Commit Graph

40 Commits

Author SHA1 Message Date
Peter Korsgaard
28adb37be4 dovecot: add upstream security fix for CVE-2017-15132
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0.  An abort of SASL
authentication results in a memory leak in dovecot's auth client used by
login processes.  The leak has impact in high performance configuration
where same login processes are reused and can cause the process to crash due
to memory exhaustion.

For more details, see:
http://www.openwall.com/lists/oss-security/2018/01/25/4

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-29 09:48:08 +01:00
Thomas Petazzoni
1c8dda3e43 Merge branch 'next'
This merges the next branch accumulated during the 2017.11 release
cycle back into the master branch.

A few conflicts had to be resolved:

 - In the DEVELOPERS file, because Fabrice Fontaine was added as a
   developer for libupnp in master, and for libupnp18 in
   next. Resolution is simple: add him for both.

 - linux/Config.in, because we updated the 4.13.x release used by
   default in master, while we moved to 4.14 in next. Resolution: use
   4.14.

 - package/libupnp/libupnp.hash: a hash for the license file was added
   in master, while the package was bumped into next. Resolution: keep
   the hash for the license file, and keep the hash for the newest
   version of libupnp.

 - package/linux-headers/Config.in.host: default version of the kernel
   headers for 4.13 was bumped to the latest 4.13.x in master, but was
   changed to 4.14 in next. Resolution: use 4.14.

 - package/samba4/: samba was bumped to 4.6.11 in master for security
   reasons, but was bumped to 4.7.3 in next. Resolution: keep 4.7.3.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-12-01 21:56:44 +01:00
Baruch Siach
6f452ffbf7 dovecot: add applicable licenses
List all code licenses mentioned in COPYING.

Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-11-24 09:13:52 +01:00
Bernd Kuhls
746f94c282 package/dovecot: bump version to 2.2.33.2
Added license hashes.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-11-23 21:53:51 +01:00
Bernd Kuhls
5723251f18 package/dovecot: bump version to 2.2.31
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-06-28 23:28:12 +02:00
Bernd Kuhls
64c476da40 package/dovecot: bump version to 2.2.30.2
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-06-06 22:15:03 +02:00
Bernd Kuhls
083e9c64f0 package/dovecot: bump version to 2.30.1
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-06-04 09:45:57 +02:00
Bernd Kuhls
bcded15090 package/dovecot: bump version to 2.2.30
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-05-31 08:51:44 +02:00
Adam Duskett
67f4794de1 package/d*/Config.in: fix help text wrapping
The check-package script when ran gives warnings on text wrapping
on all of these Config files.  This patch cleans up all warnings
related to the text wrapping for the Config files starting with
the letter d in the package directory.

The appropriate indentation is: <tab><2 spaces><62 chars>
See http://nightly.buildroot.org/#writing-rules-config-in for more
information.

Signed-off-by: Adam Duskett <aduskett@codeblue.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-05-11 23:29:21 +02:00
Adam Duskett
8fd62b4e37 package/d*/Config.in: fix ordering of statements
The check-package script when ran gives warnings on ordering issues
on all of these Config files.  This patch cleans up all warnings
related to the ordering in the Config files for packages starting with
the letter d in the package directory.

The appropriate ordering is: type, default, depends on, select, help
See http://nightly.buildroot.org/#_config_files for more information.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-29 21:15:31 +02:00
Vicente Olivert Riera
a1a1f484a9 dovecot: bump version to 2.2.29.1 (security)
Security fix:

  passdb/userdb dict: Don't double-expand %variables in keys. If dict
  was used as the authentication passdb, using specially crafted
  %variables in the username could be used to cause DoS (CVE-2017-2669)

Full ChangeLog 2.2.29 (including CVE fix):
  https://www.dovecot.org/list/dovecot-news/2017-April/000341.html

Full ChangeLog 2.2.29.1 (some fixes forgotten in the 2.2.29 release):

  https://www.dovecot.org/list/dovecot-news/2017-April/000344.html

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-12 21:01:12 +02:00
Rahul Bedarkar
30a3e8d108 boot, package: use SPDX short identifier for LGPLv2.1/LGPLv2.1+
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for LGPLv2.1/LGPLv2.1+ is LGPL-2.1/LGPL-2.1+.

This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/LGPLv2.1(\+)?/LGPL-2.1\1/g'

Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-01 15:18:10 +02:00
Bernd Kuhls
87b60b2586 package/dovecot: bump version to 2.2.28
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-03-06 21:16:02 +01:00
Bernd Kuhls
f93cd820d1 package/dovecot: needs OpenSSL
The latest version bump to 2.27 introduced a bug in the configure
script which occurs when OpenSSL support is missing:
http://lists.busybox.net/pipermail/buildroot/2016-December/179397.html

This patch makes OpenSSL mandatory following the upstream advice:
http://www.dovecot.org/list/dovecot/2016-December/106346.html
"Nobody really should be building without OpenSSL nowadays anyway"

Fixes
http://autobuild.buildroot.net/results/85f/85f2f176c108ab36520f02d975f27c27cddce84b/

[Peter: drop legacy handling]
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-12-12 12:02:24 +01:00
Vicente Olivert Riera
e244d79cd8 dovecot: bump version to 2.2.27 (security)
Fixes CVE-2016-8652 : http://www.securityfocus.com/bid/94639/

Release notes:
  http://www.dovecot.org/list/dovecot-news/2016-December/000333.html

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-12-09 18:13:52 +01:00
Bernd Kuhls
178054f61f package/dovecot: bump version to 2.2.25
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-07-03 11:17:08 +02:00
Bernd Kuhls
9f235bc764 package/dovecot: bump version to 2.2.24
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-04-27 22:15:59 +02:00
Bernd Kuhls
b557bbf99c package/dovecot: bump version to 2.2.23
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-03-31 03:47:03 +02:00
Bernd Kuhls
9779aaf0d0 package/dovecot: bump version to 2.2.22
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-03-20 14:57:03 +01:00
Bernd Kuhls
829f21ca83 package/dovecot: add optional support for lz4
When lz4 was compiled before, dovecot will use it as optional dependency:

$ output/host/usr/bin/i586-buildroot-linux-uclibc-readelf -a output/target/usr/lib/dovecot/lib30_imap_zlib_plugin.so | grep NEEDED
 0x00000001 (NEEDED)                     Shared library: [libz.so.1]
 0x00000001 (NEEDED)                     Shared library: [liblzma.so.5]
 0x00000001 (NEEDED)                     Shared library: [liblz4.so.1]
 0x00000001 (NEEDED)                     Shared library: [libc.so.1]

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-02-16 23:07:01 +01:00
Bernd Kuhls
b9ddfddf9d package/dovecot: add optional support for xz
When xz was compiled before, dovecot will use it as optional dependency:

$ output/host/usr/bin/i586-buildroot-linux-uclibc-readelf -a output/target/usr/lib/dovecot/lib30_imap_zlib_plugin.so | grep NEEDED
 0x00000001 (NEEDED)                     Shared library: [libz.so.1]
 0x00000001 (NEEDED)                     Shared library: [liblzma.so.5]
 0x00000001 (NEEDED)                     Shared library: [liblz4.so.1]
 0x00000001 (NEEDED)                     Shared library: [libc.so.1]

(lz4 support will be added with the next patch of this series)

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-02-16 23:06:55 +01:00
Bernd Kuhls
f39ac4d288 package/dovecot: Remove bzip2 and zlib options
The next patch of this series will add optional xz and lz4 support, to
avoid adding new options for these compression packages simplify the
configuration of dovecot by removing the options handling optional
compression support.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-02-16 23:06:40 +01:00
Bernd Kuhls
1e04afdfad package/dovecot: bump version to 2.2.21
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-12-13 14:33:26 +01:00
Vicente Olivert Riera
09a8abe4ab dovecot: bump to version 2.2.19
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Acked-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-10-03 23:20:52 +02:00
Bernd Kuhls
61a9a4cb29 package/dovecot: Add optional support for icu
Optional dependency added to fts plugin since Dovecot 2.2.17:
http://hg.dovecot.org/dovecot-2.2/diff/b179bbd226e5/configure.ac

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-07-13 18:48:05 +02:00
Bernd Kuhls
a89263f7f0 package/dovecot: bump version to 2.2.18
Removed patch applied upstream:
http://hg.dovecot.org/dovecot-2.2/rev/e4ad83ed88c9

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-07-11 15:03:01 +02:00
Bernd Kuhls
1814da768b package/dovecot: Fix broken logic for comment display
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-26 12:17:02 +02:00
Bernd Kuhls
bfb5d066fc package/dovecot: not available on static-only build
Fixes
http://autobuild.buildroot.net/results/53f/53fd9003a4cf7d128f4d64d43209fe26d859a829/

http://autobuild.buildroot.net/results/53f/53fd9003a4cf7d128f4d64d43209fe26d859a829/dovecot-2.2.16/config.log
shows this pthread related link error during configure

sqlite3.c:(.text+0x5106): undefined reference to `pthread_mutex_trylock'
/home/test/autobuild/instance-2/output/host/usr/i686-buildroot-linux-uclibc/sysroot/usr/lib/libsqlite3.a(sqlite3.o): In function `pthreadMutexAlloc':
sqlite3.c:(.text+0x91fb): undefined reference to `pthread_mutexattr_init'
sqlite3.c:(.text+0x9205): undefined reference to `pthread_mutexattr_settype'
sqlite3.c:(.text+0x920e): undefined reference to `pthread_mutex_init'
sqlite3.c:(.text+0x9216): undefined reference to `pthread_mutexattr_destroy'
sqlite3.c:(.text+0x9234): undefined reference to `pthread_mutex_init'

Trying to fix it in dovecot.mk by

+# dovecot forgets to compile/link with -pthread breaking static linking
+DOVECOT_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -pthread" LIBS="-pthread"

results in a build error later on
setresgid.c:(.text+0x0): multiple definition of `setresgid'

which might be fixed in uclibc by porting
http://git.buildroot.net/buildroot/tree/package/uclibc/1.0.2/0001-fix-static-linking-of-pthread-apps.patch

but, at the end, I think it is better to not build Dovecot as a static
binary since it is heavy modularized and not worth the effort. Therefore
remove two patches fixing static linking, since they are not needed anymore.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-25 10:18:28 +02:00
Gustavo Zacarias
79ce08bbdc packages: remove non-IPv6 dependencies and tweaks
Now that IPv6 is mandatory remove package dependencies and conditionals
for it.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-22 23:06:35 +02:00
Bernd Kuhls
9c820091d1 package/dovecot: fix hash typo
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-03-27 18:47:38 +01:00
Bernd Kuhls
49fedc613e package/dovecot: add hash
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-03-27 17:41:14 +01:00
Bernd Kuhls
9b8481671e package/dovecot: bump version to 2.2.16
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-03-17 13:03:02 +01:00
Yann E. MORIN
9863553fe8 packages: all salute the passing of avr32
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-02-14 17:43:11 +01:00
Arnout Vandecappelle
3b7313439b dovecot: add missing indirect dependency on !avr32 for mysql
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-02-07 21:15:32 +01:00
Bernd Kuhls
337d40e7ad package/dovecot: Fix symbol conflict in static build with MySQL enabled
Fixes
http://autobuild.buildroot.net/results/9b5/9b536926b3b2bf82c683b48e9697a220f1b4bf33/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-11-21 21:45:21 +01:00
Baruch Siach
8d4942cc41 dovecot: fix static build
Add a patch removing reference to MODULE_SUFFIX when it is undefined.

Fixes:
http://autobuild.buildroot.net/results/c68/c6844bbffff1cd4f738a5fced011d28f73c90b16/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-11-14 14:56:37 +01:00
Bernd Kuhls
c5278753c2 package/dovecot: Adjust LIBDOVECOT in dovecot-config to STAGING_DIR
Fixes
http://autobuild.buildroot.net/results/3e6/3e6c258d7636fedbb87ba62069094291666e6a85/
http://autobuild.buildroot.net/results/410/410b68afece06ddb03a00245cfdc3de4d9a4e5f1/
http://autobuild.buildroot.net/results/bd3/bd37ee92eeb00adb1558dbb61315465a0cdfe635/
http://autobuild.buildroot.net/results/fd1/fd18c3678eded431476b4e61a10c48e160ffd51a//
and many others

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-11-09 00:06:54 +01:00
Bernd Kuhls
7d5af94c81 package/dovecot: Fix build error in SQLite module
Patch occured with "make dovecot" using this defconfig:
http://autobuild.buildroot.net/results/bd3/bd37ee92eeb00adb1558dbb61315465a0cdfe635/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-11-08 23:54:16 +01:00
Bernd Kuhls
9fd587606e package/dovecot-pigeonhole: New package
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-10-30 22:22:48 +01:00
Bernd Kuhls
b94e18ecda package/dovecot: New package
[Thomas:
 - slightly adjust the prompt of options in the Config.in file
 - fix license: it's just LGPLv2.1, no exceptions. Parts of the code
   are under public domain, or under the MIT license, but the
   combination is under LGPLv2.1.
 - rewrap one comment in the .mk file.]

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-10-30 22:18:52 +01:00