robert pushed to zarafa (el5). "Merge remote branch 'origin/master' into f21"
notifications at fedoraproject.org
Tue Apr 7 18:41:49 UTC 2015
From e638a4f4d66a7f1f9c1615decfababd8809418d6 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon at redhat.com>
Date: Tue, 26 Aug 2014 13:57:47 +0200
Subject: rebuild for ICU 53.1
diff --git a/zarafa.spec b/zarafa.spec
index 2750d7f..3da0cf1 100644
--- a/zarafa.spec
+++ b/zarafa.spec
@@ -1,5 +1,5 @@
%global beta_or_rc 0
-%global actual_release 4
+%global actual_release 5
%global svnrevision 44973
%global with_search 1
%global with_ldap 1
@@ -916,6 +916,9 @@ fi
%{python_sitearch}/*
%changelog
+* Tue Aug 26 2014 David Tardon <dtardon at redhat.com> - 7.1.10-5
+- rebuild for ICU 53.1
+
* Mon Aug 25 2014 Robert Scheck <robert at fedoraproject.org> 7.1.10-4
- Fixed multiple incorrect default permissions (#1133439)
--
cgit v0.10.2
From 07cc7867537d78ea274413b6b2f451f97a61a8e0 Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert at fedoraproject.org>
Date: Wed, 15 Oct 2014 03:13:44 +0200
Subject: - Upgrade to 7.1.11 (#1139442)
- Removed bundled PHP PEAR files/libraries
- Added patch to allow mitigation of SSLv3/POODLE vulnerability
- Added patch to implement ECDHE support (depending on OpenSSL)
- Added patch to allow plaintext authentication from 127.0.0.1
diff --git a/zarafa-7.0.9-rpath.patch b/zarafa-7.0.9-rpath.patch
deleted file mode 100644
index 47c5c3b..0000000
--- a/zarafa-7.0.9-rpath.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-Patch by Robert Scheck <robert at fedoraproject.org> for zarafa >= 7.0.9, which works
-around the broken libtool of Debian. Multilib/multiarch systems like Fedora or Red
-Hat Enterprise Linux are using /usr/lib64 for 64 bit libraries and /usr/lib is used
-for 32 bit libraries. That allows to run 32 bit software on 64 bit systems. Debian
-systems only use /usr/lib which contains only 32 or 64 bit systems depending on the
-architecture.
-
-Libtool hardcodes the runtime search path in a library (rpath), if the library that
-is used for linking is not within the default system library path. The result is,
-that if aclocal.m4/configure files are generated by a Debian system, but used on a
-Fedora or Red Hat Enterprise Linux 64 bit system for compiling, "-rpath /usr/lib64"
-makes it into the binary.
-
-Fedora and EPEL (for Red Hat Enterprise Linux) do not allow binaries with rpath, as
-the Linux dynamic linker is usually smarter than the hardcoded path.
-
-The fix for this issue is to add the optional /lib64 and /usr/lib64 directories at/
-within libtool in front of the regular /lib and /usr/lib directories at the system
-library path. These libtool information are hold in aclocal.m4, which is generated
-by running aclocal. As the content of aclocal.m4 is included into configure during
-a run of autoconf, aclocal.m4 needs to be modified within the upstream build system
-each time after a aclocal run - until Debian's libtool is fixed at Debian upstream.
-
-Applying the fix is either possible by using the first hunk of the patch (second
-hunk is runtime-only if configure file has been already generated) or by running
-the following sed command after each aclocal run within the upstream build system:
-
- sed -e 's@\(# Append ld.so.conf contents to the search path\)@# Add ABI-specific directories to the system library path.\n sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"\n\n \1@' \
- -e 's@/lib /usr/lib $lt_ld_extra@$sys_lib_dlsearch_path_spec $lt_ld_extra@' -i zarafa-6.40.5/aclocal.m4
-
-More information regarding this topic can be found for example at:
-
- - http://osdir.com/ml/bug-libtool-gnu/2009-12/msg00034.html
- - http://lists.gnu.org/archive/html/libtool/2009-01/msg00039.html
- - http://thread.gmane.org/gmane.comp.gnu.libtool.general/8339/focus=8345
-
---- zarafa-7.0.9/aclocal.m4 2012-08-03 13:58:18.000000000 +0200
-+++ zarafa-7.0.9/aclocal.m4.rpath 2012-08-12 22:57:31.000000000 +0200
-@@ -2485,10 +2485,13 @@
- # before this can be enabled.
- hardcode_into_libs=yes
-
-+ # Add ABI-specific directories to the system library path.
-+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
-+
- # Append ld.so.conf contents to the search path
- if test -f /etc/ld.so.conf; then
- lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
-- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-+ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
- fi
-
- # We used to test for /lib/ld.so.1 and disable shared libraries on
---- zarafa-7.0.9/configure 2012-08-03 13:58:18.000000000 +0200
-+++ zarafa-7.0.9/configure.rpath 2012-08-12 22:59:05.000000000 +0200
-@@ -10097,10 +10097,13 @@
- # before this can be enabled.
- hardcode_into_libs=yes
-
-+ # Add ABI-specific directories to the system library path.
-+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
-+
- # Append ld.so.conf contents to the search path
- if test -f /etc/ld.so.conf; then
- lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
-- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-+ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
- fi
-
- # We used to test for /lib/ld.so.1 and disable shared libraries on
-@@ -15288,10 +15291,13 @@
- # before this can be enabled.
- hardcode_into_libs=yes
-
-+ # Add ABI-specific directories to the system library path.
-+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
-+
- # Append ld.so.conf contents to the search path
- if test -f /etc/ld.so.conf; then
- lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
-- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-+ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
- fi
-
- # We used to test for /lib/ld.so.1 and disable shared libraries on
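Review bot: Dropping zarafa-7.0.9-rpath.patch is not mentioned in the commit message or the changelog, so it is unclear whether the 7.1.11 tarball's aclocal.m4/configure stopped putting "-rpath /usr/lib64" into the binaries or whether the patch simply no longer applied. Add a changelog line stating the reason, and confirm on an x86_64 build that no rpath lands in the installed libraries before this deletion goes in.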
diff --git a/zarafa-7.1.10-mariadb.patch b/zarafa-7.1.10-mariadb.patch
deleted file mode 100644
index 419017a..0000000
--- a/zarafa-7.1.10-mariadb.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Patch by Robert Scheck <robert at fedoraproject.org> for zarafa >= 7.1.10 which really (!) adds support for
-MariaDB. In theory, Zarafa 7.1.10 supports MariaDB, see https://jira.zarafa.com/browse/ZCP-11934 for some
-upstream details. However it poorly fails if really trying it with e.g. MariaDB 5.5.38:
-
-Jul 10 23:40:40 tux zarafa-server[24633]: SQL [00000002] result failed: BIGINT UNSIGNED value is out of range in '(`zarafa`.`properties`.`tag` - 0x8501)', Query: "SELECT 0,properties.tag,properties.type,properties.val_ulong,properties.val_string,properties.val_binary,properties.val_double,properties.val_longint,properties.val_hi,properties.val_lo, hierarchyid, names.nameid, names.namestring, names.guid FROM properties FORCE INDEX (PRIMARY) LEFT JOIN names ON (properties.tag-0x8501)=names.id WHERE hierarchyid=3 AND (tag <= 0x8500 OR names.id IS NOT NULL)"
-Jul 10 23:40:40 tux zarafa-server[24633]: SQL [00000004] result failed: BIGINT UNSIGNED value is out of range in '(`zarafa`.`properties`.`tag` - 0x8501)', Query: "SELECT 0,properties.tag,properties.type,properties.val_ulong,properties.val_string,properties.val_binary,properties.val_double,properties.val_longint,properties.val_hi,properties.val_lo, hierarchyid, names.nameid, names.namestring, names.guid FROM properties FORCE INDEX (PRIMARY) LEFT JOIN names ON (properties.tag-0x8501)=names.id WHERE hierarchyid=4 AND (tag <= 0x8500 OR names.id IS NOT NULL)"
-Jul 10 23:40:40 tux zarafa-server[24633]: SQL [00000006] result failed: BIGINT UNSIGNED value is out of range in '(`zarafa`.`properties`.`tag` - 0x8501)', Query: "SELECT 0,properties.tag,properties.type,properties.val_ulong,properties.val_string,properties.val_binary,properties.val_double,properties.val_longint,properties.val_hi,properties.val_lo, hierarchyid, names.nameid, names.namestring, names.guid FROM properties FORCE INDEX (PRIMARY) LEFT JOIN names ON (properties.tag-0x8501)=names.id WHERE hierarchyid=4 AND (tag <= 0x8500 OR names.id IS NOT NULL)"
-
-Even this might not be a clean solution it at least makes Zarafa usable with MariaDB - which is important
-nowadays as Red Hat Enterprise Linux and CentOS 7 are only shipping MariaDB by default rather MySQL.
-
---- zarafa-7.1.10/provider/libserver/ECDatabaseMySQL.cpp 2014-05-23 15:56:38.000000000 +0200
-+++ zarafa-7.1.10/provider/libserver/ECDatabaseMySQL.cpp.mariadb 2014-07-10 23:44:19.000000000 +0200
-@@ -628,7 +628,7 @@
-
- if (m_lpMySQL.server_version && m_lpMySQL.server_version[0] >= '5') {
- // this option was introduced in mysql 5.0, so let's not even try on 4.1 servers
-- strQuery = "SET SESSION sql_mode = 'STRICT_ALL_TABLES'";
-+ strQuery = "SET SESSION sql_mode = 'STRICT_ALL_TABLES,NO_UNSIGNED_SUBTRACTION'";
- Query(strQuery); // ignore error
- }
-
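Review bot: Removing zarafa-7.1.10-mariadb.patch without a note leaves open whether 7.1.11 sets NO_UNSIGNED_SUBTRACTION in sql_mode itself; if it does not, the "BIGINT UNSIGNED value is out of range in '(`zarafa`.`properties`.`tag` - 0x8501)'" failures quoted in the deleted header come back on MariaDB-only hosts (RHEL/CentOS 7). State the upstream fix in the changelog, or keep the patch until a MariaDB run confirms the join works.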
diff --git a/zarafa-7.1.10-ssl_protocols_ciphers.patch b/zarafa-7.1.10-ssl_protocols_ciphers.patch
new file mode 100644
index 0000000..756d2fd
--- /dev/null
+++ b/zarafa-7.1.10-ssl_protocols_ciphers.patch
@@ -0,0 +1,446 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.10 which implements much more
+fine granulated configuration settings for SSL/TLS protocol and cipher enabling and disabling. The
+currently available "ssl_enable_v2" setting allows either to disable SSLv2 (and enables SSLv3 only
+instead) or to enable all, thus SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 (TLSv1.1 and TLSv1.2 only
+if Zarafa was linked against OpenSSL 1.0.1 or later). Since SSLv2 has known protocol weaknesses it
+never should be enabled - but for Zarafa it currently must be enabled to support TLSv1 and better.
+
+This patch introduces the new setting "ssl_protocols" which replaces "ssl_enable_v2". The default
+is "!SSLv2" to simply disable SSLv2 by default. The setting can be filled either with SSL protocols
+that shall be enabled and/or disabled, e.g. "SSLv3 TLSv1" or "!SSLv2 !SSLv3". However only the more
+usual disable/exclude option should be used as this does not exclude future protocols by default.
+
+Further this patch introduces the completely new setting "ssl_ciphers". This one allows to set SSL
+cipher suites. Right now, all SSL ciphers are accepted which is just weak or might Zarafa even make
+even vulnerable to known SSL attacks. The German Federal Office for Information Security (BSI) says
+that RC4 should not be used anymore - but Zarafa does it by default. And without this patch there
+is also no way for Zarafa administrators to avoid that. Indeed this setting has the risk to get the
+administrators ending up in a cipher mismatch between different systems but this new setting still
+could be declared as officially unsupported and only for the brave ones who know what they do. Thus
+the default is already set to something less weak than before but still below BSI recommendations.
+
+Finally this patch introduces the also new setting "ssl_prefer_server_ciphers". It does what it is
+named after: When choosing a cipher during an SSL/TLS handshake, normally the client's preference
+is used. If this setting is enabled, the server's preference will be used instead. This comes handy
+to administrators for strange cipher orderings required for special configurations and clients - or
+new weaknesses where workarounds are required for the time being.
+
+Testing: Configure zarafa-gateway, zarafa-ical and zarafa-server for cleartext and SSL as usual.
+Try to login via POP3S, IMAPS, CalDAV-SSL and MAPI in SOAP over HTTPS. Change SSL protocols and the
+ciphers to something more weak ("SSLv2" and "LOW") or to something more strong ("TLSv1.2" and e.g.
+"HIGH"). During all my tests I did not figure out any newly introduced issue or Zarafa breakage.
+
+Important: The technical implementation of this patch might be not perfect as I am not really a C/
+C++ developer. The logic and the implementation is heavily based on Dovecot, Postfix and hints from
+https://docs.fedoraproject.org/en-US/Fedora_Security_Team/html/Defensive_Coding/. There should be
+a code review and code clean up by an experienced C/C++ developer before merging into Zarafa core.
+
+This patch should be only applied in conjuction with the POP3 RESP-CODES and AUTH-RESP-CODE patch,
+the POP3 CAPA (CAPABILITIES) patch as well as the POP3 STLS (STARTTLS) patch applied before.
+
+--- zarafa-7.1.10/caldav/CalDAV.cpp 2014-05-23 15:56:36.000000000 +0200
++++ zarafa-7.1.10/caldav/CalDAV.cpp.rsc 2014-08-12 19:45:04.000000000 +0200
+@@ -220,7 +220,9 @@
+ { "log_timestamp", "1" },
+ { "ssl_private_key_file", "/etc/zarafa/ical/privkey.pem" },
+ { "ssl_certificate_file", "/etc/zarafa/ical/cert.pem" },
+- { "ssl_enable_v2", "no" },
++ { "ssl_protocols", "!SSLv2" },
++ { "ssl_ciphers", "ALL:!LOW:!SSLv2:!EXP:!aNULL" },
++ { "ssl_prefer_server_ciphers", "no" },
+ { "ssl_verify_client", "no" },
+ { "ssl_verify_file", "" },
+ { "ssl_verify_path", "" },
+--- zarafa-7.1.10/common/ECChannel.cpp 2014-05-23 15:56:36.000000000 +0200
++++ zarafa-7.1.10/common/ECChannel.cpp.rsc 2014-08-12 19:48:00.000000000 +0200
+@@ -92,6 +92,11 @@
+ HRESULT hr = hrSuccess;
+ char *szFile = NULL;
+ char *szPath = NULL;
++ char *ssl_protocols = strdup(lpConfig->GetSetting("ssl_protocols"));
++ char *ssl_ciphers = lpConfig->GetSetting("ssl_ciphers");
++ char *ssl_name;
++ int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
++ bool ssl_neg;
+
+ if (lpConfig == NULL) {
+ hr = MAPI_E_CALL_FAILED;
+@@ -107,11 +112,79 @@
+ SSL_load_error_strings();
+ lpCTX = SSL_CTX_new(SSLv23_server_method());
+ SSL_CTX_set_options(lpCTX, SSL_OP_ALL);
+- SSL_CTX_set_default_verify_paths(lpCTX);
+
+- // disable SSLv2 support
+- if (!parseBool(lpConfig->GetSetting("ssl_enable_v2", "", "no")))
+- SSL_CTX_set_options(lpCTX, SSL_OP_NO_SSLv2);
++ ssl_name = strtok(ssl_protocols, " ");
++ while(ssl_name != NULL) {
++ if (*ssl_name != '!')
++ ssl_neg = FALSE;
++ else {
++ ssl_name++;
++ ssl_neg = TRUE;
++ }
++
++ if (strcasecmp(ssl_name, SSL_TXT_SSLV2) == 0)
++ ssl_proto = 0x01;
++ else if (strcasecmp(ssl_name, SSL_TXT_SSLV3) == 0)
++ ssl_proto = 0x02;
++ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1) == 0)
++ ssl_proto = 0x04;
++#ifdef SSL_TXT_TLSV1_1
++ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_1) == 0)
++ ssl_proto = 0x08;
++#endif
++#ifdef SSL_TXT_TLSV1_2
++ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_2) == 0)
++ ssl_proto = 0x10;
++#endif
++ else {
++ lpLogger->Log(EC_LOGLEVEL_ERROR, "Unknown protocol '%s' in ssl_protocols setting", ssl_name);
++ hr = MAPI_E_CALL_FAILED;
++ goto exit;
++ }
++
++ if (ssl_neg)
++ ssl_exclude |= ssl_proto;
++ else
++ ssl_include |= ssl_proto;
++
++ ssl_name = strtok(NULL, " ");
++ }
++
++ if (ssl_include != 0) {
++ // Exclude everything, except those that are included (and let excludes still override those)
++ ssl_exclude |= 0x1f & ~ssl_include;
++ }
++
++ if ((ssl_exclude & 0x01) != 0)
++ ssl_op |= SSL_OP_NO_SSLv2;
++ if ((ssl_exclude & 0x02) != 0)
++ ssl_op |= SSL_OP_NO_SSLv3;
++ if ((ssl_exclude & 0x04) != 0)
++ ssl_op |= SSL_OP_NO_TLSv1;
++#ifdef SSL_OP_NO_TLSv1_1
++ if ((ssl_exclude & 0x08) != 0)
++ ssl_op |= SSL_OP_NO_TLSv1_1;
++#endif
++#ifdef SSL_OP_NO_TLSv1_2
++ if ((ssl_exclude & 0x10) != 0)
++ ssl_op |= SSL_OP_NO_TLSv1_2;
++#endif
++
++ if (ssl_protocols) {
++ SSL_CTX_set_options(lpCTX, ssl_op);
++ }
++
++ if (ssl_ciphers && SSL_CTX_set_cipher_list(lpCTX, ssl_ciphers) != 1) {
++ lpLogger->Log(EC_LOGLEVEL_ERROR, "Can not set SSL cipher list to '%s': %s", ssl_ciphers, ERR_error_string(ERR_get_error(), 0));
++ hr = MAPI_E_CALL_FAILED;
++ goto exit;
++ }
++
++ if (parseBool(lpConfig->GetSetting("ssl_prefer_server_ciphers"))) {
++ SSL_CTX_set_options(lpCTX, SSL_OP_CIPHER_SERVER_PREFERENCE);
++ }
++
++ SSL_CTX_set_default_verify_paths(lpCTX);
+
+ if (SSL_CTX_use_certificate_chain_file(lpCTX, lpConfig->GetSetting("ssl_certificate_file")) != 1) {
+ lpLogger->Log(EC_LOGLEVEL_ERROR, "SSL CTX certificate file error: %s", ERR_error_string(ERR_get_error(), 0));
+--- zarafa-7.1.10/doc/manual.xml 2014-05-23 15:01:13.000000000 +0200
++++ zarafa-7.1.10/doc/manual.xml.rsc 2014-08-12 19:45:04.000000000 +0200
+@@ -4226,11 +4226,33 @@
+ </varlistentry>
+
+ <varlistentry>
+- <term><option>server_ssl_enable_v2</option></term>
++ <term><option>server_ssl_protocols</option></term>
+ <listitem>
+- <para>Incoming SSL connections normally are v3.</para>
+- <para>Default: <replaceable>no</replaceable>
+- </para>
++ <para>Disabled or enabled protocol names. Supported protocol names
++ are <replaceable>SSLv2</replaceable>, <replaceable>SSLv3</replaceable>
++ and <replaceable>TLSv1</replaceable>. If Zarafa was linked against
++ OpenSSL 1.0.1 or later there is additional support for the new protocols
++ <replaceable>TLSv1.1</replaceable> and <replaceable>TLSv1.2</replaceable>.
++ To exclude both, SSLv2 and SSLv3 set <option>server_ssl_protocols</option>
++ to <replaceable>!SSLv2 !SSLv3</replaceable>. SSLv2 is considered unsafe
++ and these connections should not be accepted.</para>
++ <para>Default: <replaceable>!SSLv2</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>server_ssl_ciphers</option></term>
++ <listitem>
++ <para>SSL ciphers to use, set to <replaceable>ALL</replaceable> for backward compatibility.</para>
++ <para>Default: <replaceable>ALL:!LOW:!SSLv2:!EXP:!aNULL</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>server_ssl_prefer_server_ciphers</option></term>
++ <listitem>
++ <para>Prefer the server's order of SSL ciphers over client's.</para>
++ <para>Default: <replaceable>no</replaceable></para>
+ </listitem>
+ </varlistentry>
+
+@@ -8070,11 +8092,32 @@
+ </varlistentry>
+
+ <varlistentry>
+- <term><option>ssl_enable_v2</option></term>
++ <term><option>ssl_protocols</option></term>
++ <listitem>
++ <para>Disabled or enabled protocol names. Supported protocol names
++ are <replaceable>SSLv2</replaceable>, <replaceable>SSLv3</replaceable>
++ and <replaceable>TLSv1</replaceable>. If Zarafa was linked against
++ OpenSSL 1.0.1 or later there is additional support for the new protocols
++ <replaceable>TLSv1.1</replaceable> and <replaceable>TLSv1.2</replaceable>.
++ To exclude both, SSLv2 and SSLv3 set <option>ssl_protocols</option>
++ to <replaceable>!SSLv2 !SSLv3</replaceable>. SSLv2 is considered unsafe
++ and these connections should not be accepted.</para>
++ <para>Default: <replaceable>!SSLv2</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>ssl_ciphers</option></term>
++ <listitem>
++ <para>SSL ciphers to use, set to <replaceable>ALL</replaceable> for backward compatibility.</para>
++ <para>Default: <replaceable>ALL:!LOW:!SSLv2:!EXP:!aNULL</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>ssl_prefer_server_ciphers</option></term>
+ <listitem>
+- <para>Accept SSLv2 only connections. SSLv2 is considered
+- unsafe, and these connections should not be
+- accepted.</para>
++ <para>Prefer the server's order of SSL ciphers over client's.</para>
+ <para>Default: <replaceable>no</replaceable></para>
+ </listitem>
+ </varlistentry>
+@@ -10075,11 +10118,32 @@
+ </varlistentry>
+
+ <varlistentry>
+- <term><option>ssl_enable_v2</option></term>
++ <term><option>ssl_protocols</option></term>
++ <listitem>
++ <para>Disabled or enabled protocol names. Supported protocol names
++ are <replaceable>SSLv2</replaceable>, <replaceable>SSLv3</replaceable>
++ and <replaceable>TLSv1</replaceable>. If Zarafa was linked against
++ OpenSSL 1.0.1 or later there is additional support for the new protocols
++ <replaceable>TLSv1.1</replaceable> and <replaceable>TLSv1.2</replaceable>.
++ To exclude both, SSLv2 and SSLv3 set <option>ssl_protocols</option>
++ to <replaceable>!SSLv2 !SSLv3</replaceable>. SSLv2 is considered unsafe
++ and these connections should not be accepted.</para>
++ <para>Default: <replaceable>!SSLv2</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>ssl_ciphers</option></term>
++ <listitem>
++ <para>SSL ciphers to use, set to <replaceable>ALL</replaceable> for backward compatibility.</para>
++ <para>Default: <replaceable>ALL:!LOW:!SSLv2:!EXP:!aNULL</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>ssl_prefer_server_ciphers</option></term>
+ <listitem>
+- <para>Accept SSLv2 only connections. SSLv2 is considered
+- unsafe, and these connections should not be
+- accepted.</para>
++ <para>Prefer the server's order of SSL ciphers over client's.</para>
+ <para>Default: <replaceable>no</replaceable></para>
+ </listitem>
+ </varlistentry>
+--- zarafa-7.1.10/gateway/Gateway.cpp 2014-05-23 15:56:37.000000000 +0200
++++ zarafa-7.1.10/gateway/Gateway.cpp.rsc 2014-08-12 19:45:04.000000000 +0200
+@@ -365,7 +365,9 @@
+ { "ssl_verify_client", "no" },
+ { "ssl_verify_file", "" },
+ { "ssl_verify_path", "" },
+- { "ssl_enable_v2", "no" },
++ { "ssl_protocols", "!SSLv2" },
++ { "ssl_ciphers", "ALL:!LOW:!SSLv2:!EXP:!aNULL" },
++ { "ssl_prefer_server_ciphers", "no" },
+ { "log_method", "file" },
+ { "log_file", "-" },
+ { "log_level", "2", CONFIGSETTING_RELOADABLE },
+--- zarafa-7.1.10/installer/linux/gateway.cfg 2014-05-23 15:03:19.000000000 +0200
++++ zarafa-7.1.10/installer/linux/gateway.cfg.rsc 2014-08-12 19:45:04.000000000 +0200
+@@ -84,8 +84,14 @@
+ ssl_verify_file =
+ ssl_verify_path =
+
+-# Accept SSLv2 only incoming connections
+-ssl_enable_v2 = no
++# SSL protocols to use, set to '!SSLv2' for 'ssl_enable_v2 = no'
++ssl_protocols = !SSLv2
++
++# SSL ciphers to use, set to 'ALL' for backward compatibility
++ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
++
++# Prefer the server's order of SSL ciphers over client's
++ssl_prefer_server_ciphers = no
+
+ # Process model, using pthreads (thread) or processes (fork)
+ process_model = fork
+--- zarafa-7.1.10/installer/linux/ical.cfg 2014-05-23 15:03:19.000000000 +0200
++++ zarafa-7.1.10/installer/linux/ical.cfg.rsc 2014-08-12 19:45:04.000000000 +0200
+@@ -66,8 +66,14 @@
+ ssl_verify_file =
+ ssl_verify_path =
+
+-# Accept SSLv2 only incoming connections
+-ssl_enable_v2 = no
++# SSL protocols to use, set to '!SSLv2' for 'ssl_enable_v2 = no'
++ssl_protocols = !SSLv2
++
++# SSL ciphers to use, set to 'ALL' for backward compatibility
++ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
++
++# Prefer the server's order of SSL ciphers over client's
++ssl_prefer_server_ciphers = no
+
+ ##############################################################
+ # OTHER ICAL SETTINGS
+--- zarafa-7.1.10/installer/linux/server.cfg 2014-05-23 15:03:19.000000000 +0200
++++ zarafa-7.1.10/installer/linux/server.cfg.rsc 2014-08-12 19:45:04.000000000 +0200
+@@ -154,8 +154,14 @@
+ # Path with CA certificates, e.g. /etc/ssl/certs
+ server_ssl_ca_path =
+
+-# Accept SSLv2 only connections. Normally v3 connections are used.
+-server_ssl_enable_v2 = no
++# SSL protocols to use, set to '!SSLv2' for 'server_ssl_enable_v2 = no'
++server_ssl_protocols = !SSLv2
++
++# SSL ciphers to use, set to 'ALL' for backward compatibility
++server_ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
++
++# Prefer the server's order of SSL ciphers over client's
++server_ssl_prefer_server_ciphers = no
+
+ # Path of SSL Public keys of clients
+ sslkeys_path = /etc/zarafa/sslkeys
+--- zarafa-7.1.10/provider/server/ECServer.cpp 2014-05-23 15:56:37.000000000 +0200
++++ zarafa-7.1.10/provider/server/ECServer.cpp.rsc 2014-08-12 19:45:04.000000000 +0200
+@@ -919,7 +919,9 @@
+ { "server_ssl_key_pass", "server", CONFIGSETTING_EXACT },
+ { "server_ssl_ca_file", "/etc/zarafa/ssl/cacert.pem" },
+ { "server_ssl_ca_path", "" },
+- { "server_ssl_enable_v2", "no" },
++ { "server_ssl_protocols", "!SSLv2" },
++ { "server_ssl_ciphers", "ALL:!LOW:!SSLv2:!EXP:!aNULL" },
++ { "server_ssl_prefer_server_ciphers", "no" },
+ { "sslkeys_path", "/etc/zarafa/sslkeys" }, // login keys
+ // Database options
+ { "database_engine", "mysql" },
+--- zarafa-7.1.10/provider/server/ECSoapServerConnection.cpp 2014-05-23 15:56:37.000000000 +0200
++++ zarafa-7.1.10/provider/server/ECSoapServerConnection.cpp.rsc 2014-08-12 19:45:04.000000000 +0200
+@@ -240,6 +240,11 @@
+ ECRESULT er = erSuccess;
+ int socket = SOAP_INVALID_SOCKET;
+ struct soap *lpsSoap = NULL;
++ char *server_ssl_protocols = strdup(m_lpConfig->GetSetting("server_ssl_protocols"));
++ char *server_ssl_ciphers = m_lpConfig->GetSetting("server_ssl_ciphers");
++ char *ssl_name;
++ int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
++ bool ssl_neg;
+
+ if(lpServerName == NULL) {
+ er = ZARAFA_E_INVALID_PARAMETER;
+@@ -270,10 +275,79 @@
+ goto exit;
+ }
+
+- // disable SSLv2 support
+- if (!parseBool(m_lpConfig->GetSetting("server_ssl_enable_v2", "", "no")))
+- SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_NO_SSLv2);
+-
++ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_ALL);
++
++ ssl_name = strtok(server_ssl_protocols, " ");
++ while(ssl_name != NULL) {
++ if (*ssl_name != '!')
++ ssl_neg = FALSE;
++ else {
++ ssl_name++;
++ ssl_neg = TRUE;
++ }
++
++ if (strcasecmp(ssl_name, SSL_TXT_SSLV2) == 0)
++ ssl_proto = 0x01;
++ else if (strcasecmp(ssl_name, SSL_TXT_SSLV3) == 0)
++ ssl_proto = 0x02;
++ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1) == 0)
++ ssl_proto = 0x04;
++#ifdef SSL_TXT_TLSV1_1
++ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_1) == 0)
++ ssl_proto = 0x08;
++#endif
++#ifdef SSL_TXT_TLSV1_2
++ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_2) == 0)
++ ssl_proto = 0x10;
++#endif
++ else {
++ m_lpLogger->Log(EC_LOGLEVEL_FATAL, "Unknown protocol '%s' in server_ssl_protocols setting", ssl_name);
++ er = ZARAFA_E_CALL_FAILED;
++ goto exit;
++ }
++
++ if (ssl_neg)
++ ssl_exclude |= ssl_proto;
++ else
++ ssl_include |= ssl_proto;
++
++ ssl_name = strtok(NULL, " ");
++ }
++
++ if (ssl_include != 0) {
++ // Exclude everything, except those that are included (and let excludes still override those)
++ ssl_exclude |= 0x1f & ~ssl_include;
++ }
++
++ if ((ssl_exclude & 0x01) != 0)
++ ssl_op |= SSL_OP_NO_SSLv2;
++ if ((ssl_exclude & 0x02) != 0)
++ ssl_op |= SSL_OP_NO_SSLv3;
++ if ((ssl_exclude & 0x04) != 0)
++ ssl_op |= SSL_OP_NO_TLSv1;
++#ifdef SSL_OP_NO_TLSv1_1
++ if ((ssl_exclude & 0x08) != 0)
++ ssl_op |= SSL_OP_NO_TLSv1_1;
++#endif
++#ifdef SSL_OP_NO_TLSv1_2
++ if ((ssl_exclude & 0x10) != 0)
++ ssl_op |= SSL_OP_NO_TLSv1_2;
++#endif
++
++ if (server_ssl_protocols) {
++ SSL_CTX_set_options(lpsSoap->ctx, ssl_op);
++ }
++
++ if (server_ssl_ciphers && SSL_CTX_set_cipher_list(lpsSoap->ctx, server_ssl_ciphers) != 1) {
++ m_lpLogger->Log(EC_LOGLEVEL_FATAL, "Can not set SSL cipher list to '%s': %s", server_ssl_ciphers, ERR_error_string(ERR_get_error(), 0));
++ er = ZARAFA_E_CALL_FAILED;
++ goto exit;
++ }
++
++ if (parseBool(m_lpConfig->GetSetting("server_ssl_prefer_server_ciphers"))) {
++ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
++ }
++
+ // request certificate from client, is OK if not present.
+ SSL_CTX_set_verify(lpsSoap->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL);
+
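Review bot: In the ECChannel.cpp hunk, `char *ssl_protocols = strdup(lpConfig->GetSetting("ssl_protocols"));` runs in the declarations, before `if (lpConfig == NULL)` is tested, so a NULL config is dereferenced before the check can fire; and in both the ECChannel.cpp and ECSoapServerConnection.cpp hunks the `if (ssl_protocols)` / `if (server_ssl_protocols)` guard sits after `strtok(..., " ")` has already walked the buffer, so it cannot catch a NULL from GetSetting or strdup. Move the strdup below the NULL check, test the copy before strtok, and free() it at exit (it leaks on every path now); strtok_r is preferable to strtok since the latter keeps static state. Also worth stating in the spec changelog: the default `!SSLv2` leaves SSLv3 enabled, so the POODLE mitigation named in the commit message only takes effect once an administrator sets `!SSLv2 !SSLv3` as the manual.xml hunk documents.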
diff --git a/zarafa-7.1.11-php-unbundle.patch b/zarafa-7.1.11-php-unbundle.patch
new file mode 100644
index 0000000..0934c0e
--- /dev/null
+++ b/zarafa-7.1.11-php-unbundle.patch
@@ -0,0 +1,39 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for zarafa >= 7.1.11 which removes the bundled PHP PEAR files/libraries
+and replaces them by files and libraries shipped by the distribution. From file server/PEAR/JSON.php only the function
+json_decode() is used, which can be provided by the php-json RPM package. The file server/PEAR/XML/Unserializer.php can
+be provided by the php-pear-XML-Serializer RPM package. The rest of the PHP PEAR files/libraries are only dependencies of
+these two files mentioned before (which are satisfied by the two newly required RPM packages).
+
+--- zarafa-7.1.11.rsc/php-webclient-ajax/config.php.dist 2014-09-03 09:56:49.000000000 +0200
++++ zarafa-7.1.11.rsc/php-webclient-ajax/config.php.dist.php-unbundle 2014-09-07 18:24:28.000000000 +0200
+@@ -56,7 +56,7 @@
+
+ // Define the server paths
+ set_include_path(BASE_PATH. PATH_SEPARATOR .
+- BASE_PATH."server/PEAR/" . PATH_SEPARATOR .
++ "/usr/share/pear/" . PATH_SEPARATOR .
+ "/usr/share/php/");
+
+ // Define the relative URL for dialogs, this string is appended with HTTP GET arguments
+--- zarafa-7.1.11.rsc/php-webclient-ajax/zarafa.php 2014-09-03 10:45:06.000000000 +0200
++++ zarafa-7.1.11.rsc/php-webclient-ajax/zarafa.php.php-unbundle 2014-09-07 18:21:36.000000000 +0200
+@@ -59,7 +59,7 @@
+ include("config.php");
+ include("defaults.php");
+ include("server/util.php");
+- require("server/PEAR/JSON.php");
++ @include("server/PEAR/JSON.php");
+
+ require("mapi/mapi.util.php");
+ require("mapi/mapicode.php");
+--- zarafa-7.1.11.rsc/php-webclient-ajax/server/core/class.xmlparser.php 2014-09-03 10:45:06.000000000 +0200
++++ zarafa-7.1.11.rsc/php-webclient-ajax/server/core/class.xmlparser.php.php-unbundle 2014-09-07 18:22:40.000000000 +0200
+@@ -50,7 +50,7 @@
+
+ ?>
+ <?php
+- require_once("server/PEAR/XML/Unserializer.php");
++ require_once("XML/Unserializer.php");
+
+ /**
+ * XML Parser
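Review bot: In the zarafa.php hunk, `@include("server/PEAR/JSON.php");` silences the missing-file warning instead of removing the dependency: a bundled JSON.php left in place would still be loaded as before, and if php-json is absent nothing fails until json_decode() is first called. Since the description says only json_decode() is needed and php-json provides it, drop the include line entirely and have the spec Require php-json and php-pear-XML-Serializer (the spec side of this change is not shown here).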
diff --git a/zarafa-7.1.11-plaintext_auth_localhost.patch b/zarafa-7.1.11-plaintext_auth_localhost.patch
new file mode 100644
index 0000000..9b6aae0
--- /dev/null
+++ b/zarafa-7.1.11-plaintext_auth_localhost.patch
@@ -0,0 +1,88 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.11 which enhances my earlier
+this year implemented "disable_plaintext_auth" feature (new option in Zarafa >= 7.1.10 to disable
+all plaintext authentications unless SSL/TLS is used), https://jira.zarafa.com/browse/ZCP-12142
+contains the initial implementation and a more verbose feature description.
+
+Given that there are unfortunately still Zarafa systems around using saslauthd without pam_mapi
+but rimap instead the "disable_plaintext_auth" feature prevents them from enabling this option as
+rimap doesn't support SSL/TLS; https://jira.zarafa.com/browse/ZCP-12473 contains an example report
+by a Zarafa customer. Thus this patch adds an exception if the source IPv4 address is "127.0.0.1"
+and allows even if "disable_plaintext_auth" is enabled a cleartext authentication. It was a design
+decision to check only for 127.0.0.1/32 rather 127.0.0.0/8 because there seem to be systems where
+the loopback network except 127.0.0.1/32 is routable?!
+
+Important: The technical implementation of this patch might be not perfect as I am not really a C/
+C++ developer. There should be a code review by an experienced C/C++ developer before merging into
+Zarafa core.
+
+--- zarafa-7.1.11/gateway/IMAP.cpp 2014-09-03 10:45:06.000000000 +0200
++++ zarafa-7.1.11/gateway/IMAP.cpp.plaintext_auth_localhost 2014-09-24 01:29:10.000000000 +0200
+@@ -757,7 +757,7 @@
+ if (!lpChannel->UsingSsl() && lpChannel->sslctx())
+ strCapabilities += " STARTTLS";
+
+- if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0)
++ if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0)
+ strCapabilities += " LOGINDISABLED";
+ else
+ strCapabilities += " AUTH=PLAIN";
+@@ -923,7 +923,7 @@
+ char *plain = lpConfig->GetSetting("disable_plaintext_auth");
+
+ // If plaintext authentication was disabled any authentication attempt must be refused very soon
+- if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) {
++ if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) {
+ hr2 = HrResponse(RESP_TAGGED_NO, strTag, "[PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure "
+ "(SSL/TLS) connections.");
+ if (hr2 != hrSuccess)
+@@ -1002,7 +1002,7 @@
+ }
+
+ // If plaintext authentication was disabled any login attempt must be refused very soon
+- if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) {
++ if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) {
+ hr2 = HrResponse(RESP_UNTAGGED, "BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client "
+ "did it anyway. If anyone was listening, the password was exposed.");
+ if (hr2 != hrSuccess)
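Review bot: the loopback exemption added to all three IMAP checks in this patch, strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0, matches only the dotted-quad IPv4 form, so a local saslauthd/rimap client that reaches the gateway as ::1 or as an IPv4-mapped ::ffff:127.0.0.1 is still refused, and the same compound condition is now copied verbatim into seven places across IMAP.cpp and POP3.cpp. Suggest moving the test into one helper on the channel (a hypothetical lpChannel->IsLoopback() accepting both 127.0.0.1 and ::1), so the CAPABILITY, AUTHENTICATE and LOGIN paths cannot drift apart and there is a single place to tighten the rule later. Operators should also be told that any local process, including a proxy or TLS terminator that connects to the gateway from 127.0.0.1, now gets plaintext authentication accepted regardless of disable_plaintext_auth.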
+--- zarafa-7.1.11/gateway/POP3.cpp 2014-09-03 10:45:06.000000000 +0200
++++ zarafa-7.1.11/gateway/POP3.cpp.plaintext_auth_localhost 2014-09-24 01:30:41.000000000 +0200
+@@ -320,7 +320,7 @@
+ if (!lpChannel->UsingSsl() && lpChannel->sslctx())
+ strCapabilities += "STLS\r\n";
+
+- if (!(!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0))
++ if (!(!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0))
+ strCapabilities += "USER\r\n";
+ }
+
+@@ -402,7 +402,7 @@
+ HRESULT hr = hrSuccess;
+ char *plain = lpConfig->GetSetting("disable_plaintext_auth");
+
+- if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) {
++ if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) {
+ hr = HrResponse(POP3_RESP_AUTH_ERROR, "Plaintext authentication disallowed on non-secure (SSL/TLS) connections");
+ lpLogger->Log(EC_LOGLEVEL_ERROR, "Aborted login from %s with username \"%s\" (tried to use disallowed plaintext auth)",
+ lpChannel->GetIPAddress().c_str(), strUser.c_str());
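Review bot: the refused branch in this hunk still logs at EC_LOGLEVEL_ERROR, but a plaintext login that is now accepted only because the peer is 127.0.0.1 leaves no trace at all. Suggest logging the exemption at a non-error level in an else branch of the same check, reusing lpChannel->GetIPAddress().c_str() and strUser.c_str() from the existing Log() call, so an audit can tell "plaintext over TLS" from "plaintext from loopback" instead of both looking like a normal login.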
+@@ -431,7 +431,7 @@
+ HRESULT hr = hrSuccess;
+ char *plain = lpConfig->GetSetting("disable_plaintext_auth");
+
+- if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) {
++ if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) {
+ hr = HrResponse(POP3_RESP_AUTH_ERROR, "Plaintext authentication disallowed on non-secure (SSL/TLS) connections");
+ if(szUser.empty())
+ lpLogger->Log(EC_LOGLEVEL_ERROR, "Aborted login from %s without username (tried to use disallowed "
+--- zarafa-7.1.11/doc/manual.xml 2014-09-03 09:56:28.000000000 +0200
++++ zarafa-7.1.11/doc/manual.xml.plaintext_auth_localhost 2014-10-15 01:22:14.000000000 +0200
+@@ -8024,7 +8024,9 @@
+ <term><option>disable_plaintext_auth</option></term>
+ <listitem>
+ <para>Disable all plaintext POP3 and IMAP authentications unless
+- SSL/TLS is used. Obviously this requires at least
++ SSL/TLS is used (except for connections originating from
++ <replaceable>127.0.0.1</replaceable> to allow saslauthd with rimap).
++ Obviously enabling this configuration option requires at least
+ <replaceable>ssl_private_key_file</replaceable> and
+ <replaceable>ssl_certificate_file</replaceable> to take effect.</para>
+ <para>Default: <replaceable>no</replaceable></para>
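Review bot: the new manual text says connections from 127.0.0.1 are exempt but does not say that the exemption is IPv4 127.0.0.1/32 only, which the patch header presents as a deliberate decision (not 127.0.0.0/8, not ::1). Suggest stating that scope in the same para, together with the consequence that any local process can authenticate in plaintext to the POP3/IMAP gateway while this option is on, so administrators who treat disable_plaintext_auth as a hard guarantee know exactly what it does and does not cover.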
diff --git a/zarafa-7.1.11-rpath.patch b/zarafa-7.1.11-rpath.patch
new file mode 100644
index 0000000..88ac16f
--- /dev/null
+++ b/zarafa-7.1.11-rpath.patch
@@ -0,0 +1,85 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for zarafa >= 7.1.11, which works
+around the broken libtool of Debian. Multilib/multiarch systems like Fedora or Red
+Hat Enterprise Linux are using /usr/lib64 for 64 bit libraries and /usr/lib is used
+for 32 bit libraries. That allows to run 32 bit software on 64 bit systems. Debian
+systems only use /usr/lib which contains only 32 or 64 bit systems depending on the
+architecture.
+
+Libtool hardcodes the runtime search path in a library (rpath), if the library that
+is used for linking is not within the default system library path. The result is,
+that if aclocal.m4/configure files are generated by a Debian system, but used on a
+Fedora or Red Hat Enterprise Linux 64 bit system for compiling, "-rpath /usr/lib64"
+makes it into the binary.
+
+Fedora and EPEL (for Red Hat Enterprise Linux) do not allow binaries with rpath, as
+the Linux dynamic linker is usually smarter than the hardcoded path.
+
+The fix for this issue is to add the optional /lib64 and /usr/lib64 directories at/
+within libtool in front of the regular /lib and /usr/lib directories at the system
+library path. These libtool information are hold in aclocal.m4, which is generated
+by running aclocal. As the content of aclocal.m4 is included into configure during
+a run of autoconf, aclocal.m4 needs to be modified within the upstream build system
+each time after a aclocal run - until Debian's libtool is fixed at Debian upstream.
+
+Applying the fix is either possible by using the first hunk of the patch (second
+hunk is runtime-only if configure file has been already generated) or by running
+the following sed command after each aclocal run within the upstream build system:
+
+ sed -e 's@\(# Append ld.so.conf contents to the search path\)@# Add ABI-specific directories to the system library path.\n sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"\n\n \1@' \
+ -e 's@/lib /usr/lib $lt_ld_extra@$sys_lib_dlsearch_path_spec $lt_ld_extra@' -i zarafa-7.1.11/aclocal.m4
+
+More information regarding this topic can be found for example at:
+
+ - http://osdir.com/ml/bug-libtool-gnu/2009-12/msg00034.html
+ - http://lists.gnu.org/archive/html/libtool/2009-01/msg00039.html
+ - http://thread.gmane.org/gmane.comp.gnu.libtool.general/8339/focus=8345
+
+--- zarafa-7.1.11/aclocal.m4 2014-09-03 09:56:52.000000000 +0200
++++ zarafa-7.1.11/aclocal.m4.rpath 2014-09-07 17:20:37.000000000 +0200
+@@ -2672,10 +2672,13 @@
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
++ # Add ABI-specific directories to the system library path.
++ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
++
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
++ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
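Review bot: the new sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" is set before the "if test -f /etc/ld.so.conf" block and the inner assignment now appends $lt_ld_extra to it, so the lib64 directories are present whether or not /etc/ld.so.conf exists; that is the right shape. One caveat worth a sentence in the patch header: this variable only tells libtool which directories count as "system" for the purpose of not emitting -rpath, it does not change the order in which the runtime linker searches (that still comes from ld.so.conf and the ldconfig cache), so listing /lib64 first has no effect on which library gets loaded at run time.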
+--- zarafa-7.1.11/configure 2014-09-03 09:56:53.000000000 +0200
++++ zarafa-7.1.11/configure.rpath 2014-09-07 17:28:07.000000000 +0200
+@@ -10983,10 +10983,13 @@
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
++ # Add ABI-specific directories to the system library path.
++ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
++
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
++ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+@@ -16025,10 +16028,13 @@
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
++ # Add ABI-specific directories to the system library path.
++ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
++
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
++ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
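Review bot: the two configure hunks are verbatim copies of the aclocal.m4 change, as the header explains, so nothing in the build tells you whether the patched configure or a regenerated one was actually used. Suggest a post-build check in the packaging (outside this patch) that fails when any installed ELF object still carries an RPATH or RUNPATH entry, for example running readelf -d over the buildroot and grepping for RPATH, or relying on rpmlint's binary-or-shlib-defines-rpath check; that catches a silently regenerated configure on the next autotools or libtool bump.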
diff --git a/zarafa-7.1.9-ssl_ecdhe.patch b/zarafa-7.1.9-ssl_ecdhe.patch
new file mode 100644
index 0000000..f1a1a8e
--- /dev/null
+++ b/zarafa-7.1.9-ssl_ecdhe.patch
@@ -0,0 +1,82 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.9 which implements ECDHE (elliptic
+curve diffie-hellman key exchange) support. http://en.wikipedia.org/wiki/Elliptic_curve_cryptography is
+providing more information about elliptic curves.
+
+Suggestions for testing; run the following openssl(1) commands before and after applying this patch:
+
+1. echo QUIT | openssl s_client -connect <host>:110 -starttls pop3 2>&1 | grep Cipher
+2. echo QUIT | openssl s_client -connect <host>:143 -starttls imap 2>&1 | grep Cipher
+3. echo QUIT | openssl s_client -connect <host>:237 2>&1 | grep Cipher
+4. echo QUIT | openssl s_client -connect <host>:993 2>&1 | grep Cipher
+5. echo QUIT | openssl s_client -connect <host>:995 2>&1 | grep Cipher
+6. echo QUIT | openssl s_client -connect <host>:8443 2>&1 | grep Cipher
+
+After applying this patch the output should contain e.g. "ECDHE-RSA-AES256-GCM-SHA384" on a Red Hat
+Enterprise Linux 6.5 (only RHEL >= 6.5 has support for elliptic curve). Without this patch the result
+is e.g. "AES256-GCM-SHA384".
+
+Important: The technical implementation of this patch might be not perfect as I am not really a C/C++
+developer. The logic and the implementation is heavily based on Sendmail. There should be a code review
+by an experienced C/C++ and OpenSSL developer before merging into Zarafa core.
+
+This patch should be only applied after ZCP-12143 and its dependencies. However this patch might maybe
+not directly apply due to some previous merge issues as mentioned in Ticket#2014030810000131.
+
+--- zarafa-7.1.9/common/ECChannel.cpp 2014-04-13 23:46:59.000000000 +0200
++++ zarafa-7.1.9/common/ECChannel.cpp.ssl_ecdhe 2014-04-13 23:59:43.000000000 +0200
+@@ -97,6 +97,9 @@
+ char *ssl_name;
+ int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
+ bool ssl_neg;
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ EC_KEY *ecdh;
++#endif
+
+ if (lpConfig == NULL) {
+ hr = MAPI_E_CALL_FAILED;
+@@ -113,6 +116,16 @@
+ lpCTX = SSL_CTX_new(SSLv23_server_method());
+ SSL_CTX_set_options(lpCTX, SSL_OP_ALL);
+
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
++
++ if (ecdh != NULL) {
++ SSL_CTX_set_options(lpCTX, SSL_OP_SINGLE_ECDH_USE);
++ SSL_CTX_set_tmp_ecdh(lpCTX, ecdh);
++ EC_KEY_free(ecdh);
++ }
++#endif
++
+ ssl_name = strtok(ssl_protocols, " ");
+ while(ssl_name != NULL) {
+ if (*ssl_name != '!')
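Review bot: the hunk calls EC_KEY_new_by_curve_name and EC_KEY_free but adds no #include <openssl/ec.h>, and the guard "#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)" depends on the NID macro from <openssl/obj_mac.h> being visible; both normally arrive transitively through <openssl/ssl.h>, but if they do not, the guard evaluates false and ECDHE is compiled out with no diagnostic. An explicit include of <openssl/ec.h> makes the intent clear. Likewise, when EC_KEY_new_by_curve_name returns NULL nothing is logged, so an operator whose openssl s_client test from the header still shows a non-ECDHE cipher gets no hint why; suggest a log line in an else branch. Freeing ecdh right after SSL_CTX_set_tmp_ecdh is correct, since the context keeps its own copy, and SSL_OP_SINGLE_ECDH_USE gives a fresh ephemeral key per handshake on the OpenSSL 1.0.x this targets.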
+--- zarafa-7.1.9/provider/server/ECSoapServerConnection.cpp 2014-04-13 23:46:59.000000000 +0200
++++ zarafa-7.1.9/provider/server/ECSoapServerConnection.cpp.ssl_ecdhe 2014-04-14 00:00:54.000000000 +0200
+@@ -245,6 +245,9 @@
+ char *ssl_name;
+ int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
+ bool ssl_neg;
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ EC_KEY *ecdh;
++#endif
+
+ if(lpServerName == NULL) {
+ er = ZARAFA_E_INVALID_PARAMETER;
+@@ -277,6 +280,16 @@
+
+ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_ALL);
+
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
++
++ if (ecdh != NULL) {
++ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_SINGLE_ECDH_USE);
++ SSL_CTX_set_tmp_ecdh(lpsSoap->ctx, ecdh);
++ EC_KEY_free(ecdh);
++ }
++#endif
++
+ ssl_name = strtok(server_ssl_protocols, " ");
+ while(ssl_name != NULL) {
+ if (*ssl_name != '!')
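Review bot: this ECSoapServerConnection.cpp block is a line-for-line copy of the ECChannel.cpp one (same guard, same curve, same free), so the two server-side TLS contexts (gateway, and zarafa-server on port 237 per the header's test list) will drift apart on the next change; suggest a single shared helper in common/ that both call sites use. The curve is also fixed to prime256v1 with no configuration hook, while ssl_protocols and server_ssl_protocols right below are configurable; if a knob is wanted later it should follow that existing pattern rather than being bolted on separately in each file.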
diff --git a/zarafa.spec b/zarafa.spec
index 3da0cf1..6801a2b 100644
--- a/zarafa.spec
+++ b/zarafa.spec
@@ -1,6 +1,6 @@
%global beta_or_rc 0
-%global actual_release 5
-%global svnrevision 44973
+%global actual_release 1
+%global svnrevision 46050
%global with_search 1
%global with_ldap 1
%global with_xmlto 1
@@ -10,6 +10,7 @@
%global with_gsoap 0
%endif
%global no_multiupload 1
+%global no_bundled_php 1
%global php_apiver %((echo 0; php -i 2>/dev/null | sed -n 's/^PHP API => //p') | tail -1)
%global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")
@@ -30,9 +31,9 @@
Summary: Open Source Edition of the Zarafa Collaboration Platform
Name: zarafa
-Version: 7.1.10
+Version: 7.1.11
%if %{beta_or_rc}
-Release: 0.%{actual_release}.svn%{svnrevision}%{?dist}.1
+Release: 0.%{actual_release}.svn%{svnrevision}%{?dist}
%else
Release: %{actual_release}%{?dist}
%endif
@@ -53,9 +54,12 @@ Source1: %{name}.ini
Source2: %{name}.logrotate
Source3: %{name}-webaccess.conf
-Patch0: zarafa-7.0.9-rpath.patch
-Patch1: zarafa-7.1.10-kyotocabinet.patch
-Patch2: zarafa-7.1.10-mariadb.patch
+Patch0: zarafa-7.1.11-rpath.patch
+Patch1: zarafa-7.1.11-php-unbundle.patch
+Patch2: zarafa-7.1.10-kyotocabinet.patch
+Patch3: zarafa-7.1.10-ssl_protocols_ciphers.patch
+Patch4: zarafa-7.1.9-ssl_ecdhe.patch
+Patch5: zarafa-7.1.11-plaintext_auth_localhost.patch
BuildRequires: bison
BuildRequires: gcc-c++
@@ -315,6 +319,9 @@ Requires: mod_php >= 4.3
%else
Requires: php >= 4.3, php-openssl
%endif
+%if %{no_bundled_php}
+Requires: php-json, php-pear-XML-Serializer
+%endif
%if 0%{?rhel}%{?fedora} > 5
BuildArch: noarch
%endif
@@ -377,8 +384,13 @@ to interact with Zarafa.
%setup -q
%patch0 -p1 -b .rpath
touch -c -r aclocal.m4.rpath aclocal.m4
-%patch1 -p1 -b .kyotocabinet
-%patch2 -p1 -b .mariadb
+%if %{no_bundled_php}
+%patch1 -p1 -b .php-unbundle
+%endif
+%patch2 -p1 -b .kyotocabinet
+%patch3 -p1 -b .ssl_protocols_ciphers
+%patch4 -p1 -b .ssl_ecdhe
+%patch5 -p1 -b .disable_plaintext_auth-localhost
%build
%if 0%{?rhel}%{?fedora} < 6
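Review bot: in this %prep hunk the backup suffix for Patch5, .disable_plaintext_auth-localhost, does not match the patch file name zarafa-7.1.11-plaintext_auth_localhost.patch (extra disable_ prefix, hyphen instead of underscore); harmless for the build but confusing when looking for the backup copies, so align the suffix with the patch name. The unchanged "touch -c -r aclocal.m4.rpath aclocal.m4" line above deserves a comment: it keeps aclocal.m4's mtime at the pre-patch value so make does not consider configure stale and regenerate it, which would discard the configure hunks of the rpath patch.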
@@ -522,7 +534,7 @@ mkdir -p $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/plugins/
# Remove unwanted language connectors and webaccess files
rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/client/widgets/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.{cfm,pl}
-rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/{.htaccess,%{name}-webaccess.conf}
+rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/{.htaccess,%{name}-webaccess.conf,senddocument.php}
# Remove flash-based multi-attachment upload (missing source)
%if %{no_multiupload}
@@ -533,6 +545,12 @@ mv -f $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php{.new,}
rm -rf $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/client/widgets/swfupload/
%endif
+# Remove bundled PHP PEAR files/libraries
+%if %{no_bundled_php}
+rm -rf $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/server/PEAR
+rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/{.,server/core}/*.php-unbundle
+%endif
+
# Remove files only required by proprietary web services
rm -rf $RPM_BUILD_ROOT{%{_sysconfdir}/%{name}/ws.cfg,%{_datadir}/zarafa/timezones}
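Review bot: the cleanup "rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/{.,server/core}/*.php-unbundle" only removes backup files in two directories; if Patch1 touches any other PHP file under the webaccess tree, its .php-unbundle backup (the original code, still loading the PEAR copies that the preceding rm -rf deletes) is installed and served. Suggest "find $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess -name '*.php-unbundle' -delete" so the cleanup does not depend on the patch's file list staying the same.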
@@ -916,6 +934,13 @@ fi
%{python_sitearch}/*
%changelog
+* Wed Oct 15 2014 Robert Scheck <robert at fedoraproject.org> 7.1.11-1
+- Upgrade to 7.1.11 (#1139442)
+- Removed bundled PHP PEAR files/libraries
+- Added patch to allow mitigation of SSLv3/POODLE vulnerability
+- Added patch to implement ECDHE support (depending on OpenSSL)
+- Added patch to allow plaintext authentication from 127.0.0.1
+
* Tue Aug 26 2014 David Tardon <dtardon at redhat.com> - 7.1.10-5
- rebuild for ICU 53.1
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/zarafa.git/commit/?h=el5&id=6485eb28e256fbae6066e86b50b3476884356127
More information about the scm-commits mailing list