Compare commits

...

No commits in common. 'cs10' and 'c9' have entirely different histories.
cs10 ... c9

@ -1,2 +1,2 @@
e0707a46cb9e1342a74cb03803430f9198608e5e SOURCES/dovecot-2.3-pigeonhole-0.5.21.tar.gz
20300087e8575a42dc16245d05b0905b588396f9 SOURCES/dovecot-2.3.21.tar.gz
4673c244c6ea73ee3da0bb61d0206a1fe3d0be0e SOURCES/dovecot-2.3-pigeonhole-0.5.16.tar.gz
b5c598ae8b9901bfabdf2c93271f57cde0bde73e SOURCES/dovecot-2.3.16.tar.gz

4
.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/dovecot-2.3-pigeonhole-0.5.21.tar.gz
SOURCES/dovecot-2.3.21.tar.gz
SOURCES/dovecot-2.3-pigeonhole-0.5.16.tar.gz
SOURCES/dovecot-2.3.16.tar.gz

@ -1,11 +1,11 @@
diff -up dovecot-2.3.19.1/dovecot.service.in.waitonline dovecot-2.3.19.1/dovecot.service.in
--- dovecot-2.3.19.1/dovecot.service.in.waitonline 2022-06-14 08:55:03.000000000 +0200
+++ dovecot-2.3.19.1/dovecot.service.in 2022-11-08 20:28:37.550081709 +0100
@@ -12,6 +12,7 @@ Description=Dovecot IMAP/POP3 email serv
Documentation=man:dovecot(1)
Documentation=https://doc.dovecot.org/
After=local-fs.target network-online.target
+Wants=network-online.target
diff -up dovecot-2.3.15/dovecot.service.in.waitonline dovecot-2.3.15/dovecot.service.in
--- dovecot-2.3.15/dovecot.service.in.waitonline 2021-06-21 20:19:19.560494654 +0200
+++ dovecot-2.3.15/dovecot.service.in 2021-06-21 20:21:17.443066248 +0200
@@ -15,6 +15,7 @@ After=local-fs.target network-online.tar
[Service]
Type=@systemdservicetype@
+ExecStartPre=/usr/libexec/dovecot/prestartscript
ExecStart=@sbindir@/dovecot -F
ExecReload=@bindir@/doveadm reload
ExecStop=@bindir@/doveadm stop

@ -25,9 +25,9 @@ diff -up dovecot-2.3.15/dovecot.service.in.initbysystemd dovecot-2.3.15/dovecot.
-After=local-fs.target network-online.target
+After=local-fs.target network-online.target dovecot-init.service
+Requires=dovecot-init.service
Wants=network-online.target
[Service]
Type=@systemdservicetype@
diff -up dovecot-2.3.15/Makefile.am.initbysystemd dovecot-2.3.15/Makefile.am
--- dovecot-2.3.15/Makefile.am.initbysystemd 2021-06-21 20:21:49.250680889 +0200
+++ dovecot-2.3.15/Makefile.am 2021-06-21 20:24:26.676765849 +0200

@ -1,48 +0,0 @@
diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c.ph_optglob dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c
--- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c.ph_optglob 2024-06-04 09:11:28.514189662 +0200
+++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c 2024-06-04 09:18:23.219809778 +0200
@@ -368,11 +368,13 @@ static bool opc_include_dump
return FALSE;
sieve_code_descend(denv);
- sieve_code_dumpf(denv, "script: `%s' from %s %s%s[ID: %d, BLOCK: %d]",
+ sieve_code_dumpf(denv, "script: `%s' from %s %s%s%s[ID: %d, BLOCK: %d]",
sieve_script_name(included->script), sieve_script_location(included->script),
((flags & EXT_INCLUDE_FLAG_ONCE) != 0 ? "(once) " : ""),
((flags & EXT_INCLUDE_FLAG_OPTIONAL) != 0 ? "(optional) " : ""),
- include_id, sieve_binary_block_get_id(included->block));
+ (included->block == NULL ? "(missing) " : ""),
+ include_id,
+ (included->block == NULL ? -1 : sieve_binary_block_get_id(included->block)));
return TRUE;
}
diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c
--- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob 2023-09-14 15:18:26.000000000 +0200
+++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c 2024-06-04 09:10:45.187823805 +0200
@@ -693,6 +693,25 @@ int ext_include_execute_include(const st
}
ctx = ext_include_get_interpreter_context(this_ext, renv->interp);
+ if (included->block == NULL) {
+ if ((flags & EXT_INCLUDE_FLAG_OPTIONAL) != 0) {
+ sieve_runtime_trace(
+ renv, SIEVE_TRLVL_NONE,
+ "include: skipped include for script '%s' "
+ "[inc id: %d, block: NULL]; optional and unavailable",
+ sieve_script_name(included->script),
+ include_id);
+ return result;
+ } else {
+ sieve_runtime_trace(
+ renv, SIEVE_TRLVL_NONE,
+ "include: unavailable script '%s' "
+ "[inc id: %d, block: NULL]",
+ sieve_script_name(included->script),
+ include_id);
+ return SIEVE_EXEC_BIN_CORRUPT;
+ }
+ }
block_id = sieve_binary_block_get_id(included->block);
/* If :once modifier is specified, check for duplicate include */

@ -1,12 +0,0 @@
diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c.testfix4 dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c
--- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c.testfix4 2024-06-03 13:35:24.408858593 +0200
+++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c 2024-06-03 13:35:24.434858849 +0200
@@ -800,7 +800,7 @@ static bool sieve_file_script_equals
(struct sieve_file_script *)other;
return ( CMP_DEV_T(fscript->st.st_dev, fother->st.st_dev) &&
- fscript->st.st_ino == fother->st.st_ino );
+ fscript->st.st_ino == fother->st.st_ino && (fscript->st.st_ino != 0 || script->location != NULL && other->location != NULL && strcmp(script->location, other->location) == 0));
}
/*

@ -1,11 +0,0 @@
diff -up dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt dovecot-2.3.0.1/src/auth/mycrypt.c
--- dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt 2018-02-28 15:28:58.000000000 +0100
+++ dovecot-2.3.0.1/src/auth/mycrypt.c 2018-03-27 10:57:38.447769201 +0200
@@ -14,6 +14,7 @@
# define _XPG6 /* Some Solaris versions require this, some break with this */
#endif
#include <unistd.h>
+#include <crypt.h>
#include "mycrypt.h"

@ -1,19 +1,19 @@
diff -up dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c
--- dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100
+++ dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100
@@ -114,7 +114,7 @@ static int sieve_dict_script_get_stream
diff -up dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c
--- dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-06-21 23:07:55.269814896 +0200
+++ dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-06-21 23:07:55.298814544 +0200
@@ -109,7 +109,7 @@ static int sieve_dict_script_get_stream
{
struct sieve_dict_script *dscript =
(struct sieve_dict_script *)script;
struct sieve_dict_storage *dstorage =
(struct sieve_dict_storage *)script->storage;
- const char *path, *name = script->name, *data, *error;
+ const char *path, *name = script->name, *data, *error = NULL;
int ret;
dscript->data_pool =
diff -up dovecot-2.3.17/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.17/src/lib-storage/index/index-attribute.c
--- dovecot-2.3.17/src/lib-storage/index/index-attribute.c.fixvalcond 2021-10-27 13:09:04.000000000 +0200
+++ dovecot-2.3.17/src/lib-storage/index/index-attribute.c 2021-11-02 21:51:36.109032050 +0100
@@ -248,7 +248,7 @@ int index_storage_attribute_get(struct m
diff -up dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.15/src/lib-storage/index/index-attribute.c
--- dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond 2021-06-14 15:40:37.000000000 +0200
+++ dovecot-2.3.15/src/lib-storage/index/index-attribute.c 2021-06-21 21:52:22.963171229 +0200
@@ -249,7 +249,7 @@ int index_storage_attribute_get(struct m
struct mail_attribute_value *value_r)
{
struct dict *dict;

@ -0,0 +1,17 @@
diff --git a/src/lib-index/mail-index-sync.c b/src/lib-index/mail-index-sync.c
index 6322ee1869..c847f1cc01 100644
--- a/src/lib-index/mail-index-sync.c
+++ b/src/lib-index/mail-index-sync.c
@@ -544,6 +544,12 @@ static bool mail_index_sync_view_have_any(struct mail_index_view *view,
return TRUE;
mail_transaction_log_get_head(view->index->log, &log_seq, &log_offset);
+ if (log_seq < view->map->hdr.log_file_seq ||
+ ((log_seq == view->map->hdr.log_file_seq &&
+ log_offset < view->map->hdr.log_file_tail_offset))) {
+ /* invalid offsets - let the syncing handle the error */
+ return TRUE;
+ }
if (mail_transaction_log_view_set(view->log_view,
view->map->hdr.log_file_seq,
view->map->hdr.log_file_tail_offset,

@ -0,0 +1,53 @@
commit ec4595097067a736717ef202fe8542b1b4bc2dd5
Author: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Tue Aug 10 12:22:08 2021 +0300
lib-index: Fix storing cache fields' last_used with 64bit big endian CPUs
diff --git a/src/lib-index/mail-cache-fields.c b/src/lib-index/mail-cache-fields.c
index e929fb559d..429e0d234c 100644
--- a/src/lib-index/mail-cache-fields.c
+++ b/src/lib-index/mail-cache-fields.c
@@ -524,6 +524,19 @@ static void copy_to_buf_byte(struct mail_cache *cache, buffer_t *dest,
}
}
+static void
+copy_to_buf_last_used(struct mail_cache *cache, buffer_t *dest, bool add_new)
+{
+ size_t offset = offsetof(struct mail_cache_field, last_used);
+#if defined(WORDS_BIGENDIAN) && SIZEOF_VOID_P == 8
+ /* 64bit time_t with big endian CPUs: copy the last 32 bits instead of
+ the first 32 bits (that are always 0). The 32 bits are enough until
+ year 2106, so we're not in a hurry to use 64 bits on disk. */
+ offset += sizeof(uint32_t);
+#endif
+ copy_to_buf(cache, dest, add_new, offset, sizeof(uint32_t));
+}
+
static int mail_cache_header_fields_update_locked(struct mail_cache *cache)
{
buffer_t *buffer;
@@ -536,9 +549,7 @@ static int mail_cache_header_fields_update_locked(struct mail_cache *cache)
buffer = t_buffer_create(256);
- copy_to_buf(cache, buffer, FALSE,
- offsetof(struct mail_cache_field, last_used),
- sizeof(uint32_t));
+ copy_to_buf_last_used(cache, buffer, FALSE);
ret = mail_cache_write(cache, buffer->data, buffer->used,
offset + MAIL_CACHE_FIELD_LAST_USED());
if (ret == 0) {
@@ -599,9 +610,7 @@ void mail_cache_header_fields_get(struct mail_cache *cache, buffer_t *dest)
buffer_append(dest, &hdr, sizeof(hdr));
/* we have to keep the field order for the existing fields. */
- copy_to_buf(cache, dest, TRUE,
- offsetof(struct mail_cache_field, last_used),
- sizeof(uint32_t));
+ copy_to_buf_last_used(cache, dest, TRUE);
copy_to_buf(cache, dest, TRUE,
offsetof(struct mail_cache_field, field_size),
sizeof(uint32_t));

@ -0,0 +1,578 @@
From 9f3002393fe1c1fe317121d03591569dac120739 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Tue, 17 Aug 2021 19:09:13 +0200
Subject: [PATCH 01/12] lib-sieve: sieve-interpreter - Fix field mixup in debug
message.
---
src/lib-sieve/sieve-interpreter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib-sieve/sieve-interpreter.c b/src/lib-sieve/sieve-interpreter.c
index 9ee6c659..274e142d 100644
--- a/src/lib-sieve/sieve-interpreter.c
+++ b/src/lib-sieve/sieve-interpreter.c
@@ -1003,8 +1003,8 @@ int sieve_interpreter_continue(struct sieve_interpreter *interp,
}
e_debug(e->event(), "Finished running script `%s' "
"(status=%s, resource usage: %s)",
- sieve_execution_exitcode_to_str(ret),
sieve_binary_source(interp->runenv.sbin),
+ sieve_execution_exitcode_to_str(ret),
sieve_resource_usage_get_summary(&interp->rusage));
interp->running = FALSE;
}
From 54e020c1212f626049bffc6c6fea8e606a893af2 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 01:44:23 +0200
Subject: [PATCH 02/12] lib-sieve: sieve-result - Remove success parameter from
sieve_result_implicit_keep_execute().
---
src/lib-sieve/sieve-result.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 55eb9f54..d3f2f925 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1475,8 +1475,7 @@ void sieve_result_execution_destroy(struct sieve_result_execution **_rexec)
}
static void
-sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec,
- bool success)
+sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
{
const struct sieve_action_exec_env *aenv = &rexec->action_env;
struct sieve_result *result = aenv->result;
@@ -1486,6 +1485,7 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec,
struct sieve_action_execution *aexec_keep = &rexec->keep;
struct sieve_result_action *ract_keep = &rexec->keep_action;
struct sieve_action *act_keep = &ract_keep->action;
+ bool success = (rexec->status == SIEVE_EXEC_OK);
if (rexec->keep_equiv_action != NULL) {
e_debug(rexec->event, "No implicit keep needed "
@@ -1579,8 +1579,8 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec,
}
}
- e_debug(rexec->event, "Execute implicit keep (failure=%s)",
- (!success ? "yes" : "no"));
+ e_debug(rexec->event, "Execute implicit keep (status=%s)",
+ sieve_execution_exitcode_to_str(rexec->status));
/* Initialize side effects */
sieve_action_execution_add_side_effects(rexec, aexec_keep, ract_keep);
@@ -1633,7 +1633,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
/* Start keep if necessary */
if (act_keep->def == NULL ||
aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
- sieve_result_implicit_keep_execute(rexec, success);
+ sieve_result_implicit_keep_execute(rexec);
/* Switch to failure keep if necessary. */
} else if (rexec->keep_success && !success){
e_debug(rexec->event, "Switch to failure implicit keep");
@@ -1645,7 +1645,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
i_zero(aexec_keep);
/* Start failure keep action. */
- sieve_result_implicit_keep_execute(rexec, success);
+ sieve_result_implicit_keep_execute(rexec);
}
if (act_keep->def == NULL)
return rexec->keep_status;
@@ -1931,10 +1931,8 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
/* Execute implicit keep if the transaction failed or when the
implicit keep was not canceled during transaction.
*/
- if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
- sieve_result_implicit_keep_execute(
- rexec, (rexec->status == SIEVE_EXEC_OK));
- }
+ if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit)
+ sieve_result_implicit_keep_execute(rexec);
}
/* Transaction commit/rollback */
From 291f2fdb77b86db566dca7c028dd93fc741f6b31 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 01:40:57 +0200
Subject: [PATCH 03/12] lib-sieve: sieve-result - Remove success parameter from
sieve_result_implicit_keep_finalize().
---
src/lib-sieve/sieve-result.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index d3f2f925..3cf2c02a 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1603,8 +1603,7 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
}
static int
-sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
- bool success)
+sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
{
const struct sieve_action_exec_env *aenv = &rexec->action_env;
const struct sieve_execute_env *eenv = aenv->exec_env;
@@ -1612,6 +1611,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
struct sieve_result_action *ract_keep = &rexec->keep_action;
struct sieve_action *act_keep = &ract_keep->action;
int commit_status = SIEVE_EXEC_OK;
+ bool success = (rexec->status == SIEVE_EXEC_OK);
if (rexec->keep_equiv_action != NULL) {
struct sieve_action_execution *ke_aexec =
@@ -1627,8 +1627,8 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
return rexec->keep_status;
}
- e_debug(rexec->event, "Finalize implicit keep (failure=%s)",
- (!success ? "yes" : "no"));
+ e_debug(rexec->event, "Finalize implicit keep (status=%s)",
+ sieve_execution_exitcode_to_str(rexec->status));
/* Start keep if necessary */
if (act_keep->def == NULL ||
@@ -1950,8 +1950,7 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
implicit keep was not canceled during transaction.
*/
if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
- ret = sieve_result_implicit_keep_finalize(
- rexec, (rexec->status == SIEVE_EXEC_OK));
+ ret = sieve_result_implicit_keep_finalize(rexec);
switch (ret) {
case SIEVE_EXEC_OK:
if (result_status == SIEVE_EXEC_TEMP_FAILURE)
From 10e347e3c9eb5e7bf5bc6f178389005357f527fe Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 02:07:01 +0200
Subject: [PATCH 04/12] lib-sieve: sieve-result - Move temp failure status
checks into sieve_result_implicit_keep_execute().
---
src/lib-sieve/sieve-result.c | 38 ++++++++++++++++++++++++------------
1 file changed, 26 insertions(+), 12 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 3cf2c02a..44afeef7 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -934,6 +934,7 @@ struct sieve_result_execution {
bool keep_success:1;
bool keep_explicit:1;
bool keep_implicit:1;
+ bool keep_finalizing:1;
bool seen_delivery:1;
bool executed:1;
bool executed_delivery:1;
@@ -1485,7 +1486,24 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
struct sieve_action_execution *aexec_keep = &rexec->keep;
struct sieve_result_action *ract_keep = &rexec->keep_action;
struct sieve_action *act_keep = &ract_keep->action;
- bool success = (rexec->status == SIEVE_EXEC_OK);
+ bool success = FALSE;
+
+ switch (rexec->status) {
+ case SIEVE_EXEC_OK:
+ success = TRUE;
+ break;
+ case SIEVE_EXEC_TEMP_FAILURE:
+ case SIEVE_EXEC_RESOURCE_LIMIT:
+ if (rexec->executed)
+ break;
+ if (rexec->committed)
+ break;
+ if (rexec->keep_finalizing)
+ break;
+ return;
+ default:
+ break;
+ }
if (rexec->keep_equiv_action != NULL) {
e_debug(rexec->event, "No implicit keep needed "
@@ -1630,6 +1648,8 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
e_debug(rexec->event, "Finalize implicit keep (status=%s)",
sieve_execution_exitcode_to_str(rexec->status));
+ rexec->keep_finalizing = TRUE;
+
/* Start keep if necessary */
if (act_keep->def == NULL ||
aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
@@ -1923,17 +1943,11 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
return rexec->status;
}
- /* Execute implicit keep if necessary */
-
- if (rexec->executed ||
- (rexec->status != SIEVE_EXEC_TEMP_FAILURE &&
- rexec->status != SIEVE_EXEC_RESOURCE_LIMIT)) {
- /* Execute implicit keep if the transaction failed or when the
- implicit keep was not canceled during transaction.
- */
- if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit)
- sieve_result_implicit_keep_execute(rexec);
- }
+ /* Execute implicit keep if the transaction failed or when the
+ implicit keep was not canceled during transaction.
+ */
+ if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit)
+ sieve_result_implicit_keep_execute(rexec);
/* Transaction commit/rollback */
From c84e6e5d8d1d8b03a0ba5958804d200c6e1916d8 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 02:26:32 +0200
Subject: [PATCH 05/12] lib-sieve: sieve-result - Move temp failure status
checks into sieve_result_implicit_keep_finalize().
---
src/lib-sieve/sieve-result.c | 56 +++++++++++++++++++++---------------
1 file changed, 33 insertions(+), 23 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 44afeef7..10cc3b95 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1629,7 +1629,20 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
struct sieve_result_action *ract_keep = &rexec->keep_action;
struct sieve_action *act_keep = &ract_keep->action;
int commit_status = SIEVE_EXEC_OK;
- bool success = (rexec->status == SIEVE_EXEC_OK);
+ bool success = FALSE;
+
+ switch (rexec->status) {
+ case SIEVE_EXEC_OK:
+ success = TRUE;
+ break;
+ case SIEVE_EXEC_TEMP_FAILURE:
+ case SIEVE_EXEC_RESOURCE_LIMIT:
+ if (rexec->committed)
+ break;
+ return rexec->status;
+ default:
+ break;
+ }
if (rexec->keep_equiv_action != NULL) {
struct sieve_action_execution *ke_aexec =
@@ -1957,32 +1970,29 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
/* Commit implicit keep if necessary */
result_status = rexec->status;
- if (rexec->committed ||
- (rexec->status != SIEVE_EXEC_TEMP_FAILURE &&
- rexec->status != SIEVE_EXEC_RESOURCE_LIMIT)) {
- /* Commit implicit keep if the transaction failed or when the
- implicit keep was not canceled during transaction.
- */
- if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
- ret = sieve_result_implicit_keep_finalize(rexec);
- switch (ret) {
- case SIEVE_EXEC_OK:
- if (result_status == SIEVE_EXEC_TEMP_FAILURE)
- result_status = SIEVE_EXEC_FAILURE;
+
+ /* Commit implicit keep if the transaction failed or when the
+ implicit keep was not canceled during transaction.
+ */
+ if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
+ ret = sieve_result_implicit_keep_finalize(rexec);
+ switch (ret) {
+ case SIEVE_EXEC_OK:
+ if (result_status == SIEVE_EXEC_TEMP_FAILURE)
+ result_status = SIEVE_EXEC_FAILURE;
+ break;
+ case SIEVE_EXEC_TEMP_FAILURE:
+ if (!rexec->committed) {
+ result_status = ret;
break;
- case SIEVE_EXEC_TEMP_FAILURE:
- if (!rexec->committed) {
- result_status = ret;
- break;
- }
- /* fall through */
- default:
- result_status = SIEVE_EXEC_KEEP_FAILED;
}
+ /* fall through */
+ default:
+ result_status = SIEVE_EXEC_KEEP_FAILED;
}
- if (rexec->status == SIEVE_EXEC_OK)
- rexec->status = result_status;
}
+ if (rexec->status == SIEVE_EXEC_OK)
+ rexec->status = result_status;
/* Finish execution */
From 92b4b06d5d8deeefdd17d5fb18d7f0d23e8e414b Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 02:46:18 +0200
Subject: [PATCH 06/12] lib-sieve: sieve-result - Skip implicit keep in
execution stage upon temp failure.
It will be executed in the commit phase if necessary; don't do it early; it will
only be rolled back.
---
src/lib-sieve/sieve-result.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 10cc3b95..82354831 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1494,8 +1494,6 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
break;
case SIEVE_EXEC_TEMP_FAILURE:
case SIEVE_EXEC_RESOURCE_LIMIT:
- if (rexec->executed)
- break;
if (rexec->committed)
break;
if (rexec->keep_finalizing)
From f2b81cc6ebaa3001bde693f7abdb990f467f7831 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 02:56:32 +0200
Subject: [PATCH 07/12] lib-sieve: sieve-result - Fix handling of resource
limit status after implicit keep commit.
---
src/lib-sieve/sieve-result.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 82354831..96582075 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1980,6 +1980,7 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
result_status = SIEVE_EXEC_FAILURE;
break;
case SIEVE_EXEC_TEMP_FAILURE:
+ case SIEVE_EXEC_RESOURCE_LIMIT:
if (!rexec->committed) {
result_status = ret;
break;
From 293f0027106a725e4cbcf56b673f1eedda00c317 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 02:54:25 +0200
Subject: [PATCH 08/12] lib-sieve: sieve-result - Fix resource leak occurring
when implicit keep is executed before temporary failure at commit.
In the commit phase the implicit keep was never finalized, meaning that it was
not rolled back and thus not cleaned up properly. This leads to a memory leak
and a mailbox reference leak. This in turn causes an assert crash at the end
of delivery when the mail user is destroyed.
---
src/lib-sieve/sieve-result.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 96582075..10ea349c 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1627,7 +1627,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
struct sieve_result_action *ract_keep = &rexec->keep_action;
struct sieve_action *act_keep = &ract_keep->action;
int commit_status = SIEVE_EXEC_OK;
- bool success = FALSE;
+ bool success = FALSE, temp_failure = FALSE;
switch (rexec->status) {
case SIEVE_EXEC_OK:
@@ -1637,7 +1637,15 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
case SIEVE_EXEC_RESOURCE_LIMIT:
if (rexec->committed)
break;
- return rexec->status;
+
+ if (aexec_keep->state !=
+ SIEVE_ACTION_EXECUTION_STATE_EXECUTED)
+ return rexec->status;
+ /* Roll back for temporary failure when no other action
+ is committed. */
+ commit_status = rexec->status;
+ temp_failure = TRUE;
+ break;
default:
break;
}
@@ -1662,8 +1670,10 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
rexec->keep_finalizing = TRUE;
/* Start keep if necessary */
- if (act_keep->def == NULL ||
- aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
+ if (temp_failure) {
+ rexec->keep_status = rexec->status;
+ } else if (act_keep->def == NULL ||
+ aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
sieve_result_implicit_keep_execute(rexec);
/* Switch to failure keep if necessary. */
} else if (rexec->keep_success && !success){
From 81bd53d6c9fa14fc6b32304e49dddb8fd022de91 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 13:29:41 +0200
Subject: [PATCH 09/12] lib-sieve: sieve-result - Assert that implicit keep is
executed in sieve_result_implicit_keep_finalize().
---
src/lib-sieve/sieve-result.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 10ea349c..de97d6ae 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1691,6 +1691,8 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
if (act_keep->def == NULL)
return rexec->keep_status;
+ i_assert(aexec_keep->state == SIEVE_ACTION_EXECUTION_STATE_EXECUTED);
+
/* Finalize keep action */
rexec->keep_status = sieve_result_action_commit_or_rollback(
rexec, aexec_keep, rexec->keep_status, &commit_status);
From dbf5b62ba82766a7d824e81005b2517d96984ef0 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 02:43:05 +0200
Subject: [PATCH 10/12] lib-sieve: sieve-result - Add debug messages for temp
failure handling.
---
src/lib-sieve/sieve-result.c | 28 +++++++++++++++++++++++++---
1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index de97d6ae..c21c8017 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1494,10 +1494,21 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
break;
case SIEVE_EXEC_TEMP_FAILURE:
case SIEVE_EXEC_RESOURCE_LIMIT:
- if (rexec->committed)
+ if (rexec->committed) {
+ e_debug(rexec->event,
+ "Temporary failure occurred (status=%s), "
+ "but other actions were already committed: "
+ "execute failure implicit keep",
+ sieve_execution_exitcode_to_str(rexec->status));
break;
+ }
if (rexec->keep_finalizing)
break;
+
+ e_debug(rexec->event,
+ "Skip implicit keep for temporary failure "
+ "(state=execute, status=%s)",
+ sieve_execution_exitcode_to_str(rexec->status));
return;
default:
break;
@@ -1635,12 +1646,23 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
break;
case SIEVE_EXEC_TEMP_FAILURE:
case SIEVE_EXEC_RESOURCE_LIMIT:
- if (rexec->committed)
+ if (rexec->committed) {
+ e_debug(rexec->event,
+ "Temporary failure occurred (status=%s), "
+ "but other actions were already committed: "
+ "commit failure implicit keep",
+ sieve_execution_exitcode_to_str(rexec->status));
break;
+ }
if (aexec_keep->state !=
- SIEVE_ACTION_EXECUTION_STATE_EXECUTED)
+ SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
+ e_debug(rexec->event,
+ "Skip implicit keep for temporary failure "
+ "(state=commit, status=%s)",
+ sieve_execution_exitcode_to_str(rexec->status));
return rexec->status;
+ }
/* Roll back for temporary failure when no other action
is committed. */
commit_status = rexec->status;
From 65d771c15bf443690580dbb0643556794106522b Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 13:26:26 +0200
Subject: [PATCH 11/12] lib-sieve: sieve-result - Indicate in
sieve_result_transaction_execute() debug message whether actions were
executed.
---
src/lib-sieve/sieve-result.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index c21c8017..6f3cb954 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1796,10 +1796,11 @@ sieve_result_transaction_execute(struct sieve_result_execution *rexec,
}
e_debug(rexec->event, "Finished executing actions "
- "(status=%s, keep=%s)",
+ "(status=%s, keep=%s, executed=%s)",
sieve_execution_exitcode_to_str(status),
(rexec->keep_explicit ? "explicit" :
- (rexec->keep_implicit ? "implicit" : "none")));
+ (rexec->keep_implicit ? "implicit" : "none")),
+ (rexec->executed ? "yes" : "no"));
return status;
}
From 4596d39908a868783fae9a0c2fd264409c0aaa96 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Wed, 18 Aug 2021 13:27:50 +0200
Subject: [PATCH 12/12] lib-sieve: sieve-result - Indicate in
sieve_result_transaction_finalize() debug message whether actions were
committed.
---
src/lib-sieve/sieve-result.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
index 6f3cb954..effd6f28 100644
--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1859,10 +1859,11 @@ sieve_result_transaction_commit_or_rollback(
}
e_debug(rexec->event, "Finished finalizing actions "
- "(status=%s, keep=%s)",
+ "(status=%s, keep=%s, committed=%s)",
sieve_execution_exitcode_to_str(status),
(rexec->keep_explicit ? "explicit" :
- (rexec->keep_implicit ? "implicit" : "none")));
+ (rexec->keep_implicit ? "implicit" : "none")),
+ (rexec->committed ? "yes" : "no"));
return commit_status;
}

@ -0,0 +1,31 @@
From bdf4474ed82aaf964e7d94e72ca56b496e3815f9 Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Fri, 1 Oct 2021 15:08:45 +0300
Subject: [PATCH] virtual: Fix leaking mailboxes if virtual mailbox can't be
opened
Fixes also a crash at deinit:
Panic: file mail-user.c: line 232 (mail_user_deinit): assertion failed: ((*user)->refcount == 1)
---
src/plugins/virtual/virtual-storage.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/plugins/virtual/virtual-storage.c b/src/plugins/virtual/virtual-storage.c
index 2f31503d53..a0779cc186 100644
--- a/src/plugins/virtual/virtual-storage.c
+++ b/src/plugins/virtual/virtual-storage.c
@@ -495,12 +495,12 @@ static int virtual_mailbox_open(struct mailbox *box)
ret = virtual_mailboxes_open(mbox, box->flags);
array_pop_back(&mbox->storage->open_stack);
}
+ if (ret == 0)
+ ret = index_storage_mailbox_open(box, FALSE);
if (ret < 0) {
virtual_mailbox_close_internal(mbox);
return -1;
}
- if (index_storage_mailbox_open(box, FALSE) < 0)
- return -1;
mbox->virtual_ext_id =
mail_index_ext_register(mbox->box.index, "virtual", 0,

@ -1,295 +0,0 @@
diff -up dovecot-2.3.20/configure.ac.nolibotp dovecot-2.3.20/configure.ac
--- dovecot-2.3.20/configure.ac.nolibotp 2022-12-21 09:49:12.000000000 +0100
+++ dovecot-2.3.20/configure.ac 2023-02-14 16:54:02.118531016 +0100
@@ -854,7 +854,6 @@ src/lib-lua/Makefile
src/lib-mail/Makefile
src/lib-master/Makefile
src/lib-program-client/Makefile
-src/lib-otp/Makefile
src/lib-dovecot/Makefile
src/lib-sasl/Makefile
src/lib-settings/Makefile
diff -up dovecot-2.3.20/src/auth/main.c.nolibotp dovecot-2.3.20/src/auth/main.c
--- dovecot-2.3.20/src/auth/main.c.nolibotp 2022-12-21 09:49:12.000000000 +0100
+++ dovecot-2.3.20/src/auth/main.c 2023-02-14 16:54:02.118531016 +0100
@@ -19,8 +19,6 @@
#include "password-scheme.h"
#include "passdb-cache.h"
#include "mech.h"
-#include "otp.h"
-#include "mech-otp-common.h"
#include "auth.h"
#include "auth-penalty.h"
#include "auth-token.h"
@@ -283,7 +281,6 @@ static void main_deinit(void)
auth_policy_deinit();
mech_register_deinit(&mech_reg);
- mech_otp_deinit();
mech_deinit(global_auth_settings);
/* allow modules to unregister their dbs/drivers/etc. before freeing
diff -up dovecot-2.3.20/src/auth/Makefile.am.nolibotp dovecot-2.3.20/src/auth/Makefile.am
--- dovecot-2.3.20/src/auth/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100
+++ dovecot-2.3.20/src/auth/Makefile.am 2023-02-14 16:54:02.118531016 +0100
@@ -45,7 +45,6 @@ AM_CPPFLAGS = \
-I$(top_srcdir)/src/lib-sql \
-I$(top_srcdir)/src/lib-settings \
-I$(top_srcdir)/src/lib-old-stats \
- -I$(top_srcdir)/src/lib-otp \
-I$(top_srcdir)/src/lib-master \
-I$(top_srcdir)/src/lib-oauth2 \
-I$(top_srcdir)/src/lib-ssl-iostream \
@@ -67,7 +66,6 @@ libpassword_la_SOURCES = \
password-scheme-crypt.c \
password-scheme-md5crypt.c \
password-scheme-scram.c \
- password-scheme-otp.c \
password-scheme-pbkdf2.c \
password-scheme-sodium.c
libpassword_la_CFLAGS = $(AM_CPPFLAGS) $(LIBSODIUM_CFLAGS)
@@ -76,7 +74,6 @@ auth_libs = \
libauth.la \
libstats_auth.la \
libpassword.la \
- ../lib-otp/libotp.la \
$(AUTH_LUA_LIBS) \
$(LIBDOVECOT_SQL)
@@ -95,7 +92,6 @@ libauth_la_SOURCES = \
auth-client-connection.c \
auth-master-connection.c \
auth-policy.c \
- mech-otp-common.c \
mech-plain-common.c \
auth-penalty.c \
auth-request.c \
@@ -122,7 +118,6 @@ libauth_la_SOURCES = \
mech-digest-md5.c \
mech-external.c \
mech-gssapi.c \
- mech-otp.c \
mech-scram.c \
mech-apop.c \
mech-winbind.c \
@@ -161,7 +156,6 @@ headers = \
auth-client-connection.h \
auth-common.h \
auth-master-connection.h \
- mech-otp-common.h \
mech-plain-common.h \
mech-digest-md5-private.h \
mech-scram.h \
@@ -260,7 +254,6 @@ test_libs = \
test_libpassword_SOURCES = test-libpassword.c
test_libpassword_LDADD = \
libpassword.la \
- ../lib-otp/libotp.la \
$(CRYPT_LIBS) \
$(LIBDOVECOT_SQL) \
$(LIBSODIUM_LIBS) \
diff -up dovecot-2.3.20/src/auth/mech.c.nolibotp dovecot-2.3.20/src/auth/mech.c
--- dovecot-2.3.20/src/auth/mech.c.nolibotp 2023-02-14 16:55:38.421231797 +0100
+++ dovecot-2.3.20/src/auth/mech.c 2023-02-14 16:55:38.434231892 +0100
@@ -71,7 +71,6 @@ extern const struct mech_module mech_apo
extern const struct mech_module mech_cram_md5;
extern const struct mech_module mech_digest_md5;
extern const struct mech_module mech_external;
-extern const struct mech_module mech_otp;
extern const struct mech_module mech_scram_sha1;
extern const struct mech_module mech_scram_sha256;
extern const struct mech_module mech_anonymous;
@@ -206,7 +205,6 @@ void mech_init(const struct auth_setting
mech_register_module(&mech_gssapi_spnego);
#endif
}
- mech_register_module(&mech_otp);
mech_register_module(&mech_scram_sha1);
mech_register_module(&mech_scram_sha256);
mech_register_module(&mech_anonymous);
@@ -233,7 +231,6 @@ void mech_deinit(const struct auth_setti
mech_unregister_module(&mech_gssapi_spnego);
#endif
}
- mech_unregister_module(&mech_otp);
mech_unregister_module(&mech_scram_sha1);
mech_unregister_module(&mech_scram_sha256);
mech_unregister_module(&mech_anonymous);
diff -up dovecot-2.3.20/src/auth/password-scheme.c.nolibotp dovecot-2.3.20/src/auth/password-scheme.c
--- dovecot-2.3.20/src/auth/password-scheme.c.nolibotp 2023-02-14 16:54:02.109530950 +0100
+++ dovecot-2.3.20/src/auth/password-scheme.c 2023-02-14 16:54:02.119531023 +0100
@@ -13,7 +13,6 @@
#include "randgen.h"
#include "sha1.h"
#include "sha2.h"
-#include "otp.h"
#include "str.h"
#include "password-scheme.h"
@@ -709,32 +708,6 @@ plain_md5_generate(const char *plaintext
*size_r = MD5_RESULTLEN;
}
-static int otp_verify(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
- const unsigned char *raw_password, size_t size,
- const char **error_r)
-{
- const char *password, *generated;
-
- password = t_strndup(raw_password, size);
- if (password_generate_otp(plaintext, password, UINT_MAX, &generated) < 0) {
- *error_r = "Invalid OTP data in passdb";
- return -1;
- }
-
- return strcasecmp(password, generated) == 0 ? 1 : 0;
-}
-
-static void
-otp_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
- const unsigned char **raw_password_r, size_t *size_r)
-{
- const char *password;
-
- if (password_generate_otp(plaintext, NULL, OTP_HASH_SHA1, &password) < 0)
- i_unreached();
- *raw_password_r = (const unsigned char *)password;
- *size_r = strlen(password);
-}
static const struct password_scheme builtin_schemes[] = {
{ "MD5", PW_ENCODING_NONE, 0, md5_verify, md5_crypt_generate },
@@ -770,7 +743,6 @@ static const struct password_scheme buil
NULL, plain_md5_generate },
{ "LDAP-MD5", PW_ENCODING_BASE64, MD5_RESULTLEN,
NULL, plain_md5_generate },
- { "OTP", PW_ENCODING_NONE, 0, otp_verify, otp_generate },
{ "PBKDF2", PW_ENCODING_NONE, 0, pbkdf2_verify, pbkdf2_generate },
};
diff -up dovecot-2.3.20/src/auth/password-scheme.h.nolibotp dovecot-2.3.20/src/auth/password-scheme.h
--- dovecot-2.3.20/src/auth/password-scheme.h.nolibotp 2023-02-14 16:56:50.929759540 +0100
+++ dovecot-2.3.20/src/auth/password-scheme.h 2023-02-14 16:56:50.947759671 +0100
@@ -92,9 +92,6 @@ void password_set_encryption_rounds(unsi
/* INTERNAL: */
const char *password_generate_salt(size_t len);
const char *password_generate_md5_crypt(const char *pw, const char *salt);
-int password_generate_otp(const char *pw, const char *state_data,
- unsigned int algo, const char **result_r)
- ATTR_NULL(2);
int crypt_verify(const char *plaintext,
const struct password_generate_params *params,
diff -up dovecot-2.3.20/src/auth/test-libpassword.c.nolibotp dovecot-2.3.20/src/auth/test-libpassword.c
--- dovecot-2.3.20/src/auth/test-libpassword.c.nolibotp 2023-02-14 16:54:55.880922175 +0100
+++ dovecot-2.3.20/src/auth/test-libpassword.c 2023-02-14 16:54:55.896922291 +0100
@@ -106,7 +106,6 @@ static void test_password_schemes(void)
test_password_scheme("SHA512", "{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==", "test");
test_password_scheme("SSHA", "{SSHA}H/zrDv8FXUu1JmwvVYijfrYEF34jVZcO", "test");
test_password_scheme("MD5-CRYPT", "{MD5-CRYPT}$1$GgvxyNz8$OjZhLh4P.gF1lxYEbLZ3e/", "test");
- test_password_scheme("OTP", "{OTP}sha1 1024 ae6b49aa481f7233 f69fc7f98b8fbf54", "test");
test_password_scheme("PBKDF2", "{PBKDF2}$1$bUnT4Pl7yFtYX0KU$5000$50a83cafdc517b9f46519415e53c6a858908680a", "test");
test_password_scheme("CRAM-MD5", "{CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6", "test");
test_password_scheme("DIGEST-MD5", "{DIGEST-MD5}77c1a8c437c9b08ba2f460fe5d58db5d", "test");
diff -up dovecot-2.3.20/src/auth/test-mech.c.nolibotp dovecot-2.3.20/src/auth/test-mech.c
--- dovecot-2.3.20/src/auth/test-mech.c.nolibotp 2022-12-21 09:49:12.000000000 +0100
+++ dovecot-2.3.20/src/auth/test-mech.c 2023-02-14 16:54:02.119531023 +0100
@@ -8,8 +8,6 @@
#include "auth-request-handler-private.h"
#include "auth-settings.h"
#include "mech-digest-md5-private.h"
-#include "otp.h"
-#include "mech-otp-common.h"
#include "settings-parser.h"
#include "password-scheme.h"
#include "auth-token.h"
@@ -27,7 +25,6 @@ extern const struct mech_module mech_dov
extern const struct mech_module mech_external;
extern const struct mech_module mech_login;
extern const struct mech_module mech_oauthbearer;
-extern const struct mech_module mech_otp;
extern const struct mech_module mech_plain;
extern const struct mech_module mech_scram_sha1;
extern const struct mech_module mech_scram_sha256;
@@ -65,10 +62,7 @@ request_handler_reply_mock_callback(stru
if (request->passdb_result == PASSDB_RESULT_OK)
request->failed = FALSE;
- else if (request->mech == &mech_otp) {
- if (null_strcmp(request->fields.user, "otp_phase_2") == 0)
- request->failed = FALSE;
- } else if (request->mech == &mech_oauthbearer) {
+ else if (request->mech == &mech_oauthbearer) {
}
};
@@ -224,10 +218,6 @@ static void test_mechs(void)
{&mech_plain, UCHAR_LEN("\0testuser\0testpass"), "testuser", NULL, TRUE, FALSE, FALSE},
{&mech_plain, UCHAR_LEN("normaluser\0masteruser\0masterpass"), "masteruser", NULL, TRUE, FALSE, FALSE},
{&mech_plain, UCHAR_LEN("normaluser\0normaluser\0masterpass"), "normaluser", NULL, TRUE, FALSE, FALSE},
- {&mech_otp, UCHAR_LEN("hex:5Bf0 75d9 959d 036f"), "otp_phase_2", NULL, TRUE, TRUE, FALSE},
- {&mech_otp, UCHAR_LEN("word:BOND FOGY DRAB NE RISE MART"), "otp_phase_2", NULL, TRUE, TRUE, FALSE},
- {&mech_otp, UCHAR_LEN("init-hex:f6bd 6b33 89b8 7203:md5 499 ke6118:23d1 b253 5ae0 2b7e"), "otp_phase_2", NULL, TRUE, TRUE, FALSE},
- {&mech_otp, UCHAR_LEN("init-word:END KERN BALM NICK EROS WAVY:md5 499 ke1235:BABY FAIN OILY NIL TIDY DADE"), "otp_phase_2", NULL , TRUE, TRUE, FALSE},
{&mech_oauthbearer, UCHAR_LEN("n,a=testuser,p=cHJvb2Y=,f=nonstandart\x01host=server\x01port=143\x01""auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01"), "testuser", NULL, FALSE, TRUE, FALSE},
{&mech_scram_sha1, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE},
{&mech_scram_sha256, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE},
@@ -242,8 +232,6 @@ static void test_mechs(void)
{&mech_external, UCHAR_LEN(""), "testuser", NULL, FALSE, TRUE, FALSE},
{&mech_external, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_login, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE},
- {&mech_otp, UCHAR_LEN(""), NULL, "invalid input", FALSE, FALSE, FALSE},
- {&mech_otp, UCHAR_LEN(""), "testuser", "invalid input", FALSE, FALSE, FALSE},
{&mech_plain, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_oauthbearer, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_xoauth2, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE},
@@ -255,7 +243,6 @@ static void test_mechs(void)
{&mech_apop, UCHAR_LEN("1.1.1\0testuser\0tooshort"), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_apop, UCHAR_LEN("1.1.1\0testuser\0responseoflen16-"), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_apop, UCHAR_LEN("1.1.1"), NULL, NULL, FALSE, FALSE, FALSE},
- {&mech_otp, UCHAR_LEN("somebody\0testuser"), "testuser", "otp(testuser): unsupported response type", FALSE, TRUE, FALSE},
{&mech_cram_md5, UCHAR_LEN("testuser\0response"), "testuser", NULL, FALSE, FALSE, FALSE},
{&mech_plain, UCHAR_LEN("testuser\0"), "testuser", NULL, FALSE, FALSE, FALSE},
@@ -297,9 +284,7 @@ static void test_mechs(void)
{&mech_plain, UCHAR_LEN("\0fa\0il\0ing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_plain, UCHAR_LEN("failingwiththis"), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_plain, UCHAR_LEN("failing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE},
- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), NULL, "invalid input", FALSE, FALSE, FALSE},
/* phase 2 */
- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), "testuser", "otp(testuser): unsupported response type", FALSE, TRUE, FALSE},
{&mech_scram_sha1, UCHAR_LEN("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_scram_sha1, UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, NULL, FALSE, FALSE, FALSE},
{&mech_scram_sha1, UCHAR_LEN("n,a=masteruser,,"), NULL, NULL, FALSE, FALSE, FALSE},
@@ -387,7 +372,6 @@ static void test_mechs(void)
test_end();
} T_END;
- mech_otp_deinit();
auths_deinit();
auth_token_deinit();
password_schemes_deinit();
diff -up dovecot-2.3.20/src/doveadm/Makefile.am.nolibotp dovecot-2.3.20/src/doveadm/Makefile.am
--- dovecot-2.3.20/src/doveadm/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100
+++ dovecot-2.3.20/src/doveadm/Makefile.am 2023-02-14 16:54:02.119531023 +0100
@@ -36,8 +36,7 @@ AM_CPPFLAGS = \
$(BINARY_CFLAGS)
cmd_pw_libs = \
- ../auth/libpassword.la \
- ../lib-otp/libotp.la
+ ../auth/libpassword.la
libs = \
dsync/libdsync.la \
diff -up dovecot-2.3.20/src/Makefile.am.nolibotp dovecot-2.3.20/src/Makefile.am
--- dovecot-2.3.20/src/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100
+++ dovecot-2.3.20/src/Makefile.am 2023-02-14 16:54:02.119531023 +0100
@@ -40,7 +40,6 @@ SUBDIRS = \
lib-index \
lib-storage \
lib-sql \
- lib-otp \
lib-lda \
lib-dict-backend \
anvil \

@ -1,200 +0,0 @@
diff -up dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c.noengine dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c
--- dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c.noengine 2024-07-23 13:18:35.040720598 -0400
+++ dovecot-2.3.21/src/lib-dcrypt/dcrypt-openssl.c 2024-07-23 13:20:16.250720598 -0400
@@ -20,7 +20,6 @@
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
-#include <openssl/engine.h>
#include <openssl/hmac.h>
#include <openssl/objects.h>
#include <openssl/bn.h>
diff -up dovecot-2.3.21/m4/ssl.m4.noengine dovecot-2.3.21/m4/ssl.m4
--- dovecot-2.3.21/m4/ssl.m4.noengine 2024-05-06 17:39:59.362886891 +0200
+++ dovecot-2.3.21/m4/ssl.m4 2024-05-06 17:42:17.945312656 +0200
@@ -233,6 +233,27 @@ AC_DEFUN([DOVECOT_SSL], [
AC_CHECK_LIB(ssl, ECDSA_SIG_set0, [
AC_DEFINE(HAVE_ECDSA_SIG_SET0,, [Build with ECDSA_SIG_set0 support])
],, $SSL_LIBS)
+ AC_CHECK_LIB(ssl, OSSL_PROVIDER_try_load, [
+ AC_DEFINE(HAVE_OSSL_PROVIDER_try_load,, [Build with OSSL_PROVIDER_try_load support])
+ ],, $SSL_LIBS)
+ AC_CHECK_LIB(ssl, OPENSSL_init_ssl, [
+ AC_DEFINE(HAVE_OPENSSL_init_ssl,, [Build with OPENSSL_init_ssl support])
+ ],, $SSL_LIBS)
+ AC_CHECK_LIB(ssl, OPENSSL_cleanup, [
+ AC_DEFINE(HAVE_OPENSSL_cleanup,, [OpenSSL supports OPENSSL_cleanup()])
+ ],, $SSL_LIBS)
+ AC_CHECK_LIB(ssl, OPENSSL_thread_stop, [
+ AC_DEFINE(HAVE_OPENSSL_thread_stop,, [OpenSSL supports OPENSSL_thread_stop()])
+ ],, $SSL_LIBS)
+ AC_CHECK_LIB(ssl, ERR_remove_thread_state, [
+ AC_DEFINE(HAVE_ERR_remove_thread_state,, [OpenSSL supports ERR_remove_thread_state()])
+ ],, $SSL_LIBS)
+ AC_CHECK_LIB(ssl, ERR_remove_state, [
+ AC_DEFINE(HAVE_ERR_remove_state,, [OpenSSL supports ERR_remove_state()])
+ ],, $SSL_LIBS)
+ AC_CHECK_LIB(ssl, ENGINE_by_id_DISABLED, [
+ AC_DEFINE(HAVE_ENGINE_by_id,, [OpenSSL supports ENGINE_by_id() - !!!EXPLICITELY DISABLED!!! ])
+ ],, $SSL_LIBS)
AC_CHECK_LIB(ssl, EC_GROUP_order_bits, [
AC_DEFINE(HAVE_EC_GROUP_order_bits,, [Build with EC_GROUP_order_bits support])
],, $SSL_LIBS)
diff -up dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c.noengine dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c
--- dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c.noengine 2023-09-14 15:17:46.000000000 +0200
+++ dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c 2024-05-06 17:39:59.363886901 +0200
@@ -3,13 +3,23 @@
#include "lib.h"
#include "randgen.h"
#include "dovecot-openssl-common.h"
+#include "iostream-openssl.h"
#include <openssl/ssl.h>
-#include <openssl/engine.h>
+#include <openssl/err.h>
+#ifdef HAVE_OSSL_PROVIDER_try_load
+# include <openssl/provider.h>
+#else
+# include <openssl/engine.h>
+#endif
#include <openssl/rand.h>
static int openssl_init_refcount = 0;
-static ENGINE *dovecot_openssl_engine;
+#ifdef HAVE_OSSL_PROVIDER_try_load
+static OSSL_PROVIDER *dovecot_openssl_engine = NULL;
+#else
+static ENGINE *dovecot_openssl_engine = NULL;
+#endif
#ifdef HAVE_SSL_NEW_MEM_FUNCS
static void *dovecot_openssl_malloc(size_t size, const char *u0 ATTR_UNUSED, int u1 ATTR_UNUSED)
@@ -17,12 +27,14 @@ static void *dovecot_openssl_malloc(size
static void *dovecot_openssl_malloc(size_t size)
#endif
{
+ if (size == 0)
+ return NULL;
/* this may be performance critical, so don't use
i_malloc() or calloc() */
void *mem = malloc(size);
- if (mem == NULL) {
+ if (unlikely(mem == NULL)) {
i_fatal_status(FATAL_OUTOFMEM,
- "OpenSSL: malloc(%zu): Out of memory", size);
+ "OpenSSL: malloc(%zu): Out of memory", size);
}
return mem;
}
@@ -33,10 +45,14 @@ static void *dovecot_openssl_realloc(voi
static void *dovecot_openssl_realloc(void *ptr, size_t size)
#endif
{
+ if (size == 0) {
+ free(ptr);
+ return NULL;
+ }
void *mem = realloc(ptr, size);
- if (mem == NULL) {
+ if (unlikely(mem == NULL)) {
i_fatal_status(FATAL_OUTOFMEM,
- "OpenSSL: realloc(%zu): Out of memory", size);
+ "OpenSSL: realloc(%zu): Out of memory", size);
}
return mem;
}
@@ -63,9 +79,13 @@ void dovecot_openssl_common_global_ref(v
/*i_warning("CRYPTO_set_mem_functions() was called too late");*/
}
+#ifdef HAVE_OPENSSL_init_ssl
+ OPENSSL_init_ssl(0, NULL);
+#else
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
+#endif
}
bool dovecot_openssl_common_global_unref(void)
@@ -76,30 +96,35 @@ bool dovecot_openssl_common_global_unref
return TRUE;
if (dovecot_openssl_engine != NULL) {
+#ifdef HAVE_OSSL_PROVIDER_try_load
+ OSSL_PROVIDER_unload(dovecot_openssl_engine);
+#else
ENGINE_finish(dovecot_openssl_engine);
+#endif
dovecot_openssl_engine = NULL;
}
+#ifdef HAVE_OPENSSL_cleanup
+ OPENSSL_cleanup();
+#else
/* OBJ_cleanup() is called automatically by EVP_cleanup() in
newer versions. Doesn't hurt to call it anyway. */
OBJ_cleanup();
-#ifdef HAVE_SSL_COMP_FREE_COMPRESSION_METHODS
+# if !defined(OPENSSL_NO_COMP)
SSL_COMP_free_compression_methods();
-#endif
+# endif
ENGINE_cleanup();
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
-#ifdef HAVE_OPENSSL_AUTO_THREAD_DEINIT
+# ifdef HAVE_OPENSSL_thread_stop
/* no cleanup needed */
-#elif defined(HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE)
+# elif defined(HAVE_ERR_remove_thread_state)
/* This was marked as deprecated in v1.1. */
ERR_remove_thread_state(NULL);
-#else
+# elif defined(HAVE_ERR_remove_state)
/* This was deprecated by ERR_remove_thread_state(NULL) in v1.0.0. */
ERR_remove_state(0);
-#endif
+# endif
ERR_free_strings();
-#ifdef HAVE_OPENSSL_CLEANUP
- OPENSSL_cleanup();
#endif
return FALSE;
}
@@ -110,6 +135,7 @@ int dovecot_openssl_common_global_set_en
if (dovecot_openssl_engine != NULL)
return 1;
+#ifdef HAVE_ENGINE_by_id
ENGINE_load_builtin_engines();
dovecot_openssl_engine = ENGINE_by_id(engine);
if (dovecot_openssl_engine == NULL) {
@@ -128,5 +154,15 @@ int dovecot_openssl_common_global_set_en
dovecot_openssl_engine = NULL;
return -1;
}
+#elif defined(HAVE_OSSL_PROVIDER_try_load)
+ if ((dovecot_openssl_engine = OSSL_PROVIDER_try_load(NULL, engine, 1)) == NULL) {
+ *error_r = t_strdup_printf("Cannot load '%s': %s", engine,
+ openssl_iostream_error());
+ return 0;
+ }
+ return 1;
+#else
+ *error_r = t_strdup_printf("Cannot load '%s': No engine/provider support available", engine);
+#endif
return 1;
}
diff -up dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am.noengine dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am
--- dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am.noengine 2023-09-14 15:17:46.000000000 +0200
+++ dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am 2024-05-06 17:39:59.363886901 +0200
@@ -5,7 +5,8 @@ NOPLUGIN_LDFLAGS =
AM_CPPFLAGS = \
-I$(top_srcdir)/src/lib \
-I$(top_srcdir)/src/lib-test \
- -DMODULE_DIR=\""$(moduledir)"\"
+ -DMODULE_DIR=\""$(moduledir)"\" \
+ $(SSL_CFLAGS)
if BUILD_OPENSSL
module_LTLIBRARIES = libssl_iostream_openssl.la

