robert pushed to zarafa (el6). "- Added multiple minor enhancement and bugfix patches (..more)"
notifications at fedoraproject.org
Tue Apr 7 18:41:03 UTC 2015
From ce0e01723f2fe9e281c4e63436caa81558cb7a9f Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert at fedoraproject.org>
Date: Mon, 23 Feb 2015 00:55:48 +0100
Subject: - Added multiple minor enhancement and bugfix patches - Added patch
to fix CVE-2014-0103 for PHP < 5.3 (#1073618)
diff --git a/zarafa-7.1.10-imap-badcharset.patch b/zarafa-7.1.10-imap-badcharset.patch
new file mode 100644
index 0000000..76b5a36
--- /dev/null
+++ b/zarafa-7.1.10-imap-badcharset.patch
@@ -0,0 +1,19 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.10 which fixes the RFC-
+violating reply of the Zarafa IMAP gateway in response to a failed SEARCH CHARSET request.
+This is documented at http://tools.ietf.org/html/rfc3501#page-64: "BADCHARSET: Optionally
+followed by a parenthesized list of charsets. [...]". This patch adds missing parenthesis.
+
+Proposed to upstream via e-mail on Sun, 27 Jul 2014 23:58:01 +0200, patch was put into the
+upstream ticket https://jira.zarafa.com/browse/ZCP-12504.
+
+--- zarafa-7.1.10/gateway/IMAP.cpp 2014-05-23 15:56:37.000000000 +0200
++++ zarafa-7.1.10/gateway/IMAP.cpp.imap-badcharset 2014-07-27 23:42:30.000000000 +0200
+@@ -2409,7 +2409,7 @@
+ if (lstSearchCriteria[1] != "WINDOWS-1252") {
+ iconv = new ECIConv("windows-1252", lstSearchCriteria[1]);
+ if (!iconv->canConvert()) {
+- hr2 = HrResponse(RESP_TAGGED_NO, strTag, "[BADCHARSET WINDOWS-1252] "+strMode+"SEARCH charset not supported");
++ hr2 = HrResponse(RESP_TAGGED_NO, strTag, "[BADCHARSET (WINDOWS-1252)] "+strMode+"SEARCH charset not supported");
+ hr = MAPI_E_CALL_FAILED;
+ goto exit;
+ }
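Review bot: the corrected reply now has the RFC 3501 shape, but the parenthesized list names WINDOWS-1252 as the only supported charset while the `new ECIConv("windows-1252", lstSearchCriteria[1])` two lines above accepts whatever iconv can convert; per the RFC text quoted in the patch header, the optional list is supposed to enumerate the charsets the implementation supports, so listing one is misleading. Either drop the list (`[BADCHARSET]` alone is valid) or list at least US-ASCII and UTF-8 alongside WINDOWS-1252, since RFC 3501 requires US-ASCII to be accepted in SEARCH.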
diff --git a/zarafa-7.1.10-imap-fetch-body.patch b/zarafa-7.1.10-imap-fetch-body.patch
new file mode 100644
index 0000000..da4e2fa
--- /dev/null
+++ b/zarafa-7.1.10-imap-fetch-body.patch
@@ -0,0 +1,93 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.10 which fixes the RFC-
+violating reply of the Zarafa IMAP gateway in response to a body fetch request. This is
+documented at http://tools.ietf.org/html/rfc3501#page-55. Additionally this has been also
+compared with the Dovecot IMAP server as a nearly (or even de facto) IMAP server reference
+implementation. Please note that this is NOT a duplicate of ZCP-11590/ZCP-11739/ZCP-12365!
+
+Wrong behaviour of Zarafa <= 7.1.10rc1-44973 (without this patch):
+> A4 FETCH 1 (BODY.PEEK[HEADER.FIELDS (FROM FROM)])
+< * 1 FETCH (BODY[HEADER.FIELDS (FROM FROM)] {66}
+From: User1 <user1 at domain.org>
+From: User1 <user1 at domain.org>
+
+)
+< A4 OK FETCH completed
+
+Comparison with IMAP server Dovecot 2.2.13:
+> A4 FETCH 1 (BODY.PEEK[HEADER.FIELDS (FROM FROM)])
+< * 1 FETCH (BODY[HEADER.FIELDS (FROM FROM)] {34}
+From: User1 <user1 at domain.org>
+
+)
+< A4 OK Fetch completed.
+
+Correct behaviour of Zarafa (after having this patch applied):
+> A4 FETCH 1 (BODY.PEEK[HEADER.FIELDS (FROM FROM)])
+< * 1 FETCH (BODY[HEADER.FIELDS (FROM FROM)] {34}
+From: User1 <user1 at domain.org>
+
+)
+< A4 OK FETCH completed
+
+Testing: Full IMAP dialog example from the client perspective (after this patch applied):
+< * OK [CAPABILITY IMAP4rev1 LITERAL+ AUTH=PLAIN] Zarafa IMAP gateway ready
+> A0 LOGIN robert robert
+< A0 OK [CAPABILITY IMAP4rev1 LITERAL+ CHILDREN XAOL-OPTION NAMESPACE QUOTA IDLE] LOGIN completed
+> A1 LIST "" INBOX
+< * LIST (\HasNoChildren) "/" "INBOX"
+< A1 OK LIST completed
+> A2 SELECT INBOX
+< * 2 EXISTS
+< * 0 RECENT
+< * FLAGS (\Seen \Draft \Deleted \Flagged \Answered $Forwarded)
+< * OK [PERMANENTFLAGS (\Seen \Draft \Deleted \Flagged \Answered $Forwarded)] Permanent flags
+< * OK [UIDNEXT 4343] Predicted next UID
+< * OK [UNSEEN 1] First unseen message
+< * OK [UIDVALIDITY 9313] UIDVALIDITY value
+< A2 OK [READ-WRITE] SELECT completed
+> A3 SEARCH UNSEEN ALL
+< * SEARCH 1 2
+< A3 OK SEARCH completed
+> A4 FETCH 1 (BODY.PEEK[HEADER.FIELDS (FROM FROM)])
+< * 1 FETCH (BODY[HEADER.FIELDS (FROM FROM)] {34}
+From: User1 <user1 at domain.org>
+
+)
+< A4 OK FETCH completed
+> A5 CLOSE
+< A5 OK CLOSE completed
+> A6 LOGOUT
+< * BYE Zarafa server logging out
+< A6 OK LOGOUT completed
+
+IMPORTANT: This patch has been very carefully and extensively tested but it might not be
+perfect nevertheless as I am not really a C/C++ developer. There should be a code review
+by an experienced C/C++ developer before merging into Zarafa core.
+
+Proposed to upstream via e-mail on Thu, 29 May 2014 01:55:35 +0200, patch was put into the
+upstream ticket https://jira.zarafa.com/browse/ZCP-12398.
+
+--- zarafa-7.1.10/gateway/IMAP.cpp 2014-05-12 12:06:03.000000000 +0200
++++ zarafa-7.1.10/gateway/IMAP.cpp.imap-fetch-body 2014-05-29 00:49:29.000000000 +0200
+@@ -5253,10 +5253,21 @@
+ } else {
+ vector<string> lstReqFields;
+ vector<string>::iterator iterReqField;
++ vector<string>::iterator r, w;
++ set<string> tmpset;
+
+ // Get fields as vector
+ lstReqFields = tokenize(strFields, " ");
+
++ // Make elements of vector unique
++ for(r = lstReqFields.begin(), w = lstReqFields.begin(); r != lstReqFields.end(); ++r) {
++ if(tmpset.insert(*r).second) {
++ *w++ = *r;
++ }
++ }
++
++ lstReqFields.erase(w, lstReqFields.end());
++
+ // Output headers specified, in order of field set
+ for(iterReqField = lstReqFields.begin(); iterReqField != lstReqFields.end(); iterReqField++) {
+ for(iterField = lstFields.begin(); iterField != lstFields.end(); iterField++) {
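Review bot: the new deduplication compares field names byte-for-byte, so `HEADER.FIELDS (FROM FROM)` is collapsed but `HEADER.FIELDS (FROM from)` still emits the header twice, assuming the matching loop that follows compares case-insensitively as RFC 5322 field names require. Uppercase (or otherwise case-fold) each token before the `tmpset.insert(*r).second` test and keep the original token for `*w++ = *r`. Also confirm that IMAP.cpp already includes `<set>`, since `set<string> tmpset` is the only use visible in this hunk. The write-through-iterator approach itself is the right choice over `sort` plus `unique`, because the "in order of field set" comment below requires the client's ordering to survive.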
diff --git a/zarafa-7.1.10-kyotocabinet.patch b/zarafa-7.1.10-kyotocabinet.patch
index 43e62a3..00cdeab 100644
--- a/zarafa-7.1.10-kyotocabinet.patch
+++ b/zarafa-7.1.10-kyotocabinet.patch
@@ -4,6 +4,9 @@ broken on the given system and/or architecture. Interestingly that patch is not
in 2012 the first time, proposed them as a patch to Zarafa and got merged. With a recent Zarafa release it
seems they silently removed it again...
+Proposed to upstream via e-mail on Fri, 11 Jul 2014 01:03:43 +0200, patch was put into the upstream ticket
+https://jira.zarafa.com/browse/ZCP-12463.
+
--- zarafa-7.1.10/ECtools/zarafa-search/Makefile.am 2014-05-23 15:03:49.000000000 +0200
+++ zarafa-7.1.10/ECtools/zarafa-search/Makefile.am.kyotocabinet 2014-07-10 21:48:42.000000000 +0200
@@ -1,4 +1,8 @@
diff --git a/zarafa-7.1.10-ssl_protocols_ciphers.patch b/zarafa-7.1.10-ssl_protocols_ciphers.patch
index 756d2fd..876df60 100644
--- a/zarafa-7.1.10-ssl_protocols_ciphers.patch
+++ b/zarafa-7.1.10-ssl_protocols_ciphers.patch
@@ -38,6 +38,9 @@ a code review and code clean up by an experienced C/C++ developer before merging
This patch should be only applied in conjuction with the POP3 RESP-CODES and AUTH-RESP-CODE patch,
the POP3 CAPA (CAPABILITIES) patch as well as the POP3 STLS (STARTTLS) patch applied before.
+Proposed to upstream via e-mail on Sat, 8 Mar 2014 14:30:29 +0100, patch was put into the upstream
+ticket https://jira.zarafa.com/browse/ZCP-12143.
+
--- zarafa-7.1.10/caldav/CalDAV.cpp 2014-05-23 15:56:36.000000000 +0200
+++ zarafa-7.1.10/caldav/CalDAV.cpp.rsc 2014-08-12 19:45:04.000000000 +0200
@@ -220,7 +220,9 @@
diff --git a/zarafa-7.1.10-webaccess-fail2ban.patch b/zarafa-7.1.10-webaccess-fail2ban.patch
new file mode 100644
index 0000000..b0bb26e
--- /dev/null
+++ b/zarafa-7.1.10-webaccess-fail2ban.patch
@@ -0,0 +1,38 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.0 which logs authentication
+failures of Zarafa WebAccess into the error log of the webserver. This is basically a backport of
+https://jira.zarafa.com/browse/WA-6908 from WebApp to WebAccess. In difference to original patch
+there is no inappropriate space before a punctuation mark also known as "plenken".
+
+The second part of this patch is a backport of Zarafa WebApp 1.6 which ensures that authentication
+is only performed if username and password are filled. This avoids a) strange looking results of
+error_log() from the first part and b) reduces the possible risk of denial of service given that
+PHP is not connecting the Zarafa server if not really needed.
+
+I guess the usage of isset() rather !empty() was accidential because isset() is always true once
+the HTTP POST via the login formular happens.
+
+Proposed to upstream via e-mail on Wed, 13 Aug 2014 22:56:09 +0200, patch was put into the upstream
+ticket https://jira.zarafa.com/browse/ZCP-12543.
+
+--- zarafa-7.1.10/php-webclient-ajax/client/login.php 2014-05-23 15:56:38.000000000 +0200
++++ zarafa-7.1.10/php-webclient-ajax/client/login.php 2014-08-13 22:11:38.000000000 +0200
+@@ -86,6 +86,8 @@
+ switch($_SESSION["hresult"]){
+ case MAPI_E_LOGON_FAILED:
+ case MAPI_E_UNCONFIGURED:
++ // Print error message to error_log of webserver
++ error_log('user '.$_POST["username"].': authentication failure at MAPI');
+ echo _("Logon failed, please check your name/password.");
+ break;
+ case MAPI_E_NETWORK_ERROR:
+--- zarafa-7.1.10/php-webclient-ajax/index.php 2014-05-23 15:56:38.000000000 +0200
++++ zarafa-7.1.10/php-webclient-ajax/index.php 2014-08-13 22:11:11.000000000 +0200
+@@ -153,7 +153,7 @@
+
+ // Create global mapi object. This object is used in many other files
+ $GLOBALS["mapisession"] = new MAPISession();
+- if (isset($_SESSION["username"]) && isset($_SESSION["password"])) {
++ if (!empty($_SESSION["username"]) && !empty($_SESSION["password"])) {
+ $sslcert_file = defined('SSLCERT_FILE') ? SSLCERT_FILE : null;
+ $sslcert_pass = defined('SSLCERT_PASS') ? SSLCERT_PASS : null;
+ $hresult = $GLOBALS["mapisession"]->logon($_SESSION["username"], $_SESSION["password"], DEFAULT_SERVER, $sslcert_file, $sslcert_pass);
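Review bot: in the login.php part, `error_log('user '.$_POST["username"].': authentication failure at MAPI')` writes the POST value unmodified, and since the stated purpose is to feed fail2ban, a username containing CR/LF or other control characters can split the entry into lines the fail2ban regex was not written for; strip them first (for example `preg_replace('/[^\x20-\x7e]/', '?', $_POST["username"])`) and guard with `isset()` so a request without that field does not add a PHP notice to the same log. fail2ban also needs a client address to act on, which works only where the web server prefixes the entry with `[client ...]` as mod_php under Apache does; logging `$_SERVER['REMOTE_ADDR']` explicitly would make the patch independent of that. In the index.php part, `empty()` treats the string `"0"` as empty, so a username or password that is literally `0` would now never reach `logon()`; `isset($_SESSION["username"]) && $_SESSION["username"] !== ''` (and likewise for the password) expresses the intended "filled" check without that edge case.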
diff --git a/zarafa-7.1.10-webaccess-mcrypt.patch b/zarafa-7.1.10-webaccess-mcrypt.patch
new file mode 100644
index 0000000..49bed4e
--- /dev/null
+++ b/zarafa-7.1.10-webaccess-mcrypt.patch
@@ -0,0 +1,58 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.10 which fixes the fix that fixes CVE-2014-0103. Ush,
+that was complicated, so: CVE-2014-0103 exists because Zarafa WebAccess < 7.1.10 and Zarafa WebApp < 1.6 storing passwords
+in cleartext on server (in the PHP session). Zarafa solved this flaw by using openssl_encrypt() and openssl_decrypt() from
+PHP's OpenSSL bindings. However these functions are only available in PHP 5.3 or later. Without this patch suggestion, any
+older but still supported Linux distribution like Red Hat Enterprise Linux 5 or SuSE Linux Enterprise Server 10 (which are
+both shipping PHP < 5.3 by default) would still be left vulnerable.
+
+Given that I am personally more a fan of OpenSSL rather mcrypt, I am not absolutely sure if this implementation is really
+correct even it works fine on my test system. So please explicitly review this code to avoid introducing another security
+flaw by trying to fix one! A thing that I generally question for myself is the usage of "des-ede3-cbc"/"MCRYPT_TRIPLEDES"
+instead of e.g. MCRYPT_RIJNDAEL_128. Given that this decision was initially made by Zarafa I am just following that here.
+
+Important: To get this patch really powerful the install-time requirement needs to be adapted like this (this example is
+based on Fedora's build system so the macros %{?rhel} and %{?fedora} might not exist at Zarafa but need to be replaced by
+other macros):
+
+%if 0%{?rhel}%{?fedora} < 6
+Requires: php-mcrypt
+%else
+Requires: php-openssl
+%endif
+
+This requires php-openssl (provided by php-common) on RHEL 6 (and later) and php-mcrypt (separate package) before RHEL 6.
+
+Proposed to upstream via e-mail on Thu, 5 Jun 2014 00:24:32 +0200, patch was put into the (non-disclosed) upstream ticket
+https://jira.zarafa.com/browse/ZCP-12407.
+
+--- zarafa-7.1.10/php-webclient-ajax/index.php 2014-05-23 15:56:38.000000000 +0200
++++ zarafa-7.1.10/php-webclient-ajax/index.php.webaccess-mcrypt 2014-06-05 00:08:18.000000000 +0200
+@@ -135,6 +135,8 @@
+ // if user has openssl module installed
+ if(function_exists("openssl_encrypt")) {
+ $_SESSION['password'] = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
++ } elseif(function_exists("mcrypt_encrypt")) {
++ $_SESSION['password'] = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
+ } else {
+ $_SESSION["password"] = $password;
+ }
+--- zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php 2014-05-23 15:56:38.000000000 +0200
++++ zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php.webaccess-mcrypt 2014-06-05 00:08:57.000000000 +0200
+@@ -132,6 +132,8 @@
+ if(is_string($username) && is_string($password)) {
+ if(function_exists("openssl_decrypt")) {
+ $password = openssl_decrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
++ } elseif(function_exists("mcrypt_decrypt")) {
++ $password = trim(mcrypt_decrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, base64_decode($password), MCRYPT_MODE_CBC, PASSWORD_IV));
+ }
+ // logon
+ $this->session = mapi_logon_zarafa($username, $password, $server, $sslcert_file, $sslcert_pass);
+@@ -139,6 +141,8 @@
+
+ if(function_exists("openssl_encrypt")) {
+ $password = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
++ } elseif(function_exists("mcrypt_encrypt")) {
++ $password = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
+ }
+
+ if ($result == NOERROR && $this->session !== false){
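Review bot: the mcrypt branch is not a drop-in equivalent of the OpenSSL branch, and the `trim()` around `mcrypt_decrypt()` is the symptom. mcrypt pads the plaintext with NUL bytes to the 8-byte 3DES block size (openssl_encrypt uses PKCS#7 padding), so padding has to be removed after decryption, but `trim()` with its default character list also strips leading and trailing spaces, tabs and newlines, so a password that starts or ends with whitespace will fail to log on; use `rtrim($plain, "\0")` instead. Two things to verify before merging: MCRYPT_TRIPLEDES requires a 24-byte key and an 8-byte IV, and while mcrypt before PHP 5.6 silently zero-pads a shorter PASSWORD_KEY, PHP 5.6 rejects wrong sizes with a warning and returns false, so check the constants' lengths rather than relying on that; and ciphertexts produced by the two branches are not interchangeable, which is harmless only as long as PHP is never upgraded underneath live sessions.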
diff --git a/zarafa-7.1.11-gsoap-sslv3.patch b/zarafa-7.1.11-gsoap-sslv3.patch
new file mode 100644
index 0000000..e4875ee
--- /dev/null
+++ b/zarafa-7.1.11-gsoap-sslv3.patch
@@ -0,0 +1,20 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for zarafa >= 7.1.11 which removes the Zarafa-
+specific override/limitation that forces SSLv3-only SOAP connection between the Zarafa services.
+The pristine gSOAP library itself uses SSLv23_method() instead and thus allows TLSv1.0, TLSv1.1
+as well as TLSv1.2.
+
+Proposed to upstream via e-mail on Wed, 2 Apr 2014 11:35:40 +0200, initial patch was put into the
+upstream ticket Ticket#2014040210000266.
+
+--- zarafa-7.1.11/provider/common/SOAPSock.cpp 2014-09-03 10:45:06.000000000 +0200
++++ zarafa-7.1.11/provider/common/SOAPSock.cpp.gsoap-sslv3 2015-02-18 01:15:50.000000000 +0100
+@@ -162,9 +162,6 @@
+
+ lpCmd->endpoint = strdup(strServerPath.c_str());
+
+- // override the gsoap default v23 method to the force safer v3 only method.
+- lpCmd->soap->ctx = SSL_CTX_new(SSLv3_method());
+-
+ #ifdef WITH_OPENSSL
+ if (strncmp("https:", lpCmd->endpoint, 6) == 0) {
+ // no need to add certificates to call, since soap also calls SSL_CTX_set_default_verify_paths()
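Review bot: removing the SSLv3_method() override restores gSOAP's SSLv23_method() context, which negotiates the highest version both sides support, but SSLv23_method() still offers SSLv3 unless SSL_OP_NO_SSLv3 is set on the context; confirm that the ssl_protocols handling from zarafa-7.1.10-ssl_protocols_ciphers.patch (or an explicit SSL_CTX_set_options() call) reaches this client-side context, otherwise a peer that still accepts SSLv3 can be negotiated down to it. The deletion also appears to fix a latent build problem, since the removed SSL_CTX_new() call sat outside the `#ifdef WITH_OPENSSL` guard that follows it.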
diff --git a/zarafa-7.1.11-plaintext_auth_localhost.patch b/zarafa-7.1.11-plaintext_auth_localhost.patch
index 9b6aae0..c5fefd3 100644
--- a/zarafa-7.1.11-plaintext_auth_localhost.patch
+++ b/zarafa-7.1.11-plaintext_auth_localhost.patch
@@ -15,6 +15,9 @@ Important: The technical implementation of this patch might be not perfect as I
C++ developer. There should be a code review by an experienced C/C++ developer before merging into
Zarafa core.
+Proposed to upstream via e-mail on Thu, 16 Oct 2014 00:00:05 +0200, patch was put into the upstream
+ticket https://jira.zarafa.com/browse/ZCP-12473.
+
--- zarafa-7.1.11/gateway/IMAP.cpp 2014-09-03 10:45:06.000000000 +0200
+++ zarafa-7.1.11/gateway/IMAP.cpp.plaintext_auth_localhost 2014-09-24 01:29:10.000000000 +0200
@@ -757,7 +757,7 @@
diff --git a/zarafa-7.1.11-vacation-headers.patch b/zarafa-7.1.11-vacation-headers.patch
new file mode 100644
index 0000000..924ff1d
--- /dev/null
+++ b/zarafa-7.1.11-vacation-headers.patch
@@ -0,0 +1,32 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.11 which restricts replies by
+zarafa-autorespond to automated processes and mailing lists according to RFC 5230, section 4.6. For
+further details please have a look to http://tools.ietf.org/html/rfc5230#page-8 as well.
+
+Proposed to upstream via e-mail on Wed, 27 Aug 2014 23:30:31 +0200, patch was put into the upstream
+ticket https://jira.zarafa.com/browse/ZCP-12590.
+
+--- zarafa-7.1.11/spooler/DAgent.cpp 2014-08-24 12:27:06.000000000 +0200
++++ zarafa-7.1.11/spooler/DAgent.cpp.vacation-headers 2014-08-27 23:20:18.000000000 +0200
+@@ -1422,11 +1422,19 @@
+
+ // See if we're looping
+ if (lpMessageProps[0].ulPropTag == PR_TRANSPORT_MESSAGE_HEADERS_A) {
+- if ( (strstr(lpMessageProps[0].Value.lpszA, "X-Zarafa-Vacation:") != NULL) ||
+- (strstr(lpMessageProps[0].Value.lpszA, "Auto-Submitted:") != NULL) ||
+- (strstr(lpMessageProps[0].Value.lpszA, "Precedence:") != NULL) )
++ if ( (strstr(lpMessageProps[0].Value.lpszA, "X-Zarafa-Vacation:") != NULL) || // Zarafa
++ (strstr(lpMessageProps[0].Value.lpszA, "Auto-Submitted:") != NULL) || // RFC 3834
++ (strstr(lpMessageProps[0].Value.lpszA, "List-Id:") != NULL) || // RFC 2919
++ (strstr(lpMessageProps[0].Value.lpszA, "List-Help:") != NULL) || // RFC 2369
++ (strstr(lpMessageProps[0].Value.lpszA, "List-Subscribe:") != NULL) || // RFC 2369
++ (strstr(lpMessageProps[0].Value.lpszA, "List-Unsubscribe:") != NULL) || // RFC 2369
++ (strstr(lpMessageProps[0].Value.lpszA, "List-Post:") != NULL) || // RFC 2369
++ (strstr(lpMessageProps[0].Value.lpszA, "List-Owner:") != NULL) || // RFC 2369
++ (strstr(lpMessageProps[0].Value.lpszA, "List-Archive:") != NULL) || // RFC 2369
++ (strstr(lpMessageProps[0].Value.lpszA, "Precedence:") != NULL) ) // RFC 3834
+ // Vacation header already present, do not send vacation reply
+ // Precedence: list/bulk/junk, do not reply to these mails
++ // See also http://tools.ietf.org/html/rfc5230#page-8 for details
+ goto exit;
+ // save headers to a file so they can also be tested from the script we're runing
+ snprintf(szTemp, PATH_MAX, "%s/autorespond-headers.XXXXXX", getenv("TEMP") == NULL ? "/tmp" : getenv("TEMP"));
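Review bot: the added checks are case-sensitive substring matches, so `list-id:` or `LIST-UNSUBSCRIBE:` from a sender that does not use the canonical capitalization still receives a vacation reply; RFC 5322 field names are case-insensitive, so strcasestr() (available on the glibc systems this package targets) or an explicit case-fold is needed here and for the three checks that were already present. The condition has also grown to ten near-identical lines; a static table of header names walked in a loop would make the next RFC 2369 header a one-line addition. Finally, `Auto-Submitted:` also matches `Auto-Submitted: no`, which RFC 3834 defines as an ordinary non-automatic message; matching `Auto-Submitted: auto-` would be precise, though that was already the behaviour before this patch.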
diff --git a/zarafa-7.1.11-vacation-headers2.patch b/zarafa-7.1.11-vacation-headers2.patch
new file mode 100644
index 0000000..7fcae17
--- /dev/null
+++ b/zarafa-7.1.11-vacation-headers2.patch
@@ -0,0 +1,44 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.11 which adds anti-loop headers
+for automatic responses by zarafa-autorespond for Microsoft Exchange and all vacation(1) compatible
+implementations.
+
+For the Microsoft Exchange related part useful links are:
+ - http://msdn.microsoft.com/en-us/library/ee219609(v=exchg.80).aspx
+ - https://www.jitbit.com/maxblog/18-detecting-outlook-autoreplyout-of-office-emails-and-x-auto-response-suppress-header/
+
+For vacation(1) compatible implementations useful links are:
+ - http://www.daemon-systems.org/man/vacation.1.html
+ - Book "sendmail" (written by Bryan Costales, Claus Assmann, George Jansen, Gregory Neil Shapiro), ISBN 0596555342
+
+Proposed to upstream via e-mail on Wed, 27 Aug 2014 23:59:58 +0200, patch was put into the upstream
+ticket https://jira.zarafa.com/browse/ZCP-12591.
+
+--- zarafa-7.1.11/spooler/DAgent.cpp 2014-08-24 12:27:06.000000000 +0200
++++ zarafa-7.1.11/spooler/DAgent.cpp.vacation-headers2 2014-08-27 23:52:42.000000000 +0200
+@@ -1469,12 +1469,25 @@
+ if (hr != hrSuccess)
+ goto exit;
+
+- // add anti-loop header
++ // add anti-loop header for Zarafa
+ snprintf(szHeader, PATH_MAX, "\nX-Zarafa-Vacation: autorespond");
+ hr = WriteOrLogError(fd, szHeader, strlen(szHeader));
+ if (hr != hrSuccess)
+ goto exit;
+
++ // add anti-loop header for Exchange, see http://msdn.microsoft.com/en-us/library/ee219609(v=exchg.80).aspx
++ snprintf(szHeader, PATH_MAX, "\nX-Auto-Response-Suppress: All");
++ hr = WriteOrLogError(fd, szHeader, strlen(szHeader));
++ if (hr != hrSuccess)
++ goto exit;
++
++ // add anti-loop header for vacation(1) compatible implementations, see section 10.9 of book "sendmail" (written
++ // by Bryan Costales, Claus Assmann, George Jansen, Gregory Neil Shapiro), ISBN 0596555342
++ snprintf(szHeader, PATH_MAX, "\nPrecedence: bulk");
++ hr = WriteOrLogError(fd, szHeader, strlen(szHeader));
++ if (hr != hrSuccess)
++ goto exit;
++
+ if (lpMessageProps[3].ulPropTag == PR_SUBJECT_W) {
+ // convert as one string because of [] characters
+ swprintf(szwHeader, PATH_MAX, L"%ls [%ls]", szSubject, lpMessageProps[3].Value.lpszW);
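Review bot: the three header blocks repeat the snprintf/WriteOrLogError/goto sequence verbatim; a small helper taking the header string would keep the function readable as more anti-loop headers are added. More important for loop prevention: the companion vacation-headers patch suppresses replies when it sees an `Auto-Submitted:` header, but nothing in this hunk writes `Auto-Submitted: auto-replied` (RFC 3834, section 5) into Zarafa's own responses. Unless that is written elsewhere in this function, other RFC 3834 implementations will not recognize these responses as automatic, while `Precedence: bulk` and `X-Auto-Response-Suppress: All` only cover vacation(1) and Exchange respectively.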
diff --git a/zarafa-7.1.9-ssl_ecdhe.patch b/zarafa-7.1.9-ssl_ecdhe.patch
index f1a1a8e..6596637 100644
--- a/zarafa-7.1.9-ssl_ecdhe.patch
+++ b/zarafa-7.1.9-ssl_ecdhe.patch
@@ -22,6 +22,9 @@ by an experienced C/C++ and OpenSSL developer before merging into Zarafa core.
This patch should be only applied after ZCP-12143 and its dependencies. However this patch might maybe
not directly apply due to some previous merge issues as mentioned in Ticket#2014030810000131.
+Proposed to upstream via e-mail on Mon, 14 Apr 2014 12:04:17 +0200, patch was put into the upstream
+ticket https://jira.zarafa.com/browse/ZCP-12237.
+
--- zarafa-7.1.9/common/ECChannel.cpp 2014-04-13 23:46:59.000000000 +0200
+++ zarafa-7.1.9/common/ECChannel.cpp.ssl_ecdhe 2014-04-13 23:59:43.000000000 +0200
@@ -97,6 +97,9 @@
diff --git a/zarafa.spec b/zarafa.spec
index 13819dc..4bbf0e1 100644
--- a/zarafa.spec
+++ b/zarafa.spec
@@ -1,5 +1,5 @@
%global beta_or_rc 0
-%global actual_release 2
+%global actual_release 3
%global svnrevision 46050
%global with_search 1
%global with_ldap 1
@@ -60,6 +60,13 @@ Patch2: zarafa-7.1.10-kyotocabinet.patch
Patch3: zarafa-7.1.10-ssl_protocols_ciphers.patch
Patch4: zarafa-7.1.9-ssl_ecdhe.patch
Patch5: zarafa-7.1.11-plaintext_auth_localhost.patch
+Patch6: zarafa-7.1.10-imap-badcharset.patch
+Patch7: zarafa-7.1.10-imap-fetch-body.patch
+Patch8: zarafa-7.1.11-vacation-headers.patch
+Patch9: zarafa-7.1.11-vacation-headers2.patch
+Patch10: zarafa-7.1.10-webaccess-fail2ban.patch
+Patch11: zarafa-7.1.10-webaccess-mcrypt.patch
+Patch12: zarafa-7.1.11-gsoap-sslv3.patch
BuildRequires: bison
BuildRequires: gcc-c++
@@ -315,7 +322,7 @@ Group: Applications/Productivity
Requires: httpd, php-mapi = %{version}-%{release}
# Bug: php53 from RHEL 5 does not provide php (#717158)
%if 0%{?rhel} == 5
-Requires: mod_php >= 4.3
+Requires: mod_php >= 4.3, php-mcrypt
%else
Requires: php >= 4.3, php-openssl
%endif
@@ -391,6 +398,14 @@ touch -c -r aclocal.m4.rpath aclocal.m4
%patch3 -p1 -b .ssl_protocols_ciphers
%patch4 -p1 -b .ssl_ecdhe
%patch5 -p1 -b .disable_plaintext_auth-localhost
+%patch6 -p1 -b .imap-badcharset
+%patch7 -p1 -b .imap-fetch-body
+%patch8 -p1 -b .vacation-headers
+%patch9 -p1 -b .vacation-headers2
+%patch10 -p1 -b .webaccess-fail2ban
+%patch11 -p1 -b .webaccess-mcrypt
+rm -f php-webclient-ajax/{.,*,*/*}/*.webaccess-*
+%patch12 -p1 -b .gsoap-sslv3
%build
%if 0%{?rhel}%{?fedora} < 6
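Review bot: the `rm -f php-webclient-ajax/{.,*,*/*}/*.webaccess-*` cleanup is needed, because the `-b` backups of index.php, client/login.php and server/core/class.mapisession.php would otherwise remain in the build tree and, wherever the web client directory is packaged by glob, be installed beside the live files under the web root, where a `.php.webaccess-*` copy is not handled by PHP and exposes the pre-patch source. The brace glob only reaches two directory levels, which happens to match exactly the paths these two patches touch; `find php-webclient-ajax -name '*.webaccess-*' -delete` does not depend on that depth and would not silently stop working for a future webaccess patch. Applying patch12 after the cleanup is fine, since it does not touch the web client.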
@@ -725,7 +740,8 @@ fi
%files common
%defattr(-,root,root,-)
-%doc installer/licenseagreement/AGPL-3
+%{!?_licensedir:%global license %%doc}
+%license installer/licenseagreement/AGPL-3
%dir %{_sysconfdir}/%{name}/
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
@@ -934,6 +950,10 @@ fi
%{python_sitearch}/*
%changelog
+* Sun Feb 22 2015 Robert Scheck <robert at fedoraproject.org> 7.1.11-3
+- Added multiple minor enhancement and bugfix patches
+- Added patch to fix CVE-2014-0103 for PHP < 5.3 (#1073618)
+
* Sat Oct 25 2014 Kevin Kofler <Kevin at tigcc.ticalc.org> 7.1.11-2
- Rebuild for reference-counting-enabled clucene09
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/zarafa.git/commit/?h=el6&id=ce0e01723f2fe9e281c4e63436caa81558cb7a9f