authorJuergen Daubert <jue@jue.li>2018-03-01 09:57:59 +0100
committerJuergen Daubert <jue@jue.li>2018-03-01 09:57:59 +0100
commitb927b2f2d7680a3241d70b6c70f1ec8602169831 (patch)
tree776959825cff070ee4d850417929eebd4848483a /dovecot
parent51cb8df9a8092c6bf91c955c67c9fb89976de1db (diff)
[notify] dovecot: update to 2.3.0.1, closes FS#1599
security fix, see https://dovecot.org/list/dovecot-news/2018-February/000371.html
Diffstat (limited to 'dovecot')
-rw-r--r--dovecot/.md5sum4
-rw-r--r--dovecot/.signature8
-rw-r--r--dovecot/CVE-2017-15132-1.patch57
-rw-r--r--dovecot/CVE-2017-15132.patch28
-rw-r--r--dovecot/Pkgfile11
5 files changed, 7 insertions, 101 deletions
diff --git a/dovecot/.md5sum b/dovecot/.md5sum
index 3b4936f51..21943f3b4 100644
--- a/dovecot/.md5sum
+++ b/dovecot/.md5sum
@@ -1,5 +1,3 @@
-a1a5efc13766e3b2d0a154e9716f0f7a CVE-2017-15132-1.patch
-f043e0bb2773cd38f74ada8c164524a6 CVE-2017-15132.patch
ec342928dd97131f82dba41546741b5f dovecot
-a8802617ddf68972f5f97bd8677e5856 dovecot-2.3.0.tar.gz
+865d6ad94c98ac3289fa06a77b1c014e dovecot-2.3.0.1.tar.gz
1cc42484b5515bddf47edcf26b288b6b dovecot-config.patch
diff --git a/dovecot/.signature b/dovecot/.signature
index c9707c0a1..a7f0a14ea 100644
--- a/dovecot/.signature
+++ b/dovecot/.signature
@@ -1,9 +1,7 @@
untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/SkROei+JVsseDKn6SIUNsjxW4JVhAKiDa6r4HZW5ka8HbQjpy6OBAAyHGpg/+/NM5m9pchHJcjlYyFH2k1VXQs=
-SHA256 (Pkgfile) = f325affa0506d8e0a7f7ac40e81503af99fa2ee54a3a8c38a76205de6e8e396b
+RWSE3ohX2g5d/d5N12tWoNTQhb7I2Fr15CI5nf6EiZ2gY+6Rhbz6ryRonaZ1C0T02UcuQeVDNq4sOW7xEVNd5IwW2K3Msih3vQE=
+SHA256 (Pkgfile) = 4d2c31432a6ab2b7a42ea598e913f45ee22ddc15d7f1ba53d95ccf30896c884b
SHA256 (.footprint) = d464c6eb14ad58ab166c901d6c1a6f66a010f3e934f3b1645a9cd20d24663b4b
-SHA256 (dovecot-2.3.0.tar.gz) = de60cb470d025e4dd0f8e8fbbb4b9316dfd4930eb949d307330669ffbeaf8581
-SHA256 (CVE-2017-15132.patch) = ddbfdb187e1e763aa10364e57ed82bd37d264d66ed01559a7dbdeccb9f41e91f
-SHA256 (CVE-2017-15132-1.patch) = 480980136322c3361ab334346218504397668df49d66afef0bca70b7e4d40fae
+SHA256 (dovecot-2.3.0.1.tar.gz) = ab772b3e214683aba347203c9391295552255c4d69afb324c7b8c8fc5ad6f153
SHA256 (dovecot-config.patch) = a6f09e637f1ac15368d2d18736dc353e4a188959c5940dedd5306b689156e91c
SHA256 (dovecot) = ead06d36290cca8be6be350f2c05edf53a4e9ce8aec5d5d663b1162ae96c17c7
diff --git a/dovecot/CVE-2017-15132-1.patch b/dovecot/CVE-2017-15132-1.patch
deleted file mode 100644
index b1d8b4923..000000000
--- a/dovecot/CVE-2017-15132-1.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From a9b135760aea6d1790d447d351c56b78889dac22 Mon Sep 17 00:00:00 2001
-From: Aki Tuomi <aki.tuomi@dovecot.fi>
-Date: Fri, 26 Jan 2018 10:55:54 +0200
-Subject: [PATCH] lib-auth: Remove request after abort
-
-Otherwise the request will still stay in hash table
-and get dereferenced when all requests are aborted
-causing an attempt to access free'd memory.
-
-Found by Apollon Oikonomopoulos <apoikos@debian.org>
-
-Broken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060
----
- src/lib-auth/auth-client-request.c | 2 ++
- src/lib-auth/auth-server-connection.c | 7 +++++++
- src/lib-auth/auth-server-connection.h | 2 ++
- 3 files changed, 11 insertions(+)
-
-diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
-index 046f7c307d..f6d0290a13 100644
---- a/src/lib-auth/auth-client-request.c
-+++ b/src/lib-auth/auth-client-request.c
-@@ -186,6 +186,8 @@ void auth_client_request_abort(struct auth_client_request **_request)
-
- auth_client_send_cancel(request->conn->client, request->id);
- call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL);
-+ /* remove the request */
-+ auth_server_connection_remove_request(request->conn, request->id);
- pool_unref(&request->pool);
- }
-
-diff --git a/src/lib-auth/auth-server-connection.c b/src/lib-auth/auth-server-connection.c
-index 9d65450fb3..7eea061cad 100644
---- a/src/lib-auth/auth-server-connection.c
-+++ b/src/lib-auth/auth-server-connection.c
-@@ -483,3 +483,10 @@ auth_server_connection_add_request(struct auth_server_connection *conn,
- hash_table_insert(conn->requests, POINTER_CAST(id), request);
- return id;
- }
-+
-+void auth_server_connection_remove_request(struct auth_server_connection *conn,
-+ unsigned int id)
-+{
-+ i_assert(conn->handshake_received);
-+ hash_table_remove(conn->requests, POINTER_CAST(id));
-+}
-diff --git a/src/lib-auth/auth-server-connection.h b/src/lib-auth/auth-server-connection.h
-index 179b5dbd4c..c2c533a41d 100644
---- a/src/lib-auth/auth-server-connection.h
-+++ b/src/lib-auth/auth-server-connection.h
-@@ -40,4 +40,6 @@ void auth_server_connection_disconnect(struct auth_server_connection *conn,
- unsigned int
- auth_server_connection_add_request(struct auth_server_connection *conn,
- struct auth_client_request *request);
-+void auth_server_connection_remove_request(struct auth_server_connection *conn,
-+ unsigned int id);
- #endif
diff --git a/dovecot/CVE-2017-15132.patch b/dovecot/CVE-2017-15132.patch
deleted file mode 100644
index 6b147abef..000000000
--- a/dovecot/CVE-2017-15132.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060 Mon Sep 17 00:00:00 2001
-From: Timo Sirainen <timo.sirainen@dovecot.fi>
-Date: Mon, 18 Dec 2017 16:50:51 +0200
-Subject: [PATCH] lib-auth: Fix memory leak in auth_client_request_abort()
-
-This caused memory leaks when authentication was aborted. For example
-with IMAP:
-
-a AUTHENTICATE PLAIN
-*
-
-Broken by 9137c55411aa39d41c1e705ddc34d5bd26c65021
----
- src/lib-auth/auth-client-request.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
-index 480fb42b30..046f7c307d 100644
---- a/src/lib-auth/auth-client-request.c
-+++ b/src/lib-auth/auth-client-request.c
-@@ -186,6 +186,7 @@ void auth_client_request_abort(struct auth_client_request **_request)
-
- auth_client_send_cancel(request->conn->client, request->id);
- call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL);
-+ pool_unref(&request->pool);
- }
-
- unsigned int auth_client_request_get_id(struct auth_client_request *request)
diff --git a/dovecot/Pkgfile b/dovecot/Pkgfile
index a9f4f109e..4c0b42b99 100644
--- a/dovecot/Pkgfile
+++ b/dovecot/Pkgfile
@@ -4,18 +4,13 @@
# Depends on: zlib bzip2 openssl libcap
name=dovecot
-version=2.3.0
-release=3
+version=2.3.0.1
+release=1
source=(https://dovecot.org/releases/2.3/$name-$version.tar.gz
- CVE-2017-15132.patch CVE-2017-15132-1.patch
dovecot-config.patch dovecot)
build () {
- cd $name-ce-$version
-
- patch -p1 -i $SRC/CVE-2017-15132.patch
- patch -p1 -i $SRC/CVE-2017-15132-1.patch
- patch -p1 -i $SRC/$name-config.patch
+ cd $name-$version
./configure --prefix=/usr \
--libexecdir=/usr/lib \
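Review bot: The block removed from build() also drops `patch -p1 -i $SRC/$name-config.patch`, while dovecot-config.patch stays in the `source=` array and in .md5sum/.signature. On the new side the patch is therefore downloaded and verified but, as far as this hunk shows, never applied. If that was unintended, restore the line right after `cd $name-$version`: `patch -p1 -i $SRC/$name-config.patch`. If the patch is obsolete with 2.3.0.1, drop it from `source=` and the checksum files instead, so the port does not ship an unused, signed artifact. build() continues past the end of the hunk, so confirm the patch is not applied further down before changing anything.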
