diff --git a/SOURCES/dovecot-2.2.36-bigkey.patch b/SOURCES/dovecot-2.2.36-bigkey.patch
new file mode 100644
index 0000000..c5b23d9
--- /dev/null
+++ b/SOURCES/dovecot-2.2.36-bigkey.patch
@@ -0,0 +1,10 @@
+diff -up dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey dovecot-2.2.36/doc/dovecot-openssl.cnf
+--- dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey 2017-06-23 13:18:28.000000000 +0200
++++ dovecot-2.2.36/doc/dovecot-openssl.cnf 2018-10-16 17:15:35.836205498 +0200
+@@ -1,5 +1,5 @@
+ [ req ]
+-default_bits = 1024
++default_bits = 3072
+ encrypt_key = yes
+ distinguished_name = req_dn
+ x509_extensions = cert_type
diff --git a/SPECS/dovecot.spec b/SPECS/dovecot.spec
index bf8e7b3..0ab0d65 100644
--- a/SPECS/dovecot.spec
+++ b/SPECS/dovecot.spec
@@ -5,7 +5,7 @@ Name: dovecot
 Epoch: 1
 Version: 2.2.36
 %global prever %{nil}
-Release: 6%{?dist}.1
+Release: 8%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
 Group: System Environment/Daemons
@@ -53,6 +53,7 @@ Patch19: dovecot-2.2.36-cve2019_11500_part1of4.patch
 Patch20: dovecot-2.2.36-cve2019_11500_part2of4.patch
 Patch21: dovecot-2.2.36-cve2019_11500_part3of4.patch
 Patch22: dovecot-2.2.36-cve2019_11500_part4of4.patch
+Patch23: dovecot-2.2.36-bigkey.patch
 
 # from upstream, for dovecot <= 2.3.10.1
 Patch24: dovecot-2.3.8-CVE_2020_12100prereq.patch
@@ -167,6 +168,7 @@ This package provides the development files for dovecot.
 %patch16 -p1 -b .cve_2019_7524part2of2
 %patch19 -p1 -b .cve2019_11500_part1of4
 %patch20 -p1 -b .cve2019_11500_part2of4
+%patch23 -p1 -b .bigkey
 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
 #pigeonhole
 pushd dovecot-2*2-pigeonhole-%{pigeonholever}
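Review bot: `default_bits = 3072` in the `[ req ]` section of doc/dovecot-openssl.cnf (added by SOURCES/dovecot-2.2.36-bigkey.patch) applies only when a new key is generated from this template, so a host that already has a 1024-bit key from the old default keeps it after updating. Nothing in the visible hunks regenerates or reports such a key; whether a scriptlet elsewhere in the spec does is not visible here. I would say so where administrators will read it, for example by changing the changelog entry to `- default key size for generated certificates raised to 3072 bits, existing keys are not regenerated (#1086365)`. The patch file also starts directly at `diff -up` with no description; a one-line header naming the purpose and the bug number would help.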
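Review bot: `Patch23: dovecot-2.2.36-bigkey.patch` is declared without a comment on its origin or purpose, whereas `Patch24` just below is introduced by `# from upstream, for dovecot <= 2.3.10.1`. If this is a distribution-local change to the certificate template (the patch carries no upstream reference), a line such as `# local: default key size in doc/dovecot-openssl.cnf 1024 -> 3072 (#1086365)` above it would make that clear to whoever rebases the package. The matching `%patch23 -p1 -b .bigkey` line in the %prep hunk needs no change.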
@@ -557,10 +559,16 @@ make check
 
 
 %changelog
-* Wed Aug 26 2020 Michal Hlavinka - 1:2.2.36-6.1
-- fix CVE-2020-12100 resource exhaustion via deeply nested MIME parts (#1871841)
-- fix CVE-2020-12673 out of bound reads in dovecot NTLM implementation (#1871843)
-- fix CVE-2020-12674 crash due to assert in RPA implementation (#1871842)
+* Mon Aug 24 2020 Michal Hlavinka - 1:2.2.36-8
+- update release number
+
+* Mon Aug 10 2020 Michal Hlavinka - 1:2.2.36-7.1
+- fix CVE-2020-12100 resource exhaustion via deeply nested MIME parts (#1866752)
+- fix CVE-2020-12673 out of bound reads in dovecot NTLM implementation (#1866757)
+- fix CVE-2020-12674 crash due to assert in RPA implementation (#1866764)
+
+* Mon Mar 02 2020 Michal Hlavinka - 1:2.2.36-7
+- generated key was too small (#1086365)
 
 * Thu Aug 29 2019 Michal Hlavinka - 1:2.2.36-6
 - fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte