From 3b1dbd6ba031898bfefa8d9ca91ccb221d9640a2 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 09 2020 16:09:19 +0000
Subject: import cyrus-imapd-3.0.7-20.el8


---

diff --git a/SOURCES/cyrus-imapd-use_system_ciphers.patch b/SOURCES/cyrus-imapd-use_system_ciphers.patch
new file mode 100644
index 0000000..0058469
--- /dev/null
+++ b/SOURCES/cyrus-imapd-use_system_ciphers.patch
@@ -0,0 +1,68 @@
+diff --git a/lib/imapoptions b/lib/imapoptions
+index 37f8371..898b943 100644
+--- a/lib/imapoptions
++++ b/lib/imapoptions
+@@ -2207,12 +2207,12 @@ product version in the capabilities
+ { "tls_cert_file", NULL, STRING, "2.5.0", "tls_server_cert" }
+ /* Deprecated in favor of \fItls_server_cert\fR. */
+ 
+-{ "tls_cipher_list", "DEFAULT", STRING, "2.5.0", "tls_ciphers" }
++{ "tls_cipher_list", "PROFILE=SYSTEM", STRING, "2.5.0", "tls_ciphers" }
+ /* Deprecated in favor of \fItls_ciphers\fR. */
+ 
+-{ "tls_ciphers", "DEFAULT", STRING }
++{ "tls_ciphers", "PROFILE=SYSTEM", STRING }
+ /* The list of SSL/TLS ciphers to allow.  The format of the string
+-   (and definition of "DEFAULT") is described in \fBciphers(1)\fR.
++   (and definition of "PROFILE=SYSTEM") is described in \fBciphers(1)\fR.
+ .PP
+    See also Mozilla's server-side TLS recommendations:
+ .PP
+diff --git a/doc/html/_sources/imap/reference/manpages/configs/imapd.conf.txt b/doc/html/_sources/imap/reference/manpages/configs/imapd.conf.txt
+index c45d94b..495a2c7 100644
+--- a/doc/html/_sources/imap/reference/manpages/configs/imapd.conf.txt
++++ b/doc/html/_sources/imap/reference/manpages/configs/imapd.conf.txt
+@@ -4298,7 +4298,7 @@ FIELD DESCRIPTIONS
+ 
+     .. startblob tls_cipher_list
+ 
+-    ``tls_cipher_list:`` DEFAULT
++    ``tls_cipher_list:`` PROFILE=SYSTEM
+ 
+         Deprecated in favor of *tls_ciphers*. 
+ 
+@@ -4307,10 +4307,10 @@ FIELD DESCRIPTIONS
+ 
+     .. startblob tls_ciphers
+ 
+-    ``tls_ciphers:`` DEFAULT
++    ``tls_ciphers:`` PROFILE=SYSTEM
+ 
+         The list of SSL/TLS ciphers to allow.  The format of the string
+-        (and definition of "DEFAULT") is described in **ciphers(1)**.
++        (and definition of "PROFILE=SYSTEM") is described in **ciphers(1)**.
+ 
+         See also Mozilla's server-side TLS recommendations:
+ 
+diff --git a/doc/text/imap/reference/manpages/configs/imapd.conf.txt b/doc/text/imap/reference/manpages/configs/imapd.conf.txt
+index 1801cd7..7c77154 100644
+--- a/doc/text/imap/reference/manpages/configs/imapd.conf.txt
++++ b/doc/text/imap/reference/manpages/configs/imapd.conf.txt
+@@ -2675,14 +2675,14 @@ FIELD DESCRIPTIONS
+ 
+       Deprecated in favor of *tls_server_cert*.
+ 
+-   "tls_cipher_list:" DEFAULT
++   "tls_cipher_list:" PROFILE=SYSTEM
+ 
+       Deprecated in favor of *tls_ciphers*.
+ 
+-   "tls_ciphers:" DEFAULT
++   "tls_ciphers:" PROFILE=SYSTEM
+ 
+       The list of SSL/TLS ciphers to allow.  The format of the string
+-      (and definition of "DEFAULT") is described in **ciphers(1)**.
++      (and definition of "PROFILE=SYSTEM") is described in **ciphers(1)**.
+ 
+       See also Mozilla's server-side TLS recommendations:
+ 
diff --git a/SPECS/cyrus-imapd.spec b/SPECS/cyrus-imapd.spec
index c2c2d6e..6eeda6a 100644
--- a/SPECS/cyrus-imapd.spec
+++ b/SPECS/cyrus-imapd.spec
@@ -9,7 +9,7 @@
 
 Name: cyrus-imapd
 Version: 3.0.7
-Release: 19%{?dist}
+Release: 20%{?dist}
 
 %define ssl_pem_file_prefix /etc/pki/%name/%name
 
@@ -46,6 +46,7 @@ Patch7: cyrus-imapd-close_backup_fd_on_error.patch
 Patch8: cyrus-imapd-cve_2019_11356.patch
 Patch9: cyrus-imapd-CVE-2019-19783.patch
 Patch10: cyrus-imapd-CVE-2019-18928.patch
+Patch11: cyrus-imapd-use_system_ciphers.patch
 
 Source10: cyrus-imapd.logrotate
 Source11: cyrus-imapd.pam-config
@@ -246,7 +247,7 @@ popd
 # Drop expired certificates and generate new ones
 pushd cunit
 rm -rf *pem
-%{_bindir}/sscg --package %{name} --cert-file cert.pem --cert-key-file key.pem --ca-file cacert.pem 
+%{_bindir}/sscg --package %{name} --cert-file cert.pem --cert-key-file key.pem --ca-file cacert.pem
 popd
 
 ## Modify docs master --> cyrus-master
@@ -325,7 +326,7 @@ make -C tools/vzic
 # Modify docs master --> cyrus-master
 %{__perl} -pi -e "s@master\(8\)@cyrus-master(8)@" man/*5 man/*8 lib/imapoptions
 sed -i -e 's|\([^-]\)master|\1cyrus-master|g;s|^master|cyrus-master|g;s|Master|Cyrus-master|g;s|MASTER|CYRUS-MASTER|g' \
-        man/master.8 doc/legacy/man.html
+	man/master.8 doc/legacy/man.html
 
 %install
 make install DESTDIR=%buildroot
@@ -469,6 +470,8 @@ find %buildroot -name ".packlist" -exec rm {} \;
 
 
 %check
+## First of all check if imaptest is functional at all
+imaptest  -h 2>&1 > /dev/null || (echo "Imaptest is not functional" && exit 1)
 make %{?_smp_mflags} check || exit 1
 
 %if %{without cassandane}
@@ -677,6 +680,9 @@ getent passwd cyrus >/dev/null || /usr/sbin/useradd -c "Cyrus IMAP Server" -d /v
 
 
 %changelog
+* Fri Nov  6 2020 Pavel Zhukov <pzhukov@redhat.com> - 3.0.7-20
+- Use PROFILE=SYSTEM as default configuration for tls_ciphers
+
 * Thu Apr 23 2020 Pavel Zhukov <pzhukov@redhat.com> - 3.0.7-19
 - change ownership of pki files (#1710722)