author | Vlad Glagolev | 2019-02-26 22:36:01 +0000 |
committer | Vlad Glagolev | 2019-02-26 22:36:01 +0000 |
commit | f49baac4efb48c4c7463eb441b1d0b50026da476 (patch) | |
tree | 99567400e7ec3d3832cc14ef336634e017b5676b /mail | |
parent | d16e6aae4f3e59c1dcc0cf4ff627622bcf2c6fba (diff) |
dovecot: => 2.2.36.1 [security]
Diffstat (limited to 'mail')
-rwxr-xr-x | mail/dovecot/BUILD | 7 | ||||
-rwxr-xr-x | mail/dovecot/CONFIGURE | 12 | ||||
-rwxr-xr-x | mail/dovecot/DETAILS | 19 | ||||
-rw-r--r-- | mail/dovecot/HISTORY | 9 | ||||
-rwxr-xr-x | mail/dovecot/INSTALL | 2 | ||||
-rw-r--r-- | mail/dovecot/dovecot.gpg | bin | 2294 -> 4539 bytes | |||
-rw-r--r-- | mail/dovecot/ssl_enhancedh.patch | 55 | ||||
-rw-r--r-- | mail/dovecot/ssl_protocols.patch | 150 |
8 files changed, 25 insertions, 229 deletions
diff --git a/mail/dovecot/BUILD b/mail/dovecot/BUILD
index 6293e7d286..19ec465932 100755
--- a/mail/dovecot/BUILD
+++ b/mail/dovecot/BUILD
@@ -1,8 +1,3 @@
-if list_find "$DOVECOT_MAILSTORE" "all" ; then
-OPTS="--with-storages=maildir,mbox,sdbox,mdbox,cydir $OPTS"
-else
-OPTS="--with-storages=$(echo $DOVECOT_MAILSTORE | tr " " ",") $OPTS"
-fi &&
 OPTS="--with-notify=$DOVECOT_NOTIFY $OPTS"
 #if [[ $DOVECOT_SSL == none ]]; then
 #OPTS="--without-ssl $OPTS"
@@ -17,7 +12,7 @@ OPTS="--without-vpopmail \
 $OPTS" &&
 default_build &&
 if [[ $DOVECOT_PIGEONHOLE == y ]]; then
-pushd dovecot-${VERSION%.*}-pigeonhole-$VERSION2 &&
+pushd dovecot-${BRANCH}-pigeonhole-${VERSION2} &&
 OPTS="$DOVECOT_PIGEONHOLE_OPTS --with-dovecot=.." &&
 default_build &&
 popd
diff --git a/mail/dovecot/CONFIGURE b/mail/dovecot/CONFIGURE
index db05b67118..42a5cbd780 100755
--- a/mail/dovecot/CONFIGURE
+++ b/mail/dovecot/CONFIGURE
@@ -1,4 +1,8 @@
 . $GRIMOIRE/config_query_multi.function
+
+# drop obsolete configuration options
+persistent_remove DOVECOT_MAILSTORE &&
+
 #if spell_ok gnutls ; then
 #config_query_list DOVECOT_SSL 'Which SSL provider do you want?' \
 # gnutls openssl none
@@ -15,14 +19,6 @@ config_query_option DOVECOT_PIGEONHOLE_OPTS \
 "--without-managesieve"
 fi &&
 
-config_query_multi DOVECOT_MAILSTORE \
- 'What mail storage support do you want?' \
- all \
- maildir \
- mbox \
- sdbox \
- mdbox \
- cydir &&
 config_query_list DOVECOT_NOTIFY \
 'What filesystem notification method do you want?' \
 inotify \
diff --git a/mail/dovecot/DETAILS b/mail/dovecot/DETAILS
index 30c32fe36a..a7c730b33b 100755
--- a/mail/dovecot/DETAILS
+++ b/mail/dovecot/DETAILS
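Review bot: With the `config_query_multi DOVECOT_MAILSTORE` block removed in the second CONFIGURE hunk, the `. $GRIMOIRE/config_query_multi.function` line kept as context at the top of the first hunk appears to have no remaining caller; unless config_query_multi is still used in a part of CONFIGURE outside these hunks, that source line can be dropped too. The added `persistent_remove DOVECOT_MAILSTORE &&` is the right way to clear the stale persistent setting, but the comment above it only says "obsolete"; a reader would benefit from the reason, e.g. `# DOVECOT_MAILSTORE: storage selection is no longer a configure-time option, all storages are built`. The BUILD hunks remove the only consumer of that variable, which is consistent with this cleanup.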
@@ -1,18 +1,19 @@
 SPELL=dovecot
- VERSION=2.2.25
+ VERSION=2.2.36.1
+ BRANCH=`echo $VERSION|cut -d. -f1,2`
+ SECURITY_PATCH=1
 SOURCE=$SPELL-$VERSION.tar.gz
 SOURCE2=$SOURCE.sig
 SOURCE2_IGNORE=signature
 SOURCE_GPG="dovecot.gpg:${SOURCE2}:UPSTREAM_KEY"
- SOURCE_URL[0]=http://www.dovecot.org/releases/${VERSION%.*}/$SOURCE
- SOURCE2_URL[0]=http://www.dovecot.org/releases/${VERSION%.*}/$SOURCE2
+ SOURCE_URL[0]=http://www.dovecot.org/releases/${BRANCH}/$SOURCE
+ SOURCE2_URL[0]=http://www.dovecot.org/releases/${BRANCH}/$SOURCE2
 if [[ "$DOVECOT_PIGEONHOLE" == "y" ]]; then
- VERSION2=0.2.6
- PATCHLEVEL=11
- SOURCE3=$SPELL-${VERSION%.*}-pigeonhole-$VERSION2.tar.gz
- SOURCE4=$SPELL-${VERSION%.*}-pigeonhole-$VERSION2.tar.gz.sig
- SOURCE3_URL[0]=http://pigeonhole.dovecot.org/releases/${VERSION%.*}/$SOURCE3
- SOURCE4_URL[0]=http://pigeonhole.dovecot.org/releases/${VERSION%.*}/$SOURCE4
+ VERSION2=0.4.24.1
+ SOURCE3=$SPELL-${BRANCH}-pigeonhole-${VERSION2}.tar.gz
+ SOURCE4=$SPELL-${BRANCH}-pigeonhole-${VERSION2}.tar.gz.sig
+ SOURCE3_URL[0]=http://pigeonhole.dovecot.org/releases/${BRANCH}/${SOURCE3}
+ SOURCE4_URL[0]=http://pigeonhole.dovecot.org/releases/${BRANCH}/${SOURCE4}
 SOURCE4_IGNORE=signature
 SOURCE3_GPG="dovecot.gpg:${SOURCE4}:UPSTREAM_KEY"
 fi
diff --git a/mail/dovecot/HISTORY b/mail/dovecot/HISTORY
index 52a1058484..04cafd18fe 100644
--- a/mail/dovecot/HISTORY
+++ b/mail/dovecot/HISTORY
@@ -1,3 +1,12 @@
+2019-02-26 Vlad Glagolev <stealth@sourcemage.org>
+ * DETAILS: updated spell to 2.2.36.1; SECURITY_PATCH=1; updated
+ pigeonhole to 0.4.24.1; corrected branch parsing
+ * BUILD, INSTALL: corrected branch parsing
+ * CONFIGURE: dropped no longer supported storage selection
+ * dovecot.gpg: imported ED409DA1 public key (Dovecot Community Edition
+ <dovecot-ce@dovecot.org>)
+ * ssl_protocols.patch, ssl_enhancedh.patch: really removed patches
+
 2016-08-30 Jeremy Blosser <jblosser@sourcemage.org>
 * DETAILS: 2.2.25
 * PRE_BUILD: remove patches, they are in upstream
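Review bot: The new `BRANCH=\`echo $VERSION|cut -d. -f1,2\`` line uses legacy backtick syntax and an unquoted `$VERSION`; the move away from `${VERSION%.*}` is correct, since that expansion yields 2.2.36 for the four-component 2.2.36.1, but the line reads better as `BRANCH=$(echo "$VERSION" | cut -d. -f1,2)` with a comment such as `# major.minor release branch, used in the download paths and the pigeonhole directory name in BUILD/INSTALL`. Separately, SOURCE_URL, SOURCE2_URL and the two pigeonhole URLs are still fetched over plain http; the GPG check declared in SOURCE_GPG and SOURCE3_GPG covers tarball integrity, so the residual risk is mainly exposure of what is being downloaded, but an https URL on the same hosts would remove even that at no cost. That signature check now relies on the key this same commit imports into dovecot.gpg (ED409DA1 according to the HISTORY hunk), and neither the hunk nor the commit message records how that key was verified out of band before being trusted; a short note on the verification source in HISTORY would let a later reviewer confirm the trust chain.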
diff --git a/mail/dovecot/INSTALL b/mail/dovecot/INSTALL
index 8a2957db21..fed7b244af 100755
--- a/mail/dovecot/INSTALL
+++ b/mail/dovecot/INSTALL
@@ -2,7 +2,7 @@ default_install &&
 create_account dovecot &&
 create_account dovenull &&
 if [[ $DOVECOT_PIGEONHOLE == y ]]; then
-pushd dovecot-${VERSION%.*}-pigeonhole-$VERSION2 &&
+pushd dovecot-${BRANCH}-pigeonhole-${VERSION2} &&
 default_install &&
 popd
 fi
diff --git a/mail/dovecot/dovecot.gpg b/mail/dovecot/dovecot.gpg
Binary files differ
index 05d41dd910..9059d1c416 100644
--- a/mail/dovecot/dovecot.gpg
+++ b/mail/dovecot/dovecot.gpg
diff --git a/mail/dovecot/ssl_enhancedh.patch b/mail/dovecot/ssl_enhancedh.patch
deleted file mode 100644
index f9bbb61d7f..0000000000
--- a/mail/dovecot/ssl_enhancedh.patch
+++ /dev/null
@@ -1,55 +0,0 @@
---- src/ssl-params/ssl-params-openssl.c.orig
-+++ src/ssl-params/ssl-params-openssl.c
-@@ -13,7 +13,7 @@
- default.. */
- #define DH_GENERATOR 2
- 
--static int dh_param_bitsizes[] = { 512, 1024 };
-+static int dh_param_bitsizes[] = { 512, 2048 };
- 
- static const char *ssl_last_error(void)
- {
---- src/login-common/ssl-proxy-openssl.c.orig
-+++ src/login-common/ssl-proxy-openssl.c
-@@ -76,7 +76,7 @@
- time_t last_refresh;
- int fd;
- 
-- DH *dh_512, *dh_1024;
-+ DH *dh_512, *dh_2048;
- };
- 
- struct ssl_server_context {
-@@ -182,8 +182,8 @@
- case 512:
- params->dh_512 = d2i_DHparams(NULL, &cbuf, len);
- break;
-- case 1024:
-- params->dh_1024 = d2i_DHparams(NULL, &cbuf, len);
-+ case 2048:
-+ params->dh_2048 = d2i_DHparams(NULL, &cbuf, len);
- break;
- default:
- ssl_params_corrupted();
-@@ -199,9 +199,9 @@
- DH_free(params->dh_512);
- params->dh_512 = NULL;
- }
-- if (params->dh_1024 != NULL) {
-- DH_free(params->dh_1024);
-- params->dh_1024 = NULL;
-+ if (params->dh_2048 != NULL) {
-+ DH_free(params->dh_2048);
-+ params->dh_2048 = NULL;
- }
- }
- 
-@@ -796,7 +796,7 @@
- if (is_export && keylength == 512 && ssl_params.dh_512 != NULL)
- return ssl_params.dh_512;
- 
-- return ssl_params.dh_1024;
-+ return ssl_params.dh_2048;
- }
- 
- static void ssl_info_callback(const SSL *ssl, int where, int ret)
diff --git a/mail/dovecot/ssl_protocols.patch b/mail/dovecot/ssl_protocols.patch
deleted file mode 100644
index d400652a1f..0000000000
--- a/mail/dovecot/ssl_protocols.patch
+++ /dev/null
@@ -1,150 +0,0 @@ ---- doc/example-config/conf.d/10-ssl.conf.orig 2011-12-13 14:38:27.000000000 +0300 -+++ doc/example-config/conf.d/10-ssl.conf 2014-11-12 17:02:11.099183165 +0300 -@@ -37,5 +37,8 @@ - # entirely. - #ssl_parameters_regenerate = 168 - -+# SSL protocols to use -+#ssl_protocols = !SSLv2 !SSLv3 -+ - # SSL ciphers to use - #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL ---- src/login-common/login-settings.c.orig 2012-02-09 20:32:48.000000000 +0300 -+++ src/login-common/login-settings.c 2014-11-12 17:04:31.862715871 +0300 -@@ -31,6 +31,7 @@ - DEF(SET_STR, ssl_key), - DEF(SET_STR, ssl_key_password), - DEF(SET_STR, ssl_cipher_list), -+ DEF(SET_STR, ssl_protocols), - DEF(SET_STR, ssl_cert_username_field), - DEF(SET_STR, ssl_client_cert), - DEF(SET_STR, ssl_client_key), -@@ -62,6 +63,7 @@ - .ssl_key = "", - .ssl_key_password = "", - .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL", -+ .ssl_protocols = "!SSLv2 !SSLv3", - .ssl_cert_username_field = "commonName", - .ssl_client_cert = "", - .ssl_client_key = "", ---- src/login-common/login-settings.h.orig 2012-02-09 20:32:48.000000000 +0300 -+++ src/login-common/login-settings.h 2014-11-12 17:04:57.913369657 +0300 -@@ -13,6 +13,7 @@ - const char *ssl_key; - const char *ssl_key_password; - const char *ssl_cipher_list; -+ const char *ssl_protocols; - const char *ssl_cert_username_field; - const char *ssl_client_cert; - const char *ssl_client_key; ---- src/login-common/ssl-proxy-openssl.c.orig 2012-05-14 21:08:02.000000000 +0300 -+++ src/login-common/ssl-proxy-openssl.c 2014-11-12 17:15:30.299304760 +0300 -@@ -88,6 +88,7 @@ - const char *key; - const char *ca; - const char *cipher_list; -+ const char *protocols; - bool verify_client_cert; - }; - -@@ -139,6 +140,8 @@ - return 1; - if (null_strcmp(ctx1->cipher_list, ctx2->cipher_list) != 0) - return 1; -+ if (null_strcmp(ctx1->protocols, ctx2->protocols) != 0) -+ return 1; - - return ctx1->verify_client_cert == ctx2->verify_client_cert ? 
0 : 1; - } -@@ -606,6 +609,7 @@ - lookup_ctx.key = set->ssl_key; - lookup_ctx.ca = set->ssl_ca; - lookup_ctx.cipher_list = set->ssl_cipher_list; -+ lookup_ctx.protocols = set->ssl_protocols; - lookup_ctx.verify_client_cert = set->ssl_verify_client_cert; - - ctx = hash_table_lookup(ssl_servers, &lookup_ctx); -@@ -1021,8 +1025,7 @@ - - /* enable all SSL workarounds, except empty fragments as it - makes SSL more vulnerable against attacks */ -- SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | -- (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)); -+ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); - #ifdef SSL_MODE_RELEASE_BUFFERS - SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS); - #endif -@@ -1196,6 +1199,57 @@ - } - #endif - -+enum { -+ DOVECOT_SSL_PROTO_SSLv2 = 0x01, -+ DOVECOT_SSL_PROTO_SSLv3 = 0x02, -+ DOVECOT_SSL_PROTO_TLSv1 = 0x04, -+ DOVECOT_SSL_PROTO_ALL = 0x07 -+}; -+ -+static void -+ssl_proxy_ctx_set_protocols(struct ssl_server_context *ssl_ctx, -+ const char *protocols) -+{ -+ const char *const *tmp; -+ int proto, op = 0, include = 0, exclude = 0; -+ bool neg; -+ -+ tmp = t_strsplit_spaces(protocols, " "); -+ for (; *tmp != NULL; tmp++) { -+ const char *name = *tmp; -+ -+ if (*name != '!') -+ neg = FALSE; -+ else { -+ name++; -+ neg = TRUE; -+ } -+ if (strcasecmp(name, SSL_TXT_SSLV2) == 0) -+ proto = DOVECOT_SSL_PROTO_SSLv2; -+ else if (strcasecmp(name, SSL_TXT_SSLV3) == 0) -+ proto = DOVECOT_SSL_PROTO_SSLv3; -+ else if (strcasecmp(name, SSL_TXT_TLSV1) == 0) -+ proto = DOVECOT_SSL_PROTO_TLSv1; -+ else { -+ i_fatal("Invalid ssl_protocols setting: " -+ "Unknown protocol '%s'", name); -+ } -+ if (neg) -+ exclude |= proto; -+ else -+ include |= proto; -+ } -+ if (include != 0) { -+ /* exclude everything, except those that are included -+ (and let excludes still override those) */ -+ exclude |= DOVECOT_SSL_PROTO_ALL & ~include; -+ } -+ if ((exclude & DOVECOT_SSL_PROTO_SSLv2) != 0) op |= SSL_OP_NO_SSLv2; -+ if ((exclude & 
DOVECOT_SSL_PROTO_SSLv3) != 0) op |= SSL_OP_NO_SSLv3; -+ if ((exclude & DOVECOT_SSL_PROTO_TLSv1) != 0) op |= SSL_OP_NO_TLSv1; -+ SSL_CTX_set_options(ssl_ctx->ctx, op); -+} -+ - static struct ssl_server_context * - ssl_server_context_init(const struct login_settings *set) - { -@@ -1211,6 +1265,7 @@ - ctx->key = p_strdup(pool, set->ssl_key); - ctx->ca = p_strdup(pool, set->ssl_ca); - ctx->cipher_list = p_strdup(pool, set->ssl_cipher_list); -+ ctx->protocols = p_strdup(pool, set->ssl_protocols); - ctx->verify_client_cert = set->ssl_verify_client_cert; - - ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method()); -@@ -1222,6 +1277,7 @@ - i_fatal("Can't set cipher list to '%s': %s", - ctx->cipher_list, ssl_last_error()); - } -+ ssl_proxy_ctx_set_protocols(ctx, ctx->protocols); - - if (ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->cert) != 1) { - i_fatal("Can't load ssl_cert: %s", |