Debian

Available patches from Ubuntu

To see the Ubuntu differences with respect to Debian, write a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:


Source: dovecot

dovecot (1:2.2.9-1ubuntu4) utopic; urgency=medium

  * Rename init.d script to work with the dh_installinit --name option, so
    that it comes back. (LP: #1323274)

 -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 26 May 2014 14:24:43 +0200

dovecot (1:2.2.9-1ubuntu3) utopic; urgency=medium

  * SECURITY UPDATE: denial of service via SSL connection exhaustion
    - debian/patches/CVE-2014-3430.patch: properly close connections in
      src/login-common/client-common.c,
      src/login-common/ssl-proxy-openssl.c, src/login-common/ssl-proxy.h.
    - CVE-2014-3430

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 15 May 2014 10:19:29 -0400

dovecot (1:2.2.9-1ubuntu2) trusty; urgency=medium

  * d/dovecot-core.config: Drop db_input for ssl-cert-exists; this message
    not actually an error, is documented in the README.Debian, and blocks
    automated upgrades (LP: #1278897).

 -- James Page <james.page@ubuntu.com>  Fri, 07 Mar 2014 12:42:58 +0000

dovecot (1:2.2.9-1ubuntu1) trusty; urgency=medium

  * Merge from Debian unstable, remaining changes:
    + Add mail-stack-delivery package:
      - Update d/rules
      - d/control: convert existing dovecot-postfix package to a dummy
        package and add new mail-stack-delivery package.
      - Update maintainer scripts.
      - Rename d/dovecot-postfix.* to debian/mail-stack-delivery.*
      - d/mail-stack-delivery.preinst: Move previously installed backups and
        config files to a new package namespace.
      - d/mail-stack-delivery.prerm: Added to handle downgrades.
    + Use Snakeoil SSL certificates by default:
      - d/control: Depend on ssl-cert.
      - d/dovecot-core.postinst: Relax grep for SSL_* a bit.
    + Add autopkgtest to debian/tests/*.
    + Add ufw integration:
      - d/dovecot-core.ufw.profile: new ufw profile.
      - d/rules: install profile in dovecot-core.
      - d/control: dovecot-core - suggest ufw.
    + d/dovecot-core.dirs: Added usr/share/doc/dovecot-core
    + Add apport hook:
      - d/rules, d/source_dovecot.py
    + Add upstart job:
      - d/rules, d/dovecot-core.dovecot.upstart, d/control,
        d/dovecot-core.dirs, dovecot-imapd.{postrm, postinst, prerm},
        d/dovecot-pop3d.{postinst, postrm, prerm}.
        d/mail-stack-deliver.postinst: Convert init script to upstart.
    + Use the autotools-dev dh addon to update config.guess/config.sub for
      arm64.
  * Dropped changes, included in Debian:
    - Update Dovecot name to reflect distribution in login greeting.
    - Update Drac plugin for >= 2.0.0 support.
  * d/control: Drop dovecot-postfix package as its no longer required.

 -- James Page <james.page@ubuntu.com>  Wed, 08 Jan 2014 09:35:49 +0000

Modifications:
  1. Download patch debian/mail-stack-delivery.postinst

    --- 1:2.2.9-1/debian/mail-stack-delivery.postinst 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/mail-stack-delivery.postinst 2014-03-07 12:26:37.000000000 +0000 
@@ -0,0 +1,95 @@ +#!/bin/sh + +set -e + +POSTFIX_BCKFILE="/var/backups/mail-stack-delivery/main.cf-backup" + +set_postfix_option() { + opt="$1" + # Backup the existion value of the option + postconf $(echo ${opt} | cut -d= -f1) >> ${POSTFIX_BCKFILE} || true + # Set the new value of the option + postconf -e "${opt}" + echo -n '.' +} + +if [ "$1" = "configure" ]; then + # Create initial symlinks for certificates + SSL_CERT=$( (grep -m 1 "ssl_cert_file" /etc/dovecot/conf.d/10-ssl.conf || echo '/etc/dovecot/dovecot.pem') | cut -d'=' -f2) + SSL_KEY=$( (grep -m 1 "ssl_key_file" /etc/dovecot/conf.d/10-ssl.conf || echo '/etc/dovecot/private/dovecot.pem') | cut -d'=' -f2) + + if [ ! -e "${SSL_KEY}" ]; then + ln -s /etc/ssl/private/ssl-cert-snakeoil.key ${SSL_KEY} + fi + if [ ! -e "${SSL_CERT}" ]; then + ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem ${SSL_CERT} + fi + # Configure postfix either on new install + # or if the postfix backup file is no longer there + # (only deleted when the pkg is removed) + if [ -f "/etc/postfix/main.cf" ]; then + if [ -e "$POSTFIX_BCKFILE" ]; then + cp $POSTFIX_BCKFILE ${POSTFIX_BCKFILE}-$(date +%Y%m%d%H%M) + fi + if [ -z "$2" -o ! -e "$POSTFIX_BCKFILE" ]; then + if which postconf >/dev/null; then + # Setup postfix + echo 'Mail stack delivery changes some postfix settings.' + echo 'Old values are stored in '$POSTFIX_BCKFILE'.' + echo 'Feel free to revert any of them when the process is done.' 
+ echo -n 'Configuring postfix for mail-stack-delivery integration: ' + set_postfix_option "home_mailbox = Maildir/" + set_postfix_option "smtpd_sasl_auth_enable = yes" + set_postfix_option "smtpd_sasl_type = dovecot" + set_postfix_option "smtpd_sasl_path = private/dovecot-auth" + set_postfix_option "smtpd_sasl_authenticated_header = yes" + set_postfix_option "smtpd_sasl_security_options = noanonymous" + set_postfix_option "smtpd_sasl_local_domain = \$myhostname" + set_postfix_option "broken_sasl_auth_clients = yes" + set_postfix_option "smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination" + set_postfix_option "smtpd_sender_restrictions = reject_unknown_sender_domain" + set_postfix_option "mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m \"\${EXTENSION}\"" + set_postfix_option "smtpd_tls_cert_file = ${SSL_CERT}" + set_postfix_option "smtpd_tls_key_file = ${SSL_KEY}" + set_postfix_option "smtpd_use_tls = yes" + set_postfix_option "smtp_use_tls = yes" + set_postfix_option "smtpd_tls_received_header = yes" + set_postfix_option "smtpd_tls_mandatory_protocols = SSLv3, TLSv1" + set_postfix_option "smtpd_tls_mandatory_ciphers = medium" + set_postfix_option "smtpd_tls_auth_only = yes" + set_postfix_option "tls_random_source = dev:/dev/urandom" + echo ' done.' + fi + fi + # Parameters that need to be changed on upgrades + if [ ! -z "$2" ] && dpkg --compare-versions $2 lt 1:2.1.7-7ubuntu1; then + set_postfix_option "mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m \"\${EXTENSION}\"" + fi + else + echo "" + echo "Postfix not configured. Run" + echo "sudo dpkg-reconfigure postfix and choose" + echo "the type of mail server. Then run" + echo "sudo dpkg-reconfigure mail-stack-delivery to" + echo "finish mail-stack-delivery installation." 
+ echo "" + fi + + if [ -x "/etc/init.d/dovecot" ]; then + if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d dovecot restart + else + service dovecot restart + fi + fi + if [ -x "/etc/init.d/postfix" ]; then + if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d postfix restart + else + service postfix restart + fi + fi + +fi + +#DEBHELPER#
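
Review bot: `set_postfix_option "smtpd_tls_mandatory_protocols = SSLv3, TLSv1"` is written as an inclusion list, so for mandatory TLS it names SSLv3 and TLSv1 as the only protocols and leaves out anything newer the TLS library offers; an exclusion form such as `!SSLv2, !SSLv3` would avoid pinning old versions. In the certificate block, `grep -m 1 "ssl_cert_file"` looks for a setting name that the shipped 99-mail-stack-delivery.conf does not use (it sets `ssl_cert` and `ssl_key`), and `cut -d'=' -f2` keeps the leading space of the value, so strip whitespace and quote `${SSL_CERT}` and `${SSL_KEY}` in the `[ ! -e ... ]` tests and the `ln -s` calls. `dpkg --compare-versions $2 lt 1:2.1.7-7ubuntu1` should quote `$2` as well.
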
  2. Download patch debian/mail-stack-delivery.README.Debian

    --- 1:2.2.9-1/debian/mail-stack-delivery.README.Debian 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/mail-stack-delivery.README.Debian 2014-03-07 12:26:37.000000000 +0000 @@ -0,0 +1,25 @@ +Introduction +------------------- + +Mail-stack-delivery will not install any binary or library files. This package +contains only configuration file /etc/dovecot/mail-stack-delivery.conf with +configuration prerpared by Ubuntu Server Team. + +dovecot's init script checks existance of +/etc/dovecot/mail-stack-delivery.conf and if that file exists, it reads it +instead of /etc/dovecot/dovecot.conf. + +During installation of package, it modifies postfix's configuration and +stores original version of /etc/postfix/main.cf in /var/backup/mail-stack-delivery. + +Features of mail-stack-delivery: +---------------------------- + +- IMAP4rev1 and POP3, including support for TLS and SSL +- SMTP, including support for TLS and SSL +- support for sieve scripting +- managesieve for managing sieve scripts directly on server +- dovecot MDA, including extensions separated with '+' +- Maildir storage engine +- SASL authentication (plain and login) +- support only for medium and high TLS/SSL ciphers
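
Review bot: The backup location in this README does not match the maintainer script: the text says the original main.cf is stored in /var/backup/mail-stack-delivery, while mail-stack-delivery.postinst and mail-stack-delivery.dirs use /var/backups/mail-stack-delivery. The second paragraph also describes an init script that reads /etc/dovecot/mail-stack-delivery.conf, but the init script in this upload only uses `CONF=/etc/dovecot/${NAME}.conf` and debian/rules installs 99-mail-stack-delivery.conf under conf.d, so that paragraph looks stale. Please fix the spelling of "prerpared" and "existance" while updating it.
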
  3. Download patch debian/tests/testlib_dovecot.py

    --- 1:2.2.9-1/debian/tests/testlib_dovecot.py 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/tests/testlib_dovecot.py 2014-03-07 12:26:37.000000000 +0000 
@@ -0,0 +1,127 @@ +#!/usr/bin/python +''' + Packages required: dovecot-imapd dovecot-pop3d +''' + +import subprocess, shutil, grp, os, os.path, sys, time + +class Dovecot: + def get_mailbox(self): + return self.mailbox + + def __init__(self,user,config=None): + '''Create test scenario. + + dovecot is configured for all protocols (imap[s] and pop3[s]), a test + user is set up, and /var/mail/$user contains an unread and a read mail. + ''' + + self.old_version = False + if config == None: + if file("/etc/dovecot/dovecot.conf","r").read().find('auth_mechanisms = plain')>0: + # Old dovecot + config=''' +protocols = imap imaps pop3 pop3s +login = imap +login = pop3 +mail_extra_groups = mail + +auth = auth-cram +auth_mechanisms = cram-md5 +auth_passdb = passwd-file /etc/dovecot/test.passwd +auth_user = root + +auth = auth-plain +auth_mechanisms = plain +auth_passdb = pam +auth_user = root + +''' + self.old_version = True + else: + # Modern dovecot + config=''' +protocols = imap imaps pop3 pop3s +log_timestamp = "%Y-%m-%d %H:%M:%S " +mail_extra_groups = mail +protocol imap { +} +protocol pop3 { + pop3_uidl_format = %08Xu%08Xv +} +auth default { + mechanisms = plain cram-md5 + passdb passwd-file { + args = /etc/dovecot/test.passwd + } + passdb pam { + } + userdb passwd { + } + user = root +} +''' + + # make sure that /etc/inetd.conf exists to avoid init script errors + self.created_inetdconf = False + if not os.path.exists('/etc/inetd.conf'): + open('/etc/inetd.conf', 'a') + self.created_inetdconf = True + + # configure and restart dovecot + if not os.path.exists('/etc/dovecot/dovecot.conf.autotest'): + shutil.copyfile('/etc/dovecot/dovecot.conf', '/etc/dovecot/dovecot.conf.autotest') + cfgfile = open('/etc/dovecot/dovecot.conf', 'w') + cfgfile.write(config) + cfgfile.close() + + file('/etc/dovecot/test.passwd','w').write('%s:{plain}%s\n' % (user.login, user.password) ) + + # restart will fail if dovecot is not already running + subprocess.call(['/etc/init.d/dovecot', 
'stop'], stdout=subprocess.PIPE) + assert subprocess.call(['/etc/init.d/dovecot', 'start'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT) == 0 + + # create test mailbox with one new and one old mail + self.mailbox = '/var/mail/' + user.login + self.orig_mbox = \ +'''From test1@test1.com Fri Nov 17 02:21:08 2006 +Date: Thu, 16 Nov 2006 17:12:23 -0800 +From: Test User 1 <test1@test1.com> +To: Dovecot tester <dovecot@test.com> +Subject: Test 1 +Status: N + +Some really important news. + +From test2@test1.com Tue Nov 28 11:29:34 2006 +Date: Tue, 28 Nov 2006 11:29:34 +0100 +From: Test User 2 <test2@test2.com> +To: Dovecot tester <dovecot@test.com> +Subject: Test 2 +Status: R + +More news. + +Get cracking! +''' + open(self.mailbox, 'w').write(self.orig_mbox) + os.chown(self.mailbox, user.uid, grp.getgrnam('mail')[2]) + os.chmod(self.mailbox, 0660) + + def __del__(self): + # restore original configuration and restart dovecot + os.rename('/etc/dovecot/dovecot.conf.autotest', '/etc/dovecot/dovecot.conf') + # quiesce, default configuration has no protocols + subprocess.call(['/etc/init.d/dovecot', 'restart'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT) + + if self.created_inetdconf: + os.unlink('/etc/inetd.conf') + + def get_ssl_fingerprint(self): + pem = '/etc/ssl/certs/dovecot.pem' + if not os.path.exists(pem): + pem = '/etc/ssl/certs/ssl-cert-snakeoil.pem' + + sp = subprocess.Popen(['openssl','x509','-in',pem,'-noout','-md5','-fingerprint'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True) + return sp.communicate(None)[0].split('=',1)[1].strip() +
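
Review bot: In `__init__`, `file('/etc/dovecot/test.passwd','w').write('%s:{plain}%s\n' % ...)` leaves a cleartext credential file created with default permissions, and `__del__` never removes it (it only restores dovecot.conf and unlinks /etc/inetd.conf); create the file with a restrictive mode and delete it during cleanup. The cleanup itself hangs on `__del__`, which is not guaranteed to run when a test aborts, so an explicit teardown method called by the test would leave the system in a known state more reliably.
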
  4. Download patch debian/dovecot-core.dovecot.init

    --- 1:2.2.9-1/debian/dovecot-core.dovecot.init 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/dovecot-core.dovecot.init 2014-03-07 12:26:37.000000000 +0000 
@@ -0,0 +1,185 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: dovecot +# Required-Start: $local_fs $remote_fs $network $syslog $time +# Required-Stop: $local_fs $remote_fs $network $syslog +# Should-Start: postgresql mysql slapd winbind nslcd +# Should-Stop: postgresql mysql slapd winbind nslcd +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Dovecot init script +# Description: Init script for dovecot services +### END INIT INFO + +# Author: Miquel van Smoorenburg <miquels@cistron.nl>. +# Modified for Debian GNU/Linux +# by Ian Murdock <imurdock@gnu.ai.mit.edu>. +# + +# Do NOT "set -e" + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +DESC="IMAP/POP3 mail server" +NAME=dovecot +DAEMON=/usr/sbin/dovecot +DAEMON_ARGS="" +SCRIPTNAME=/etc/init.d/$NAME +CONF=/etc/dovecot/${NAME}.conf + +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +# Exit if the configuration file doesn't exist +[ -f "$CONF" ] || exit 0 + +# Exit if explicitly told to +[ "$ENABLED" != "0" ] || exit 0 + +# Allow core dumps if requested +[ "$ALLOW_COREDUMPS" != "1" ] || ulimit -c unlimited + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.0-6) to ensure that this file is present. +. /lib/lsb/init-functions + +# conf file readable? +if [ ! 
-r ${CONF} ]; then + log_daemon_msg "${CONF}: not readable" "$NAME" && log_end_msg 1; + exit 1; +fi + +# dont check for inetd.conf if its not installed +if [ -f /etc/inetd.conf ]; then + # The init script should do nothing if dovecot or another imap/pop3 server + # is being run from inetd, and dovecot is configured to run as an imap or + # pop3 service + for p in `sed -r "s/^ *(([^:]+|\[[^]]+]|\*):)?(pop3s?|imaps?)[ \t].*/\3/;t;d" \ + /etc/inetd.conf` + do + for q in `doveconf -n -h protocols` + do + if [ $p = $q ]; then + log_daemon_msg "protocol ${p} configured both in inetd and in dovecot" "$NAME" && log_end_msg 1 + exit 0 + fi + done + done +fi + +# determine the location of the PID file +# overide by setting base_dir in conf file or PIDBASE in /etc/defaults/$NAME +PIDBASE=${PIDBASE:-`doveconf -n -c ${CONF} -h base_dir`} +PIDFILE=${PIDBASE:-/var/run/dovecot}/master.pid + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test -- -c ${CONF} > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- -c ${CONF} \ + $DAEMON_ARGS \ + || return 2 +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name ${DAEMON##*/} + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. + # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. 
A last resort is to + # sleep for some time. + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --pidfile $PIDFILE --name ${DAEMON##*/} + [ "$?" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f $PIDFILE + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + # + # If the daemon can reload its configuration without + # restarting (for example, when it is sent a SIGHUP), + # then implement that here. + # + start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE --name $NAME + return 0 +} + + +case "$1" in + start) + log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) log_end_msg 0 ;; + 2) log_end_msg 1 ;; + esac + ;; + stop) + log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) log_end_msg 0 ;; + 2) log_end_msg 1 ;; + esac + ;; + reload|force-reload) + log_daemon_msg "Reloading $DESC" "$NAME" + do_reload + log_end_msg $? + ;; + restart) + # + # If the "reload" option is implemented then remove the + # 'force-reload' alias + # + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + status) + status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $? + ;; + *) + echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2 + exit 3 + ;; +esac
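
Review bot: In the inetd conflict loop, `doveconf -n -h protocols` runs without `-c ${CONF}`, while the PIDBASE lookup and `do_start` both pass `-c ${CONF}`; /etc/default/$NAME is sourced after CONF is set and can change it, so the check may read a different configuration than the one the daemon is started with. The comparison `[ $p = $q ]` should quote both variables, and that branch logs `log_end_msg 1` but then does `exit 0`, so a caller sees success although nothing was started. The usage string also omits `reload`, which the case statement handles.
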
  5. Download patch debian/tests/general
  6. Download patch debian/tests/control

    --- 1:2.2.9-1/debian/tests/control 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/tests/control 2014-03-07 12:26:37.000000000 +0000 @@ -0,0 +1,4 @@ +Tests: general +Restrictions: needs-root +Features: no-build-needed +Depends: python, dovecot-imapd, dovecot-pop3d
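
Review bot: `Restrictions: needs-root` alone understates what the test does: testlib_dovecot.py overwrites /etc/dovecot/dovecot.conf, may create /etc/inetd.conf, writes a mailbox under /var/mail and stops and starts the service, so the stanza should also declare `breaks-testbed`.
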
  7. Download patch debian/dovecot-core.config

    --- 1:2.2.9-1/debian/dovecot-core.config 2013-11-28 05:46:44.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/dovecot-core.config 2014-03-07 12:41:33.000000000 +0000 @@ -16,8 +16,6 @@ else fi if [ -e "$OLD_SSL_CERT" ] || [ -e "$OLD_SSL_KEY" ]; then - db_input low dovecot-core/ssl-cert-exists || true - db_go || true db_set dovecot-core/create-ssl-cert false # Generate new certs if needed else
  8. Download patch debian/rules

    --- 1:2.2.9-1/debian/rules 2013-11-28 05:46:44.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/rules 2014-05-26 12:24:27.000000000 +0000 @@ -2,6 +2,7 @@ # Sample debian/rules that uses debhelper. # GNU copyright 1997 to 1999 by Joey Hess. +export DEB_BUILD_HARDENING=1 # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 @@ -25,6 +26,8 @@ endif config-stamp: configure dh_testdir + dh_autotools-dev_updateconfig + autoconf # Dovecot $(shell $(dpkg_buildflags) --export=configure) sh configure \ --with-ldap=plugin \ @@ -83,6 +86,7 @@ clean: [ ! -f $(PIGEONHOLE_DIR)/Makefile ] || $(MAKE) -C $(PIGEONHOLE_DIR) distclean # Cleanup DRAC rm -f src/plugins/drac/drac_plugin.so + dh_autotools-dev_restoreconfig debconf-updatepo dh_clean @@ -107,6 +111,7 @@ install: build $(CURDIR)/debian/dovecot-core/usr/share/dovecot/conf.d/ install -o root -g root -m 0644 $(CURDIR)/$(PIGEONHOLE_DIR)/doc/example-config/conf.d/*.conf \ $(CURDIR)/debian/dovecot-core/usr/share/dovecot/conf.d/ + install -m644 debian/dovecot-core.ufw.profile debian/dovecot-core/etc/ufw/applications.d/dovecot-core install -D -m 0755 -o root -g root $(CURDIR)/debian/maildirmake.dovecot $(CURDIR)/debian/dovecot-core/usr/bin/maildirmake.dovecot mv $(CURDIR)/debian/dovecot-core/usr/share/doc/dovecot $(CURDIR)/debian/dovecot-core/usr/share/doc/dovecot-core cp $(PIGEONHOLE_DIR)/ChangeLog $(CURDIR)/debian/dovecot-core/usr/share/doc/dovecot-core/pigeonhole.ChangeLog 
@@ -172,8 +177,13 @@ install: build mv $(CURDIR)/debian/dovecot-core/usr/lib/dovecot/dovecot-config $(CURDIR)/debian/dovecot-dev/usr/lib/dovecot rmdir $(CURDIR)/debian/dovecot-core/usr/include + # Install apport hook + install -D -m 644 debian/source_dovecot.py $(CURDIR)/debian/dovecot-core/usr/share/apport/package-hooks/dovecot-core.py + # Build architecture-independent files here. binary-indep: build install + mkdir -p $(CURDIR)/debian/mail-stack-delivery/etc/dovecot/conf.d/ + cp $(CURDIR)/debian/99-mail-stack-delivery.conf $(CURDIR)/debian/mail-stack-delivery/etc/dovecot/conf.d/ dh_testdir -i dh_testroot -i dh_installchangelogs -i @@ -201,7 +211,7 @@ binary-arch: build install dh_installpam -a mv $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot-core $(CURDIR)/debian/dovecot-core/etc/pam.d/dovecot dh_systemd_enable - dh_installinit -pdovecot-core --init-script=dovecot -u"defaults 20" + dh_installinit -pdovecot-core --name=dovecot dh_systemd_start dh_installman -a dh_installman -p dovecot-core debian/maildirmake.dovecot.1
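
Review bot: In config-stamp, the added bare `autoconf` call regenerates configure on every build, but the clean hunk only adds `dh_autotools-dev_restoreconfig`, which restores config.guess and config.sub and not configure, so the tree stays modified after clean; either drop the `autoconf` call or use dh_autoreconf with dh_autoreconf_clean, given that debian/control in this upload adds dh-autoreconf to Build-Depends. The new ufw `install -m644` line also differs from its neighbours, which pass `-o root -g root` and `$(CURDIR)` paths, and it relies on dovecot-core.dirs creating etc/ufw/applications.d.
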
  9. Download patch debian/control

    --- 1:2.2.9-1/debian/control 2013-11-28 05:46:44.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/control 2014-03-07 12:26:37.000000000 +0000 @@ -1,9 +1,10 @@ Source: dovecot Section: mail Priority: optional -Maintainer: Dovecot Maintainers <jaldhar-dovecot@debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Dovecot Maintainers <jaldhar-dovecot@debian.org> Uploaders: Jaldhar H. Vyas <jaldhar@debian.org>, Fabio Tranchitella <kobold@debian.org>, Joel Johnson <mrjoel@lixil.net>, Marco Nenciarini <mnencia@debian.org> -Build-Depends: debhelper (>= 7.2.3~), dpkg-dev (>= 1.16.1), pkg-config, libssl-dev, libpam0g-dev, libldap2-dev, libpq-dev, libmysqlclient-dev, libsqlite3-dev, libsasl2-dev, zlib1g-dev, libkrb5-dev, drac-dev (>= 1.12-5), libbz2-dev, libdb-dev, libcurl4-gnutls-dev, libexpat-dev, libwrap0-dev, dh-systemd, po-debconf, lsb-release +Build-Depends: debhelper (>= 7.2.3~), dpkg-dev (>= 1.16.1), pkg-config, libssl-dev, libpam0g-dev, libldap2-dev, libpq-dev, libmysqlclient-dev, libsqlite3-dev, libsasl2-dev, zlib1g-dev, libkrb5-dev, drac-dev (>= 1.12-5), libbz2-dev, libdb-dev, libcurl4-gnutls-dev, libexpat-dev, libwrap0-dev, dh-systemd, po-debconf, lsb-release, hardening-wrapper, dh-autoreconf, autotools-dev Standards-Version: 3.9.4 Homepage: http://dovecot.org/ Vcs-Git: git://git.debian.org/git/collab-maint/dovecot.git 
@@ -11,8 +12,9 @@ Vcs-Browser: http://git.debian.org/?p=co Package: dovecot-core Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime (>= 0.76-13.1), openssl, adduser, ucf (>= 2.0020) -Suggests: ntp, dovecot-gssapi, dovecot-sieve, dovecot-pgsql, dovecot-mysql, dovecot-sqlite, dovecot-ldap, dovecot-imapd, dovecot-pop3d, dovecot-lmtpd, dovecot-managesieved, dovecot-solr +Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime (>= 0.76-13.1), openssl, adduser, ucf (>= 2.0020), ssl-cert (>= 1.0-11ubuntu1), lsb-base (>= 3.2-12ubuntu3) +Suggests: ntp, dovecot-gssapi, dovecot-sieve, dovecot-pgsql, dovecot-mysql, dovecot-sqlite, dovecot-ldap, dovecot-imapd, dovecot-pop3d, dovecot-lmtpd, dovecot-managesieved, dovecot-solr, ufw +Recommends: ntpdate Provides: dovecot-common Replaces: dovecot-common (<< 1:2.0.14-2~), mailavenger (<< 0.8.1-4) Breaks: dovecot-common (<< 1:2.0.14-2~), mailavenger (<< 0.8.1-4) @@ -191,3 +193,18 @@ Description: secure POP3/IMAP server - d fast, extensible, and portable. . This package contains debug symbols for Dovecot. + +Package: mail-stack-delivery +Architecture: all +Depends: dovecot-core, dovecot-imapd, dovecot-pop3d, dovecot-managesieved, + postfix, ${misc:Depends} +Replaces: dovecot-postfix (<< 1:1.2.12-0ubuntu1~) +Description: mail server delivery agent stack provided by Ubuntu server team + Ubuntu's mail stack provides fully operational delivery with + safe defaults and additional options. Out of the box it supports IMAP, + POP3 and SMTP services with SASL authentication and Maildir as default + storage engine. + . + This package contains configuration files for dovecot. + . + This package modifies postfix's configuration to integrate with dovecot
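
Review bot: Build-Depends gains `dh-autoreconf`, yet the debian/rules changes in this upload call only `dh_autotools-dev_updateconfig`, `dh_autotools-dev_restoreconfig` and a bare `autoconf`, so the dependency is either unused or the rules file should call dh_autoreconf. In the new mail-stack-delivery stanza, `Replaces: dovecot-postfix (<< 1:1.2.12-0ubuntu1~)` has no matching Breaks or Conflicts, which leaves both packages co-installable while files are taken over; the dovecot-core stanza above pairs its Replaces with a Breaks on the same versions.
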
  10. Download patch debian/mail-stack-delivery.dirs

    --- 1:2.2.9-1/debian/mail-stack-delivery.dirs 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/mail-stack-delivery.dirs 2014-03-07 12:26:37.000000000 +0000 @@ -0,0 +1,2 @@ +var/backups +var/backups/mail-stack-delivery
  11. Download patch debian/patches/CVE-2014-3430.patch

    --- 1:2.2.9-1/debian/patches/CVE-2014-3430.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/patches/CVE-2014-3430.patch 2014-05-14 17:13:56.000000000 +0000 
@@ -0,0 +1,54 @@ + +# HG changeset patch +# User Timo Sirainen <tss@iki.fi> +# Date 1399472781 -10800 +# Node ID 41622541a7a3a938895b5fe045bbc633a9b6c022 +# Parent 7a08a481c133be4b8cb8415feaed1321d560cee5 +*-login: SSL connections didn't get closed when the client got destroyed. + +Index: dovecot-2.2.9/src/login-common/client-common.c +=================================================================== +--- dovecot-2.2.9.orig/src/login-common/client-common.c 2014-05-14 13:13:53.678153694 -0400 ++++ dovecot-2.2.9/src/login-common/client-common.c 2014-05-14 13:13:53.674153694 -0400 +@@ -171,6 +171,8 @@ + last_client = client->prev; + DLLIST_REMOVE(&clients, client); + ++ if (!client->login_success && client->ssl_proxy != NULL) ++ ssl_proxy_destroy(client->ssl_proxy); + if (client->input != NULL) + i_stream_close(client->input); + if (client->output != NULL) +Index: dovecot-2.2.9/src/login-common/ssl-proxy-openssl.c +=================================================================== +--- dovecot-2.2.9.orig/src/login-common/ssl-proxy-openssl.c 2014-05-14 13:13:53.678153694 -0400 ++++ dovecot-2.2.9/src/login-common/ssl-proxy-openssl.c 2014-05-14 13:13:53.674153694 -0400 +@@ -116,7 +116,6 @@ + static void ssl_read(struct ssl_proxy *proxy); + static void ssl_write(struct ssl_proxy *proxy); + static void ssl_step(struct ssl_proxy *proxy); +-static void ssl_proxy_destroy(struct ssl_proxy *proxy); + static void ssl_proxy_unref(struct ssl_proxy *proxy); + + static struct ssl_server_context * +@@ -805,7 +804,7 @@ + i_free(proxy); + } + +-static void ssl_proxy_destroy(struct ssl_proxy *proxy) ++void ssl_proxy_destroy(struct ssl_proxy *proxy) + { + if (proxy->destroyed) + return; +Index: dovecot-2.2.9/src/login-common/ssl-proxy.h +=================================================================== +--- dovecot-2.2.9.orig/src/login-common/ssl-proxy.h 2014-05-14 13:13:53.678153694 -0400 ++++ dovecot-2.2.9/src/login-common/ssl-proxy.h 2014-05-14 13:13:53.674153694 -0400 +@@ -34,6 
+34,7 @@ + const char *ssl_proxy_get_security_string(struct ssl_proxy *proxy); + const char *ssl_proxy_get_compression(struct ssl_proxy *proxy); + const char *ssl_proxy_get_cert_error(struct ssl_proxy *proxy); ++void ssl_proxy_destroy(struct ssl_proxy *proxy); + void ssl_proxy_free(struct ssl_proxy **proxy); + + /* Return number of active SSL proxies */
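
Review bot: The new condition in client-common.c, `if (!client->login_success && client->ssl_proxy != NULL)`, carries the whole lifetime rule for the SSL proxy but has no comment; a line stating why the proxy must not be destroyed here after a successful login would help the next reader. `ssl_proxy_destroy()` also changes from a static function to a declaration in ssl-proxy.h, so please confirm that any other ssl-proxy implementation built against that header defines it. The file carries only the upstream HG changeset header; Origin and Bug fields would make the provenance of this security fix easier to track.
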
  12. Download patch debian/dovecot-core.dovecot.upstart

    --- 1:2.2.9-1/debian/dovecot-core.dovecot.upstart 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/dovecot-core.dovecot.upstart 2014-03-07 12:26:37.000000000 +0000 @@ -0,0 +1,39 @@ +# dovecot - pop3/imap mail server +# +# Dovecot is a mail server whose major goals are security and extreme reliability. + +description "dovecot - pop3/imap mail server" + +start on runlevel [2345] +stop on runlevel [!2345] + +respawn + +pre-start script + test -x /usr/sbin/dovecot || { stop ; exit 0; } + test -r /etc/dovecot/dovecot.conf || { stop ; exit 0; } + + # dont check for inetd.conf if its not installed + if [ -f /etc/inetd.conf ]; then + # The init script should do nothing if dovecot or another imap/pop3 server + # is being run from inetd, and dovecot is configured to run as an imap or + # pop3 service + for p in `sed -r "s/^ *(([^:]+|\[[^]]+]|\*):)?(pop3s?|imaps?)[ \t].*/\3/;t;d" \ + /etc/inetd.conf` + do + for q in `sed -r "s/^[ \t]*protocols[ \t]*=[ \t]*(([^\"]*)|\"(.*)\")/\2\3/;t;d" \ + /etc/dovecot/dovecot.conf` + do + if [ $p = $q ]; then + exit 0 + fi + done + done + fi + +end script + +script + test -x /usr/sbin/ntp-wait && ntp-wait -n 2 || true + exec /usr/sbin/dovecot -F -c /etc/dovecot/dovecot.conf +end script
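
Review bot: In pre-start, the inetd conflict branch ends with a plain `exit 0`, unlike the two `test ... || { stop ; exit 0; }` guards above it, so a detected conflict does not stop the job and the main script still execs dovecot. The protocol list is also parsed with sed from /etc/dovecot/dovecot.conf only, which misses `protocols` set in conf.d (99-mail-stack-delivery.conf sets it there); the init script in this upload uses `doveconf -n -h protocols` for the same check. Quote `$p` and `$q` in the comparison.
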
  13. Download patch debian/99-mail-stack-delivery.conf

    --- 1:2.2.9-1/debian/99-mail-stack-delivery.conf 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/99-mail-stack-delivery.conf 2014-03-07 12:26:37.000000000 +0000 @@ -0,0 +1,48 @@ +# Some general options +protocols = imap pop3 sieve +disable_plaintext_auth = yes +ssl = yes +ssl_cert = </etc/dovecot/dovecot.pem +ssl_key = </etc/dovecot/private/dovecot.pem +ssl_cipher_list = ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM +mail_location = maildir:~/Maildir +auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ + +# IMAP configuration +protocol imap { + mail_max_userip_connections = 10 + imap_client_workarounds = delay-newmail +} + +# POP3 configuration +protocol pop3 { + mail_max_userip_connections = 10 + pop3_client_workarounds = outlook-no-nuls oe-ns-eoh +} + +# LDA configuration +protocol lda { + postmaster_address = postmaster + mail_plugins = sieve + quota_full_tempfail = yes + deliver_log_format = msgid=%m: %$ + rejection_reason = Your message to <%t> was automatically rejected:%n%r +} + +# Plugins configuration +plugin { + sieve=~/.dovecot.sieve + sieve_dir=~/sieve +} + +# Authentication configuration +auth_mechanisms = plain login + +service auth { + # Postfix smtp-auth + unix_listener /var/spool/postfix/private/dovecot-auth { + mode = 0660 + user = postfix + group = postfix + } +}
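
Review bot: `ssl_cipher_list` lists `ALL` twice and names `RC4+RSA` explicitly, and nothing in the string excludes RC4, so RC4 suites stay enabled; drop the duplicate and add `!RC4` unless a known client needs it. `auth_mechanisms = plain login` is offered with `ssl = yes` rather than `ssl = required`, so the protection of those mechanisms rests on `disable_plaintext_auth = yes` alone. `auth_username_chars` ends in `01234567890`, repeating the 0.
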
  14. Download patch .pc/applied-patches

    --- 1:2.2.9-1/.pc/applied-patches 2014-05-26 16:06:54.037857883 +0000 +++ 1:2.2.9-1ubuntu4/.pc/applied-patches 2014-05-26 16:06:56.045910694 +0000 @@ -8,3 +8,4 @@ default-mail_location.patch exampledir.patch mboxlocking.patch dovecot_name.patch +CVE-2014-3430.patch
  15. Download patch debian/dovecot-core.ufw.profile

    --- 1:2.2.9-1/debian/dovecot-core.ufw.profile 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/dovecot-core.ufw.profile 2014-03-07 12:26:37.000000000 +0000 @@ -0,0 +1,23 @@ +[Dovecot POP3] +title=Secure mail server (POP3) +description=Dovecot is a mail server whose major goals are security and extreme + reliability. +ports=110/tcp + +[Dovecot Secure POP3] +title=Secure mail server (POP3S) +description=Dovecot is a mail server whose major goals are security and extreme + reliability. +ports=995/tcp + +[Dovecot IMAP] +title=Secure mail server (IMAP) +description=Dovecot is a mail server whose major goals are security and extreme + reliability. +ports=143/tcp + +[Dovecot Secure IMAP] +title=Secure mail server (IMAPS) +description=Dovecot is a mail server whose major goals are security and extreme + reliability. +ports=993/tcp
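
Review bot: The sections for 110/tcp and 143/tcp carry the titles "Secure mail server (POP3)" and "Secure mail server (IMAP)", the same wording as the 995/tcp and 993/tcp profiles, so an administrator choosing a profile cannot tell from the title which ones open the ports without implicit TLS; name them plainly. There is also no profile for the sieve protocol that 99-mail-stack-delivery.conf enables with `protocols = imap pop3 sieve`.
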
  16. Download patch src/login-common/ssl-proxy-openssl.c

    --- 1:2.2.9-1/src/login-common/ssl-proxy-openssl.c 2013-11-24 13:37:39.000000000 +0000 +++ 1:2.2.9-1ubuntu4/src/login-common/ssl-proxy-openssl.c 2014-05-26 16:06:54.000000000 +0000 @@ -116,7 +116,6 @@ static void plain_read(struct ssl_proxy static void ssl_read(struct ssl_proxy *proxy); static void ssl_write(struct ssl_proxy *proxy); static void ssl_step(struct ssl_proxy *proxy); -static void ssl_proxy_destroy(struct ssl_proxy *proxy); static void ssl_proxy_unref(struct ssl_proxy *proxy); static struct ssl_server_context * @@ -805,7 +804,7 @@ static void ssl_proxy_unref(struct ssl_p i_free(proxy); } -static void ssl_proxy_destroy(struct ssl_proxy *proxy) +void ssl_proxy_destroy(struct ssl_proxy *proxy) { if (proxy->destroyed) return;
  17. Download patch debian/dovecot-core.lintian-overrides

    --- 1:2.2.9-1/debian/dovecot-core.lintian-overrides 2013-11-28 05:46:44.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/dovecot-core.lintian-overrides 2014-03-07 12:26:37.000000000 +0000 @@ -7,7 +7,6 @@ dovecot-core: hardening-no-fortify-funct dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/libdovecot-login.so.0.0.0 dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/libdovecot-sql.so.0.0.0 dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/auth/libauthdb_imap.so -dovecot-core: hardening-no-relro usr/lib/dovecot/modules/drac.so dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/lib05_pop3_migration_plugin.so dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/lib10_quota_plugin.so dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/lib11_trash_plugin.so
  18. Download patch debian/dovecot-core.dirs

    --- 1:2.2.9-1/debian/dovecot-core.dirs 2013-11-28 05:46:44.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/dovecot-core.dirs 2014-03-07 12:26:37.000000000 +0000 @@ -1,3 +1,9 @@ etc/dovecot/private usr/sbin usr/share/dovecot/protocols.d +usr/share/doc/dovecot-core +etc/dovecot/conf.d +etc/ssl/certs +etc/ssl/private +etc/ufw/applications.d +
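
Review bot: The added `etc/ssl/certs` and `etc/ssl/private` entries make dovecot-core create directories under /etc/ssl, while the postinst in this same upload tells administrators to move their certificates "out of /etc/ssl and into /etc/dovecot"; one of the two should change, or the reason for keeping both should be documented. If the entries stay, confirm the package does not ship `etc/ssl/private` with a more permissive mode than the one already enforced on the system's private key directory. The hunk also ends with an added empty line that can be dropped.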
  19. Download patch debian/mail-stack-delivery.preinst

    --- 1:2.2.9-1/debian/mail-stack-delivery.preinst 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/mail-stack-delivery.preinst 2014-03-07 12:26:37.000000000 +0000 
@@ -0,0 +1,76 @@ +#!/bin/sh + +set -e + +# Prepare to move a conffile without triggering a dpkg question +prep_mv_conffile() { + PKGNAME="$1" + CONFFILE="$2" + if [ -e "$CONFFILE" ]; then + md5sum="`md5sum \"$CONFFILE\" | sed -e \"s/ .*//\"`" + old_md5sum="`dpkg-query -W -f='${Conffiles}' $PKGNAME | sed -n -e \"\\\\' $CONFFILE'{s/ obsolete$//;s/.* //p}\"`" + if [ "$md5sum" = "$old_md5sum" ]; then + rm -f "$CONFFILE" + else + if [ -e "$CONFFILE" ]; then + if [ "$CONFFILE" = "/etc/dovecot/conf.d/01-dovecot-postfix.conf" ]; then + mv -f "$CONFFILE" "/etc/dovecot/conf.d/01-mail-stack-delivery.conf" + fi + if [ "$CONFFILE" = "/etc/dovecot/auth.d/01-dovecot-postfix.auth" ]; then + mv -f "$CONFFILE" "/etc/dovecot/auth.d/01-mail-stack-delivery.auth" + fi + fi + fi + fi +} +case "$1" in +install|upgrade) + if dpkg --compare-versions "$2" lt "1:1.2.9-1ubuntu8"; then + prep_mv_conffile mail-stack-delivery "/etc/dovecot/conf.d/01-dovecot-postfix.conf" + prep_mv_conffile mail-stack-delivery "/etc/dovecot/auth.d/01-dovecot-postfix.auth" + if [ -f "/usr/share/dovecot/dovecot-postfix.conf" ]; then + mv -f "/usr/share/dovecot/dovecot-postfix.conf" "/usr/share/dovecot/mail-stack-delivery.conf" + fi + if [ -f "/etc/dovecot/dovecot-postfix.conf" ]; then + mv -f "/etc/dovecot/dovecot-postfix.conf" "/etc/dovecot/mail-stack-delivery.conf" + fi + if [ -e "/var/backups/dovecot-postfix/main.cf-backup" ]; then + if [ -n "//var/backups/mail-stack-delivery/" ]; then + mkdir "/var/backups/mail-stack-delivery/" + fi + mv -f "/var/backups/dovecot-postfix/main.cf-backup" "/var/backups/mail-stack-delivery/main.cf-backup" + test -d /var/backups/dovecot-postfix/ && rmdir --ignore-fail-on-non-empty /var/backups/dovecot-postfix/ + fi + fi + + + # Check if mail-stack-delivery.conf had any customizations + if [ -f "/usr/share/dovecot/mail-stack-delivery.conf" ]; then + if [ -f "/etc/dovecot/mail-stack-delivery.conf" ]; then + mv /etc/dovecot/mail-stack-delivery.conf 
/etc/dovecot/mail-stack-delivery.conf.bak + DIR=`mktemp -d` + egrep -v ^protocol /etc/dovecot/mail-stack-delivery.conf.bak > $DIR/mail-stack-delivery-custom.conf + egrep -v ^protocol /usr/share/dovecot/mail-stack-delivery.conf > $DIR/mail-stack-delivery.conf + if diff -qur $DIR/mail-stack-delivery-dist.conf $DIR/mail-stack-delivery-custom.conf 1>/dev/null 2>&1; then + rm -f /etc/dovecot/mail-stack-delivery.conf.bak + else + awk ' /^auth default/ {flag=1;next} /^}/{flag=0} flag { print }' /etc/dovecot/mail-stack-delivery.conf.bak > /etc/dovecot/auth.d/01-mail-stack-delivery.auth + awk ' /^## Dovecot conf/{flag=1} /^auth default/{flag=0} flag { print }' /etc/dovecot/mail-stack-delivery.conf.bak > /etc/dovecot/conf.d/01-mail-stack-delivery.conf + awk ' /^# If you wish to use another authentication server than dovecot-auth/{flag=1} flag { print }' /etc/dovecot/mail-stack-delivery.conf.bak >> /etc/dovecot/conf.d/01-mail-stack-delivery.conf + fi + rm -rf $DIR + fi + + fi + ;; + + abort-upgrade) + ;; + + *) + echo "preinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER#
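
Review bot: In the customization check, `diff -qur $DIR/mail-stack-delivery-dist.conf $DIR/mail-stack-delivery-custom.conf` compares against a file that is never created, because the `egrep` two lines earlier writes `$DIR/mail-stack-delivery.conf`; with stderr discarded the diff always fails, so every upgrade takes the `else` branch and treats an unmodified configuration as customized. Use the same file name in both places. Separately, `if [ -n "//var/backups/mail-stack-delivery/" ]` tests a non-empty literal and is always true, so `mkdir` runs even when the directory exists and, under `set -e`, aborts the preinst; `mkdir -p` or a `[ ! -d ... ]` test is what was meant. The `awk` redirections into `/etc/dovecot/auth.d/` and `/etc/dovecot/conf.d/` also assume those directories exist at preinst time, and `$DIR` should be quoted wherever it is expanded.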
  20. Download patch debian/dovecot-core.init

    --- 1:2.2.9-1/debian/dovecot-core.init 2013-11-28 05:46:44.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/dovecot-core.init 1970-01-01 00:00:00.000000000 +0000 
@@ -1,185 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: dovecot -# Required-Start: $local_fs $remote_fs $network $syslog $time -# Required-Stop: $local_fs $remote_fs $network $syslog -# Should-Start: postgresql mysql slapd winbind nslcd -# Should-Stop: postgresql mysql slapd winbind nslcd -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Dovecot init script -# Description: Init script for dovecot services -### END INIT INFO - -# Author: Miquel van Smoorenburg <miquels@cistron.nl>. -# Modified for Debian GNU/Linux -# by Ian Murdock <imurdock@gnu.ai.mit.edu>. -# - -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin -DESC="IMAP/POP3 mail server" -NAME=dovecot -DAEMON=/usr/sbin/dovecot -DAEMON_ARGS="" -SCRIPTNAME=/etc/init.d/$NAME -CONF=/etc/dovecot/${NAME}.conf - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Exit if the configuration file doesn't exist -[ -f "$CONF" ] || exit 0 - -# Exit if explicitly told to -[ "$ENABLED" != "0" ] || exit 0 - -# Allow core dumps if requested -[ "$ALLOW_COREDUMPS" != "1" ] || ulimit -c unlimited - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.0-6) to ensure that this file is present. -. /lib/lsb/init-functions - -# conf file readable? -if [ ! 
-r ${CONF} ]; then - log_daemon_msg "${CONF}: not readable" "$NAME" && log_end_msg 1; - exit 1; -fi - -# dont check for inetd.conf if its not installed -if [ -f /etc/inetd.conf ]; then - # The init script should do nothing if dovecot or another imap/pop3 server - # is being run from inetd, and dovecot is configured to run as an imap or - # pop3 service - for p in `sed -r "s/^ *(([^:]+|\[[^]]+]|\*):)?(pop3s?|imaps?)[ \t].*/\3/;t;d" \ - /etc/inetd.conf` - do - for q in `doveconf -n -h protocols` - do - if [ $p = $q ]; then - log_daemon_msg "protocol ${p} configured both in inetd and in dovecot" "$NAME" && log_end_msg 1 - exit 0 - fi - done - done -fi - -# determine the location of the PID file -# overide by setting base_dir in conf file or PIDBASE in /etc/defaults/$NAME -PIDBASE=${PIDBASE:-`doveconf -n -c ${CONF} -h base_dir`} -PIDFILE=${PIDBASE:-/var/run/dovecot}/master.pid - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test -- -c ${CONF} > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- -c ${CONF} \ - $DAEMON_ARGS \ - || return 2 -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name ${DAEMON##*/} - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. 
A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --pidfile $PIDFILE --name ${DAEMON##*/} - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - - -case "$1" in - start) - log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) log_end_msg 0 ;; - 2) log_end_msg 1 ;; - esac - ;; - stop) - log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) log_end_msg 0 ;; - 2) log_end_msg 1 ;; - esac - ;; - reload|force-reload) - log_daemon_msg "Reloading $DESC" "$NAME" - do_reload - log_end_msg $? - ;; - restart) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - status) - status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $? - ;; - *) - echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2 - exit 3 - ;; -esac
  21. Download patch .pc/CVE-2014-3430.patch/src/login-common/ssl-proxy.h

    --- 1:2.2.9-1/.pc/CVE-2014-3430.patch/src/login-common/ssl-proxy.h 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/.pc/CVE-2014-3430.patch/src/login-common/ssl-proxy.h 2013-11-24 13:37:39.000000000 +0000 
@@ -0,0 +1,45 @@ +#ifndef SSL_PROXY_H +#define SSL_PROXY_H + +struct ip_addr; +struct ssl_proxy; +struct master_service_ssl_settings; +struct login_settings; +struct client; + +extern bool ssl_initialized; + +typedef int ssl_handshake_callback_t(void *context); + +/* establish SSL connection with the given fd, returns a new fd which you + must use from now on, or -1 if error occurred. Unless -1 is returned, + the given fd must be simply forgotten. */ +int ssl_proxy_alloc(int fd, const struct ip_addr *ip, pool_t set_pool, + const struct login_settings *login_set, + const struct master_service_ssl_settings *ssl_set, + struct ssl_proxy **proxy_r); +int ssl_proxy_client_alloc(int fd, struct ip_addr *ip, pool_t set_pool, + const struct login_settings *login_set, + const struct master_service_ssl_settings *ssl_set, + ssl_handshake_callback_t *callback, void *context, + struct ssl_proxy **proxy_r); +void ssl_proxy_start(struct ssl_proxy *proxy); +void ssl_proxy_set_client(struct ssl_proxy *proxy, struct client *client); +bool ssl_proxy_has_valid_client_cert(const struct ssl_proxy *proxy) ATTR_PURE; +bool ssl_proxy_has_broken_client_cert(struct ssl_proxy *proxy); +int ssl_proxy_cert_match_name(struct ssl_proxy *proxy, const char *verify_name); +const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy); +bool ssl_proxy_is_handshaked(const struct ssl_proxy *proxy) ATTR_PURE; +const char *ssl_proxy_get_last_error(const struct ssl_proxy *proxy) ATTR_PURE; +const char *ssl_proxy_get_security_string(struct ssl_proxy *proxy); +const char *ssl_proxy_get_compression(struct ssl_proxy *proxy); +const char *ssl_proxy_get_cert_error(struct ssl_proxy *proxy); +void ssl_proxy_free(struct ssl_proxy **proxy); + +/* Return number of active SSL proxies */ +unsigned int ssl_proxy_get_count(void) ATTR_PURE; + +void ssl_proxy_init(void); +void ssl_proxy_deinit(void); + +#endif
  22. Download patch debian/tests/testlib.py

    --- 1:2.2.9-1/debian/tests/testlib.py 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/tests/testlib.py 2014-03-07 12:26:37.000000000 +0000 
@@ -0,0 +1,101 @@ +'''Common classes and functions for package tests.''' + +import string, random, crypt, subprocess, pwd, signal, time + +class TimedOutException(Exception): + def __init__(self, value = "Timed Out"): + self.value = value + def __str__(self): + return repr(self.value) + +def timeout(secs, f, *args): + def handler(signum, frame): + raise TimedOutException() + + old = signal.signal(signal.SIGALRM, handler) + result = None + signal.alarm(secs) + try: + result = f(*args) + finally: + signal.alarm(0) + signal.signal(signal.SIGALRM, old) + + return result + +def random_string(length): + '''Return a random string, consisting of ASCII letters, with given + length.''' + + s = '' + maxind = len(string.letters)-1 + for l in range(length): + s += string.letters[random.randint(0, maxind)] + return s + +def login_exists(login): + '''Checks whether the given login exists on the system.''' + + try: + pwd.getpwnam(login) + return True + except KeyError: + return False + +def cmd(command, input = None, stderr = subprocess.STDOUT): + '''Try to execute given command (array) and return its stdout, or return + a textual error if it failed.''' + + try: + sp = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=stderr, close_fds=True) + except OSError, e: + return [127, str(e)] + + out = sp.communicate(input)[0] + return [sp.returncode,out] + +class TestUser: + '''Create a temporary test user and remove it again in the dtor.''' + + def __init__(self, login=None, home=True): + '''Create a new user account with a random password. + + By default, the login name is random, too, but can be explicitly + specified with 'login'. 
By default, a home directory is created, this + can be suppressed with 'home=False'.''' + + self.login = None + + if login: + if login_exists(login): + raise ValueError, 'login name already exists' + else: + while(True): + login = random_string(8) + if not login_exists(login): + break + + self.salt = random_string(2) + self.password = random_string(8) + self.crypted = crypt.crypt(self.password, self.salt) + + if home: + assert subprocess.call(['useradd', '-p', self.crypted, '-m', login]) == 0 + else: + assert subprocess.call(['useradd', '-p', self.crypted, login]) == 0 + + self.login = login + p = pwd.getpwnam(self.login) + self.uid = p[2] + self.gid = p[3] + + def __del__(self): + '''Remove the created user account.''' + + if self.login: + # seems to already have gone here + try: + import subprocess + except: + pass + assert subprocess.call(['userdel', '-r', self.login]) == 0
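
Review bot: `cmd()` accepts an `input` argument and passes it to `sp.communicate(input)`, but the `Popen` call sets only `stdout` and `stderr`, so without `stdin=subprocess.PIPE` the data never reaches the child process; add the pipe when `input` is not None. In `TestUser.__init__`, the password comes from the `random` module and is hashed with a two-character salt via `crypt.crypt`, then handed to `useradd -p` on the command line; that is tolerable only for a throwaway account on a test machine, and a comment should say so. The `assert subprocess.call(...) == 0` checks disappear when Python runs with `-O`, and cleanup in `__del__` is not guaranteed to run, so a failed test can leave the account behind; an explicit cleanup method with a real error check would be more reliable.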
  23. Download patch src/login-common/ssl-proxy.h

    --- 1:2.2.9-1/src/login-common/ssl-proxy.h 2013-11-24 13:37:39.000000000 +0000 +++ 1:2.2.9-1ubuntu4/src/login-common/ssl-proxy.h 2014-05-26 16:06:54.000000000 +0000 @@ -34,6 +34,7 @@ const char *ssl_proxy_get_last_error(con const char *ssl_proxy_get_security_string(struct ssl_proxy *proxy); const char *ssl_proxy_get_compression(struct ssl_proxy *proxy); const char *ssl_proxy_get_cert_error(struct ssl_proxy *proxy); +void ssl_proxy_destroy(struct ssl_proxy *proxy); void ssl_proxy_free(struct ssl_proxy **proxy); /* Return number of active SSL proxies */
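
Review bot: The new `void ssl_proxy_destroy(struct ssl_proxy *proxy);` prototype is exported with no comment, right above `ssl_proxy_free(struct ssl_proxy **proxy)`, and the header gives callers no way to tell when each one applies. Add a short comment stating that destroy closes the connection without the caller giving up its reference (if that is the intent), that it is safe to call on an already destroyed proxy (the definition starts with `if (proxy->destroyed) return;`), and whether `ssl_proxy_free()` must still be called afterwards.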
  24. Download patch debian/patches/series

    --- 1:2.2.9-1/debian/patches/series 2013-11-28 05:46:44.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/patches/series 2014-05-14 17:13:52.000000000 +0000 @@ -8,3 +8,4 @@ default-mail_location.patch exampledir.patch mboxlocking.patch dovecot_name.patch +CVE-2014-3430.patch
  25. Download patch .pc/CVE-2014-3430.patch/src/login-common/ssl-proxy-openssl.c
  26. Download patch debian/dovecot-core.postinst

    --- 1:2.2.9-1/debian/dovecot-core.postinst 2013-11-28 05:46:44.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/dovecot-core.postinst 2014-03-07 12:26:37.000000000 +0000 @@ -118,12 +118,40 @@ if [ "$1" = "configure" ]; then delgroup imapd || true fi + ## SSL Certs + # Certs and key file + OLD_SSL_CERT="/etc/ssl/certs/dovecot.pem" + OLD_SSL_KEY="/etc/ssl/private/dovecot.pem" + SSL_CERT=$( (grep -m 1 "ssl_cert_file" /etc/dovecot/conf.d/10-ssl.conf || echo '/etc/dovecot/dovecot.pem') | cut -d'=' -f2) + SSL_KEY=$( (grep -m 1 "ssl_key_file" /etc/dovecot/conf.d/10-ssl.conf || echo '/etc/dovecot/private/dovecot.pem') | cut -d'=' -f2) + if [ ! -e /etc/dovecot/private ]; then install -d -o root -g root -m0700 /etc/dovecot/private fi - SSL_CERT=`doveconf -S ssl_cert | sed -e 's/^ssl_cert=<//'` - SSL_KEY=`doveconf -S ssl_key | sed -e 's/^ssl_key=<//'` + if [ -e $OLD_SSL_CERT ] || [ -e $OLD_SSL_KEY ]; then + echo "You already have ssl certs for dovecot." + echo "However you should move them out of /etc/ssl" + echo "and into /etc/dovecot and update the configuration" + echo "in /etc/dovecot/conf.d/10-ssl.conf accordingly." + echo "See /usr/share/doc/dovecot-core/README.Debian.gz for details." + # Create backward compatible symlinks to keep dovecot functioning + if [ ! -e $SSL_CERT ]; then + echo "Creating compat symlink for $OLD_SSL_CERT" + ln -s $OLD_SSL_CERT $SSL_CERT + fi + if [ ! -e $SSL_KEY ]; then + echo "Creating compat symlink for $OLD_SSL_KEY" + ln -s $OLD_SSL_KEY $SSL_KEY + fi + fi + # Generate new certs if needed + if [ -e $SSL_CERT ] || [ -e $SSL_KEY ]; then + echo "You already have ssl certs for dovecot." + else + echo "Creating generic self-signed certificate: $SSL_CERT" + echo "This certificate will expire in 10 years." + echo "(replace with hand-crafted or authorized one if needed)." db_get dovecot-core/create-ssl-cert if [ "$RET" = "true" ]; then 
@@ -135,7 +163,7 @@ if [ "$1" = "configure" ]; then COMMONNAME="$RET" MAILNAME="$(cat /etc/mailname 2> /dev/null || echo "$COMMONNAME")" (openssl req -newkey rsa:2048 -x509 -days 3652.5 -nodes \ - -rand /dev/urandom -out $SSL_CERT -keyout $SSL_KEY > /dev/null 2>&1 <<+ + -rand /dev/urandom -out $SSL_CERT -keyout $SSL_KEY > /dev/null 2>&1 <<+ . . . @@ -156,6 +184,7 @@ root@$MAILNAME fi db_stop || true + fi fi if [ "$1" = "triggered" ]; then
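
Review bot: The new `SSL_CERT=` and `SSL_KEY=` assignments grep `/etc/dovecot/conf.d/10-ssl.conf` for `ssl_cert_file` and `ssl_key_file`, whereas the removed lines asked `doveconf -S ssl_cert` / `ssl_key` and stripped an `ssl_cert=<` prefix; if the live settings are named as in the removed lines, the grep never matches and the script silently falls back to the hard-coded `/etc/dovecot/dovecot.pem` paths, ignoring what the administrator configured. The grep would also match a commented-out line, and `cut -d'=' -f2` keeps any surrounding whitespace. Prefer keeping the `doveconf` query, and quote `$SSL_CERT`, `$SSL_KEY`, `$OLD_SSL_CERT` and `$OLD_SSL_KEY` in the `[ -e ... ]` tests and `ln -s` calls. The guard `if [ -e $SSL_CERT ] || [ -e $SSL_KEY ]` skips generation when only one of the two files exists, which leaves an unusable pair; and "You already have ssl certs for dovecot." can be printed twice in one run.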
  27. Download patch debian/docs

    --- 1:2.2.9-1/debian/docs 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/docs 2014-03-07 12:26:37.000000000 +0000 @@ -0,0 +1,3 @@ +NEWS +README +TODO
  28. Download patch .pc/CVE-2014-3430.patch/src/login-common/client-common.c
  29. Download patch debian/mail-stack-delivery.prerm

    --- 1:2.2.9-1/debian/mail-stack-delivery.prerm 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/mail-stack-delivery.prerm 2014-03-07 12:26:37.000000000 +0000 @@ -0,0 +1,32 @@ +#! /bin/sh + +set -e + +# conffile renamed in 1:1.2.9-1ubuntu8 +if dpkg --compare-versions "$2" lt-nl "1:1.2.9-1ubuntu8"; then + # "$1" is equal to "upgrade" (which means downgrading in this case) or "abort-upgrade" + # downgrading to <1:1.2.9-1ubuntu8 -- restore old conffile name + if [ -f "/etc/dovecot/conf.d/01-mail-stack-delivery.conf" ]; then + mv -f "/etc/dovecot/conf.d/01-mail-stack-delivery.conf" "/etc/dovecot/conf.d/01-dovecot-postfix.conf" + fi + if [ -f "/etc/dovecot/conf.d/01-mail-stack-delivery.auth" ]; then + mv -f "/etc/dovecot/conf.d/01-mail-stack-delivery.auth" "/etc/dovecot/conf.d/01-dovecot-postfix.auth" + fi + if [ -f "/usr/share/dovecot/mail-stack-delivery.conf" ]; then + mv -f "/usr/share/dovecot/mail-stack-delivery.conf" "/usr/share/dovecot/dovecot-postfix.conf" + fi + if [ -f "/etc/dovecot/mail-stack-delivery.conf" ]; then + mv -f "/etc/dovecot/mail-stack-delivery.conf" "/etc/dovecot/dovecot-postfix.conf" + fi + if [ -e "/var/backups/mail-stack-delivery/main.cf-backup" ]; then + if [ -n "//var/backups/dovecot-postfix/" ]; then + mkdir "/var/backups/dovecot-postfix/" + fi + mv -f "/var/backups/mail-stack-delivery/main.cf-backup" "/var/backups/dovecot-postfix/main.cf-backup" + test -d /var/backups/mail-stack-delivery/ && rmdir /var/backups/mail-stack-delivery/ + fi +fi + +#DEBHELPER# + +exit 0
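
Review bot: The downgrade path looks for `/etc/dovecot/conf.d/01-mail-stack-delivery.auth`, but the preinst in this upload moves and writes that file under `/etc/dovecot/auth.d/`, so the `.auth` conffile is never renamed back; the source and target should both use `auth.d`. As in the preinst, `if [ -n "//var/backups/dovecot-postfix/" ]` is always true, so `mkdir` fails under `set -e` when the directory already exists; use `mkdir -p`. The final `rmdir /var/backups/mail-stack-delivery/` has no `--ignore-fail-on-non-empty` (the preinst counterpart does), so a leftover file there aborts the script.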
  30. Download patch debian/source_dovecot.py

    --- 1:2.2.9-1/debian/source_dovecot.py 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/source_dovecot.py 2014-03-07 12:26:37.000000000 +0000 @@ -0,0 +1,39 @@ +#!/usr/bin/python + +'''Dovecot Apport interface + +Copyright (C) 2010 Canonical Ltd/ +Author: Chuck Short <chuck.short@canonical.com> + +This program is free software; you can redistribute it and/or modify it +under the terms of the GNU General Public License as published by the +Free Software Foundation; either version 2 of the License, or (at your +option) any later version. See http://www.gnu.org/copyleft/gpl.html for +the full text of the license. +''' + +from apport.hookutils import * + +def add_info(report, ui): + response = ui.yesno("The output of dovecot -n may help developers diagnose your bug more quickly, however, it may contain sensitive information. Do you want to include it in your bug report?") + + if response == None: #user canceled + raise StopIteration + + elif response == True: + report['DovecotConf'] = root_command_output(['/usr/sbin/dovecot', '-n']) + + + elif response == False: + ui.information("The contents of dovecot -n will NOT be includeded in the bug report") + + packages=['dovecot-common', 'dovecot-core', 'dovecot-dev', 'dovecot-pop3d', 'dovecot-imapd', 'mail-stack-delivery', 'dovecot-postfix'] + versions = '' + for package in packages: + try: + version = package.get_version(package) + except: + version = 'N/A' + versions += '%s %s\n' %(package, version) + report['DovecotInstalledVersions'] = versions +
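
Review bot: In the version loop, `package.get_version(package)` calls a method on the loop variable, which is a string, so it always raises and the bare `except:` turns every entry into 'N/A'; the report never contains real versions. Call the apport packaging interface instead (for example `apport.packaging.get_version(package)`) and catch only the exception it raises for a package that is not installed. Smaller points: compare with `is None` rather than `== None`, replace `raise StopIteration` on cancel with a plain `return` unless the hook API requires it, and fix the "includeded" typo in the message shown to the user.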
  31. Download patch src/login-common/client-common.c

    --- 1:2.2.9-1/src/login-common/client-common.c 2013-11-24 13:37:39.000000000 +0000 +++ 1:2.2.9-1ubuntu4/src/login-common/client-common.c 2014-05-26 16:06:54.000000000 +0000 @@ -171,6 +171,8 @@ void client_destroy(struct client *clien last_client = client->prev; DLLIST_REMOVE(&clients, client); + if (!client->login_success && client->ssl_proxy != NULL) + ssl_proxy_destroy(client->ssl_proxy); if (client->input != NULL) i_stream_close(client->input); if (client->output != NULL)
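
Review bot: After the new `ssl_proxy_destroy(client->ssl_proxy);` call in `client_destroy()`, `client->ssl_proxy` still points at the destroyed proxy, and the hunk does not show what the rest of the function does with it. Please confirm that the later release path tolerates an already destroyed proxy (the `if (proxy->destroyed) return;` guard in ssl-proxy-openssl.c covers a second destroy, but not other uses), and add a one-line comment explaining why the call is limited to `!client->login_success`, since that condition is the core of the CVE-2014-3430 fix and is not obvious from the code alone.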
  32. Download patch debian/mail-stack-delivery.postrm

    --- 1:2.2.9-1/debian/mail-stack-delivery.postrm 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.2.9-1ubuntu4/debian/mail-stack-delivery.postrm 2014-03-07 12:26:37.000000000 +0000 @@ -0,0 +1,35 @@ +#!/bin/sh +set -e + +POSTFIX_BCKFILE="/var/backups/mail-stack-delivery/main.cf-backup" + +PATH=/usr/sbin:$PATH +export PATH + +if [ "$1" = "remove" -o "$1" = "purge" ]; then + # Restore postfix configuration + if [ "$1" = "remove" ]; then + if which postconf >/dev/null && [ -f "${POSTFIX_BCKFILE}" ]; then + while read line; do + postconf -e "$line" + done < "${POSTFIX_BCKFILE}" + rm -f "${POSTFIX_BCKFILE}" + fi + fi + if [ -x "/etc/init.d/dovecot" ]; then + if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d dovecot restart + else + service dovecot restart + fi + fi + if [ -x "/etc/init.d/postfix" ]; then + if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d postfix restart + else + service postfix restart + fi + fi +fi + +#DEBHELPER#
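
Review bot: The restore loop `while read line; do postconf -e "$line"` uses `read` without `-r` and with the default `IFS`, so backslashes and leading or trailing whitespace in `${POSTFIX_BCKFILE}` are altered before being written back into the Postfix configuration, and a final line without a newline is skipped; use `while IFS= read -r line || [ -n "$line" ]`. Because the script runs under `set -e`, one failing `postconf -e` stops the restore halfway with the backup still in place, and a failing `invoke-rc.d dovecot restart` or `postfix restart` makes the package removal itself fail; decide whether those should be `|| true`. The backup file is applied as root, so it is worth checking that it is a regular root-owned file before reading it. `[ "$1" = "remove" -o "$1" = "purge" ]` is better written as two tests joined with `||`.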
  1. dovecot