver.
- Remove XZ/LZMA write support. Read support will be removed in future release.
* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 1:2.3.13-7
- rebuild for libpq ABI fix rhbz#1908268
* Mon Feb 01 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-6
- use make macros
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.13-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Jan 18 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-4
- fix multilib issues
* Mon Jan 18 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-3
- bump release and rebuild
* Thu Jan 07 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-2
- fix rundir location
* Wed Jan 06 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-1
- fix release number
* Mon Jan 04 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-0
- dovecot updated to 2.3.13, pigeonhole to 0.5.13
- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
allow logged in user to access other people's emails and filesystem
information.
- Metric filter and global event filter variable syntax changed to a
SQL-like format.
- auth: Added new aliases for %{variables}. Usage of the old ones is
possible, but discouraged.
- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth
mechanism and related password schemes.
- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
- auth: Removed postfix postmap socket
* Wed Oct 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-7
- change run directory from /var/run to /run (#1777922)
* Wed Oct 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-6
- use bigger default key size (#1882939)
* Wed Sep 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-5
- fix gssapi issue
* Wed Aug 26 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-4
- fix FTBFS on 32bit systems
* Mon Aug 17 2020 Jeff Law <law@redhat.com> - 1:2.3.11.3-2
- Disable LTO
* Sat Aug 15 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-1
- CVE-2020-12100: Parsing mails with a large number of MIME parts could
have resulted in excessive CPU usage or a crash due to running out of
stack memory.
- CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
message buffer size, which leads to reading past allocation which can
lead to crash.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
address that has the empty quoted string as local-part causes the lmtp
service to crash.
- CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
zero-length message, which leads to assert-crash later on.
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.10.1-3
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.10.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon May 18 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.10.1-1
- dovecot updated to 2.3.10.1
- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957
* Tue Apr 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.10-1
- dovecot updated to 2.3.10, pigeonhole updated to 0.5.10
* Wed Feb 12 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9.3-1
- dovecot updated to 2.3.9.3
- fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS
submission-login and lmtp processes.
- fixes CVE-2020-7957: Specially crafted mail can crash snippet generation.
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.9.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Feb 03 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-9 * Thu Dec 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9.2-1
- fix CVE-2020-24386 IMAP hibernation function allows mail access (#1913534) - CVE-2019-19722: Mails with group addresses in From or To fields
caused crash in push notification drivers.
* Wed Dec 04 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9-1
- dovecot updated to 2.3.9, pigeonhole updated to 0.5.9
* Thu Oct 10 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-1
- dovecot updated to 2.3.8, pigeonhole 0.5.8
* Thu Aug 29 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.7.2-1
- dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2
- fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
when scanning data in quoted strings, leading to out of bounds heap
memory writes
* Tue Jan 12 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-8 * Mon Aug 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:1-2.3.7.1
- fix CVE-2020-25275 denial of service via mail MIME parsing (#1914019) - dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1
* Thu Jan 07 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-7 * Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.6-4
- change run directory from /var/run to /run (#1805947) - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Dec 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-6 * Fri May 31 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-3
- fix mail storage block count parsing (#1894418) - disable gcc 9 stack reuse temporarily
- MIME parser crashed when boundaries were wrong (#1888111)
* Mon Nov 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-5 * Mon May 13 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-2
- multilib compatibility (#1853137) - use /run instead of /var/run (#1706372)
* Fri Aug 07 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-4 * Thu May 02 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-1
- fix CVE-2020-12100 resource exhaustion via deeply nested MIME parts (#1866756) - dovecot updated to 2.3.6, pigeonhole updated to 0.5.6
- fix CVE-2020-12673 out of bound reads in dovecot NTLM implementation (#1866761)
- fix CVE-2020-12674 crash due to assert in RPA implementation (#1866768)
* Mon Jun 01 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-3 * Thu Apr 18 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5.2-1
- fix CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS (#1840354) - dovecot updated to 2.3.5.2
- fix CVE-2020-10958 dovecot: command followed by sufficient number of newlines - fixes CVE-2019-10691: Trying to login with 8bit username containing
leads to use-after-free (#1840357) invalid UTF8 input causes auth process to crash if auth policy is enabled.
- fix CVE-2020-10967 dovecot: sending mail with empty quoted localpart
leads to DoS (#1840356)
* Thu Jan 09 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-2 * Thu Mar 28 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5.1-1
- fix default attributes for ghost files - dovecot updated to 2.3.5.1
- CVE-2019-7524: Missing input buffer size validation leads into
arbitrary buffer overflow when reading fts or pop3 uidl header
from Dovecot index.
* Tue Nov 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-1 * Wed Mar 06 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5-1
- dovecot updated to 2.3.8 with pigeonhole updated to 0.5.8 (#1653117) - dovecot updated to 2.3.5, pigeonhole updated to 0.5.5
* Thu Aug 29 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-10 * Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.4-3
- fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
when scanning data in quoted strings, leading to out of bounds heap
memory writes (#1741788) * Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 1:2.3.4-2
- Rebuilt for libcrypt.so.2 (#1666033)
* Fri Aug 23 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-9 * Wed Jan 09 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.4-1
- reset errno before iterating through users (#1630410) - dovecot updated to 2.3.4, pigeonhole updated to 0.5.4
* Mon Jun 17 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-8 * Tue Oct 02 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.3-1
- fix CVE-2019-3814: improper certificate validation (#1674370) - dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3
- doveconf hides more secrets now in the default output
- NUL bytes in mail headers can cause truncated replies when fetched.
- virtual plugin: Some searches used 100% CPU for many seconds
- dsync assert-crashed with acl plugin in some situations.
- imapc: Fixed various assert-crashes when reconnecting to server.
* Fri Jun 14 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-7
- do not print error message when restorecon is not present
during install (#1626395)
- change default config to use minimal UID = 1000 (#1630410)
* Mon Jun 10 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-6 * Tue Oct 02 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2.1-4
- use OpenSSl implementation of HMAC, disable CRAM-MD5 when FIPS is enabled (#1618749) - fix dovecot-init service syntax error (#1635017)
* Tue Oct 16 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-5 * Mon Aug 13 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2.1-3
- make key not that bigger (#1618714) - do not try to generate ssl-params as its obsolete (#1614640)
* Tue Oct 16 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-4 * Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.2.1-2
- generated key was too small (#1618714) - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Sep 19 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-3 * Tue Jul 10 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2.1-1
- fix global ACL directory configuration search path (#1630383) - SSL/TLS servers may have crashed during client disconnection
- update first/last_valid_gid range patch (#1630410)
* Mon Jul 30 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-2 * Mon Jul 09 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2-1
- fix defaut permissions of gost run files - dovecot updated to 2.3.2, pigeonhole to 0.5.2
* Thu Jun 28 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-1 * Wed Mar 28 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.1-2
- dovecot updated to 2.2.36, pigeonhole to 0.4.24 - fix ftbfs - murmurhash3 check fail
* Thu May 24 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.35-3 * Wed Mar 28 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.1-1
- disable tcp_wrappers as it's not available in rhel8 - dovecot updated to 2.3.1, pigeonhole updated to 0.5.1
* Thu Apr 19 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.35-2 * Tue Mar 27 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.0.1-3
- include crypt.h explicitely - use libxcrypt for Fedora >= 28, part of ftbfs fix (#1548520)
* Wed Mar 21 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.35-1 * Wed Mar 07 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.0.1-2
- dovecot updated to 2.2.35, pigeonhole updated to 0.4.23 - add gcc buildrequire
* Thu Mar 01 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.34-1 * Thu Mar 01 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.0.1-1
- dovecot updated to 2.2.34, pigeonhole updated to 0.4.22 - dovecot updated to 2.3.0.1, pigeonhole updated to 0.5.0.1
- fixes CVE-2017-15130: TLS SNI config lookups may lead to excessive
memory usage, causing imap-login/pop3-login VSZ limit to be reached
and the process restarted. This happens only if Dovecot config has
local_name { } or local { } configuration blocks and attacker uses
randomly generated SNI servernames.
- fixes CVE-2017-14461: Parsing invalid email addresses may cause a crash or
leak memory contents to attacker. For example, these memory contents
might contain parts of an email from another user if the same imap
process is reused for multiple users.
- fixes CVE-2017-15132: Aborted SASL authentication leaks memory in login
process.
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1:2.2.33.2-5 * Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1:2.2.33.2-5
- Escape macros in %%changelog - Escape macros in %%changelog

Loading…
Cancel
Save