@ -1,20 +1,7 @@
From f020e139c519121d9630a966310ea8e100ee33b7 Mon Sep 17 00:00:00 2001
From: Marco Bettini <marco.bettini@open-xchange.com>
Date: Fri, 12 Apr 2024 15:06:43 +0000
Subject: [PATCH 1/2] lib-mail: message-header-parser - Limit header block to
10MB by default
---
src/lib-mail/message-header-parser.c | 48 ++++++++++++----
src/lib-mail/message-header-parser.h | 10 ++++
src/lib-mail/test-message-header-parser.c | 67 +++++++++++++++++++++++
3 files changed, 114 insertions(+), 11 deletions(-)
diff --git a/src/lib-mail/message-header-parser.c b/src/lib-mail/message-header-parser.c
index c5026f1bb7..5e020bbeb3 100644
--- a/src/lib-mail/message-header-parser.c
+++ b/src/lib-mail/message-header-parser.c
@@ -21,6 +21,9 @@ struct message_header_parser_ctx {
diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/message-header-parser.c
--- dovecot-2.3.16/src/lib-mail/message-header-parser.c.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-mail/message-header-parser.c 2024-08-20 23:29:25.214183880 +0200
@@ -17,6 +17,9 @@ struct message_header_parser_ctx {
string_t *name;
buffer_t *value_buf;
@ -24,7 +11,7 @@ index c5026f1bb7..5e020bbeb3 100644
enum message_header_parser_flags flags;
bool skip_line:1;
bool has_nuls:1;
@@ -38,6 +41,7 @@ message_parse_header_init(struct istream *input, struct message_size *hdr_size,
@@ -34,6 +37,7 @@ message_parse_header_init(struct istream
ctx->name = str_new(default_pool, 128);
ctx->flags = flags;
ctx->value_buf = buffer_create_dynamic(default_pool, 4096);
@ -32,7 +19,7 @@ index c5026f1bb7..5e020bbeb3 100644
i_stream_ref(input);
if (hdr_size != NULL)
@@ -45,6 +49,21 @@ message_parse_header_init(struct istream *input, struct message_size *hdr_size,
@@ -41,6 +45,21 @@ message_parse_header_init(struct istream
return ctx;
}
@ -54,7 +41,7 @@ index c5026f1bb7..5e020bbeb3 100644
void message_parse_header_deinit(struct message_header_parser_ctx **_ctx)
{
struct message_header_parser_ctx *ctx = *_ctx;
@@ -77,6 +96,7 @@ int message_parse_header_next(struct message_header_parser_ctx *ctx,
@@ -73,6 +92,7 @@ int message_parse_header_next(struct mes
/* new header line */
line->name_offset = ctx->input->v_offset;
colon_pos = UINT_MAX;
@ -62,8 +49,8 @@ index c5026f1bb7..5e020bbeb3 100644
buffer_set_used_size(ctx->value_buf, 0);
}
@@ -342,33 +362,39 @@ int message_parse_header_next(struct message_header_parser_ctx *ctx,
}
@@ -326,33 +346,39 @@ int message_parse_header_next(struct mes
line->middle = str_data(ctx->name) + line->name_len + 1;
}
+ line->value_len = I_MIN(line->value_len, ctx->header_block_max_size);
@ -113,10 +100,9 @@ index c5026f1bb7..5e020bbeb3 100644
line->full_value = ctx->value_buf->data;
line->full_value_len = ctx->value_buf->used;
} else {
diff --git a/src/lib-mail/message-header-parser.h b/src/lib-mail/message-header-parser.h
index ce0825c8e5..43cf95e56a 100644
--- a/src/lib-mail/message-header-parser.h
+++ b/src/lib-mail/message-header-parser.h
diff -up dovecot-2.3.16/src/lib-mail/message-header-parser.h.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/message-header-parser.h
--- dovecot-2.3.16/src/lib-mail/message-header-parser.h.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-mail/message-header-parser.h 2024-08-20 22:55:36.530652449 +0200
@@ -1,6 +1,9 @@
#ifndef MESSAGE_HEADER_PARSER_H
#define MESSAGE_HEADER_PARSER_H
@ -127,7 +113,7 @@ index ce0825c8e5..43cf95e56a 100644
#define IS_LWSP(c) \
((c) == ' ' || (c) == '\t')
@@ -48,6 +51,13 @@ message_parse_header_init(struct istream *input, struct message_size *hdr_size,
@@ -48,6 +51,13 @@ message_parse_header_init(struct istream
enum message_header_parser_flags flags) ATTR_NULL(2);
void message_parse_header_deinit(struct message_header_parser_ctx **ctx);
@ -141,11 +127,85 @@ index ce0825c8e5..43cf95e56a 100644
/* Read and return next header line. Returns 1 if header is returned, 0 if
input stream is non-blocking and more data needs to be read, -1 when all is
done or error occurred (see stream's error status). */
diff --git a/src/lib-mail/test-message-header-parser.c b/src/lib-mail/test-message-header-parser.c
index 700d3413f1..93d8842002 100644
--- a/src/lib-mail/test-message-header-parser.c
+++ b/src/lib-mail/test-message-header-parser.c
@@ -463,6 +463,71 @@ static void test_message_header_parser_extra_crlf_in_name(void)
diff -up dovecot-2.3.16/src/lib-mail/message-parser.c.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/message-parser.c
--- dovecot-2.3.16/src/lib-mail/message-parser.c.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-mail/message-parser.c 2024-08-20 22:55:36.531652458 +0200
@@ -617,7 +617,18 @@ static int parse_next_header(struct mess
}
if (ret < 0) {
/* no boundary */
+ size_t headers_available =
+ ctx->all_headers_max_size > ctx->all_headers_total_size ?
+ ctx->all_headers_max_size - ctx->all_headers_total_size : 0;
+ message_parse_header_lower_limit(ctx->hdr_parser_ctx, headers_available);
ret = message_parse_header_next(ctx->hdr_parser_ctx, &hdr);
+ if (ret > 0) {
+ if (!hdr->continues) {
+ ctx->all_headers_total_size += hdr->name_len;
+ ctx->all_headers_total_size += hdr->middle_len;
+ }
+ ctx->all_headers_total_size += hdr->value_len;
+ }
if (ret == 0 || (ret < 0 && ctx->input->stream_errno != 0)) {
ctx->want_count = i_stream_get_data_size(ctx->input) + 1;
return ret;
@@ -762,6 +773,9 @@ message_parser_init_int(struct istream *
ctx->max_total_mime_parts = set->max_total_mime_parts != 0 ?
set->max_total_mime_parts :
MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS;
+ ctx->all_headers_max_size = set->all_headers_max_size != 0 ?
+ set->all_headers_max_size :
+ MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE;
ctx->input = input;
i_stream_ref(input);
return ctx;
@@ -779,6 +793,7 @@ message_parser_init(pool_t part_pool, st
ctx->next_part = &ctx->part->children;
ctx->parse_next_block = parse_next_header_init;
ctx->total_parts_count = 1;
+ ctx->all_headers_total_size = 0;
i_array_init(&ctx->next_part_stack, 4);
return ctx;
}
diff -up dovecot-2.3.16/src/lib-mail/message-parser.h.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/message-parser.h
--- dovecot-2.3.16/src/lib-mail/message-parser.h.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-mail/message-parser.h 2024-08-20 22:55:36.531652458 +0200
@@ -19,6 +19,7 @@ enum message_parser_flags {
#define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100
#define MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS 10000
+#define MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE ((size_t) 50 * 1024*1024)
struct message_parser_settings {
enum message_header_parser_flags hdr_flags;
@@ -30,6 +31,11 @@ struct message_parser_settings {
/* Maximum MIME parts in total.
0 = MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS. */
unsigned int max_total_mime_parts;
+
+ /* Maximum bytes fore headers in top header plus all
+ MIME sections headers
+ 0 = MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE */
+ size_t all_headers_max_size;
};
struct message_parser_ctx;
diff -up dovecot-2.3.16/src/lib-mail/message-parser-private.h.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/message-parser-private.h
--- dovecot-2.3.16/src/lib-mail/message-parser-private.h.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-mail/message-parser-private.h 2024-08-20 22:55:36.531652458 +0200
@@ -30,6 +30,8 @@ struct message_parser_ctx {
enum message_parser_flags flags;
unsigned int max_nested_mime_parts;
unsigned int max_total_mime_parts;
+ size_t all_headers_max_size;
+ size_t all_headers_total_size;
char *last_boundary;
struct message_boundary *boundaries;
diff -up dovecot-2.3.16/src/lib-mail/test-message-header-parser.c.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/test-message-header-parser.c
--- dovecot-2.3.16/src/lib-mail/test-message-header-parser.c.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-mail/test-message-header-parser.c 2024-08-20 23:23:18.169196280 +0200
@@ -332,6 +332,71 @@ static void test_message_header_parser_n
test_end();
}
@ -217,112 +277,18 @@ index 700d3413f1..93d8842002 100644
int main(void)
{
static void (*const test_functions[])(void) = {
@@ -473,6 +538,8 @@ int main(void)
@@ -341,6 +406,8 @@ int main(void)
test_message_header_parser_extra_cr_in_eoh,
test_message_header_parser_no_eoh,
test_message_header_parser_nul,
test_message_header_parser_extra_crlf_in_name,
+ test_message_header_truncation_flag0,
+ test_message_header_truncation_clean_oneline,
NULL
};
return test_run(test_functions);
From ce88c33abc37e408592eff70aeefa28f803effb9 Mon Sep 17 00:00:00 2001
From: Marco Bettini <marco.bettini@open-xchange.com>
Date: Wed, 24 Apr 2024 10:45:46 +0000
Subject: [PATCH 2/2] lib-mail: message-parser - Limit headers total count to
50MB by default
(including top headers and all mime-sections headers)
---
src/lib-mail/message-parser-private.h | 2 +
src/lib-mail/message-parser.c | 15 +++
src/lib-mail/message-parser.h | 6 +
src/lib-mail/test-message-parser.c | 154 ++++++++++++++++++++++++++
4 files changed, 177 insertions(+)
diff --git a/src/lib-mail/message-parser-private.h b/src/lib-mail/message-parser-private.h
index 41c32daf3a..8b362a9e71 100644
--- a/src/lib-mail/message-parser-private.h
+++ b/src/lib-mail/message-parser-private.h
@@ -30,6 +30,8 @@ struct message_parser_ctx {
enum message_parser_flags flags;
unsigned int max_nested_mime_parts;
unsigned int max_total_mime_parts;
+ size_t all_headers_max_size;
+ size_t all_headers_total_size;
char *last_boundary;
struct message_boundary *boundaries;
diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
index 9a9c9a3515..c7e3b1e96a 100644
--- a/src/lib-mail/message-parser.c
+++ b/src/lib-mail/message-parser.c
@@ -617,7 +617,18 @@ static int parse_next_header(struct message_parser_ctx *ctx,
}
if (ret < 0) {
/* no boundary */
+ size_t headers_available =
+ ctx->all_headers_max_size > ctx->all_headers_total_size ?
+ ctx->all_headers_max_size - ctx->all_headers_total_size : 0;
+ message_parse_header_lower_limit(ctx->hdr_parser_ctx, headers_available);
ret = message_parse_header_next(ctx->hdr_parser_ctx, &hdr);
+ if (ret > 0) {
+ if (!hdr->continues) {
+ ctx->all_headers_total_size += hdr->name_len;
+ ctx->all_headers_total_size += hdr->middle_len;
+ }
+ ctx->all_headers_total_size += hdr->value_len;
+ }
if (ret == 0 || (ret < 0 && ctx->input->stream_errno != 0)) {
ctx->want_count = i_stream_get_data_size(ctx->input) + 1;
return ret;
@@ -762,6 +773,9 @@ message_parser_init_int(struct istream *input,
ctx->max_total_mime_parts = set->max_total_mime_parts != 0 ?
set->max_total_mime_parts :
MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS;
+ ctx->all_headers_max_size = set->all_headers_max_size != 0 ?
+ set->all_headers_max_size :
+ MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE;
ctx->input = input;
i_stream_ref(input);
return ctx;
@@ -779,6 +793,7 @@ message_parser_init(pool_t part_pool, struct istream *input,
ctx->next_part = &ctx->part->children;
ctx->parse_next_block = parse_next_header_init;
ctx->total_parts_count = 1;
+ ctx->all_headers_total_size = 0;
i_array_init(&ctx->next_part_stack, 4);
return ctx;
}
diff --git a/src/lib-mail/message-parser.h b/src/lib-mail/message-parser.h
index f19e526284..8d70d73f05 100644
--- a/src/lib-mail/message-parser.h
+++ b/src/lib-mail/message-parser.h
@@ -19,6 +19,7 @@ enum message_parser_flags {
#define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100
#define MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS 10000
+#define MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE ((size_t) 50 * 1024*1024)
struct message_parser_settings {
enum message_header_parser_flags hdr_flags;
@@ -30,6 +31,11 @@ struct message_parser_settings {
/* Maximum MIME parts in total.
0 = MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS. */
unsigned int max_total_mime_parts;
+
+ /* Maximum bytes fore headers in top header plus all
+ MIME sections headers
+ 0 = MESSAGE_PARSER_DEFAULT_ALL_HEADERS_MAX_SIZE */
+ size_t all_headers_max_size;
};
struct message_parser_ctx;
diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c
index 663bfe8c5a..b6bada2303 100644
--- a/src/lib-mail/test-message-parser.c
+++ b/src/lib-mail/test-message-parser.c
diff -up dovecot-2.3.16/src/lib-mail/test-message-parser.c.CVE-2024-23185 dovecot-2.3.16/src/lib-mail/test-message-parser.c
--- dovecot-2.3.16/src/lib-mail/test-message-parser.c.CVE-2024-23185 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-mail/test-message-parser.c 2024-08-20 22:55:36.531652458 +0200
@@ -1369,6 +1369,158 @@ static const char input_msg[] =
test_end();
}

@ -1,6 +1,6 @@
diff -up dovecot-2.3.18/src/auth/auth-token.c.opensslhmac dovecot-2.3.18/src/auth/auth-token.c
--- dovecot-2.3.18/src/auth/auth-token.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.18/src/auth/auth-token.c 2022-02-09 09:27:15.887883359 +0100
diff -up dovecot-2.3.14/src/auth/auth-token.c.opensslhmac dovecot-2.3.14/src/auth/auth-token.c
--- dovecot-2.3.14/src/auth/auth-token.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/auth/auth-token.c 2021-03-22 20:44:13.022912242 +0100
@@ -161,17 +161,17 @@ void auth_token_deinit(void)
const char *auth_token_get(const char *service, const char *session_pid,
const char *username, const char *session_id)
@ -26,9 +26,9 @@ diff -up dovecot-2.3.18/src/auth/auth-token.c.opensslhmac dovecot-2.3.18/src/aut
return binary_to_hex(result, sizeof(result));
}
diff -up dovecot-2.3.18/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.18/src/auth/mech-cram-md5.c
--- dovecot-2.3.18/src/auth/mech-cram-md5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.18/src/auth/mech-cram-md5.c 2022-02-09 09:27:15.887883359 +0100
diff -up dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.14/src/auth/mech-cram-md5.c
--- dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/auth/mech-cram-md5.c 2021-03-22 20:44:13.022912242 +0100
@@ -51,7 +51,7 @@ static bool verify_credentials(struct cr
{
@ -52,10 +52,10 @@ diff -up dovecot-2.3.18/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.18/src/
response_hex = binary_to_hex(digest, sizeof(digest));
diff -up dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac dovecot-2.3.18/src/auth/mech-scram.c
--- dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.18/src/auth/mech-scram.c 2022-02-09 09:31:50.927146858 +0100
@@ -93,7 +93,7 @@ get_scram_server_first(struct scram_auth
diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/auth/mech-scram.c
--- dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/auth/mech-scram.c 2021-03-22 20:44:13.022912242 +0100
@@ -78,7 +78,7 @@ static const char *get_scram_server_firs
static const char *get_scram_server_final(struct scram_auth_request *request)
{
const struct hash_method *hmethod = request->hash_method;
@ -64,7 +64,7 @@ diff -up dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac dovecot-2.3.18/src/aut
const char *auth_message;
unsigned char server_signature[hmethod->digest_size];
string_t *str;
@@ -109,9 +109,9 @@ static const char *get_scram_server_fina
@@ -87,9 +87,9 @@ static const char *get_scram_server_fina
request->server_first_message, ",",
request->client_final_message_without_proof, NULL);
@ -75,9 +75,9 @@ diff -up dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac dovecot-2.3.18/src/aut
+ openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
+ openssl_hmac_final(&ctx, server_signature);
/* RFC 5802, Section 7:
@@ -292,7 +292,7 @@ parse_scram_client_first(struct scram_au
str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(server_signature)));
str_append(str, "v=");
@@ -228,7 +228,7 @@ static bool parse_scram_client_first(str
static bool verify_credentials(struct scram_auth_request *request)
{
const struct hash_method *hmethod = request->hash_method;
@ -86,7 +86,7 @@ diff -up dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac dovecot-2.3.18/src/aut
const char *auth_message;
unsigned char client_key[hmethod->digest_size];
unsigned char client_signature[hmethod->digest_size];
@@ -310,9 +310,9 @@ static bool verify_credentials(struct sc
@@ -239,9 +239,9 @@ static bool verify_credentials(struct sc
request->server_first_message, ",",
request->client_final_message_without_proof, NULL);
@ -97,11 +97,11 @@ diff -up dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac dovecot-2.3.18/src/aut
+ openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
+ openssl_hmac_final(&ctx, client_signature);
/* ClientProof := ClientKey XOR ClientSignature */
const unsigned char *proof_data = request->proof->data;
diff -up dovecot-2.3.18/src/auth/password-scheme.c.opensslhmac dovecot-2.3.18/src/auth/password-scheme.c
--- dovecot-2.3.18/src/auth/password-scheme.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.18/src/auth/password-scheme.c 2022-02-09 09:27:15.888883345 +0100
for (i = 0; i < sizeof(client_signature); i++)
diff -up dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme.c
--- dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/auth/password-scheme.c 2021-03-22 20:44:13.022912242 +0100
@@ -639,11 +639,11 @@ static void
cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
const unsigned char **raw_password_r, size_t *size_r)
@ -116,9 +116,9 @@ diff -up dovecot-2.3.18/src/auth/password-scheme.c.opensslhmac dovecot-2.3.18/sr
strlen(plaintext), &hash_method_md5);
hmac_md5_get_cram_context(&ctx, context_digest);
diff -up dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.18/src/auth/password-scheme-scram.c
--- dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.18/src/auth/password-scheme-scram.c 2022-02-09 09:27:15.888883345 +0100
diff -up dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme-scram.c
--- dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/auth/password-scheme-scram.c 2021-03-22 20:44:13.023912229 +0100
@@ -30,23 +30,23 @@ Hi(const struct hash_method *hmethod, co
const unsigned char *salt, size_t salt_size, unsigned int i,
unsigned char *result)
@ -208,9 +208,9 @@ diff -up dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3
str_append_c(str, ',');
base64_encode(server_key, sizeof(server_key), str);
diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c
--- dovecot-2.3.18/src/lib/hmac.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.18/src/lib/hmac.c 2022-02-09 09:27:15.888883345 +0100
diff -up dovecot-2.3.14/src/lib/hmac.c.opensslhmac dovecot-2.3.14/src/lib/hmac.c
--- dovecot-2.3.14/src/lib/hmac.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac.c 2021-03-22 20:44:13.023912229 +0100
@@ -7,6 +7,10 @@
* This software is released under the MIT license.
*/
@ -448,9 +448,9 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c
- safe_memset(prk, 0, sizeof(prk));
- safe_memset(okm, 0, sizeof(okm));
}
diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.18/src/lib/hmac-cram-md5.c
--- dovecot-2.3.18/src/lib/hmac-cram-md5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.18/src/lib/hmac-cram-md5.c 2022-02-09 09:27:15.888883345 +0100
diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.c
--- dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac-cram-md5.c 2021-03-22 20:44:13.023912229 +0100
@@ -9,10 +9,10 @@
#include "md5.h"
#include "hmac-cram-md5.h"
@ -477,9 +477,9 @@ diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.18/src/l
const unsigned char *cdp;
struct md5_context *ctx = (void*)hmac_ctx->ctx;
diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.18/src/lib/hmac-cram-md5.h
--- dovecot-2.3.18/src/lib/hmac-cram-md5.h.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.18/src/lib/hmac-cram-md5.h 2022-02-09 09:27:15.888883345 +0100
diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.h
--- dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac-cram-md5.h 2021-03-22 20:44:13.023912229 +0100
@@ -5,9 +5,9 @@
#define CRAM_MD5_CONTEXTLEN 32
@ -492,9 +492,9 @@ diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.18/src/l
const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
diff -up dovecot-2.3.18/src/lib/hmac.h.opensslhmac dovecot-2.3.18/src/lib/hmac.h
--- dovecot-2.3.18/src/lib/hmac.h.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.18/src/lib/hmac.h 2022-02-09 09:27:15.888883345 +0100
diff -up dovecot-2.3.14/src/lib/hmac.h.opensslhmac dovecot-2.3.14/src/lib/hmac.h
--- dovecot-2.3.14/src/lib/hmac.h.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac.h 2021-03-22 20:44:13.023912229 +0100
@@ -4,60 +4,97 @@
#include "hash-method.h"
#include "sha1.h"
@ -606,9 +606,9 @@ diff -up dovecot-2.3.18/src/lib/hmac.h.opensslhmac dovecot-2.3.18/src/lib/hmac.h
okm_buffer, okm_len);
return okm_buffer;
}
diff -up dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c
--- dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c 2022-02-09 09:27:15.888883345 +0100
diff -up dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c
--- dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c 2021-03-22 20:44:13.023912229 +0100
@@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha
const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN],
size_t *token_len_r)
@ -629,10 +629,10 @@ diff -up dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-
*token_len_r = SHA1_RESULTLEN + 1;
return token;
diff -up dovecot-2.3.18/src/lib/Makefile.am.opensslhmac dovecot-2.3.18/src/lib/Makefile.am
--- dovecot-2.3.18/src/lib/Makefile.am.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.18/src/lib/Makefile.am 2022-02-09 09:27:15.889883331 +0100
@@ -354,6 +354,9 @@ headers = \
diff -up dovecot-2.3.14/src/lib/Makefile.am.opensslhmac dovecot-2.3.14/src/lib/Makefile.am
--- dovecot-2.3.14/src/lib/Makefile.am.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/Makefile.am 2021-03-22 20:44:13.023912229 +0100
@@ -352,6 +352,9 @@ headers = \
wildcard-match.h \
write-full.h
@ -642,10 +642,10 @@ diff -up dovecot-2.3.18/src/lib/Makefile.am.opensslhmac dovecot-2.3.18/src/lib/M
test_programs = test-lib
noinst_PROGRAMS = $(test_programs)
diff -up dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c
--- dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c 2022-02-09 09:27:15.889883331 +0100
@@ -144,14 +144,14 @@ oauth2_validate_hmac(const struct oauth2
diff -up dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c
--- dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c 2021-03-22 20:44:13.024912217 +0100
@@ -106,14 +106,14 @@ oauth2_validate_hmac(const struct oauth2
if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0)
return -1;
@ -666,10 +666,10 @@ diff -up dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.18/s
buffer_t *their_digest =
t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]);
diff -up dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c
--- dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c 2022-02-09 09:27:15.889883331 +0100
@@ -248,7 +248,7 @@ static void save_key_azp_to(const char *
diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c
--- dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c 2021-03-22 20:46:09.524440794 +0100
@@ -236,7 +236,7 @@ static void save_key_to(const char *algo
static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key)
{
i_assert(key != NULL);
@ -678,7 +678,7 @@ diff -up dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3
tokenbuf);
buffer_append(tokenbuf, ".", 1);
base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
@@ -258,7 +258,7 @@ static void sign_jwt_token_hs256(buffer_
@@ -246,7 +246,7 @@ static void sign_jwt_token_hs256(buffer_
static void sign_jwt_token_hs384(buffer_t *tokenbuf, buffer_t *key)
{
i_assert(key != NULL);
@ -687,7 +687,7 @@ diff -up dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3
tokenbuf);
buffer_append(tokenbuf, ".", 1);
base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
@@ -268,7 +268,7 @@ static void sign_jwt_token_hs384(buffer_
@@ -256,7 +256,7 @@ static void sign_jwt_token_hs384(buffer_
static void sign_jwt_token_hs512(buffer_t *tokenbuf, buffer_t *key)
{
i_assert(key != NULL);
@ -696,9 +696,9 @@ diff -up dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3
tokenbuf);
buffer_append(tokenbuf, ".", 1);
base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
diff -up dovecot-2.3.18/src/lib/pkcs5.c.opensslhmac dovecot-2.3.18/src/lib/pkcs5.c
--- dovecot-2.3.18/src/lib/pkcs5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.18/src/lib/pkcs5.c 2022-02-09 09:27:15.889883331 +0100
diff -up dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac dovecot-2.3.14/src/lib/pkcs5.c
--- dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/pkcs5.c 2021-03-22 20:44:13.024912217 +0100
@@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho
size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */
unsigned char dk[l * hash->digest_size];
@ -733,9 +733,9 @@ diff -up dovecot-2.3.18/src/lib/pkcs5.c.opensslhmac dovecot-2.3.18/src/lib/pkcs5
for(i = 0; i < hash->digest_size; i++)
block[i] ^= U_c[i];
}
diff -up dovecot-2.3.18/src/lib/test-hmac.c.opensslhmac dovecot-2.3.18/src/lib/test-hmac.c
--- dovecot-2.3.18/src/lib/test-hmac.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100
+++ dovecot-2.3.18/src/lib/test-hmac.c 2022-02-09 09:27:15.889883331 +0100
diff -up dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac dovecot-2.3.14/src/lib/test-hmac.c
--- dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/test-hmac.c 2021-03-22 20:44:13.024912217 +0100
@@ -206,11 +206,11 @@ static void test_hmac_rfc(void)
test_begin("hmac sha256 rfc4231 vectors");
for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) {

@ -1,25 +0,0 @@
m4: crypt_xxpg6.m4: Define _DEFAULT_SOURCE for current glibc
Current glibc no longer implements the CRYPT extension, so it does not
declare crypt in <unistd.h> in strict standard modes. The check
defines _XOPEN_SOURCE, which enables one of these modes. Defining
_DEFAULT_SOURCE as well again makes available the crypt function
prototype.
This avoids a configure check result change with compilers which do
not support implicit function declarations.
Submitted upstream: <https://github.com/dovecot/core/pull/193>
diff --git a/m4/crypt_xpg6.m4 b/m4/crypt_xpg6.m4
index 0085b2ac76..3a288a3713 100644
--- a/m4/crypt_xpg6.m4
+++ b/m4/crypt_xpg6.m4
@@ -6,6 +6,7 @@ AC_DEFUN([DOVECOT_CRYPT_XPG6], [
#define _XOPEN_SOURCE 4
#define _XOPEN_SOURCE_EXTENDED 1
#define _XOPEN_VERSION 4
+ #define _DEFAULT_SOURCE
#define _XPG4_2
#define _XPG6
#include <unistd.h>

@ -4,17 +4,17 @@
Summary: Secure imap and pop3 server
Name: dovecot
Epoch: 1
Version: 2.3.21
Version: 2.3.16
%global prever %{nil}
Release: 15%{?dist}
Release: 11%{?dist}.1
#dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
License: MIT AND LGPL-2.1-only
License: MIT and LGPLv2
URL: https://www.dovecot.org/
Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
Source1: dovecot.init
Source2: dovecot.pam
%global pigeonholever 0.5.21
%global pigeonholever 0.5.16
Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
Source9: dovecot.sysconfig
Source10: dovecot.tmpfilesd
@ -34,7 +34,6 @@ Patch6: dovecot-2.1.10-waitonline.patch
Patch8: dovecot-2.2.20-initbysystemd.patch
Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
Patch10: dovecot-2.3.0.1-libxcrypt.patch
Patch15: dovecot-2.3.11-bigkey.patch
# do not use own implementation of HMAC, use OpenSSL for certification purposes
@ -42,31 +41,31 @@ Patch15: dovecot-2.3.11-bigkey.patch
# hard to break circular dependency between lib and lib-dcrypt
Patch16: dovecot-2.3.6-opensslhmac.patch
Patch17: dovecot-2.3.14-opensslv3.patch
# FTBFS
Patch17: dovecot-2.3.15-fixvalcond.patch
Patch18: dovecot-2.3.15-valbasherr.patch
Patch20: dovecot-2.3.14-opensslv3.patch
Patch21: dovecot-2.3.19.1-7bad6a24.patch
Patch22: dovecot-configure-c99.patch
Patch18: dovecot-2.3.15-fixvalcond.patch
Patch19: dovecot-2.3.15-valbasherr.patch
Patch20: dovecot-2.3.16-ftbfsbigend.patch
# Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes
Patch23: dovecot-2.3.20-nolibotp.patch
# from upstream, for <= 2.3.19.1, rhbz#2106232
Patch21: dovecot-2.3.19.1-7bad6a24.patch
# adapted from 2.4 dovecot, issue #RHEL-33733
Patch24: dovecot-2.3.21-noengine.patch
# from upstream, for < 2.3.19.1, rhbz#2128857
Patch22: dovecot-2.3.18-bdf447e4.patch
Patch23: dovecot-2.3.18-9f300239..4596d399.patch
# sent upstream, issue #RHEL-52541
Patch25: dovecot-2.3-ph_optglob.patch
Patch26: dovecot-2.3-ph_scriptcmp.patch
# from upstream, for < 2.3.21, RHEL-25434
Patch24: dovecot-2.3.16-d7705bc6.patch
# fix test failing due to too long path with all the mock path prefixes
Patch27: dovecot-2.3.21-test-socket-path.patch
# from upstream for < 2.3.21.1, RHEL-55205
# from upstream for < 2.3.21.1, RHEL-55211
# https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch
Patch28: dovecot-2.3.21.1-CVE-2024-23184.patch
# from upstream for < 2.3.21.1, RHEL-55218
# from upstream for < 2.3.21.1, RHEL-55225
# https://github.com/dovecot/core/compare/f020e13%5E...ce88c33.patch
Patch29: dovecot-2.3.21.1-CVE-2024-23185.patch
@ -79,22 +78,21 @@ BuildRequires: libxcrypt-devel
BuildRequires: openldap-devel
BuildRequires: krb5-devel
BuildRequires: quota-devel
BuildRequires: rpcgen
BuildRequires: xz-devel
BuildRequires: lz4-devel
BuildRequires: libzstd-devel
%if %{?rhel}0 == 0
BuildRequires: libsodium-devel
BuildRequires: lua-devel
%endif
BuildRequires: libicu-devel
%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38
BuildRequires: libexttextcat-devel
BuildRequires: clucene-core-devel
%endif
BuildRequires: libstemmer-devel
BuildRequires: multilib-rpm-config
BuildRequires: flex, bison
BuildRequires: systemd-devel
BuildRequires: systemd-rpm-macros
# for dovecot.sysusers
BuildRequires: systemd-rpm-macros
# gettext-devel is needed for running autoconf because of the
# presence of AM_ICONV
@ -110,6 +108,8 @@ Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
BuildRequires: clucene-core-devel
%global ssldir %{_sysconfdir}/pki/%{name}
BuildRequires: libcurl-devel expat-devel
@ -127,7 +127,7 @@ The SQL drivers and authentication plug-ins are in their subpackages.
%package pigeonhole
Requires: %{name} = %{epoch}:%{version}-%{release}
Summary: Sieve and managesieve plug-in for dovecot
License: MIT AND LGPL-2.1-only
License: MIT and LGPLv2
%description pigeonhole
This package provides sieve and managesieve plug-in for dovecot LDA.
@ -152,10 +152,6 @@ This package provides the development files for dovecot.
%prep
%setup -q -n %{name}-%{version}%{?prever} -a 8
# standardize name, so we don't have to update patches and scripts
mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole
%patch -P 1 -p1 -b .default-settings
%patch -P 2 -p1 -b .mkcert-permissions
%patch -P 3 -p1 -b .mkcert-paths
@ -164,31 +160,25 @@ mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole
%patch -P 9 -p1 -b .systemd_w_protectsystem
%patch -P 15 -p1 -b .bigkey
%patch -P 16 -p1 -b .opensslhmac
%patch -P 17 -p1 -b .fixvalcond
%patch -P 18 -p1 -b .valbasherr
%patch -P 20 -p1 -b .opensslv3
%patch -P 17 -p1 -b .opensslv3
%patch -P 18 -p1 -b .fixvalcond
%patch -P 19 -p1 -b .valbasherr
%patch -P 20 -p1 -b .ftbfsbigend
%patch -P 21 -p1 -b .7bad6a24
%patch -P 22 -p1 -b .c99
%patch -P 23 -p1 -b .nolibotp
%patch -P 24 -p1 -b .noengine
%patch -P 25 -p1 -b .ph_optglob
%patch -P 26 -p1 -b .ph_scriptcmp
%patch -P 22 -p1 -b .bdf447e4
%patch -P 24 -p1 -b .d7705bc6
%patch -P 27 -p1 -b .test-socket-path
%patch -P 28 -p1 -b .CVE-2024-23184
%patch -P 29 -p1 -b .CVE-2024-23185
cp run-test-valgrind.supp dovecot-pigeonhole/
cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/
# valgrind would fail with shell wrapper
echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude
echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude
#pushd dovecot-pigeonhole
#popd
%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38
pushd dovecot-2*3-pigeonhole-%{pigeonholever}
%patch -P 23 -p1 -b .9f300239..4596d399
popd
sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
%endif
# drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes
rm -rf src/lib-otp
%build
#required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules
@ -217,29 +207,18 @@ autoreconf -I . -fiv #required for aarch64 support
--with-zstd \
--with-libcap \
--with-icu \
%if %{?rhel}0 == 0
--with-lua=plugin \
%endif
%if 0%{?rhel} == 0 && 0%{?fedora}0 < 38
--with-lucene \
--with-exttextcat \
%else
--without-lucene \
--without-exttextcat \
%endif
--without-libstemmer \
--with-ssl=openssl \
--with-ssldir=%{ssldir} \
--with-solr \
--with-docs \
systemdsystemunitdir=%{_unitdir}
--with-systemdsystemunitdir=%{_unitdir} \
--with-docs
sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf
%make_build
#pigeonhole
pushd dovecot-pigeonhole
pushd dovecot-2*3-pigeonhole-%{pigeonholever}
# required for snapshot
[ -f configure ] || autoreconf -fiv
@ -265,7 +244,7 @@ mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/
# fix multilib issues
%multilib_fix_c_header --file %{_includedir}/dovecot/config.h
pushd dovecot-pigeonhole
pushd dovecot-2*3-pigeonhole-%{pigeonholever}
%make_install
mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
@ -380,12 +359,9 @@ then
fi
%check
%ifnarch aarch64
# some aarch64 tests timeout, skip for now
make check
cd dovecot-pigeonhole
cd dovecot-2*3-pigeonhole-%{pigeonholever}
make check
%endif
%files
%doc docinstall/* AUTHORS ChangeLog COPYING COPYING.LGPL COPYING.MIT NEWS README
@ -453,9 +429,6 @@ make check
%{_libdir}/dovecot/auth/lib20_auth_var_expand_crypt.so
%{_libdir}/dovecot/auth/libauthdb_imap.so
%{_libdir}/dovecot/auth/libauthdb_ldap.so
%if %{?rhel}0 == 0
%{_libdir}/dovecot/auth/libauthdb_lua.so
%endif
%{_libdir}/dovecot/auth/libmech_gssapi.so
%{_libdir}/dovecot/auth/libdriver_sqlite.so
%{_libdir}/dovecot/dict/libdriver_sqlite.so
@ -536,151 +509,70 @@ make check
%{_libdir}/%{name}/dict/libdriver_pgsql.so
%changelog
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1:2.3.21-15
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Tue Aug 20 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-14
- fix CVE-2024-23185: very large headers can cause resource exhaustion
when parsing message (RHEL-55218)
- fix CVE-2024-23184: using a large number of address headers may trigger
a denial of service (RHEL-55205)
* Mon Aug 05 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-13
- fix crash when user has sieve script that includes two missing scripts (RHEL-52541)
* Tue Jul 23 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-12
- fix building with noengine openssl
* Mon Sep 02 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-11.1
- fix CVE-2024-23184: using a large number of address headers may trigger a denial of service (RHEL-55211)
- fix CVE-2024-23185: very large headers can cause resource exhaustion when parsing message (RHEL-55225)
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1:2.3.21-11
- Bump release for June 2024 mass rebuild
* Fri Feb 16 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-11
- fixes assert-crash when IMAP client uses QRESYNC (#RHEL-25434)
* Tue Jun 18 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-10
- set min uid to 1000
* Tue Aug 15 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-10
- fix leaking mailboxes if virtual mailbox can't be opened (#2231408)
* Thu Jun 13 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-9
- do not run during systemd commands during leap upgrade
* Sat May 27 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-9
- add buildrequire of rpcgen to enable rquota support(#2157045)
* Tue Jun 11 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-8
- drop dependency on libstemmer (#RHEL-40657)
* Tue Sep 13 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-8
- do not run systemd commands during leapp upgrade (#2119385)
* Mon May 13 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-7
- do not use deprecated openssl v3 engine api (#RHEL-33733)
* Tue Jul 12 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-7
- fix possible privilege escalation when similar master and non-master passdbs are used (#2106232)
* Wed Jan 31 2024 Pete Walter <pwalter@fedoraproject.org> - 1:2.3.21-6
- Rebuild for ICU 74
* Wed Jul 06 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-6
- fix possible nonzero return value of postinst script(#2053368)
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.21-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Jul 05 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-5
- workaround sysuers macro defficiency (#2095399)
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.21-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Jul 05 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-4
- use systemd-sysusers for user creation (#2095399)
* Tue Oct 24 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-3
- drop lucene to reduce dependency, use solr for fts instead
* Wed Nov 03 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-3
- re-enable LTO build (#1990080)
* Thu Oct 05 2023 Remi Collet <remi@remirepo.net> - 1:2.3.21-2
- rebuild for new libsodium
* Mon Sep 18 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-1
- updated to 2.3.21(2239134)
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.20-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Jul 11 2023 František Zatloukal <fzatlouk@redhat.com> - 1:2.3.20-5
- Rebuilt for ICU 73.2
* Wed Apr 26 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.20-4
- update license tag format (SPDX migration) for https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1
* Tue Feb 14 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.20-3
- drop SHA1 OTP
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.20-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Jan 02 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.20-1
- updated to 2.3.20, pigeonhole to 0.5.20
* Mon Jan 02 2023 Florian Weimer <fweimer@redhat.com> - 1:2.3.19.1-8
- Port configure script to C99
* Sat Dec 31 2022 Pete Walter <pwalter@fedoraproject.org> - 1:2.3.19.1-7
- Rebuild for ICU 72
* Tue Nov 08 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.19.1-6
- use Wants=network-online.target instead of preexec nm-online (#2095949)
* Tue Oct 11 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.19.1-5
- build with lua support (#2132420)
* Mon Aug 01 2022 Frantisek Zatloukal <fzatlouk@redhat.com> - 1:2.3.19.1-4
- Rebuilt for ICU 71.1
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.19.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue Jul 12 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.19.1-2
- fix possible privilege escalation when similar master and non-master passdbs are used
* Mon Jun 20 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.19.1-1
- updated to 2.3.19.1
* Mon May 30 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.19-1
- updated to 2.3.19, pigeonhole to 0.5.19
* Wed Feb 09 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.18-1
- updated to 2.3.18, pigeonhole to 0.5.18
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.17.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Tue Dec 07 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.17.1-1
- dovecot updated to 2.3.17.1, pigeonhole to 0.5.17.1
- dsync: Add back accidentically removed parameters.
- lib-ssl-iostream: Fix assert-crash when OpenSSL returned syscall error
without errno.
- dovecot, managesieve and sieve-tool failed to run if ssl_ca was too large.
* Tue Nov 02 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.17-1
- dovecot updated to 2.3.17, pigeonhole to 0.5.17
* Tue Sep 28 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-4
- reenable LTO
* Mon Sep 27 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-3
- fix OpenSSLv3 issues 2005884
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1:2.3.16-2
- Rebuilt with OpenSSL 3.0.0
* Wed Oct 27 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-2
- set first_valid_uid to 1000 to match system default (#2009716)
* Fri Aug 20 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-1
- dovecot updated to 2.3.16, pigeonhole to 0.5.16
- fixes several regressions
- fixes several regressions (#1997583)
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.15-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.3.15-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Mon Jun 21 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.15-1
* Wed Jul 21 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.15-1
- dovecot updated to 2.3.15, pigeonhole updated to 0.5.15
- CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
JWT tokens. This may be used to supply attacker controlled keys to
validate tokens, if attacker has local access.
validate tokens, if attacker has local access (#1979833)
- CVE-2021-33515: On-path attacker could have injected plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client.
finished with the client
- Add TSLv1.3 support to min_protocols.
- Allow configuring ssl_cipher_suites. (for TLSv1.3+)
* Wed May 19 2021 Pete Walter <pwalter@fedoraproject.org> - 1:2.3.14-4
- Rebuild for ICU 69
* Wed Jul 14 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-5
- fix mail storage block count parsing (#1974281)
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.3.14-4
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Wed May 19 2021 Pete Walter <pwalter@fedoraproject.org> - 1:2.3.14-3
- Rebuild for ICU 69
* Fri Jun 04 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-3
- compatibility with openssl 3.0 (#1962035)
* Mon May 10 2021 Jeff Law <jlaw@tachyum.com> - 1:2.3.14-2
- Re-enable LTO
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.3.14-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon Mar 22 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-1
- dovecot updated to 2.3.14, pigeonhole to 0.5.14

Loading…
Cancel
Save