diff --git a/SOURCES/dovecot-2.2.36-bigkey.patch b/SOURCES/dovecot-2.2.36-bigkey.patch
new file mode 100644
index 0000000..c5b23d9
--- /dev/null
+++ b/SOURCES/dovecot-2.2.36-bigkey.patch
@@ -0,0 +1,10 @@
+diff -up dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey dovecot-2.2.36/doc/dovecot-openssl.cnf
+--- dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey 2017-06-23 13:18:28.000000000 +0200
++++ dovecot-2.2.36/doc/dovecot-openssl.cnf 2018-10-16 17:15:35.836205498 +0200
+@@ -1,5 +1,5 @@
+ [ req ]
+-default_bits = 1024
++default_bits = 3072
+ encrypt_key = yes
+ distinguished_name = req_dn
+ x509_extensions = cert_type
diff --git a/SPECS/dovecot.spec b/SPECS/dovecot.spec
index fe0e2be..399cc88 100644
--- a/SPECS/dovecot.spec
+++ b/SPECS/dovecot.spec
@@ -5,7 +5,7 @@ Name: dovecot
 Epoch: 1
 Version: 2.2.36
 %global prever %{nil}
-Release: 6%{?dist}
+Release: 7%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
 Group: System Environment/Daemons
@@ -55,6 +55,7 @@ Patch19: dovecot-2.2.36-cve2019_11500_part1of4.patch
 Patch20: dovecot-2.2.36-cve2019_11500_part2of4.patch
 Patch21: dovecot-2.2.36-cve2019_11500_part3of4.patch
 Patch22: dovecot-2.2.36-cve2019_11500_part4of4.patch
+Patch23: dovecot-2.2.36-bigkey.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, xz-devel, libcap-devel
@@ -161,6 +162,7 @@ This package provides the development files for dovecot.
 %patch16 -p1 -b .cve_2019_7524part2of2
 %patch19 -p1 -b .cve2019_11500_part1of4
 %patch20 -p1 -b .cve2019_11500_part2of4
+%patch23 -p1 -b .bigkey
 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
 #pigeonhole
 pushd dovecot-2*2-pigeonhole-%{pigeonholever}
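Review bot: Raising `default_bits` in `[ req ]` to 3072 only affects keys generated from this template after the update; a 1024-bit key and certificate already created by an earlier package (presumably by doc/mkcert.sh from a package scriptlet — neither is in this diff) is not regenerated, so the fix should be documented as applying to fresh installs only and existing deployments told to rotate. Nothing in the visible context pins the signature digest (the rest of the cnf is outside the hunk), so on a build whose OpenSSL still signs `req -x509` with SHA-1 the larger key would sit in a weakly signed certificate; adding `default_md = sha256` next to `default_bits` removes that dependency on the library default. A comment above the value, `# 3072-bit RSA: 1024-bit keys are below the accepted minimum (rhbz#1086365)`, would keep the rationale with the setting instead of only in the spec changelog.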
@@ -542,6 +544,9 @@ make check
 %changelog
+* Mon Mar 02 2020 Michal Hlavinka - 1:2.2.36-7
+- generated key was too small (#1086365)
+
 * Thu Aug 29 2019 Michal Hlavinka - 1:2.2.36-6
 - fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap