Commit Graph

57 Commits

Author SHA1 Message Date
Bernd Kuhls
4afd405eff package/dovecot: security bump version to 2.3.7.2
Release notes:
https://dovecot.org/pipermail/dovecot/2019-August/116874.html

Fixes
* CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
  when scanning data in quoted strings, leading to out of bounds heap
  memory writes. Found by Nick Roessler and Rafi Rubin.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 17:16:34 +02:00
Bernd Kuhls
d873c4d9ab package/dovecot: bump version to 2.3.7.1
Release notes:
https://dovecot.org/pipermail/dovecot/2019-July/116622.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-07-24 00:14:12 +02:00
Fabrice Fontaine
9ff28a4410 package/dovecot: add linux-pam optional dependency
Fixes:
 - http://autobuild.buildroot.org/results/bba0d54cab164d77caf7161596b22602875a7a85

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-07-20 18:45:20 +02:00
Bernd Kuhls
f24cb3414f package/dovecot: bump version to 2.3.7
Switched _SITE to dovecot.org according to release notes:
https://dovecot.org/pipermail/dovecot-news/2019-July/000412.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-14 12:15:03 +02:00
Bernd Kuhls
70784619bc package/dovecot: security bump to version 2.3.6
Fixes
* CVE-2019-11494: Submission-login crashed with signal 11 due to null
  pointer access when authentication was aborted by disconnecting.
* CVE-2019-11499: Submission-login crashed when authentication was
  started over TLS secured channel and invalid authentication message
  was sent.

Release notes:
https://dovecot.org/pipermail/dovecot-news/2019-April/000408.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-30 22:43:22 +02:00
Peter Korsgaard
89c7e417ed package/dovecot: security bump to version 2.3.5.2
Fixes the following security issue:

* CVE-2019-10691: Trying to login with 8bit username containing
  invalid UTF8 input causes auth process to crash if auth policy is
  enabled. This could be used rather easily to cause a DoS. Similar
  crash also happens during mail delivery when using invalid UTF8 in
  From or Subject header when OX push notification driver is used.

https://dovecot.org/pipermail/dovecot-news/2019-April/000406.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-04-26 09:13:57 +02:00
Peter Korsgaard
e3c53aa8a1 package/dovecot: security bump to version 2.3.5.1
Fixes the following security issue:

 * CVE-2019-7524: Missing input buffer size validation leads into
   arbitrary buffer overflow when reading fts or pop3 uidl header
   from Dovecot index. Exploiting this requires direct write access to
   the index files.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-03-31 12:06:53 +02:00
Bernd Kuhls
b404245d6f package/dovecot: bump version to 2.3.5
Release notes:
https://www.dovecot.org/list/dovecot-news/2019-March/000399.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-03-07 22:01:49 +01:00
Peter Korsgaard
a30d577a4b package/dovecot: security bump to version 2.3.4.1
Fixes the following security issues:

 * CVE-2019-3814: If imap/pop3/managesieve/submission client has
   trusted certificate with missing username field
   (ssl_cert_username_field), under some configurations Dovecot
   mistakenly trusts the username provided via authentication instead
   of failing.

 * ssl_cert_username_field setting was ignored with external SMTP AUTH,
   because none of the MTAs (Postfix, Exim) currently send the
   cert_username field. This may have allowed users with trusted
   certificate to specify any username in the authentication. This bug
   didn't affect Dovecot's Submission service.

For more details, see the announcement:
https://www.dovecot.org/list/dovecot-news/2019-February/000394.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-02-05 20:27:06 +01:00
Bernd Kuhls
5c47cabd17 package/{dovecot, dovecot-pigeonhole}: bump version to 2.3.4, 0.5.4
We need to bump both packages in one commit:

https://dovecot.org/pipermail/dovecot-news/2018-November/000392.html

 Adjustments to several changes in Dovecot v2.3.4 make this Pigeonhole
 release dependent on that Dovecot release; it will not compile against
 older Dovecot versions. And, conversely, you need to upgrade
 Pigeonhole when upgrading Dovecot to v2.3.4.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-11-24 10:13:10 +01:00
Bernd Kuhls
082e149e1c package/dovecot: bump version to 2.3.3
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-03 09:32:43 +02:00
Bernd Kuhls
1b5a8a44ea package/dovecot: bump version to 2.3.2.1
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-07-09 23:52:31 +02:00
Bernd Kuhls
326d466e46 package/dovecot: bump version to 2.3.2
Switched _SITE to https.

Release notes:
https://www.dovecot.org/list/dovecot-news/2018-June/000383.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-07-01 15:00:07 +02:00
Bernd Kuhls
14d43aea0a package/dovecot: add optional support for libsodium
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-03-31 20:46:14 +02:00
Bernd Kuhls
0a4d16698d package/dovecot: bump version to 2.3.1
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-03-30 13:12:32 +02:00
Bernd Kuhls
76101f71ef package/dovecot: bump version to 2.2.35
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-03-24 21:38:33 +01:00
Bernd Kuhls
7c970b06ea package/dovecot: security bump to version 2.3.4
Fixes CVE-2017-15130, CVE-2017-14461 & CVE-2017-15132:
https://www.dovecot.org/list/dovecot-news/2018-February/000370.html

Removed patch applied upstream:
a008617e81

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-03-01 21:37:38 +01:00
Peter Korsgaard
28adb37be4 dovecot: add upstream security fix for CVE-2017-15132
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0.  An abort of SASL
authentication results in a memory leak in dovecot's auth client used by
login processes.  The leak has impact in high performance configuration
where same login processes are reused and can cause the process to crash due
to memory exhaustion.

For more details, see:
http://www.openwall.com/lists/oss-security/2018/01/25/4

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-29 09:48:08 +01:00
Thomas Petazzoni
1c8dda3e43 Merge branch 'next'
This merges the next branch accumulated during the 2017.11 release
cycle back into the master branch.

A few conflicts had to be resolved:

 - In the DEVELOPERS file, because Fabrice Fontaine was added as a
   developer for libupnp in master, and for libupnp18 in
   next. Resolution is simple: add him for both.

 - linux/Config.in, because we updated the 4.13.x release used by
   default in master, while we moved to 4.14 in next. Resolution: use
   4.14.

 - package/libupnp/libupnp.hash: a hash for the license file was added
   in master, while the package was bumped into next. Resolution: keep
   the hash for the license file, and keep the hash for the newest
   version of libupnp.

 - package/linux-headers/Config.in.host: default version of the kernel
   headers for 4.13 was bumped to the latest 4.13.x in master, but was
   changed to 4.14 in next. Resolution: use 4.14.

 - package/samba4/: samba was bumped to 4.6.11 in master for security
   reasons, but was bumped to 4.7.3 in next. Resolution: keep 4.7.3.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-12-01 21:56:44 +01:00
Baruch Siach
6f452ffbf7 dovecot: add applicable licenses
List all code licenses mentioned in COPYING.

Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-11-24 09:13:52 +01:00
Bernd Kuhls
746f94c282 package/dovecot: bump version to 2.2.33.2
Added license hashes.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-11-23 21:53:51 +01:00
Bernd Kuhls
5723251f18 package/dovecot: bump version to 2.2.31
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-06-28 23:28:12 +02:00
Bernd Kuhls
64c476da40 package/dovecot: bump version to 2.2.30.2
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-06-06 22:15:03 +02:00
Bernd Kuhls
083e9c64f0 package/dovecot: bump version to 2.30.1
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-06-04 09:45:57 +02:00
Bernd Kuhls
bcded15090 package/dovecot: bump version to 2.2.30
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-05-31 08:51:44 +02:00
Adam Duskett
67f4794de1 package/d*/Config.in: fix help text wrapping
The check-package script when ran gives warnings on text wrapping
on all of these Config files.  This patch cleans up all warnings
related to the text wrapping for the Config files starting with
the letter d in the package directory.

The appropriate indentation is: <tab><2 spaces><62 chars>
See http://nightly.buildroot.org/#writing-rules-config-in for more
information.

