Your message dated Sat, 10 Sep 2022 13:36:19 +0100
with message-id
<92fe43e7805e82e43100a6471ccbf91cd9a12944.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates in 11.5
has caused the Debian Bug report #1016458,
regarding bullseye-pu: package dovecot/2.3.13+dfsg1-2+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1016458: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016458
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
Dovecot 2.3.13+dfsg1-2+deb11u1 contains a backported fix for #1016351
(CVE-2022-30550). The fix is cherry-picked from upstream and is identical
to the fix recently uploaded to unstable in dovecot_2.3.19.1+dfsg1-2. The
stable security team and the package maintainers have determined that this
issue does not warrant a DSA and should be fixed in the next bullseye
point release.
Debdiff is attached. Note that it contains one additional minor change to
switch the Salsa GitLab CI configuration to use bullseye runners.
noah
diff -Nru dovecot-2.3.13+dfsg1/debian/changelog
dovecot-2.3.13+dfsg1/debian/changelog
--- dovecot-2.3.13+dfsg1/debian/changelog 2021-07-20 08:05:19.000000000
-0700
+++ dovecot-2.3.13+dfsg1/debian/changelog 2022-07-31 17:47:06.000000000
-0700
@@ -1,3 +1,10 @@
+dovecot (1:2.3.13+dfsg1-2+deb11u1) bullseye; urgency=medium
+
+ * [4b5dac8] d/patches: cherry-pick fix for CVE-2022-30550 (Closes: #1016351)
+ * [597ba7f] salsa-ci: build with bullseye
+
+ -- Noah Meyerhans <no...@debian.org> Sun, 31 Jul 2022 17:47:06 -0700
+
dovecot (1:2.3.13+dfsg1-2) unstable; urgency=high
* Import upstream fixes for security issues (Closes: #990566):
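Review bot: the first bullet names only the CVE id and the bug number; a stable changelog entry should say in one line what the fix changes, because the changelog is what the point-release announcement and anyone auditing the upload will read. Suggest "* [4b5dac8] d/patches: cherry-pick upstream fix for CVE-2022-30550, passdbs with identical driver/args but different mechanisms/username_filter being wrongly deduplicated (Closes: #1016351)". The second bullet (salsa-ci) is unrelated to the security fix; that is acceptable for a pu upload when the request calls it out, as this one does.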
diff -Nru
dovecot-2.3.13+dfsg1/debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch
dovecot-2.3.13+dfsg1/debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch
---
dovecot-2.3.13+dfsg1/debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch
1969-12-31 16:00:00.000000000 -0800
+++
dovecot-2.3.13+dfsg1/debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch
2022-07-31 17:47:06.000000000 -0700
@@ -0,0 +1,22 @@
+From: Timo Sirainen <timo.sirai...@open-xchange.com>
+Date: Mon, 16 May 2022 14:58:45 +0200
+Subject: auth: Add a comment about updating userdb_find()
+
+---
+ src/auth/userdb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: dovecot/src/auth/userdb.c
+===================================================================
+--- dovecot.orig/src/auth/userdb.c
++++ dovecot/src/auth/userdb.c
+@@ -162,7 +162,8 @@ userdb_preinit(pool_t pool, const struct
+ userdb->id = ++auth_userdb_id;
+ userdb->iface = iface;
+ userdb->args = p_strdup(pool, set->args);
+-
++ /* NOTE: if anything else than driver & args are added here,
++ userdb_find() also needs to be updated. */
+ array_push_back(&userdb_modules, &userdb);
+ return userdb;
+ }
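Review bot: neither this patch nor the passdb one carries an Origin: or Bug-Debian: DEP-3 header (only From:, Date: and Subject: are present), so a later uploader has to match the upstream commit by hand to confirm that the cherry-pick is identical to what went into dovecot 2.3.19.1+dfsg1-2; adding `Origin: upstream, <commit id>` and `Bug-Debian: https://bugs.debian.org/1016351` costs nothing. The hunk itself is comment-only (the removed line is blank), so it changes no behaviour; keeping it in the series still makes sense, since it records the same driver/args-only deduplication contract for userdbs that the passdb fix depends on.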
diff -Nru
dovecot-2.3.13+dfsg1/debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch
dovecot-2.3.13+dfsg1/debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch
---
dovecot-2.3.13+dfsg1/debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch
1969-12-31 16:00:00.000000000 -0800
+++
dovecot-2.3.13+dfsg1/debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch
2022-07-31 17:47:06.000000000 -0700
@@ -0,0 +1,130 @@
+From: Timo Sirainen <timo.sirai...@open-xchange.com>
+Date: Mon, 9 May 2022 15:23:33 +0300
+Subject: auth: Fix handling passdbs with identical driver/args but different
+ mechanisms/username_filter
+
+The passdb was wrongly deduplicated in this situation, causing wrong
+mechanisms or username_filter setting to be used. This would be a rather
+unlikely configuration though.
+
+Fixed by moving mechanisms and username_filter from struct passdb_module
+to struct auth_passdb, which is where they should have been in the first
+place.
+---
+ src/auth/auth-request.c | 6 +++---
+ src/auth/auth.c | 18 ++++++++++++++++++
+ src/auth/auth.h | 5 +++++
+ src/auth/passdb.c | 15 ++-------------
+ src/auth/passdb.h | 4 ----
+ 5 files changed, 28 insertions(+), 20 deletions(-)
+
+Index: dovecot/src/auth/auth-request.c
+===================================================================
+--- dovecot.orig/src/auth/auth-request.c
++++ dovecot/src/auth/auth-request.c
+@@ -553,8 +553,8 @@ auth_request_want_skip_passdb(struct aut
+ struct auth_passdb *passdb)
+ {
+ /* if mechanism is not supported, skip */
+- const char *const *mechs = passdb->passdb->mechanisms;
+- const char *const *username_filter = passdb->passdb->username_filter;
++ const char *const *mechs = passdb->mechanisms;
++ const char *const *username_filter = passdb->username_filter;
+ const char *username;
+
+ username = request->fields.user;
+@@ -567,7 +567,7 @@ auth_request_want_skip_passdb(struct aut
+ return TRUE;
+ }
+
+- if (passdb->passdb->username_filter != NULL &&
++ if (passdb->username_filter != NULL &&
+ !auth_request_username_accepted(username_filter, username)) {
+ auth_request_log_debug(request,
+ request->mech != NULL ? AUTH_SUBSYS_MECH
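Review bot: with `username_filter` now a local copy of `passdb->username_filter` (first pair of changed lines), the NULL test in the second pair still reads the struct field while the accept check uses the local; testing the local in both places keeps the two from drifting apart if the field is ever computed differently: `if (username_filter != NULL && !auth_request_username_accepted(username_filter, username))`. No functional issue, the two expressions are identical today, so this is a style point only.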
+Index: dovecot/src/auth/auth.c
+===================================================================
+--- dovecot.orig/src/auth/auth.c
++++ dovecot/src/auth/auth.c
+@@ -93,6 +93,24 @@ auth_passdb_preinit(struct auth *auth, c
+ auth_passdb->override_fields_tmpl =
+ passdb_template_build(auth->pool, set->override_fields);
+
++ if (*set->mechanisms == '\0') {
++ auth_passdb->mechanisms = NULL;
++ } else if (strcasecmp(set->mechanisms, "none") == 0) {
++ auth_passdb->mechanisms = (const char *const[]){ NULL };
++ } else {
++ auth_passdb->mechanisms =
++ (const char *const *)p_strsplit_spaces(auth->pool,
++ set->mechanisms, " ,");
++ }
++
++ if (*set->username_filter == '\0') {
++ auth_passdb->username_filter = NULL;
++ } else {
++ auth_passdb->username_filter =
++ (const char *const *)p_strsplit_spaces(auth->pool,
++ set->username_filter, " ,");
++ }
++
+ /* for backwards compatibility: */
+ if (set->pass)
+ auth_passdb->result_success = AUTH_DB_RULE_CONTINUE;
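Review bot: `auth_passdb->mechanisms = (const char *const[]){ NULL };` stores the address of a compound literal written inside a function body; in C such an object has automatic storage duration tied to the enclosing block, so the pointer dangles once auth_passdb_preinit() returns, and it is read on every request by auth_request_want_skip_passdb() (earlier hunk). The removed passdb_preinit() code had the same construct, so this is inherited rather than introduced, but this hunk is the new home of the logic and the place to fix it: use a file-scope sentinel such as `static const char *const no_mechanisms[] = { NULL };` or allocate the one-element array from auth->pool with p_new(). The username_filter branch is fine because p_strsplit_spaces() allocates from the pool.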
+Index: dovecot/src/auth/auth.h
+===================================================================
+--- dovecot.orig/src/auth/auth.h
++++ dovecot/src/auth/auth.h
+@@ -41,6 +41,11 @@ struct auth_passdb {
+ struct passdb_template *default_fields_tmpl;
+ struct passdb_template *override_fields_tmpl;
+
++ /* Supported authentication mechanisms, NULL is all, {NULL} is none */
++ const char *const *mechanisms;
++ /* Username filter, NULL is no filter */
++ const char *const *username_filter;
++
+ enum auth_passdb_skip skip;
+ enum auth_db_rule result_success;
+ enum auth_db_rule result_failure;
+Index: dovecot/src/auth/passdb.c
+===================================================================
+--- dovecot.orig/src/auth/passdb.c
++++ dovecot/src/auth/passdb.c
+@@ -226,19 +226,8 @@ passdb_preinit(pool_t pool, const struct
+ passdb->id = ++auth_passdb_id;
+ passdb->iface = *iface;
+ passdb->args = p_strdup(pool, set->args);
+- if (*set->mechanisms == '\0') {
+- passdb->mechanisms = NULL;
+- } else if (strcasecmp(set->mechanisms, "none") == 0) {
+- passdb->mechanisms = (const char *const[]){NULL};
+- } else {
+- passdb->mechanisms = (const char*
const*)p_strsplit_spaces(pool, set->mechanisms, " ,");
+- }
+-
+- if (*set->username_filter == '\0') {
+- passdb->username_filter = NULL;
+- } else {
+- passdb->username_filter = (const char*
const*)p_strsplit_spaces(pool, set->username_filter, " ,");
+- }
++ /* NOTE: if anything else than driver & args are added here,
++ passdb_find() also needs to be updated. */
+ array_push_back(&passdb_modules, &passdb);
+ return passdb;
+ }
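Review bot: the removed lines `passdb->mechanisms = (const char*` / `const*)p_strsplit_spaces(pool, set->mechanisms, " ,");` and the matching username_filter pair are split across two lines in this copy of the debdiff, which is what mail wrapping does to long `-` lines; this inline rendering will not apply with quilt, so anyone reproducing the upload should take the attachment rather than the quoted text. Substantively, passdb_find() is not in the diff, so the added NOTE is the only thing discouraging a future per-block setting from landing in struct passdb_module again; a sentence in the patch description saying that passdb_find() matches on driver and args only, which is why mechanisms and username_filter had to move to struct auth_passdb, would make the invariant discoverable without reading the source.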
+Index: dovecot/src/auth/passdb.h
+===================================================================
+--- dovecot.orig/src/auth/passdb.h
++++ dovecot/src/auth/passdb.h
+@@ -63,10 +63,6 @@ struct passdb_module {
+ /* Default password scheme for this module.
+ If default_cache_key is set, must not be NULL. */
+ const char *default_pass_scheme;
+- /* Supported authentication mechanisms, NULL is all, [NULL] is none*/
+- const char *const *mechanisms;
+- /* Username filter, NULL is no filter */
+- const char *const *username_filter;
+
+ /* If blocking is set to TRUE, use child processes to access
+ this passdb. */
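Review bot: dropping two pointer members from the middle of struct passdb_module shifts the offset of every later member (`blocking` and what follows), so any passdb driver compiled against the 2.3.13 header outside this source package would read the wrong fields after this update; in-tree drivers are rebuilt with the package, so this only matters if the archive or local sites carry out-of-tree auth modules. Worth a sentence in the pu request either way (none known, or which ones need a rebuild), since a point release is the wrong place for a silent layout change.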
diff -Nru dovecot-2.3.13+dfsg1/debian/patches/series
dovecot-2.3.13+dfsg1/debian/patches/series
--- dovecot-2.3.13+dfsg1/debian/patches/series 2021-07-19 15:05:12.000000000
-0700
+++ dovecot-2.3.13+dfsg1/debian/patches/series 2022-07-31 17:47:06.000000000
-0700
@@ -18,3 +18,5 @@
Improve-cross-compile-support.patch
CVE-2021-29157.patch
CVE-2021-33515.patch
+auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch
+auth-Add-a-comment-about-updating-userdb_find.patch
diff -Nru dovecot-2.3.13+dfsg1/debian/salsa-ci.yml
dovecot-2.3.13+dfsg1/debian/salsa-ci.yml
--- dovecot-2.3.13+dfsg1/debian/salsa-ci.yml 2021-07-19 06:46:55.000000000
-0700
+++ dovecot-2.3.13+dfsg1/debian/salsa-ci.yml 2022-07-31 17:47:06.000000000
-0700
@@ -6,3 +6,4 @@
variables:
SALSA_CI_LINTIAN_FAIL_WARNING: 1
SALSA_CI_DISABLE_REPROTEST: 1
+ RELEASE: 'bullseye'
--- End Message ---
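The upstream commit message in the attached debdiff describes the bug as two `passdb {}` blocks with identical driver and args but different `mechanisms` or `username_filter` being collapsed onto one module, so that the later block silently runs with the first block's settings (the removed passdb_preinit() code only set those fields when a new module was created). A practitioner who wants to know whether a bullseye host still on dovecot 2.3.13+dfsg1-2 is affected can check the effective configuration for exactly that pattern. The following is an added example written for this page, not code from the bug report, the debdiff or Dovecot; its parser is an assumed small subset of dovecot.conf syntax (top-level passdb blocks, `key = value` lines, full-line `#` comments), the mechanisms/username_filter normalisation mirrors the p_strsplit_spaces() and "none" handling visible in the patch, and the configuration it runs on is constructed.

```python
import re
from collections import defaultdict

# Added example, not code from the Debian bug report, the debdiff or Dovecot.
# The grammar handled here is an assumption: a small subset of dovecot.conf
# (top-level `passdb {` ... `}` blocks, `key = value` lines, full-line `#`
# comments). It is not Dovecot's settings parser.

PASSDB_OPEN = re.compile(r"^passdb\b.*\{$")


def parse_passdbs(conf_text):
    """Return one dict of settings per top-level passdb {} block, in file order."""
    blocks = []
    current = None
    depth = 0
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            if PASSDB_OPEN.match(line):
                current = {"_line": lineno}
                depth = 1
            continue
        if line.endswith("{"):          # nested section inside the block
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                blocks.append(current)
                current = None
        elif depth == 1 and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    if current is not None:
        raise ValueError("passdb block at line %d is not closed" % current["_line"])
    return blocks


def mech_set(value):
    """Mirror the patch: '' -> all mechanisms (None), 'none' -> no mechanism,
    otherwise split on spaces/commas; mechanism names compare case-insensitively."""
    if value == "":
        return None
    if value.lower() == "none":
        return frozenset()
    return frozenset(m.lower() for m in re.split(r"[ ,]+", value) if m)


def filter_set(value):
    """Mirror the patch: '' -> no filter (None), otherwise split on spaces/commas."""
    if value == "":
        return None
    return frozenset(f for f in re.split(r"[ ,]+", value) if f)


def find_collisions(conf_text):
    """Group passdbs by the pre-fix dedup key (driver, args) and report each later
    block whose mechanisms/username_filter differ from the first block's: those are
    the restrictions a vulnerable auth process silently replaced."""
    by_key = defaultdict(list)
    for pdb in parse_passdbs(conf_text):
        by_key[(pdb.get("driver", ""), pdb.get("args", ""))].append(pdb)

    findings = []
    for (driver, args), members in by_key.items():
        first = members[0]
        effective = {
            "mechanisms": mech_set(first.get("mechanisms", "")),
            "username_filter": filter_set(first.get("username_filter", "")),
        }
        for later in members[1:]:
            declared = {
                "mechanisms": mech_set(later.get("mechanisms", "")),
                "username_filter": filter_set(later.get("username_filter", "")),
            }
            if declared != effective:
                findings.append({
                    "driver": driver, "args": args,
                    "line": later["_line"], "first_line": first["_line"],
                    "declared": declared, "effective_before_fix": effective,
                })
    return findings


# Constructed sample configuration for this example, not a real deployment.
SAMPLE_CONF = """\
# two blocks share driver/args but only the second restricts the user name
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
  mechanisms = plain login
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
  username_filter = *@example.com
}
passdb {
  driver = pam
}
"""

if __name__ == "__main__":
    for f in find_collisions(SAMPLE_CONF):
        print("passdb at line %d (driver=%s args=%s) is merged with line %d:"
              % (f["line"], f["driver"], f["args"], f["first_line"]))
        print("  declared:            %s" % f["declared"])
        print("  used before the fix: %s" % f["effective_before_fix"])
```

Feed it the output of `doveconf -n`, which prints the effective configuration with includes expanded, rather than the raw file tree. A reported collision means the later block's mechanism restriction or username filter was not being enforced on the unpatched package; an empty result means the configuration never triggered the deduplication, whether or not the update has been installed.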
--- Begin Message ---
Package: release.debian.org
Version: 11.5
Hi,
The updates referred to in each of these bugs were included in today's
11.5 point release.
Regards,
Adam
--- End Message ---