Friday 2nd March 2018
Fedora Project
Updated perl-Hash-FieldHash (0.15) and perl-Params-Classify (0.015) in Rawhide to explicitly build-require ExtUtils::CBuilder (https://bugzilla.redhat.com/show_bug.cgi?id=1547165#c7)
Local Packages
- Branched repository for Fedora 28
Updated dovecot (2.3.x):
Updated dovecot to 2.3.0.1:
CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage, causing imap-login/pop3-login VSZ limit to be reached and the process restarted; this happens only if Dovecot config has local_name { } or local { } configuration blocks and attacker uses randomly generated SNI servernames
CVE-2017-14461: Parsing invalid email addresses may cause a crash or leak memory contents to attacker, e.g. these memory contents might contain parts of an email from another user if the same imap process is reused for multiple users
CVE-2017-15132: Aborted SASL authentication leaks memory in login process
Linux: Core dumping is no longer enabled by default via PR_SET_DUMPABLE, because this may allow attackers to bypass chroot/group restrictions; nowadays core dumps can be safely enabled by using "sysctl -w fs.suid_dumpable=2", and if the old behaviour is wanted, it can still be enabled by setting: import_environment=$import_environment PR_SET_DUMPABLE=1
imap-login with SSL/TLS connections may end up in infinite loop
Updated pigeonhole to 0.5.0.1:
imap4flags extension: Fix binary corruption occurring when setflag/addflag/removeflag flag-list is a variable
sieve-extprograms plugin: Fix segfault occurring when used in IMAPSieve context
Updated dovecot (2.2.x):
Updated dovecot to 2.2.34:
CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage, causing imap-login/pop3-login VSZ limit to be reached and the process restarted; this happens only if Dovecot config has local_name { } or local { } configuration blocks and attacker uses randomly generated SNI servernames
CVE-2017-14461: Parsing invalid email addresses may cause a crash or leak memory contents to attacker, e.g. these memory contents might contain parts of an email from another user if the same imap process is reused for multiple users
CVE-2017-15132: Aborted SASL authentication leaks memory in login process
Linux: Core dumping is no longer enabled by default via PR_SET_DUMPABLE, because this may allow attackers to bypass chroot/group restrictions; nowadays core dumps can be safely enabled by using "sysctl -w fs.suid_dumpable=2", and if the old behaviour is wanted, it can still be enabled by setting: import_environment=$import_environment PR_SET_DUMPABLE=1
doveconf output now includes the hostname
New mail_attachment_detection_options setting controls when $HasAttachment and $HasNoAttachment keywords are set for mails
imap: Support fetching body snippets using FETCH (SNIPPET) or (SNIPPET (LAZY=FUZZY))
fs-compress: Automatically detect whether input is compressed or not; prefix the compression algorithm with "maybe-" to enable the detection, for example: "compress:maybe-gz:6:..."
Added settings to change dovecot.index* files' optimization behavior; see https://wiki2.dovecot.org/IndexFiles#Settings
Auth cache can now utilize auth workers to do password hash verification by setting auth_cache_verify_password_with_worker=yes
Added charset_alias plugin (https://wiki2.dovecot.org/Plugins/CharsetAlias)
imap_logout_format and pop3_logout_format settings now support all of the generic variables (e.g. %{rip}, %{session}, etc.)
Added auth_policy_check_before_auth, auth_policy_check_after_auth and auth_policy_report_after_auth settings
v2.2.33: doveadm-server: Various fixes related to log handling
v2.2.33: doveadm failed when trying to access UNIX socket that didn't require authentication
v2.2.33: doveadm log reopen stopped working
v2.2.30+: IMAP stopped advertising SPECIAL-USE capability
v2.2.30+: IMAP stopped sending untagged OK/NO storage notifications
replication: dsync sent unnecessary replication notification for changes it did internally (NOTE: Folder creates, renames, deletes and subscribes still trigger unnecessary replication notifications, but these should be rather rare)
mail_always/never_cache_fields setting changes weren't applied for existing dovecot.index.cache files
- Fix compiling and other problems with OpenSSL v1.1
- auth policy: With master user logins, lookup using login username
FTS reindexed all mails unnecessarily after loss of dovecot.index.cache file
- mdbox rebuild repeatedly failed with "missing map extension"
SSL connections may have been hanging with imapc or doveadm client
- cassandra: Using protocol v3 (Cassandra v2.1) caused memory leaks and also timestamps weren't set to queries
fs-crypt silently ignored public/private keys specified in configuration (mail_crypt_global_public/private_key) and just emitted plaintext output
lock_method=dotlock caused crashes
imapc: Reconnection may cause crashes and other errors
Updated pigeonhole to 0.4.22:
Fixed filesystem path handling problem: sieve plugin could have assert-crashed with specific path lengths with: "Panic: file realpath.c: line 86 (path_normalize): assertion failed: (npath_pos + 1 < npath + asize)"
Sieve extprograms plugin: Large output from "execute" command crashed delivery; fixed buffering issue in code that handles output from the external program
editheader extension: Extensively reworked the low-level implementation of adding and removing headers, which solved a few integer arithmetic problems reported by Clang runtime checks, but also improves code structure and reliability in general
imapsieve: Fix assert crash occurring when selected messages are expunged concurrently by the time Sieve filter is to be applied
imap4flags extension: Fix binary byte-code corruption occurring when the setflag, addflag, or removeflag command's flag-list is a variable
enotify extension: mailto method: Fixed parsing of mailto URI with only a header part
enotify extension: mailto method: Make sure "From:" header is set to a usable address and not "(null)"
- Fixed writing address headers to outgoing messages; it sometimes erroneously applied another layer of MIME header encoding
This build also removed tcp_wrappers support from the Fedora 28 build (Bug #1518761)
Updated libidn (1.33) to drop ldconfig scriptlets (replaced by RPM File Triggers) from Fedora 28 onwards
Updated libxml2 (2.9.7) to rebuild with new LDFLAGS from redhat-rpm-config
Updated nmap to add appdata file (Bug #1476506)
Updated perl-Hash-FieldHash (0.15) as per the Fedora version
Updated perl-Module-Build (0.4224) not to require a compiler if c_source is an empty list (Bug #1547165, CPAN RT#124625)
Updated perl-Params-Classify (0.015) and perl-Params-Validate (1.29) to explicitly build-require ExtUtils::CBuilder (https://bugzilla.redhat.com/show_bug.cgi?id=1547165#c7)