Signed-off-by: Adam Duskett <aduskett@codeblue.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-05-11 23:29:21 +02:00
Adam Duskett
8fd62b4e37 package/d*/Config.in: fix ordering of statements
The check-package script when ran gives warnings on ordering issues
on all of these Config files.  This patch cleans up all warnings
related to the ordering in the Config files for packages starting with
the letter d in the package directory.

The appropriate ordering is: type, default, depends on, select, help
See http://nightly.buildroot.org/#_config_files for more information.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-29 21:15:31 +02:00
Vicente Olivert Riera
a1a1f484a9 dovecot: bump version to 2.2.29.1 (security)
Security fix:

  passdb/userdb dict: Don't double-expand %variables in keys. If dict
  was used as the authentication passdb, using specially crafted
  %variables in the username could be used to cause DoS (CVE-2017-2669)

Full ChangeLog 2.2.29 (including CVE fix):
  https://www.dovecot.org/list/dovecot-news/2017-April/000341.html

Full ChangeLog 2.2.29.1 (some fixes forgotten in the 2.2.29 release):

  https://www.dovecot.org/list/dovecot-news/2017-April/000344.html

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-12 21:01:12 +02:00
Rahul Bedarkar
30a3e8d108 boot, package: use SPDX short identifier for LGPLv2.1/LGPLv2.1+
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for LGPLv2.1/LGPLv2.1+ is LGPL-2.1/LGPL-2.1+.

This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/LGPLv2.1(\+)?/LGPL-2.1\1/g'

Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-01 15:18:10 +02:00
Bernd Kuhls
87b60b2586 package/dovecot: bump version to 2.2.28
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-03-06 21:16:02 +01:00
Bernd Kuhls
f93cd820d1 package/dovecot: needs OpenSSL
The latest version bump to 2.27 introduced a bug in the configure
script which occurs when OpenSSL support is missing:
http://lists.busybox.net/pipermail/buildroot/2016-December/179397.html

This patch makes OpenSSL mandatory following the upstream advice:
http://www.dovecot.org/list/dovecot/2016-December/106346.html
"Nobody really should be building without OpenSSL nowadays anyway"

Fixes
http://autobuild.buildroot.net/results/85f/85f2f176c108ab36520f02d975f27c27cddce84b/

[Peter: drop legacy handling]
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-12-12 12:02:24 +01:00
Vicente Olivert Riera
e244d79cd8 dovecot: bump version to 2.2.27 (security)
Fixes CVE-2016-8652 : http://www.securityfocus.com/bid/94639/

Release notes:
  http://www.dovecot.org/list/dovecot-news/2016-December/000333.html

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-12-09 18:13:52 +01:00
Bernd Kuhls
178054f61f package/dovecot: bump version to 2.2.25
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-07-03 11:17:08 +02:00
Bernd Kuhls
9f235bc764 package/dovecot: bump version to 2.2.24
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-04-27 22:15:59 +02:00
Bernd Kuhls
b557bbf99c package/dovecot: bump version to 2.2.23
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-03-31 03:47:03 +02:00
Bernd Kuhls
9779aaf0d0 package/dovecot: bump version to 2.2.22
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-03-20 14:57:03 +01:00
Bernd Kuhls
829f21ca83 package/dovecot: add optional support for lz4
When lz4 was compiled before, dovecot will use it as optional dependency:

$ output/host/usr/bin/i586-buildroot-linux-uclibc-readelf -a output/target/usr/lib/dovecot/lib30_imap_zlib_plugin.so | grep NEEDED
 0x00000001 (NEEDED)                     Shared library: [libz.so.1]
 0x00000001 (NEEDED)                     Shared library: [liblzma.so.5]
 0x00000001 (NEEDED)                     Shared library: [liblz4.so.1]
 0x00000001 (NEEDED)                     Shared library: [libc.so.1]

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-02-16 23:07:01 +01:00
Bernd Kuhls
b9ddfddf9d package/dovecot: add optional support for xz
When xz was compiled before, dovecot will use it as optional dependency:

$ output/host/usr/bin/i586-buildroot-linux-uclibc-readelf -a output/target/usr/lib/dovecot/lib30_imap_zlib_plugin.so | grep NEEDED
 0x00000001 (NEEDED)                     Shared library: [libz.so.1]
 0x00000001 (NEEDED)                     Shared library: [liblzma.so.5]
 0x00000001 (NEEDED)                     Shared library: [liblz4.so.1]
 0x00000001 (NEEDED)                     Shared library: [libc.so.1]

(lz4 support will be added with the next patch of this series)

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-02-16 23:06:55 +01:00
Bernd Kuhls
f39ac4d288 package/dovecot: Remove bzip2 and zlib options
The next patch of this series will add optional xz and lz4 support, to
avoid adding new options for these compression packages simplify the
configuration of dovecot by removing the options handling optional
compression support.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-02-16 23:06:40 +01:00
Bernd Kuhls
1e04afdfad package/dovecot: bump version to 2.2.21
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-12-13 14:33:26 +01:00
Vicente Olivert Riera
09a8abe4ab dovecot: bump to version 2.2.19
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Acked-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-10-03 23:20:52 +02:00
Bernd Kuhls
61a9a4cb29 package/dovecot: Add optional support for icu
Optional dependency added to fts plugin since Dovecot 2.2.17:
http://hg.dovecot.org/dovecot-2.2/diff/b179bbd226e5/configure.ac

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-07-13 18:48:05 +02:00
Bernd Kuhls
a89263f7f0 package/dovecot: bump version to 2.2.18
Removed patch applied upstream:
http://hg.dovecot.org/dovecot-2.2/rev/e4ad83ed88c9

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-07-11 15:03:01 +02:00
Bernd Kuhls
1814da768b package/dovecot: Fix broken logic for comment display
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-26 12:17:02 +02:00
Bernd Kuhls
bfb5d066fc package/dovecot: not available on static-only build
Fixes
http://autobuild.buildroot.net/results/53f/53fd9003a4cf7d128f4d64d43209fe26d859a829/

http://autobuild.buildroot.net/results/53f/53fd9003a4cf7d128f4d64d43209fe26d859a829/dovecot-2.2.16/config.log
shows this pthread related link error during configure

sqlite3.c:(.text+0x5106): undefined reference to `pthread_mutex_trylock'
/home/test/autobuild/instance-2/output/host/usr/i686-buildroot-linux-uclibc/sysroot/usr/lib/libsqlite3.a(sqlite3.o): In function `pthreadMutexAlloc':
sqlite3.c:(.text+0x91fb): undefined reference to `pthread_mutexattr_init'
sqlite3.c:(.text+0x9205): undefined reference to `pthread_mutexattr_settype'
sqlite3.c:(.text+0x920e): undefined reference to `pthread_mutex_init'
sqlite3.c:(.text+0x9216): undefined reference to `pthread_mutexattr_destroy'
sqlite3.c:(.text+0x9234): undefined reference to `pthread_mutex_init'

Trying to fix it in dovecot.mk by

+# dovecot forgets to compile/link with -pthread breaking static linking
+DOVECOT_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -pthread" LIBS="-pthread"

results in a build error later on
setresgid.c:(.text+0x0): multiple definition of `setresgid'

which might be fixed in uclibc by porting
http://git.buildroot.net/buildroot/tree/package/uclibc/1.0.2/0001-fix-static-linking-of-pthread-apps.patch

but, at the end, I think it is better to not build Dovecot as a static
binary since it is heavy modularized and not worth the effort. Therefore
remove two patches fixing static linking, since they are not needed anymore.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-25 10:18:28 +02:00
Gustavo Zacarias
79ce08bbdc packages: remove non-IPv6 dependencies and tweaks
Now that IPv6 is mandatory remove package dependencies and conditionals
for it.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-22 23:06:35 +02:00
Bernd Kuhls
9c820091d1 package/dovecot: fix hash typo
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-03-27 18:47:38 +01:00
Bernd Kuhls
49fedc613e package/dovecot: add hash
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-03-27 17:41:14 +01:00
Bernd Kuhls
9b8481671e package/dovecot: bump version to 2.2.16
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-03-17 13:03:02 +01:00
Yann E. MORIN
9863553fe8 packages: all salute the passing of avr32
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-02-14 17:43:11 +01:00