robert pushed to zarafa (el5). "Merge remote branch 'origin/f21' into el5"
notifications at fedoraproject.org
notifications at fedoraproject.org
Tue Apr 7 18:42:36 UTC 2015
>From 4a32efa8ecd979a088b9154786ab08b60b5705f7 Mon Sep 17 00:00:00 2001
From: Peter Robinson <pbrobinson at fedoraproject.org>
Date: Mon, 18 Aug 2014 11:29:49 +0000
Subject: - Rebuilt for
https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
diff --git a/zarafa.spec b/zarafa.spec
index 2f61640..e82760d 100644
--- a/zarafa.spec
+++ b/zarafa.spec
@@ -32,7 +32,7 @@ Summary: Open Source Edition of the Zarafa Collaboration Platform
Name: zarafa
Version: 7.1.10
%if %{beta_or_rc}
-Release: 0.%{actual_release}.svn%{svnrevision}%{?dist}
+Release: 0.%{actual_release}.svn%{svnrevision}%{?dist}.1
%else
Release: %{actual_release}%{?dist}
%endif
@@ -916,6 +916,9 @@ fi
%{python_sitearch}/*
%changelog
+* Mon Aug 18 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 7.1.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
* Fri Jul 11 2014 Robert Scheck <robert at fedoraproject.org> 7.1.10-2
- Added a workaround to really support MariaDB (#995870)
- Re-added a patch to allow building without zarafa-search
--
cgit v0.10.2
>From 2fe388869b31fa6faf57daead3083d8bb95bdc4d Mon Sep 17 00:00:00 2001
From: Kevin Kofler <Kevin at tigcc.ticalc.org>
Date: Sun, 26 Oct 2014 00:21:57 +0200
Subject: Rebuild for reference-counting-enabled clucene09
* Sat Oct 25 2014 Kevin Kofler <Kevin at tigcc.ticalc.org> 7.1.11-2
- Rebuild for reference-counting-enabled clucene09
diff --git a/zarafa.spec b/zarafa.spec
index 6801a2b..13819dc 100644
--- a/zarafa.spec
+++ b/zarafa.spec
@@ -1,5 +1,5 @@
%global beta_or_rc 0
-%global actual_release 1
+%global actual_release 2
%global svnrevision 46050
%global with_search 1
%global with_ldap 1
@@ -934,6 +934,9 @@ fi
%{python_sitearch}/*
%changelog
+* Sat Oct 25 2014 Kevin Kofler <Kevin at tigcc.ticalc.org> 7.1.11-2
+- Rebuild for reference-counting-enabled clucene09
+
* Wed Oct 15 2014 Robert Scheck <robert at fedoraproject.org> 7.1.11-1
- Upgrade to 7.1.11 (#1139442)
- Removed bundled PHP PEAR files/libraries
--
cgit v0.10.2
>From ce0e01723f2fe9e281c4e63436caa81558cb7a9f Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert at fedoraproject.org>
Date: Mon, 23 Feb 2015 00:55:48 +0100
Subject: - Added multiple minor enhancement and bugfix patches - Added patch
to fix CVE-2014-0103 for PHP < 5.3 (#1073618)
diff --git a/zarafa-7.1.10-imap-badcharset.patch b/zarafa-7.1.10-imap-badcharset.patch
new file mode 100644
index 0000000..76b5a36
--- /dev/null
+++ b/zarafa-7.1.10-imap-badcharset.patch
@@ -0,0 +1,19 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.10 which fixes the RFC-
+violating reply of the Zarafa IMAP gateway in response to a failed SEARCH CHARSET request.
+This is documented at http://tools.ietf.org/html/rfc3501#page-64: "BADCHARSET: Optionally
+followed by a parenthesized list of charsets. [...]". This patch adds missing parenthesis.
+
+Proposed to upstream via e-mail on Sun, 27 Jul 2014 23:58:01 +0200, patch was put into the
+upstream ticket https://jira.zarafa.com/browse/ZCP-12504.
+
+--- zarafa-7.1.10/gateway/IMAP.cpp 2014-05-23 15:56:37.000000000 +0200
++++ zarafa-7.1.10/gateway/IMAP.cpp.imap-badcharset 2014-07-27 23:42:30.000000000 +0200
+@@ -2409,7 +2409,7 @@
+ if (lstSearchCriteria[1] != "WINDOWS-1252") {
+ iconv = new ECIConv("windows-1252", lstSearchCriteria[1]);
+ if (!iconv->canConvert()) {
+- hr2 = HrResponse(RESP_TAGGED_NO, strTag, "[BADCHARSET WINDOWS-1252] "+strMode+"SEARCH charset not supported");
++ hr2 = HrResponse(RESP_TAGGED_NO, strTag, "[BADCHARSET (WINDOWS-1252)] "+strMode+"SEARCH charset not supported");
+ hr = MAPI_E_CALL_FAILED;
+ goto exit;
+ }
diff --git a/zarafa-7.1.10-imap-fetch-body.patch b/zarafa-7.1.10-imap-fetch-body.patch
new file mode 100644
index 0000000..da4e2fa
--- /dev/null
+++ b/zarafa-7.1.10-imap-fetch-body.patch
@@ -0,0 +1,93 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.10 which fixes the RFC-
+violating reply of the Zarafa IMAP gateway in response to a body fetch request. This is
+documented at http://tools.ietf.org/html/rfc3501#page-55. Additionally this has been also
+compared with the Dovecot IMAP server as a nearly (or even de facto) IMAP server reference
+implementation. Please note that this is NOT a duplicate of ZCP-11590/ZCP-11739/ZCP-12365!
+
+Wrong behaviour of Zarafa <= 7.1.10rc1-44973 (without this patch):
+> A4 FETCH 1 (BODY.PEEK[HEADER.FIELDS (FROM FROM)])
+< * 1 FETCH (BODY[HEADER.FIELDS (FROM FROM)] {66}
+From: User1 <user1 at domain.org>
+From: User1 <user1 at domain.org>
+
+)
+< A4 OK FETCH completed
+
+Comparison with IMAP server Dovecot 2.2.13:
+> A4 FETCH 1 (BODY.PEEK[HEADER.FIELDS (FROM FROM)])
+< * 1 FETCH (BODY[HEADER.FIELDS (FROM FROM)] {34}
+From: User1 <user1 at domain.org>
+
+)
+< A4 OK Fetch completed.
+
+Correct behaviour of Zarafa (after having this patch applied):
+> A4 FETCH 1 (BODY.PEEK[HEADER.FIELDS (FROM FROM)])
+< * 1 FETCH (BODY[HEADER.FIELDS (FROM FROM)] {34}
+From: User1 <user1 at domain.org>
+
+)
+< A4 OK FETCH completed
+
+Testing: Full IMAP dialog example from the client perspective (after this patch applied):
+< * OK [CAPABILITY IMAP4rev1 LITERAL+ AUTH=PLAIN] Zarafa IMAP gateway ready
+> A0 LOGIN robert robert
+< A0 OK [CAPABILITY IMAP4rev1 LITERAL+ CHILDREN XAOL-OPTION NAMESPACE QUOTA IDLE] LOGIN completed
+> A1 LIST "" INBOX
+< * LIST (\HasNoChildren) "/" "INBOX"
+< A1 OK LIST completed
+> A2 SELECT INBOX
+< * 2 EXISTS
+< * 0 RECENT
+< * FLAGS (\Seen \Draft \Deleted \Flagged \Answered $Forwarded)
+< * OK [PERMANENTFLAGS (\Seen \Draft \Deleted \Flagged \Answered $Forwarded)] Permanent flags
+< * OK [UIDNEXT 4343] Predicted next UID
+< * OK [UNSEEN 1] First unseen message
+< * OK [UIDVALIDITY 9313] UIDVALIDITY value
+< A2 OK [READ-WRITE] SELECT completed
+> A3 SEARCH UNSEEN ALL
+< * SEARCH 1 2
+< A3 OK SEARCH completed
+> A4 FETCH 1 (BODY.PEEK[HEADER.FIELDS (FROM FROM)])
+< * 1 FETCH (BODY[HEADER.FIELDS (FROM FROM)] {34}
+From: User1 <user1 at domain.org>
+
+)
+< A4 OK FETCH completed
+> A5 CLOSE
+< A5 OK CLOSE completed
+> A6 LOGOUT
+< * BYE Zarafa server logging out
+< A6 OK LOGOUT completed
+
+IMPORTANT: This patch has been very carefully and extensively tested but it might not be
+perfect nevertheless as I am not really a C/C++ developer. There should be a code review
+by an experienced C/C++ developer before merging into Zarafa core.
+
+Proposed to upstream via e-mail on Thu, 29 May 2014 01:55:35 +0200, patch was put into the
+upstream ticket https://jira.zarafa.com/browse/ZCP-12398.
+
+--- zarafa-7.1.10/gateway/IMAP.cpp 2014-05-12 12:06:03.000000000 +0200
++++ zarafa-7.1.10/gateway/IMAP.cpp.imap-fetch-body 2014-05-29 00:49:29.000000000 +0200
+@@ -5253,10 +5253,21 @@
+ } else {
+ vector<string> lstReqFields;
+ vector<string>::iterator iterReqField;
++ vector<string>::iterator r, w;
++ set<string> tmpset;
+
+ // Get fields as vector
+ lstReqFields = tokenize(strFields, " ");
+
++ // Make elements of vector unique
++ for(r = lstReqFields.begin(), w = lstReqFields.begin(); r != lstReqFields.end(); ++r) {
++ if(tmpset.insert(*r).second) {
++ *w++ = *r;
++ }
++ }
++
++ lstReqFields.erase(w, lstReqFields.end());
++
+ // Output headers specified, in order of field set
+ for(iterReqField = lstReqFields.begin(); iterReqField != lstReqFields.end(); iterReqField++) {
+ for(iterField = lstFields.begin(); iterField != lstFields.end(); iterField++) {
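Review bot: The de-duplication inserted before the output loop keys `tmpset` on the raw field name and is therefore case-sensitive, while RFC 5322 header field names (and the names a client lists in HEADER.FIELDS) are case-insensitive; a request such as `(FROM from)` would still yield two From lines if the matching loop that follows compares names case-insensitively, which this hunk does not show. Inserting an upper-cased copy of `*r` into `tmpset` (leaving `*r` itself untouched) would make the set agree with whatever case-folding the comparison below applies. `set<string>` also requires `<set>` to be included; whether IMAP.cpp already does so is not visible here. The enclosing function begins and ends outside the hunk.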
diff --git a/zarafa-7.1.10-kyotocabinet.patch b/zarafa-7.1.10-kyotocabinet.patch
index 43e62a3..00cdeab 100644
--- a/zarafa-7.1.10-kyotocabinet.patch
+++ b/zarafa-7.1.10-kyotocabinet.patch
@@ -4,6 +4,9 @@ broken on the given system and/or architecture. Interestingly that patch is not
in 2012 the first time, proposed them as a patch to Zarafa and got merged. With a recent Zarafa release it
seems they silently removed it again...
+Proposed to upstream via e-mail on Fri, 11 Jul 2014 01:03:43 +0200, patch was put into the upstream ticket
+https://jira.zarafa.com/browse/ZCP-12463.
+
--- zarafa-7.1.10/ECtools/zarafa-search/Makefile.am 2014-05-23 15:03:49.000000000 +0200
+++ zarafa-7.1.10/ECtools/zarafa-search/Makefile.am.kyotocabinet 2014-07-10 21:48:42.000000000 +0200
@@ -1,4 +1,8 @@
diff --git a/zarafa-7.1.10-ssl_protocols_ciphers.patch b/zarafa-7.1.10-ssl_protocols_ciphers.patch
index 756d2fd..876df60 100644
--- a/zarafa-7.1.10-ssl_protocols_ciphers.patch
+++ b/zarafa-7.1.10-ssl_protocols_ciphers.patch
@@ -38,6 +38,9 @@ a code review and code clean up by an experienced C/C++ developer before merging
This patch should be only applied in conjuction with the POP3 RESP-CODES and AUTH-RESP-CODE patch,
the POP3 CAPA (CAPABILITIES) patch as well as the POP3 STLS (STARTTLS) patch applied before.
+Proposed to upstream via e-mail on Sat, 8 Mar 2014 14:30:29 +0100, patch was put into the upstream
+ticket https://jira.zarafa.com/browse/ZCP-12143.
+
--- zarafa-7.1.10/caldav/CalDAV.cpp 2014-05-23 15:56:36.000000000 +0200
+++ zarafa-7.1.10/caldav/CalDAV.cpp.rsc 2014-08-12 19:45:04.000000000 +0200
@@ -220,7 +220,9 @@
diff --git a/zarafa-7.1.10-webaccess-fail2ban.patch b/zarafa-7.1.10-webaccess-fail2ban.patch
new file mode 100644
index 0000000..b0bb26e
--- /dev/null
+++ b/zarafa-7.1.10-webaccess-fail2ban.patch
@@ -0,0 +1,38 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.0 which logs authentication
+failures of Zarafa WebAccess into the error log of the webserver. This is basically a backport of
+https://jira.zarafa.com/browse/WA-6908 from WebApp to WebAccess. In difference to original patch
+there is no inappropriate space before a punctuation mark also known as "plenken".
+
+The second part of this patch is a backport of Zarafa WebApp 1.6 which ensures that authentication
+is only performed if username and password are filled. This avoids a) strange looking results of
+error_log() from the first part and b) reduces the possible risk of denial of service given that
+PHP is not connecting the Zarafa server if not really needed.
+
+I guess the usage of isset() rather !empty() was accidential because isset() is always true once
+the HTTP POST via the login formular happens.
+
+Proposed to upstream via e-mail on Wed, 13 Aug 2014 22:56:09 +0200, patch was put into the upstream
+ticket https://jira.zarafa.com/browse/ZCP-12543.
+
+--- zarafa-7.1.10/php-webclient-ajax/client/login.php 2014-05-23 15:56:38.000000000 +0200
++++ zarafa-7.1.10/php-webclient-ajax/client/login.php 2014-08-13 22:11:38.000000000 +0200
+@@ -86,6 +86,8 @@
+ switch($_SESSION["hresult"]){
+ case MAPI_E_LOGON_FAILED:
+ case MAPI_E_UNCONFIGURED:
++ // Print error message to error_log of webserver
++ error_log('user '.$_POST["username"].': authentication failure at MAPI');
+ echo _("Logon failed, please check your name/password.");
+ break;
+ case MAPI_E_NETWORK_ERROR:
+--- zarafa-7.1.10/php-webclient-ajax/index.php 2014-05-23 15:56:38.000000000 +0200
++++ zarafa-7.1.10/php-webclient-ajax/index.php 2014-08-13 22:11:11.000000000 +0200
+@@ -153,7 +153,7 @@
+
+ // Create global mapi object. This object is used in many other files
+ $GLOBALS["mapisession"] = new MAPISession();
+- if (isset($_SESSION["username"]) && isset($_SESSION["password"])) {
++ if (!empty($_SESSION["username"]) && !empty($_SESSION["password"])) {
+ $sslcert_file = defined('SSLCERT_FILE') ? SSLCERT_FILE : null;
+ $sslcert_pass = defined('SSLCERT_PASS') ? SSLCERT_PASS : null;
+ $hresult = $GLOBALS["mapisession"]->logon($_SESSION["username"], $_SESSION["password"], DEFAULT_SERVER, $sslcert_file, $sslcert_pass);
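Review bot: The `error_log()` call added in login.php writes `$_POST["username"]` to the webserver error log unmodified; since this line exists to be consumed by fail2ban, a value containing CR/LF or other control characters can split the entry into additional lines that the filter then parses, and a missing field raises an undefined-index notice. Reduce the value to printable characters and guard it before logging, e.g. `$user = isset($_POST["username"]) ? preg_replace('/[^\x20-\x7e]/', '?', $_POST["username"]) : '-';` followed by `error_log('user '.$user.': authentication failure at MAPI');`. The replacement zarafa-7.1.11-webaccess-fail2ban.patch later in this series adds an `!empty()` guard but still logs the raw value, so the same applies there.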
diff --git a/zarafa-7.1.10-webaccess-mcrypt.patch b/zarafa-7.1.10-webaccess-mcrypt.patch
new file mode 100644
index 0000000..49bed4e
--- /dev/null
+++ b/zarafa-7.1.10-webaccess-mcrypt.patch
@@ -0,0 +1,58 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.10 which fixes the fix that fixes CVE-2014-0103. Ush,
+that was complicated, so: CVE-2014-0103 exists because Zarafa WebAccess < 7.1.10 and Zarafa WebApp < 1.6 storing passwords
+in cleartext on server (in the PHP session). Zarafa solved this flaw by using openssl_encrypt() and openssl_decrypt() from
+PHP's OpenSSL bindings. However these functions are only available in PHP 5.3 or later. Without this patch suggestion, any
+older but still supported Linux distribution like Red Hat Enterprise Linux 5 or SuSE Linux Enterprise Server 10 (which are
+both shipping PHP < 5.3 by default) would still be left vulnerable.
+
+Given that I am personally more a fan of OpenSSL rather mcrypt, I am not absolutely sure if this implementation is really
+correct even it works fine on my test system. So please explicitly review this code to avoid introducing another security
+flaw by trying to fix one! A thing that I generally question for myself is the usage of "des-ede3-cbc"/"MCRYPT_TRIPLEDES"
+instead of e.g. MCRYPT_RIJNDAEL_128. Given that this decision was initially made by Zarafa I am just following that here.
+
+Important: To get this patch really powerful the install-time requirement needs to be adapted like this (this example is
+based on Fedora's build system so the macros %{?rhel} and %{?fedora} might not exist at Zarafa but need to be replaced by
+other macros):
+
+%if 0%{?rhel}%{?fedora} < 6
+Requires: php-mcrypt
+%else
+Requires: php-openssl
+%endif
+
+This requires php-openssl (provided by php-common) on RHEL 6 (and later) and php-mcrypt (separate package) before RHEL 6.
+
+Proposed to upstream via e-mail on Thu, 5 Jun 2014 00:24:32 +0200, patch was put into the (non-disclosed) upstream ticket
+https://jira.zarafa.com/browse/ZCP-12407.
+
+--- zarafa-7.1.10/php-webclient-ajax/index.php 2014-05-23 15:56:38.000000000 +0200
++++ zarafa-7.1.10/php-webclient-ajax/index.php.webaccess-mcrypt 2014-06-05 00:08:18.000000000 +0200
+@@ -135,6 +135,8 @@
+ // if user has openssl module installed
+ if(function_exists("openssl_encrypt")) {
+ $_SESSION['password'] = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
++ } elseif(function_exists("mcrypt_encrypt")) {
++ $_SESSION['password'] = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
+ } else {
+ $_SESSION["password"] = $password;
+ }
+--- zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php 2014-05-23 15:56:38.000000000 +0200
++++ zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php.webaccess-mcrypt 2014-06-05 00:08:57.000000000 +0200
+@@ -132,6 +132,8 @@
+ if(is_string($username) && is_string($password)) {
+ if(function_exists("openssl_decrypt")) {
+ $password = openssl_decrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
++ } elseif(function_exists("mcrypt_decrypt")) {
++ $password = trim(mcrypt_decrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, base64_decode($password), MCRYPT_MODE_CBC, PASSWORD_IV));
+ }
+ // logon
+ $this->session = mapi_logon_zarafa($username, $password, $server, $sslcert_file, $sslcert_pass);
+@@ -139,6 +141,8 @@
+
+ if(function_exists("openssl_encrypt")) {
+ $password = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
++ } elseif(function_exists("mcrypt_encrypt")) {
++ $password = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
+ }
+
+ if ($result == NOERROR && $this->session !== false){
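Review bot: In the `mcrypt_decrypt` branch of class.mapisession.php the result goes through `trim()`, which strips every leading and trailing whitespace character (space, tab, CR, LF, vertical tab) as well as NUL, not only the zero-byte padding `mcrypt_encrypt()` appends; a password that legitimately starts or ends with whitespace is therefore altered before `mapi_logon_zarafa()` and the logon fails. `rtrim(mcrypt_decrypt(...), "\0")` removes only the padding (a password that itself ends in NUL bytes stays ambiguous under zero padding, which deserves a comment). Both mcrypt calls also rely on PASSWORD_KEY being 24 bytes and PASSWORD_IV 8 bytes for MCRYPT_TRIPLEDES in CBC mode; older mcrypt builds silently pad or truncate, so the constants' lengths should be confirmed where they are defined — not visible in this hunk.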
diff --git a/zarafa-7.1.11-gsoap-sslv3.patch b/zarafa-7.1.11-gsoap-sslv3.patch
new file mode 100644
index 0000000..e4875ee
--- /dev/null
+++ b/zarafa-7.1.11-gsoap-sslv3.patch
@@ -0,0 +1,20 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for zarafa >= 7.1.11 which removes the Zarafa-
+specific override/limitation that forces SSLv3-only SOAP connection between the Zarafa services.
+The pristine gSOAP library itself uses SSLv23_method() instead and thus allows TLSv1.0, TLSv1.1
+as well as TLSv1.2.
+
+Proposed to upstream via e-mail on Wed, 2 Apr 2014 11:35:40 +0200, initial patch was put into the
+upstream ticket Ticket#2014040210000266.
+
+--- zarafa-7.1.11/provider/common/SOAPSock.cpp 2014-09-03 10:45:06.000000000 +0200
++++ zarafa-7.1.11/provider/common/SOAPSock.cpp.gsoap-sslv3 2015-02-18 01:15:50.000000000 +0100
+@@ -162,9 +162,6 @@
+
+ lpCmd->endpoint = strdup(strServerPath.c_str());
+
+- // override the gsoap default v23 method to the force safer v3 only method.
+- lpCmd->soap->ctx = SSL_CTX_new(SSLv3_method());
+-
+ #ifdef WITH_OPENSSL
+ if (strncmp("https:", lpCmd->endpoint, 6) == 0) {
+ // no need to add certificates to call, since soap also calls SSL_CTX_set_default_verify_paths()
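Review bot: Removing the `SSLv3_method()` override leaves the protocol choice to the context gsoap creates (SSLv23_method, per the description), which negotiates the highest shared version but still accepts SSLv3 when the peer offers nothing better. If `lpCmd->soap->ctx` is already set up by gsoap at this point, `SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` would make the patch's intent explicit rather than a library default; if gsoap creates the context later (e.g. in soap_ssl_client_context), the option belongs there instead. The enclosing function starts and ends outside the hunk.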
diff --git a/zarafa-7.1.11-plaintext_auth_localhost.patch b/zarafa-7.1.11-plaintext_auth_localhost.patch
index 9b6aae0..c5fefd3 100644
--- a/zarafa-7.1.11-plaintext_auth_localhost.patch
+++ b/zarafa-7.1.11-plaintext_auth_localhost.patch
@@ -15,6 +15,9 @@ Important: The technical implementation of this patch might be not perfect as I
C++ developer. There should be a code review by an experienced C/C++ developer before merging into
Zarafa core.
+Proposed to upstream via e-mail on Thu, 16 Oct 2014 00:00:05 +0200, patch was put into the upstream
+ticket https://jira.zarafa.com/browse/ZCP-12473.
+
--- zarafa-7.1.11/gateway/IMAP.cpp 2014-09-03 10:45:06.000000000 +0200
+++ zarafa-7.1.11/gateway/IMAP.cpp.plaintext_auth_localhost 2014-09-24 01:29:10.000000000 +0200
@@ -757,7 +757,7 @@
diff --git a/zarafa-7.1.11-vacation-headers.patch b/zarafa-7.1.11-vacation-headers.patch
new file mode 100644
index 0000000..924ff1d
--- /dev/null
+++ b/zarafa-7.1.11-vacation-headers.patch
@@ -0,0 +1,32 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.11 which restricts replies by
+zarafa-autorespond to automated processes and mailing lists according to RFC 5230, section 4.6. For
+further details please have a look to http://tools.ietf.org/html/rfc5230#page-8 as well.
+
+Proposed to upstream via e-mail on Wed, 27 Aug 2014 23:30:31 +0200, patch was put into the upstream
+ticket https://jira.zarafa.com/browse/ZCP-12590.
+
+--- zarafa-7.1.11/spooler/DAgent.cpp 2014-08-24 12:27:06.000000000 +0200
++++ zarafa-7.1.11/spooler/DAgent.cpp.vacation-headers 2014-08-27 23:20:18.000000000 +0200
+@@ -1422,11 +1422,19 @@
+
+ // See if we're looping
+ if (lpMessageProps[0].ulPropTag == PR_TRANSPORT_MESSAGE_HEADERS_A) {
+- if ( (strstr(lpMessageProps[0].Value.lpszA, "X-Zarafa-Vacation:") != NULL) ||
+- (strstr(lpMessageProps[0].Value.lpszA, "Auto-Submitted:") != NULL) ||
+- (strstr(lpMessageProps[0].Value.lpszA, "Precedence:") != NULL) )
++ if ( (strstr(lpMessageProps[0].Value.lpszA, "X-Zarafa-Vacation:") != NULL) || // Zarafa
++ (strstr(lpMessageProps[0].Value.lpszA, "Auto-Submitted:") != NULL) || // RFC 3834
++ (strstr(lpMessageProps[0].Value.lpszA, "List-Id:") != NULL) || // RFC 2919
++ (strstr(lpMessageProps[0].Value.lpszA, "List-Help:") != NULL) || // RFC 2369
++ (strstr(lpMessageProps[0].Value.lpszA, "List-Subscribe:") != NULL) || // RFC 2369
++ (strstr(lpMessageProps[0].Value.lpszA, "List-Unsubscribe:") != NULL) || // RFC 2369
++ (strstr(lpMessageProps[0].Value.lpszA, "List-Post:") != NULL) || // RFC 2369
++ (strstr(lpMessageProps[0].Value.lpszA, "List-Owner:") != NULL) || // RFC 2369
++ (strstr(lpMessageProps[0].Value.lpszA, "List-Archive:") != NULL) || // RFC 2369
++ (strstr(lpMessageProps[0].Value.lpszA, "Precedence:") != NULL) ) // RFC 3834
+ // Vacation header already present, do not send vacation reply
+ // Precedence: list/bulk/junk, do not reply to these mails
++ // See also http://tools.ietf.org/html/rfc5230#page-8 for details
+ goto exit;
+ // save headers to a file so they can also be tested from the script we're runing
+ snprintf(szTemp, PATH_MAX, "%s/autorespond-headers.XXXXXX", getenv("TEMP") == NULL ? "/tmp" : getenv("TEMP"));
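Review bot: The nine `strstr()` tests, including the seven new List-* ones, match case-sensitively and anywhere in the header blob, whereas RFC 5322 field names are case-insensitive and only meaningful at the start of a line; `list-id:` or `precedence:` would not suppress the reply, while a Subject containing `List-Post:` would. The two original checks had the same shape, but extending the list is the moment to move the match into a small helper that walks line starts and compares with `strncasecmp()` (needs `<strings.h>`), then replace each `strstr(...) != NULL` with a call to it. The enclosing function starts and ends outside the hunk.
```cpp
// True when the RFC 5322 header block contains a field whose name matches lpszName
// (case-insensitive, matched only at the start of a line — RFC 5322 §1.2.2).
static bool HasHeaderField(const char *lpszHeaders, const char *lpszName)
{
	size_t cbName = strlen(lpszName);
	for (const char *lpszLine = lpszHeaders; lpszLine != NULL && *lpszLine != '\0'; ) {
		if (strncasecmp(lpszLine, lpszName, cbName) == 0)
			return true;
		lpszLine = strchr(lpszLine, '\n');
		if (lpszLine != NULL)
			++lpszLine;
	}
	return false;
}

	// … unchanged: loop check, with each strstr(lpMessageProps[0].Value.lpszA, "Name:") != NULL
	// replaced by HasHeaderField(lpMessageProps[0].Value.lpszA, "Name:") …
```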
diff --git a/zarafa-7.1.11-vacation-headers2.patch b/zarafa-7.1.11-vacation-headers2.patch
new file mode 100644
index 0000000..7fcae17
--- /dev/null
+++ b/zarafa-7.1.11-vacation-headers2.patch
@@ -0,0 +1,44 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.11 which adds anti-loop headers
+for automatic responses by zarafa-autorespond for Microsoft Exchange and all vacation(1) compatible
+implementations.
+
+For the Microsoft Exchange related part useful links are:
+ - http://msdn.microsoft.com/en-us/library/ee219609(v=exchg.80).aspx
+ - https://www.jitbit.com/maxblog/18-detecting-outlook-autoreplyout-of-office-emails-and-x-auto-response-suppress-header/
+
+For vacation(1) compatible implementations useful links are:
+ - http://www.daemon-systems.org/man/vacation.1.html
+ - Book "sendmail" (written by Bryan Costales, Claus Assmann, George Jansen, Gregory Neil Shapiro), ISBN 0596555342
+
+Proposed to upstream via e-mail on Wed, 27 Aug 2014 23:59:58 +0200, patch was put into the upstream
+ticket https://jira.zarafa.com/browse/ZCP-12591.
+
+--- zarafa-7.1.11/spooler/DAgent.cpp 2014-08-24 12:27:06.000000000 +0200
++++ zarafa-7.1.11/spooler/DAgent.cpp.vacation-headers2 2014-08-27 23:52:42.000000000 +0200
+@@ -1469,12 +1469,25 @@
+ if (hr != hrSuccess)
+ goto exit;
+
+- // add anti-loop header
++ // add anti-loop header for Zarafa
+ snprintf(szHeader, PATH_MAX, "\nX-Zarafa-Vacation: autorespond");
+ hr = WriteOrLogError(fd, szHeader, strlen(szHeader));
+ if (hr != hrSuccess)
+ goto exit;
+
++ // add anti-loop header for Exchange, see http://msdn.microsoft.com/en-us/library/ee219609(v=exchg.80).aspx
++ snprintf(szHeader, PATH_MAX, "\nX-Auto-Response-Suppress: All");
++ hr = WriteOrLogError(fd, szHeader, strlen(szHeader));
++ if (hr != hrSuccess)
++ goto exit;
++
++ // add anti-loop header for vacation(1) compatible implementations, see section 10.9 of book "sendmail" (written
++ // by Bryan Costales, Claus Assmann, George Jansen, Gregory Neil Shapiro), ISBN 0596555342
++ snprintf(szHeader, PATH_MAX, "\nPrecedence: bulk");
++ hr = WriteOrLogError(fd, szHeader, strlen(szHeader));
++ if (hr != hrSuccess)
++ goto exit;
++
+ if (lpMessageProps[3].ulPropTag == PR_SUBJECT_W) {
+ // convert as one string because of [] characters
+ swprintf(szwHeader, PATH_MAX, L"%ls [%ls]", szSubject, lpMessageProps[3].Value.lpszW);
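Review bot: The two new header writes repeat the existing three-step pattern (`snprintf` of a literal into `szHeader` bounded by `PATH_MAX`, `WriteOrLogError`, `goto exit`), although the strings contain no format directives and `PATH_MAX` describes a path buffer rather than `szHeader` (presumably equal here; the declaration is outside the hunk). A static array of the three anti-loop header literals written in one loop removes the copies and the needless snprintf pass, assuming `WriteOrLogError` accepts a `const char *`. The enclosing function starts and ends outside the hunk.
```cpp
	// anti-loop headers: Zarafa itself, Exchange (see http://msdn.microsoft.com/en-us/library/ee219609(v=exchg.80).aspx)
	// and vacation(1)-compatible implementations (Precedence: bulk, "sendmail" book section 10.9)
	static const char *const lpszAntiLoop[] = {
		"\nX-Zarafa-Vacation: autorespond",
		"\nX-Auto-Response-Suppress: All",
		"\nPrecedence: bulk",
	};
	for (size_t i = 0; i < sizeof(lpszAntiLoop) / sizeof(lpszAntiLoop[0]); ++i) {
		hr = WriteOrLogError(fd, lpszAntiLoop[i], strlen(lpszAntiLoop[i]));
		if (hr != hrSuccess)
			goto exit;
	}
	// … unchanged: subject handling (PR_SUBJECT_W) …
```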
diff --git a/zarafa-7.1.9-ssl_ecdhe.patch b/zarafa-7.1.9-ssl_ecdhe.patch
index f1a1a8e..6596637 100644
--- a/zarafa-7.1.9-ssl_ecdhe.patch
+++ b/zarafa-7.1.9-ssl_ecdhe.patch
@@ -22,6 +22,9 @@ by an experienced C/C++ and OpenSSL developer before merging into Zarafa core.
This patch should be only applied after ZCP-12143 and its dependencies. However this patch might maybe
not directly apply due to some previous merge issues as mentioned in Ticket#2014030810000131.
+Proposed to upstream via e-mail on Mon, 14 Apr 2014 12:04:17 +0200, patch was put into the upstream
+ticket https://jira.zarafa.com/browse/ZCP-12237.
+
--- zarafa-7.1.9/common/ECChannel.cpp 2014-04-13 23:46:59.000000000 +0200
+++ zarafa-7.1.9/common/ECChannel.cpp.ssl_ecdhe 2014-04-13 23:59:43.000000000 +0200
@@ -97,6 +97,9 @@
diff --git a/zarafa.spec b/zarafa.spec
index 13819dc..4bbf0e1 100644
--- a/zarafa.spec
+++ b/zarafa.spec
@@ -1,5 +1,5 @@
%global beta_or_rc 0
-%global actual_release 2
+%global actual_release 3
%global svnrevision 46050
%global with_search 1
%global with_ldap 1
@@ -60,6 +60,13 @@ Patch2: zarafa-7.1.10-kyotocabinet.patch
Patch3: zarafa-7.1.10-ssl_protocols_ciphers.patch
Patch4: zarafa-7.1.9-ssl_ecdhe.patch
Patch5: zarafa-7.1.11-plaintext_auth_localhost.patch
+Patch6: zarafa-7.1.10-imap-badcharset.patch
+Patch7: zarafa-7.1.10-imap-fetch-body.patch
+Patch8: zarafa-7.1.11-vacation-headers.patch
+Patch9: zarafa-7.1.11-vacation-headers2.patch
+Patch10: zarafa-7.1.10-webaccess-fail2ban.patch
+Patch11: zarafa-7.1.10-webaccess-mcrypt.patch
+Patch12: zarafa-7.1.11-gsoap-sslv3.patch
BuildRequires: bison
BuildRequires: gcc-c++
@@ -315,7 +322,7 @@ Group: Applications/Productivity
Requires: httpd, php-mapi = %{version}-%{release}
# Bug: php53 from RHEL 5 does not provide php (#717158)
%if 0%{?rhel} == 5
-Requires: mod_php >= 4.3
+Requires: mod_php >= 4.3, php-mcrypt
%else
Requires: php >= 4.3, php-openssl
%endif
@@ -391,6 +398,14 @@ touch -c -r aclocal.m4.rpath aclocal.m4
%patch3 -p1 -b .ssl_protocols_ciphers
%patch4 -p1 -b .ssl_ecdhe
%patch5 -p1 -b .disable_plaintext_auth-localhost
+%patch6 -p1 -b .imap-badcharset
+%patch7 -p1 -b .imap-fetch-body
+%patch8 -p1 -b .vacation-headers
+%patch9 -p1 -b .vacation-headers2
+%patch10 -p1 -b .webaccess-fail2ban
+%patch11 -p1 -b .webaccess-mcrypt
+rm -f php-webclient-ajax/{.,*,*/*}/*.webaccess-*
+%patch12 -p1 -b .gsoap-sslv3
%build
%if 0%{?rhel}%{?fedora} < 6
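Review bot: `rm -f php-webclient-ajax/{.,*,*/*}/*.webaccess-*` in %prep relies on shell brace expansion, which rpm's `/bin/sh` only provides where that shell is bash, and it hard-codes a two-level depth; `find php-webclient-ajax -name '*.webaccess-*' -delete` is portable and depth-independent. The files it removes are the backups requested by `-b .webaccess-fail2ban` and `-b .webaccess-mcrypt` on the two preceding %patch lines, presumably because that directory is installed wholesale and the backups would otherwise ship; dropping `-b` for just those two patches avoids creating them at all.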
@@ -725,7 +740,8 @@ fi
%files common
%defattr(-,root,root,-)
-%doc installer/licenseagreement/AGPL-3
+%{!?_licensedir:%global license %%doc}
+%license installer/licenseagreement/AGPL-3
%dir %{_sysconfdir}/%{name}/
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
@@ -934,6 +950,10 @@ fi
%{python_sitearch}/*
%changelog
+* Sun Feb 22 2015 Robert Scheck <robert at fedoraproject.org> 7.1.11-3
+- Added multiple minor enhancement and bugfix patches
+- Added patch to fix CVE-2014-0103 for PHP < 5.3 (#1073618)
+
* Sat Oct 25 2014 Kevin Kofler <Kevin at tigcc.ticalc.org> 7.1.11-2
- Rebuild for reference-counting-enabled clucene09
--
cgit v0.10.2
>From 860fae12508e25d020d8ee3e3762d34475280606 Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert at fedoraproject.org>
Date: Mon, 23 Feb 2015 00:58:12 +0100
Subject: Added minor bugfixes to two patches
diff --git a/zarafa-7.1.10-webaccess-fail2ban.patch b/zarafa-7.1.10-webaccess-fail2ban.patch
deleted file mode 100644
index b0bb26e..0000000
--- a/zarafa-7.1.10-webaccess-fail2ban.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.0 which logs authentication
-failures of Zarafa WebAccess into the error log of the webserver. This is basically a backport of
-https://jira.zarafa.com/browse/WA-6908 from WebApp to WebAccess. In difference to original patch
-there is no inappropriate space before a punctuation mark also known as "plenken".
-
-The second part of this patch is a backport of Zarafa WebApp 1.6 which ensures that authentication
-is only performed if username and password are filled. This avoids a) strange looking results of
-error_log() from the first part and b) reduces the possible risk of denial of service given that
-PHP is not connecting the Zarafa server if not really needed.
-
-I guess the usage of isset() rather !empty() was accidential because isset() is always true once
-the HTTP POST via the login formular happens.
-
-Proposed to upstream via e-mail on Wed, 13 Aug 2014 22:56:09 +0200, patch was put into the upstream
-ticket https://jira.zarafa.com/browse/ZCP-12543.
-
---- zarafa-7.1.10/php-webclient-ajax/client/login.php 2014-05-23 15:56:38.000000000 +0200
-+++ zarafa-7.1.10/php-webclient-ajax/client/login.php 2014-08-13 22:11:38.000000000 +0200
-@@ -86,6 +86,8 @@
- switch($_SESSION["hresult"]){
- case MAPI_E_LOGON_FAILED:
- case MAPI_E_UNCONFIGURED:
-+ // Print error message to error_log of webserver
-+ error_log('user '.$_POST["username"].': authentication failure at MAPI');
- echo _("Logon failed, please check your name/password.");
- break;
- case MAPI_E_NETWORK_ERROR:
---- zarafa-7.1.10/php-webclient-ajax/index.php 2014-05-23 15:56:38.000000000 +0200
-+++ zarafa-7.1.10/php-webclient-ajax/index.php 2014-08-13 22:11:11.000000000 +0200
-@@ -153,7 +153,7 @@
-
- // Create global mapi object. This object is used in many other files
- $GLOBALS["mapisession"] = new MAPISession();
-- if (isset($_SESSION["username"]) && isset($_SESSION["password"])) {
-+ if (!empty($_SESSION["username"]) && !empty($_SESSION["password"])) {
- $sslcert_file = defined('SSLCERT_FILE') ? SSLCERT_FILE : null;
- $sslcert_pass = defined('SSLCERT_PASS') ? SSLCERT_PASS : null;
- $hresult = $GLOBALS["mapisession"]->logon($_SESSION["username"], $_SESSION["password"], DEFAULT_SERVER, $sslcert_file, $sslcert_pass);
diff --git a/zarafa-7.1.10-webaccess-mcrypt.patch b/zarafa-7.1.10-webaccess-mcrypt.patch
deleted file mode 100644
index 49bed4e..0000000
--- a/zarafa-7.1.10-webaccess-mcrypt.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.10 which fixes the fix that fixes CVE-2014-0103. Ush,
-that was complicated, so: CVE-2014-0103 exists because Zarafa WebAccess < 7.1.10 and Zarafa WebApp < 1.6 storing passwords
-in cleartext on server (in the PHP session). Zarafa solved this flaw by using openssl_encrypt() and openssl_decrypt() from
-PHP's OpenSSL bindings. However these functions are only available in PHP 5.3 or later. Without this patch suggestion, any
-older but still supported Linux distribution like Red Hat Enterprise Linux 5 or SuSE Linux Enterprise Server 10 (which are
-both shipping PHP < 5.3 by default) would still be left vulnerable.
-
-Given that I am personally more a fan of OpenSSL rather mcrypt, I am not absolutely sure if this implementation is really
-correct even it works fine on my test system. So please explicitly review this code to avoid introducing another security
-flaw by trying to fix one! A thing that I generally question for myself is the usage of "des-ede3-cbc"/"MCRYPT_TRIPLEDES"
-instead of e.g. MCRYPT_RIJNDAEL_128. Given that this decision was initially made by Zarafa I am just following that here.
-
-Important: To get this patch really powerful the install-time requirement needs to be adapted like this (this example is
-based on Fedora's build system so the macros %{?rhel} and %{?fedora} might not exist at Zarafa but need to be replaced by
-other macros):
-
-%if 0%{?rhel}%{?fedora} < 6
-Requires: php-mcrypt
-%else
-Requires: php-openssl
-%endif
-
-This requires php-openssl (provided by php-common) on RHEL 6 (and later) and php-mcrypt (separate package) before RHEL 6.
-
-Proposed to upstream via e-mail on Thu, 5 Jun 2014 00:24:32 +0200, patch was put into the (non-disclosed) upstream ticket
-https://jira.zarafa.com/browse/ZCP-12407.
-
---- zarafa-7.1.10/php-webclient-ajax/index.php 2014-05-23 15:56:38.000000000 +0200
-+++ zarafa-7.1.10/php-webclient-ajax/index.php.webaccess-mcrypt 2014-06-05 00:08:18.000000000 +0200
-@@ -135,6 +135,8 @@
- // if user has openssl module installed
- if(function_exists("openssl_encrypt")) {
- $_SESSION['password'] = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
-+ } elseif(function_exists("mcrypt_encrypt")) {
-+ $_SESSION['password'] = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
- } else {
- $_SESSION["password"] = $password;
- }
---- zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php 2014-05-23 15:56:38.000000000 +0200
-+++ zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php.webaccess-mcrypt 2014-06-05 00:08:57.000000000 +0200
-@@ -132,6 +132,8 @@
- if(is_string($username) && is_string($password)) {
- if(function_exists("openssl_decrypt")) {
- $password = openssl_decrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
-+ } elseif(function_exists("mcrypt_decrypt")) {
-+ $password = trim(mcrypt_decrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, base64_decode($password), MCRYPT_MODE_CBC, PASSWORD_IV));
- }
- // logon
- $this->session = mapi_logon_zarafa($username, $password, $server, $sslcert_file, $sslcert_pass);
-@@ -139,6 +141,8 @@
-
- if(function_exists("openssl_encrypt")) {
- $password = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
-+ } elseif(function_exists("mcrypt_encrypt")) {
-+ $password = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
- }
-
- if ($result == NOERROR && $this->session !== false){
diff --git a/zarafa-7.1.11-webaccess-fail2ban.patch b/zarafa-7.1.11-webaccess-fail2ban.patch
new file mode 100644
index 0000000..3c2b5c3
--- /dev/null
+++ b/zarafa-7.1.11-webaccess-fail2ban.patch
@@ -0,0 +1,21 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.11 which logs authentication
+failures of Zarafa WebAccess into the error log of the webserver. This is basically a backport of
+https://jira.zarafa.com/browse/WA-6908 from WebApp to WebAccess. In difference to original patch
+there is no inappropriate space before a punctuation mark also known as "plenken".
+
+Proposed to upstream via e-mail on Wed, 13 Aug 2014 22:56:09 +0200, initial patch was put into the
+upstream ticket https://jira.zarafa.com/browse/ZCP-12543.
+
+--- zarafa-7.1.11/php-webclient-ajax/client/login.php 2014-09-03 10:45:06.000000000 +0200
++++ zarafa-7.1.11/php-webclient-ajax/client/login.php 2015-02-18 01:08:13.000000000 +0100
+@@ -86,6 +86,10 @@
+ switch($_SESSION["hresult"]){
+ case MAPI_E_LOGON_FAILED:
+ case MAPI_E_UNCONFIGURED:
++ // Print error message to error_log of webserver
++ if (!empty($_POST["username"])) {
++ error_log('user '.$_POST["username"].': authentication failure at MAPI');
++ }
+ echo _("Logon failed, please check your name/password.");
+ break;
+ case MAPI_E_NETWORK_ERROR:
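Review bot: The username written by `error_log('user '.$_POST["username"].': authentication failure at MAPI')` goes into the log verbatim from the POST body, so control characters in it (a newline above all) can split the one-line-per-event format a fail2ban filter matches on, and a non-string value such as `username[]=x` is logged as the literal text `Array` after a PHP notice. Since the sole purpose of the patch is to produce lines for fail2ban, the guard and the log call should only accept a string and strip control characters from it: `if (!empty($_POST["username"]) && is_string($_POST["username"])) {` followed by `error_log('user '.preg_replace('/[\x00-\x1f\x7f]/', '?', $_POST["username"]).': authentication failure at MAPI');`. The comment `// Print error message to error_log of webserver` could also state that the exact wording is consumed by a fail2ban filter so nobody rephrases it later, and that the client address is expected to come from the webserver's own log prefix rather than from this line. The enclosing switch continues outside the hunk.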
diff --git a/zarafa-7.1.11-webaccess-mcrypt.patch b/zarafa-7.1.11-webaccess-mcrypt.patch
new file mode 100644
index 0000000..56b5274
--- /dev/null
+++ b/zarafa-7.1.11-webaccess-mcrypt.patch
@@ -0,0 +1,58 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.10 which fixes the fix that fixes CVE-2014-0103. Ush,
+that was complicated, so: CVE-2014-0103 exists because Zarafa WebAccess < 7.1.10 and Zarafa WebApp < 1.6 storing passwords
+in cleartext on server (in the PHP session). Zarafa solved this flaw by using openssl_encrypt() and openssl_decrypt() from
+PHP's OpenSSL bindings. However these functions are only available in PHP 5.3 or later. Without this patch suggestion, any
+older but still supported Linux distribution like Red Hat Enterprise Linux 5 or SuSE Linux Enterprise Server 10 (which are
+both shipping PHP < 5.3 by default) would still be left vulnerable.
+
+Given that I am personally more a fan of OpenSSL rather mcrypt, I am not absolutely sure if this implementation is really
+correct even it works fine on my test system. So please explicitly review this code to avoid introducing another security
+flaw by trying to fix one! A thing that I generally question for myself is the usage of "des-ede3-cbc"/"MCRYPT_TRIPLEDES"
+instead of e.g. MCRYPT_RIJNDAEL_128. Given that this decision was initially made by Zarafa I am just following that here.
+
+Important: To get this patch really powerful the install-time requirement needs to be adapted like this (this example is
+based on Fedora's build system so the macros %{?rhel} and %{?fedora} might not exist at Zarafa but need to be replaced by
+other macros):
+
+%if 0%{?rhel}%{?fedora} < 6
+Requires: php-mcrypt
+%else
+Requires: php-openssl
+%endif
+
+This requires php-openssl (provided by php-common) on RHEL 6 (and later) and php-mcrypt (separate package) before RHEL 6.
+
+Proposed to upstream via e-mail on Thu, 5 Jun 2014 00:24:32 +0200, initial patch was put into the (non-disclosed) upstream
+ticket https://jira.zarafa.com/browse/ZCP-12407.
+
+--- zarafa-7.1.10/php-webclient-ajax/index.php 2014-05-23 15:56:38.000000000 +0200
++++ zarafa-7.1.10/php-webclient-ajax/index.php.webaccess-mcrypt 2014-06-05 00:08:18.000000000 +0200
+@@ -135,6 +135,8 @@
+ // if user has openssl module installed
+ if(function_exists("openssl_encrypt")) {
+ $_SESSION['password'] = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
++ } elseif(function_exists("mcrypt_encrypt")) {
++ $_SESSION['password'] = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
+ } else {
+ $_SESSION["password"] = $password;
+ }
+--- zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php 2014-05-23 15:56:38.000000000 +0200
++++ zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php.webaccess-mcrypt 2014-06-05 00:08:57.000000000 +0200
+@@ -132,6 +132,8 @@
+ if(is_string($username) && is_string($password)) {
+ if(function_exists("openssl_decrypt")) {
+ $password = openssl_decrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
++ } elseif(function_exists("mcrypt_decrypt")) {
++ $password = rtrim(mcrypt_decrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, base64_decode($password), MCRYPT_MODE_CBC, PASSWORD_IV), "\0");
+ }
+ // logon
+ $this->session = mapi_logon_zarafa($username, $password, $server, $sslcert_file, $sslcert_pass);
+@@ -139,6 +141,8 @@
+
+ if(function_exists("openssl_encrypt")) {
+ $password = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
++ } elseif(function_exists("mcrypt_encrypt")) {
++ $password = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
+ }
+
+ if ($result == NOERROR && $this->session !== false){
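Review bot: Both encrypt branches (`index.php` and the second `class.mapisession.php` hunk) pass the result of `mcrypt_encrypt()` straight to `base64_encode()` without checking for `false`; mcrypt returns `false` with a warning when it cannot open the cipher and, on PHP >= 5.6, when the key or IV length does not match what 3DES expects, and `base64_encode(false)` is an empty string, so a misconfigured PASSWORD_KEY/PASSWORD_IV (defined outside this hunk, so their sizes cannot be checked here) would surface only as an unexplained logon failure later. A two-line form makes the failure visible: `$enc = mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV);` then `$_SESSION['password'] = ($enc === false) ? false : base64_encode($enc);`, with an `error_log()` of the condition where the project's style allows it. It is also worth a comment next to `rtrim(..., "\0")` that mcrypt zero-pads while `openssl_encrypt()` applies PKCS#7 padding, so a session value written by one branch is not readable by the other; that is harmless while one PHP build always takes the same branch, but a reader comparing the two branches will otherwise assume they are interchangeable.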
--
cgit v0.10.2
>From 423e99d9b3c7f0a134494c7853150fbd0a5d6efc Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert at fedoraproject.org>
Date: Fri, 6 Mar 2015 00:37:52 +0100
Subject: Added small security enhancement
diff --git a/zarafa-7.1.11-gsoap-sslv3.patch b/zarafa-7.1.11-gsoap-sslv3.patch
index e4875ee..877b0e1 100644
--- a/zarafa-7.1.11-gsoap-sslv3.patch
+++ b/zarafa-7.1.11-gsoap-sslv3.patch
@@ -1,13 +1,14 @@
Patch by Robert Scheck <robert at fedoraproject.org> for zarafa >= 7.1.11 which removes the Zarafa-
specific override/limitation that forces SSLv3-only SOAP connection between the Zarafa services.
The pristine gSOAP library itself uses SSLv23_method() instead and thus allows TLSv1.0, TLSv1.1
-as well as TLSv1.2.
+as well as TLSv1.2. Disable SSLv2 and SSLv3 as well as TLS compression explicitly; similar like
+the Zarafa Outlook Client which meanwhile only allows TLSv1.0 (and better).
Proposed to upstream via e-mail on Wed, 2 Apr 2014 11:35:40 +0200, initial patch was put into the
upstream ticket Ticket#2014040210000266.
--- zarafa-7.1.11/provider/common/SOAPSock.cpp 2014-09-03 10:45:06.000000000 +0200
-+++ zarafa-7.1.11/provider/common/SOAPSock.cpp.gsoap-sslv3 2015-02-18 01:15:50.000000000 +0100
++++ zarafa-7.1.11/provider/common/SOAPSock.cpp.gsoap-sslv3 2015-03-04 00:28:25.000000000 +0100
@@ -162,9 +162,6 @@
lpCmd->endpoint = strdup(strServerPath.c_str());
@@ -18,3 +19,18 @@ upstream ticket Ticket#2014040210000266.
#ifdef WITH_OPENSSL
if (strncmp("https:", lpCmd->endpoint, 6) == 0) {
// no need to add certificates to call, since soap also calls SSL_CTX_set_default_verify_paths()
+@@ -188,6 +185,14 @@
+ lpCmd->soap->fsslverify = ssl_verify_callback_zarafa_silent;
+
+ SSL_CTX_set_verify(lpCmd->soap->ctx, SSL_VERIFY_PEER, lpCmd->soap->fsslverify);
++
++ // disable SSLv2 (according to RFC 6176) and SSLv3, leaving just TLSv1.0 (and better)
++ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
++
++#ifdef SSL_OP_NO_COMPRESSION
++ // disable TLS compression to close the CRIME attack vector (also known as CVE-2012-4929)
++ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_COMPRESSION);
++#endif
+ }
+ #endif
+
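Review bot: The added `SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)` only yields "TLSv1.0 (and better)" if `ctx` was created with a version-flexible method, which the earlier hunk of this patch file (`@@ -162,9 +162,6 @@`, removing the `SSLv3_method()` override) appears to provide; nothing in this hunk records that dependency, so a comment such as `// ctx is gSOAP's SSLv23_method() context; the protocol floor is set only via option bits below` would stop a future reader from re-introducing a fixed-version method. Whether gSOAP re-creates `ctx` later in the connection setup, which would silently drop these option bits, is not visible here and is worth confirming against the surrounding code; if it does, the options belong after that call. The enclosing `if (strncmp("https:", ...))` block starts outside the hunk.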
--
cgit v0.10.2
>From 384c0c36e17e9c2e98393126257100ddfdf35f70 Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert at fedoraproject.org>
Date: Fri, 6 Mar 2015 00:39:02 +0100
Subject: Update patch file names also in spec file
diff --git a/zarafa.spec b/zarafa.spec
index 4bbf0e1..e14ac54 100644
--- a/zarafa.spec
+++ b/zarafa.spec
@@ -64,8 +64,8 @@ Patch6: zarafa-7.1.10-imap-badcharset.patch
Patch7: zarafa-7.1.10-imap-fetch-body.patch
Patch8: zarafa-7.1.11-vacation-headers.patch
Patch9: zarafa-7.1.11-vacation-headers2.patch
-Patch10: zarafa-7.1.10-webaccess-fail2ban.patch
-Patch11: zarafa-7.1.10-webaccess-mcrypt.patch
+Patch10: zarafa-7.1.11-webaccess-fail2ban.patch
+Patch11: zarafa-7.1.11-webaccess-mcrypt.patch
Patch12: zarafa-7.1.11-gsoap-sslv3.patch
BuildRequires: bison
--
cgit v0.10.2
>From c7ecef187edd7fa348ed6ad7ca11525806461993 Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert at fedoraproject.org>
Date: Wed, 18 Mar 2015 13:17:27 +0100
Subject: Handle "su" option in logrotate >= 3.8.0 to avoid errors
diff --git a/zarafa.spec b/zarafa.spec
index e14ac54..4fc0f9a 100644
--- a/zarafa.spec
+++ b/zarafa.spec
@@ -488,6 +488,10 @@ done
# Move the logrotate configuration file to its correct place
install -p -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/%{name}
+%if 0%{?fedora} >= 16 || 0%{?rhel} >= 7
+sed -e 's/}/\tsu root root\n}/' -i $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/%{name}
+touch -c -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/%{name}
+%endif
# Move the userscripts to their correct place and symlink them
mkdir -p $RPM_BUILD_ROOT%{_datadir}/%{name}/userscripts/
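Review bot: The `sed -e 's/}/\tsu root root\n}/' -i ...` rewrite inserts the directive before the first `}` on every line of the logrotate file, so it relies on %{SOURCE2} containing exactly one closing brace per stanza and none inside a postrotate/endscript block; neither can be verified from this hunk, and a stray brace would produce a second `su` line and a logrotate parse error. Anchoring the match to a brace at line start, `sed -e 's/^}/\tsu root root\n}/' -i $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/%{name}`, limits the edit to stanza terminators. Separately, logrotate >= 3.8.0 checks that the log directory is owned by the user it rotates as, so `su root root` may not be enough if the directory is owned by the service account; in that case the directive has to name the actual owner (`su <log-owner> <log-group>`), which should be checked against the %files/%attr ownership of the log directory outside this hunk.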
@@ -953,6 +957,7 @@ fi
* Sun Feb 22 2015 Robert Scheck <robert at fedoraproject.org> 7.1.11-3
- Added multiple minor enhancement and bugfix patches
- Added patch to fix CVE-2014-0103 for PHP < 5.3 (#1073618)
+- Handle "su" option in logrotate >= 3.8.0 to avoid errors
* Sat Oct 25 2014 Kevin Kofler <Kevin at tigcc.ticalc.org> 7.1.11-2
- Rebuild for reference-counting-enabled clucene09
--
cgit v0.10.2
>From 17841d83c9a5d875bf788bed28173e1a621c7d68 Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert at fedoraproject.org>
Date: Tue, 7 Apr 2015 20:37:32 +0200
Subject: Upgrade to 7.1.12
diff --git a/sources b/sources
index cfbf649..4a70ced 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-7317dd7889303abbbd30e39f04771f10 zcp-7.1.11.tar.gz
+98ceed8b35a68bba669aecccbc7b1f43 zcp-7.1.12.tar.gz
diff --git a/zarafa-7.1.10-ssl_protocols_ciphers.patch b/zarafa-7.1.10-ssl_protocols_ciphers.patch
deleted file mode 100644
index 876df60..0000000
--- a/zarafa-7.1.10-ssl_protocols_ciphers.patch
+++ /dev/null
@@ -1,449 +0,0 @@
-Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.10 which implements much more
-fine granulated configuration settings for SSL/TLS protocol and cipher enabling and disabling. The
-currently available "ssl_enable_v2" setting allows either to disable SSLv2 (and enables SSLv3 only
-instead) or to enable all, thus SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 (TLSv1.1 and TLSv1.2 only
-if Zarafa was linked against OpenSSL 1.0.1 or later). Since SSLv2 has known protocol weaknesses it
-never should be enabled - but for Zarafa it currently must be enabled to support TLSv1 and better.
-
-This patch introduces the new setting "ssl_protocols" which replaces "ssl_enable_v2". The default
-is "!SSLv2" to simply disable SSLv2 by default. The setting can be filled either with SSL protocols
-that shall be enabled and/or disabled, e.g. "SSLv3 TLSv1" or "!SSLv2 !SSLv3". However only the more
-usual disable/exclude option should be used as this does not exclude future protocols by default.
-
-Further this patch introduces the completely new setting "ssl_ciphers". This one allows to set SSL
-cipher suites. Right now, all SSL ciphers are accepted which is just weak or might Zarafa even make
-even vulnerable to known SSL attacks. The German Federal Office for Information Security (BSI) says
-that RC4 should not be used anymore - but Zarafa does it by default. And without this patch there
-is also no way for Zarafa administrators to avoid that. Indeed this setting has the risk to get the
-administrators ending up in a cipher mismatch between different systems but this new setting still
-could be declared as officially unsupported and only for the brave ones who know what they do. Thus
-the default is already set to something less weak than before but still below BSI recommendations.
-
-Finally this patch introduces the also new setting "ssl_prefer_server_ciphers". It does what it is
-named after: When choosing a cipher during an SSL/TLS handshake, normally the client's preference
-is used. If this setting is enabled, the server's preference will be used instead. This comes handy
-to administrators for strange cipher orderings required for special configurations and clients - or
-new weaknesses where workarounds are required for the time being.
-
-Testing: Configure zarafa-gateway, zarafa-ical and zarafa-server for cleartext and SSL as usual.
-Try to login via POP3S, IMAPS, CalDAV-SSL and MAPI in SOAP over HTTPS. Change SSL protocols and the
-ciphers to something more weak ("SSLv2" and "LOW") or to something more strong ("TLSv1.2" and e.g.
-"HIGH"). During all my tests I did not figure out any newly introduced issue or Zarafa breakage.
-
-Important: The technical implementation of this patch might be not perfect as I am not really a C/
-C++ developer. The logic and the implementation is heavily based on Dovecot, Postfix and hints from
-https://docs.fedoraproject.org/en-US/Fedora_Security_Team/html/Defensive_Coding/. There should be
-a code review and code clean up by an experienced C/C++ developer before merging into Zarafa core.
-
-This patch should be only applied in conjuction with the POP3 RESP-CODES and AUTH-RESP-CODE patch,
-the POP3 CAPA (CAPABILITIES) patch as well as the POP3 STLS (STARTTLS) patch applied before.
-
-Proposed to upstream via e-mail on Sat, 8 Mar 2014 14:30:29 +0100, patch was put into the upstream
-ticket https://jira.zarafa.com/browse/ZCP-12143.
-
---- zarafa-7.1.10/caldav/CalDAV.cpp 2014-05-23 15:56:36.000000000 +0200
-+++ zarafa-7.1.10/caldav/CalDAV.cpp.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -220,7 +220,9 @@
- { "log_timestamp", "1" },
- { "ssl_private_key_file", "/etc/zarafa/ical/privkey.pem" },
- { "ssl_certificate_file", "/etc/zarafa/ical/cert.pem" },
-- { "ssl_enable_v2", "no" },
-+ { "ssl_protocols", "!SSLv2" },
-+ { "ssl_ciphers", "ALL:!LOW:!SSLv2:!EXP:!aNULL" },
-+ { "ssl_prefer_server_ciphers", "no" },
- { "ssl_verify_client", "no" },
- { "ssl_verify_file", "" },
- { "ssl_verify_path", "" },
---- zarafa-7.1.10/common/ECChannel.cpp 2014-05-23 15:56:36.000000000 +0200
-+++ zarafa-7.1.10/common/ECChannel.cpp.rsc 2014-08-12 19:48:00.000000000 +0200
-@@ -92,6 +92,11 @@
- HRESULT hr = hrSuccess;
- char *szFile = NULL;
- char *szPath = NULL;
-+ char *ssl_protocols = strdup(lpConfig->GetSetting("ssl_protocols"));
-+ char *ssl_ciphers = lpConfig->GetSetting("ssl_ciphers");
-+ char *ssl_name;
-+ int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
-+ bool ssl_neg;
-
- if (lpConfig == NULL) {
- hr = MAPI_E_CALL_FAILED;
-@@ -107,11 +112,79 @@
- SSL_load_error_strings();
- lpCTX = SSL_CTX_new(SSLv23_server_method());
- SSL_CTX_set_options(lpCTX, SSL_OP_ALL);
-- SSL_CTX_set_default_verify_paths(lpCTX);
-
-- // disable SSLv2 support
-- if (!parseBool(lpConfig->GetSetting("ssl_enable_v2", "", "no")))
-- SSL_CTX_set_options(lpCTX, SSL_OP_NO_SSLv2);
-+ ssl_name = strtok(ssl_protocols, " ");
-+ while(ssl_name != NULL) {
-+ if (*ssl_name != '!')
-+ ssl_neg = FALSE;
-+ else {
-+ ssl_name++;
-+ ssl_neg = TRUE;
-+ }
-+
-+ if (strcasecmp(ssl_name, SSL_TXT_SSLV2) == 0)
-+ ssl_proto = 0x01;
-+ else if (strcasecmp(ssl_name, SSL_TXT_SSLV3) == 0)
-+ ssl_proto = 0x02;
-+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1) == 0)
-+ ssl_proto = 0x04;
-+#ifdef SSL_TXT_TLSV1_1
-+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_1) == 0)
-+ ssl_proto = 0x08;
-+#endif
-+#ifdef SSL_TXT_TLSV1_2
-+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_2) == 0)
-+ ssl_proto = 0x10;
-+#endif
-+ else {
-+ lpLogger->Log(EC_LOGLEVEL_ERROR, "Unknown protocol '%s' in ssl_protocols setting", ssl_name);
-+ hr = MAPI_E_CALL_FAILED;
-+ goto exit;
-+ }
-+
-+ if (ssl_neg)
-+ ssl_exclude |= ssl_proto;
-+ else
-+ ssl_include |= ssl_proto;
-+
-+ ssl_name = strtok(NULL, " ");
-+ }
-+
-+ if (ssl_include != 0) {
-+ // Exclude everything, except those that are included (and let excludes still override those)
-+ ssl_exclude |= 0x1f & ~ssl_include;
-+ }
-+
-+ if ((ssl_exclude & 0x01) != 0)
-+ ssl_op |= SSL_OP_NO_SSLv2;
-+ if ((ssl_exclude & 0x02) != 0)
-+ ssl_op |= SSL_OP_NO_SSLv3;
-+ if ((ssl_exclude & 0x04) != 0)
-+ ssl_op |= SSL_OP_NO_TLSv1;
-+#ifdef SSL_OP_NO_TLSv1_1
-+ if ((ssl_exclude & 0x08) != 0)
-+ ssl_op |= SSL_OP_NO_TLSv1_1;
-+#endif
-+#ifdef SSL_OP_NO_TLSv1_2
-+ if ((ssl_exclude & 0x10) != 0)
-+ ssl_op |= SSL_OP_NO_TLSv1_2;
-+#endif
-+
-+ if (ssl_protocols) {
-+ SSL_CTX_set_options(lpCTX, ssl_op);
-+ }
-+
-+ if (ssl_ciphers && SSL_CTX_set_cipher_list(lpCTX, ssl_ciphers) != 1) {
-+ lpLogger->Log(EC_LOGLEVEL_ERROR, "Can not set SSL cipher list to '%s': %s", ssl_ciphers, ERR_error_string(ERR_get_error(), 0));
-+ hr = MAPI_E_CALL_FAILED;
-+ goto exit;
-+ }
-+
-+ if (parseBool(lpConfig->GetSetting("ssl_prefer_server_ciphers"))) {
-+ SSL_CTX_set_options(lpCTX, SSL_OP_CIPHER_SERVER_PREFERENCE);
-+ }
-+
-+ SSL_CTX_set_default_verify_paths(lpCTX);
-
- if (SSL_CTX_use_certificate_chain_file(lpCTX, lpConfig->GetSetting("ssl_certificate_file")) != 1) {
- lpLogger->Log(EC_LOGLEVEL_ERROR, "SSL CTX certificate file error: %s", ERR_error_string(ERR_get_error(), 0));
---- zarafa-7.1.10/doc/manual.xml 2014-05-23 15:01:13.000000000 +0200
-+++ zarafa-7.1.10/doc/manual.xml.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -4226,11 +4226,33 @@
- </varlistentry>
-
- <varlistentry>
-- <term><option>server_ssl_enable_v2</option></term>
-+ <term><option>server_ssl_protocols</option></term>
- <listitem>
-- <para>Incoming SSL connections normally are v3.</para>
-- <para>Default: <replaceable>no</replaceable>
-- </para>
-+ <para>Disabled or enabled protocol names. Supported protocol names
-+ are <replaceable>SSLv2</replaceable>, <replaceable>SSLv3</replaceable>
-+ and <replaceable>TLSv1</replaceable>. If Zarafa was linked against
-+ OpenSSL 1.0.1 or later there is additional support for the new protocols
-+ <replaceable>TLSv1.1</replaceable> and <replaceable>TLSv1.2</replaceable>.
-+ To exclude both, SSLv2 and SSLv3 set <option>server_ssl_protocols</option>
-+ to <replaceable>!SSLv2 !SSLv3</replaceable>. SSLv2 is considered unsafe
-+ and these connections should not be accepted.</para>
-+ <para>Default: <replaceable>!SSLv2</replaceable></para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term><option>server_ssl_ciphers</option></term>
-+ <listitem>
-+ <para>SSL ciphers to use, set to <replaceable>ALL</replaceable> for backward compatibility.</para>
-+ <para>Default: <replaceable>ALL:!LOW:!SSLv2:!EXP:!aNULL</replaceable></para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term><option>server_ssl_prefer_server_ciphers</option></term>
-+ <listitem>
-+ <para>Prefer the server's order of SSL ciphers over client's.</para>
-+ <para>Default: <replaceable>no</replaceable></para>
- </listitem>
- </varlistentry>
-
-@@ -8070,11 +8092,32 @@
- </varlistentry>
-
- <varlistentry>
-- <term><option>ssl_enable_v2</option></term>
-+ <term><option>ssl_protocols</option></term>
-+ <listitem>
-+ <para>Disabled or enabled protocol names. Supported protocol names
-+ are <replaceable>SSLv2</replaceable>, <replaceable>SSLv3</replaceable>
-+ and <replaceable>TLSv1</replaceable>. If Zarafa was linked against
-+ OpenSSL 1.0.1 or later there is additional support for the new protocols
-+ <replaceable>TLSv1.1</replaceable> and <replaceable>TLSv1.2</replaceable>.
-+ To exclude both, SSLv2 and SSLv3 set <option>ssl_protocols</option>
-+ to <replaceable>!SSLv2 !SSLv3</replaceable>. SSLv2 is considered unsafe
-+ and these connections should not be accepted.</para>
-+ <para>Default: <replaceable>!SSLv2</replaceable></para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term><option>ssl_ciphers</option></term>
-+ <listitem>
-+ <para>SSL ciphers to use, set to <replaceable>ALL</replaceable> for backward compatibility.</para>
-+ <para>Default: <replaceable>ALL:!LOW:!SSLv2:!EXP:!aNULL</replaceable></para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term><option>ssl_prefer_server_ciphers</option></term>
- <listitem>
-- <para>Accept SSLv2 only connections. SSLv2 is considered
-- unsafe, and these connections should not be
-- accepted.</para>
-+ <para>Prefer the server's order of SSL ciphers over client's.</para>
- <para>Default: <replaceable>no</replaceable></para>
- </listitem>
- </varlistentry>
-@@ -10075,11 +10118,32 @@
- </varlistentry>
-
- <varlistentry>
-- <term><option>ssl_enable_v2</option></term>
-+ <term><option>ssl_protocols</option></term>
-+ <listitem>
-+ <para>Disabled or enabled protocol names. Supported protocol names
-+ are <replaceable>SSLv2</replaceable>, <replaceable>SSLv3</replaceable>
-+ and <replaceable>TLSv1</replaceable>. If Zarafa was linked against
-+ OpenSSL 1.0.1 or later there is additional support for the new protocols
-+ <replaceable>TLSv1.1</replaceable> and <replaceable>TLSv1.2</replaceable>.
-+ To exclude both, SSLv2 and SSLv3 set <option>ssl_protocols</option>
-+ to <replaceable>!SSLv2 !SSLv3</replaceable>. SSLv2 is considered unsafe
-+ and these connections should not be accepted.</para>
-+ <para>Default: <replaceable>!SSLv2</replaceable></para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term><option>ssl_ciphers</option></term>
-+ <listitem>
-+ <para>SSL ciphers to use, set to <replaceable>ALL</replaceable> for backward compatibility.</para>
-+ <para>Default: <replaceable>ALL:!LOW:!SSLv2:!EXP:!aNULL</replaceable></para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term><option>ssl_prefer_server_ciphers</option></term>
- <listitem>
-- <para>Accept SSLv2 only connections. SSLv2 is considered
-- unsafe, and these connections should not be
-- accepted.</para>
-+ <para>Prefer the server's order of SSL ciphers over client's.</para>
- <para>Default: <replaceable>no</replaceable></para>
- </listitem>
- </varlistentry>
---- zarafa-7.1.10/gateway/Gateway.cpp 2014-05-23 15:56:37.000000000 +0200
-+++ zarafa-7.1.10/gateway/Gateway.cpp.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -365,7 +365,9 @@
- { "ssl_verify_client", "no" },
- { "ssl_verify_file", "" },
- { "ssl_verify_path", "" },
-- { "ssl_enable_v2", "no" },
-+ { "ssl_protocols", "!SSLv2" },
-+ { "ssl_ciphers", "ALL:!LOW:!SSLv2:!EXP:!aNULL" },
-+ { "ssl_prefer_server_ciphers", "no" },
- { "log_method", "file" },
- { "log_file", "-" },
- { "log_level", "2", CONFIGSETTING_RELOADABLE },
---- zarafa-7.1.10/installer/linux/gateway.cfg 2014-05-23 15:03:19.000000000 +0200
-+++ zarafa-7.1.10/installer/linux/gateway.cfg.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -84,8 +84,14 @@
- ssl_verify_file =
- ssl_verify_path =
-
--# Accept SSLv2 only incoming connections
--ssl_enable_v2 = no
-+# SSL protocols to use, set to '!SSLv2' for 'ssl_enable_v2 = no'
-+ssl_protocols = !SSLv2
-+
-+# SSL ciphers to use, set to 'ALL' for backward compatibility
-+ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
-+
-+# Prefer the server's order of SSL ciphers over client's
-+ssl_prefer_server_ciphers = no
-
- # Process model, using pthreads (thread) or processes (fork)
- process_model = fork
---- zarafa-7.1.10/installer/linux/ical.cfg 2014-05-23 15:03:19.000000000 +0200
-+++ zarafa-7.1.10/installer/linux/ical.cfg.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -66,8 +66,14 @@
- ssl_verify_file =
- ssl_verify_path =
-
--# Accept SSLv2 only incoming connections
--ssl_enable_v2 = no
-+# SSL protocols to use, set to '!SSLv2' for 'ssl_enable_v2 = no'
-+ssl_protocols = !SSLv2
-+
-+# SSL ciphers to use, set to 'ALL' for backward compatibility
-+ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
-+
-+# Prefer the server's order of SSL ciphers over client's
-+ssl_prefer_server_ciphers = no
-
- ##############################################################
- # OTHER ICAL SETTINGS
---- zarafa-7.1.10/installer/linux/server.cfg 2014-05-23 15:03:19.000000000 +0200
-+++ zarafa-7.1.10/installer/linux/server.cfg.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -154,8 +154,14 @@
- # Path with CA certificates, e.g. /etc/ssl/certs
- server_ssl_ca_path =
-
--# Accept SSLv2 only connections. Normally v3 connections are used.
--server_ssl_enable_v2 = no
-+# SSL protocols to use, set to '!SSLv2' for 'server_ssl_enable_v2 = no'
-+server_ssl_protocols = !SSLv2
-+
-+# SSL ciphers to use, set to 'ALL' for backward compatibility
-+server_ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
-+
-+# Prefer the server's order of SSL ciphers over client's
-+server_ssl_prefer_server_ciphers = no
-
- # Path of SSL Public keys of clients
- sslkeys_path = /etc/zarafa/sslkeys
---- zarafa-7.1.10/provider/server/ECServer.cpp 2014-05-23 15:56:37.000000000 +0200
-+++ zarafa-7.1.10/provider/server/ECServer.cpp.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -919,7 +919,9 @@
- { "server_ssl_key_pass", "server", CONFIGSETTING_EXACT },
- { "server_ssl_ca_file", "/etc/zarafa/ssl/cacert.pem" },
- { "server_ssl_ca_path", "" },
-- { "server_ssl_enable_v2", "no" },
-+ { "server_ssl_protocols", "!SSLv2" },
-+ { "server_ssl_ciphers", "ALL:!LOW:!SSLv2:!EXP:!aNULL" },
-+ { "server_ssl_prefer_server_ciphers", "no" },
- { "sslkeys_path", "/etc/zarafa/sslkeys" }, // login keys
- // Database options
- { "database_engine", "mysql" },
---- zarafa-7.1.10/provider/server/ECSoapServerConnection.cpp 2014-05-23 15:56:37.000000000 +0200
-+++ zarafa-7.1.10/provider/server/ECSoapServerConnection.cpp.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -240,6 +240,11 @@
- ECRESULT er = erSuccess;
- int socket = SOAP_INVALID_SOCKET;
- struct soap *lpsSoap = NULL;
-+ char *server_ssl_protocols = strdup(m_lpConfig->GetSetting("server_ssl_protocols"));
-+ char *server_ssl_ciphers = m_lpConfig->GetSetting("server_ssl_ciphers");
-+ char *ssl_name;
-+ int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
-+ bool ssl_neg;
-
- if(lpServerName == NULL) {
- er = ZARAFA_E_INVALID_PARAMETER;
-@@ -270,10 +275,79 @@
- goto exit;
- }
-
-- // disable SSLv2 support
-- if (!parseBool(m_lpConfig->GetSetting("server_ssl_enable_v2", "", "no")))
-- SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_NO_SSLv2);
--
-+ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_ALL);
-+
-+ ssl_name = strtok(server_ssl_protocols, " ");
-+ while(ssl_name != NULL) {
-+ if (*ssl_name != '!')
-+ ssl_neg = FALSE;
-+ else {
-+ ssl_name++;
-+ ssl_neg = TRUE;
-+ }
-+
-+ if (strcasecmp(ssl_name, SSL_TXT_SSLV2) == 0)
-+ ssl_proto = 0x01;
-+ else if (strcasecmp(ssl_name, SSL_TXT_SSLV3) == 0)
-+ ssl_proto = 0x02;
-+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1) == 0)
-+ ssl_proto = 0x04;
-+#ifdef SSL_TXT_TLSV1_1
-+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_1) == 0)
-+ ssl_proto = 0x08;
-+#endif
-+#ifdef SSL_TXT_TLSV1_2
-+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_2) == 0)
-+ ssl_proto = 0x10;
-+#endif
-+ else {
-+ m_lpLogger->Log(EC_LOGLEVEL_FATAL, "Unknown protocol '%s' in server_ssl_protocols setting", ssl_name);
-+ er = ZARAFA_E_CALL_FAILED;
-+ goto exit;
-+ }
-+
-+ if (ssl_neg)
-+ ssl_exclude |= ssl_proto;
-+ else
-+ ssl_include |= ssl_proto;
-+
-+ ssl_name = strtok(NULL, " ");
-+ }
-+
-+ if (ssl_include != 0) {
-+ // Exclude everything, except those that are included (and let excludes still override those)
-+ ssl_exclude |= 0x1f & ~ssl_include;
-+ }
-+
-+ if ((ssl_exclude & 0x01) != 0)
-+ ssl_op |= SSL_OP_NO_SSLv2;
-+ if ((ssl_exclude & 0x02) != 0)
-+ ssl_op |= SSL_OP_NO_SSLv3;
-+ if ((ssl_exclude & 0x04) != 0)
-+ ssl_op |= SSL_OP_NO_TLSv1;
-+#ifdef SSL_OP_NO_TLSv1_1
-+ if ((ssl_exclude & 0x08) != 0)
-+ ssl_op |= SSL_OP_NO_TLSv1_1;
-+#endif
-+#ifdef SSL_OP_NO_TLSv1_2
-+ if ((ssl_exclude & 0x10) != 0)
-+ ssl_op |= SSL_OP_NO_TLSv1_2;
-+#endif
-+
-+ if (server_ssl_protocols) {
-+ SSL_CTX_set_options(lpsSoap->ctx, ssl_op);
-+ }
-+
-+ if (server_ssl_ciphers && SSL_CTX_set_cipher_list(lpsSoap->ctx, server_ssl_ciphers) != 1) {
-+ m_lpLogger->Log(EC_LOGLEVEL_FATAL, "Can not set SSL cipher list to '%s': %s", server_ssl_ciphers, ERR_error_string(ERR_get_error(), 0));
-+ er = ZARAFA_E_CALL_FAILED;
-+ goto exit;
-+ }
-+
-+ if (parseBool(m_lpConfig->GetSetting("server_ssl_prefer_server_ciphers"))) {
-+ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
-+ }
-+
- // request certificate from client, is OK if not present.
- SSL_CTX_set_verify(lpsSoap->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL);
-
diff --git a/zarafa-7.1.11-gsoap-sslv3.patch b/zarafa-7.1.11-gsoap-sslv3.patch
deleted file mode 100644
index 877b0e1..0000000
--- a/zarafa-7.1.11-gsoap-sslv3.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Patch by Robert Scheck <robert at fedoraproject.org> for zarafa >= 7.1.11 which removes the Zarafa-
-specific override/limitation that forces SSLv3-only SOAP connection between the Zarafa services.
-The pristine gSOAP library itself uses SSLv23_method() instead and thus allows TLSv1.0, TLSv1.1
-as well as TLSv1.2. Disable SSLv2 and SSLv3 as well as TLS compression explicitly; similar like
-the Zarafa Outlook Client which meanwhile only allows TLSv1.0 (and better).
-
-Proposed to upstream via e-mail on Wed, 2 Apr 2014 11:35:40 +0200, initial patch was put into the
-upstream ticket Ticket#2014040210000266.
-
---- zarafa-7.1.11/provider/common/SOAPSock.cpp 2014-09-03 10:45:06.000000000 +0200
-+++ zarafa-7.1.11/provider/common/SOAPSock.cpp.gsoap-sslv3 2015-03-04 00:28:25.000000000 +0100
-@@ -162,9 +162,6 @@
-
- lpCmd->endpoint = strdup(strServerPath.c_str());
-
-- // override the gsoap default v23 method to the force safer v3 only method.
-- lpCmd->soap->ctx = SSL_CTX_new(SSLv3_method());
--
- #ifdef WITH_OPENSSL
- if (strncmp("https:", lpCmd->endpoint, 6) == 0) {
- // no need to add certificates to call, since soap also calls SSL_CTX_set_default_verify_paths()
-@@ -188,6 +185,14 @@
- lpCmd->soap->fsslverify = ssl_verify_callback_zarafa_silent;
-
- SSL_CTX_set_verify(lpCmd->soap->ctx, SSL_VERIFY_PEER, lpCmd->soap->fsslverify);
-+
-+ // disable SSLv2 (according to RFC 6176) and SSLv3, leaving just TLSv1.0 (and better)
-+ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
-+
-+#ifdef SSL_OP_NO_COMPRESSION
-+ // disable TLS compression to close the CRIME attack vector (also known as CVE-2012-4929)
-+ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_COMPRESSION);
-+#endif
- }
- #endif
-
diff --git a/zarafa-7.1.11-webaccess-mcrypt.patch b/zarafa-7.1.11-webaccess-mcrypt.patch
deleted file mode 100644
index 56b5274..0000000
--- a/zarafa-7.1.11-webaccess-mcrypt.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.10 which fixes the fix that fixes CVE-2014-0103. Ush,
-that was complicated, so: CVE-2014-0103 exists because Zarafa WebAccess < 7.1.10 and Zarafa WebApp < 1.6 storing passwords
-in cleartext on server (in the PHP session). Zarafa solved this flaw by using openssl_encrypt() and openssl_decrypt() from
-PHP's OpenSSL bindings. However these functions are only available in PHP 5.3 or later. Without this patch suggestion, any
-older but still supported Linux distribution like Red Hat Enterprise Linux 5 or SuSE Linux Enterprise Server 10 (which are
-both shipping PHP < 5.3 by default) would still be left vulnerable.
-
-Given that I am personally more a fan of OpenSSL rather mcrypt, I am not absolutely sure if this implementation is really
-correct even it works fine on my test system. So please explicitly review this code to avoid introducing another security
-flaw by trying to fix one! A thing that I generally question for myself is the usage of "des-ede3-cbc"/"MCRYPT_TRIPLEDES"
-instead of e.g. MCRYPT_RIJNDAEL_128. Given that this decision was initially made by Zarafa I am just following that here.
-
-Important: To get this patch really powerful the install-time requirement needs to be adapted like this (this example is
-based on Fedora's build system so the macros %{?rhel} and %{?fedora} might not exist at Zarafa but need to be replaced by
-other macros):
-
-%if 0%{?rhel}%{?fedora} < 6
-Requires: php-mcrypt
-%else
-Requires: php-openssl
-%endif
-
-This requires php-openssl (provided by php-common) on RHEL 6 (and later) and php-mcrypt (separate package) before RHEL 6.
-
-Proposed to upstream via e-mail on Thu, 5 Jun 2014 00:24:32 +0200, initial patch was put into the (non-disclosed) upstream
-ticket https://jira.zarafa.com/browse/ZCP-12407.
-
---- zarafa-7.1.10/php-webclient-ajax/index.php 2014-05-23 15:56:38.000000000 +0200
-+++ zarafa-7.1.10/php-webclient-ajax/index.php.webaccess-mcrypt 2014-06-05 00:08:18.000000000 +0200
-@@ -135,6 +135,8 @@
- // if user has openssl module installed
- if(function_exists("openssl_encrypt")) {
- $_SESSION['password'] = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
-+ } elseif(function_exists("mcrypt_encrypt")) {
-+ $_SESSION['password'] = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
- } else {
- $_SESSION["password"] = $password;
- }
---- zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php 2014-05-23 15:56:38.000000000 +0200
-+++ zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php.webaccess-mcrypt 2014-06-05 00:08:57.000000000 +0200
-@@ -132,6 +132,8 @@
- if(is_string($username) && is_string($password)) {
- if(function_exists("openssl_decrypt")) {
- $password = openssl_decrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
-+ } elseif(function_exists("mcrypt_decrypt")) {
-+ $password = rtrim(mcrypt_decrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, base64_decode($password), MCRYPT_MODE_CBC, PASSWORD_IV), "\0");
- }
- // logon
- $this->session = mapi_logon_zarafa($username, $password, $server, $sslcert_file, $sslcert_pass);
-@@ -139,6 +141,8 @@
-
- if(function_exists("openssl_encrypt")) {
- $password = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
-+ } elseif(function_exists("mcrypt_encrypt")) {
-+ $password = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
- }
-
- if ($result == NOERROR && $this->session !== false){
diff --git a/zarafa-7.1.12-gsoap-sslv3.patch b/zarafa-7.1.12-gsoap-sslv3.patch
new file mode 100644
index 0000000..b1e58f2
--- /dev/null
+++ b/zarafa-7.1.12-gsoap-sslv3.patch
@@ -0,0 +1,38 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for zarafa >= 7.1.12 which disables weak SSLv2
+and SSLv3 protocols for encrypted SOAP connections between the Zarafa services. Until (including)
+the Zarafa 7.1.11 release the upstream default was to replace the SSLv23_method() that a pristine
+gSOAP library ships with the "safer" SSLv3_method(). With Zarafa 7.1.12 the SSLv3_method() was
+changed to SSLv23_method(). However this enables SSLv2 again (and still does not disable SSLv3).
+Thus this patch disables SSLv2 and SSLv3 as well as TLS compression explicitly; similar like the
+Zarafa Outlook Client which meanwhile only allows TLSv1.0 (and better).
+
+Proposed to upstream via e-mail on Wed, 2 Apr 2014 11:35:40 +0200, initial patch was put into the
+upstream ticket Ticket#2014040210000266.
+
+--- zarafa-7.1.12/provider/common/SOAPSock.cpp 2015-04-07 13:10:13.000000000 +0200
++++ zarafa-7.1.12/provider/common/SOAPSock.cpp.gsoap-sslv3 2015-04-07 16:32:20.000000000 +0200
+@@ -157,9 +157,6 @@
+
+ lpCmd->endpoint = strdup(strServerPath.c_str());
+
+- // default allow SSLv3, TLSv1, TLSv1.1 and TLSv1.2
+- lpCmd->soap->ctx = SSL_CTX_new(SSLv23_method());
+-
+ #ifdef WITH_OPENSSL
+ if (strncmp("https:", lpCmd->endpoint, 6) == 0) {
+ // no need to add certificates to call, since soap also calls SSL_CTX_set_default_verify_paths()
+@@ -183,6 +180,14 @@
+ lpCmd->soap->fsslverify = ssl_verify_callback_zarafa_silent;
+
+ SSL_CTX_set_verify(lpCmd->soap->ctx, SSL_VERIFY_PEER, lpCmd->soap->fsslverify);
++
++ // disable SSLv2 (according to RFC 6176) and SSLv3, leaving just TLSv1.0 (and better)
++ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
++
++#ifdef SSL_OP_NO_COMPRESSION
++ // disable TLS compression to close the CRIME attack vector (also known as CVE-2012-4929)
++ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_COMPRESSION);
++#endif
+ }
+ #endif
+
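Review bot: The protocol floor for service-to-service SOAP connections is hard-coded at `SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`, while the server side documented in the companion ssl_protocols_ciphers patch exposes a configurable `server_ssl_protocols`; an operator who wants to raise the client floor to TLSv1.1+ has no knob and needs a rebuild. Either read the same protocol list on the client, or extend the comment to say explicitly that TLSv1.0 stays enabled only for Outlook-client parity and is expected to be tightened later. Dropping the `lpCmd->soap->ctx = SSL_CTX_new(SSLv23_method());` assignment means the context must now come from gSOAP itself; the pre-existing `SSL_CTX_set_verify(lpCmd->soap->ctx, ...)` call already assumes it is non-NULL, so this looks safe, but it is worth confirming against the gSOAP version el5 links. The enclosing function starts and ends outside the hunk.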
diff --git a/zarafa-7.1.12-licensed-archiver.patch b/zarafa-7.1.12-licensed-archiver.patch
new file mode 100644
index 0000000..0ccde8c
--- /dev/null
+++ b/zarafa-7.1.12-licensed-archiver.patch
@@ -0,0 +1,117 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.12 which removes a wrongly introduced dependency to the
+proprietary zarafa-licensed. From Zarafa 7.1.11 to 7.1.12 there were some changes to the ValidateArchiverLicense() method;
+due to these changes rebuilding fails with "ArchiverSession.cpp:53:23: fatal error: ECLicense.h: No such file or directory"
+now. The patch just reverts the changes that were introduced from 7.1.11 to 7.1.12 to get the code building again.
+
+--- zarafa-7.1.12/ECtools/zarafa-archiver/ArchiverSession.cpp 2015-04-07 13:10:12.000000000 +0200
++++ zarafa-7.1.12/ECtools/zarafa-archiver/ArchiverSession.cpp.licensed-archiver 2015-04-07 15:55:07.000000000 +0200
+@@ -50,8 +50,6 @@
+ #include "mapiext.h"
+ #include "userutil.h"
+ #include "ECMsgStore.h"
+-#include "ECLicense.h"
+-#include "ECMAPILicense.h"
+
+ typedef mapi_memory_ptr<ECSERVERLIST> ECServerListPtr;
+
+@@ -879,38 +877,7 @@
+ typedef mapi_object_ptr<ECMsgStore, IID_ECMsgStore> ECMsgStorePtr;
+
+ HRESULT ArchiverSession::ValidateArchiverLicense(bool attachnewuser /* = false*/) const {
+- IMsgStore *lpMsgStore = NULL;
+- IMsgStore *lpProxedMsgStore = NULL;
+- UnknownPtr ptrUnknown;
+- ECMsgStorePtr ptrOnlineStore;
+-
+- HRESULT hr = HrOpenDefaultStore(GetMAPISession(), MDB_WRITE | MDB_NO_DIALOG | MDB_NO_MAIL | MDB_TEMPORARY, &lpMsgStore);
+- if (hr != hrSuccess)
+- goto exit;
+-
+- hr = GetProxyStoreObject(lpMsgStore, &lpProxedMsgStore);
+- if (hr != hrSuccess)
+- goto exit;
+-
+- hr = lpProxedMsgStore->QueryInterface(IID_ECMsgStoreOnline, &ptrUnknown);
+- if (hr != hrSuccess)
+- goto exit;
+-
+- hr = ptrUnknown->QueryInterface(IID_ECMsgStore, &ptrOnlineStore);
+- if (hr != hrSuccess) {
+- m_lpLogger->Log(EC_LOGLEVEL_FATAL, "Unable to validate archived user count. Please check the archiver and licensed log for errors.");
+- hr = MAPI_E_NO_SUPPORT;
+- goto exit;
+- }
+-
+- hr = HrCheckLicense(&ptrOnlineStore->m_xMsgStore, SERVICE_TYPE_ARCHIVE, ZARAFA_ARCHIVE_DEFAULT);
+- if (hr != hrSuccess)
+- {
+- m_lpLogger->Log(EC_LOGLEVEL_FATAL, "No archiver license found.");
+- hr = MAPI_E_NO_SUPPORT;
+- }
+- else
+- {
++ HRESULT hr;
+ unsigned int ulArchivedUsers = 0;
+ unsigned int ulMaxUsers = 0;
+
+@@ -931,7 +898,6 @@
+ } else if (ulArchivedUsers + 5 >= ulMaxUsers) { //@todo which warning limit?
+ m_lpLogger->Log(EC_LOGLEVEL_FATAL, "You almost reached the archived user limit. Archived users %d of %d", ulArchivedUsers, ulMaxUsers);
+ }
+- }
+
+ exit:
+ return hr;
+--- zarafa-7.1.12/ECtools/zarafa-archiver/Makefile.am 2015-04-07 12:00:49.000000000 +0200
++++ zarafa-7.1.12/ECtools/zarafa-archiver/Makefile.am.licensed-archiver 2015-04-07 15:59:42.000000000 +0200
+@@ -9,7 +9,6 @@
+ -I${top_srcdir}/provider/client \
+ -I${top_srcdir}/provider/include \
+ -I${top_srcdir}/provider/soap \
+- -I${top_srcdir}/liblicense \
+ -I${top_builddir}/provider/soap \
+ $(GSOAP_CFLAGS) \
+ -I${top_srcdir}/common \
+@@ -17,9 +16,7 @@
+
+ libarchiver_la_LIBADD = ${top_builddir}/mapi4linux/src/libmapi.la \
+ ${top_builddir}/common/libcommon_mapi.la \
+- ${top_builddir}/common/libcommon_util.la \
+- ${top_builddir}/liblicense/liblicense.la \
+- ${top_builddir}/liblicense/liblicense_mapi.la
++ ${top_builddir}/common/libcommon_util.la
+
+ libarchiver_la_SOURCES = \
+ ArchiverSession.cpp ArchiverSession.h ArchiverSessionPtr.h \
+--- zarafa-7.1.12/ECtools/zarafa-archiver/Makefile.in 2015-04-07 12:03:40.000000000 +0200
++++ zarafa-7.1.12/ECtools/zarafa-archiver/Makefile.in.licensed-archiver 2015-04-07 16:00:15.000000000 +0200
+@@ -112,9 +112,7 @@
+ libarchiver_la_DEPENDENCIES = \
+ ${top_builddir}/mapi4linux/src/libmapi.la \
+ ${top_builddir}/common/libcommon_mapi.la \
+- ${top_builddir}/common/libcommon_util.la \
+- ${top_builddir}/liblicense/liblicense.la \
+- ${top_builddir}/liblicense/liblicense_mapi.la
++ ${top_builddir}/common/libcommon_util.la
+ am_libarchiver_la_OBJECTS = ArchiverSession.lo archiver-common.lo \
+ ArchiveManageImpl.lo ArchiveStateCollector.lo \
+ ArchiveStateUpdater.lo ArchiveHelper.lo StoreHelper.lo \
+@@ -395,7 +393,6 @@
+ -I${top_srcdir}/provider/client \
+ -I${top_srcdir}/provider/include \
+ -I${top_srcdir}/provider/soap \
+- -I${top_srcdir}/liblicense \
+ -I${top_builddir}/provider/soap \
+ $(GSOAP_CFLAGS) \
+ -I${top_srcdir}/common \
+@@ -403,9 +400,7 @@
+
+ libarchiver_la_LIBADD = ${top_builddir}/mapi4linux/src/libmapi.la \
+ ${top_builddir}/common/libcommon_mapi.la \
+- ${top_builddir}/common/libcommon_util.la \
+- ${top_builddir}/liblicense/liblicense.la \
+- ${top_builddir}/liblicense/liblicense_mapi.la
++ ${top_builddir}/common/libcommon_util.la
+
+ libarchiver_la_SOURCES = \
+ ArchiverSession.cpp ArchiverSession.h ArchiverSessionPtr.h \
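Review bot: On the new side `HRESULT hr;` (the `++ HRESULT hr;` line that replaces the removed license-check prologue) is declared without an initializer, and the function still returns through `exit: return hr;`; the lines between the two ArchiverSession.cpp hunks that would assign it are not visible, so whether every path to `exit` sets `hr` cannot be confirmed from here. Initialising it, `HRESULT hr = hrSuccess;`, makes the revert safe regardless of what the elided code does and costs nothing. It is also worth checking whether any `goto exit` survives in the elided part, since the removed lines held all the ones visible here and an orphaned label draws a warning under -Wunused-label. ValidateArchiverLicense's body continues outside the hunk.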
diff --git a/zarafa-7.1.12-ssl_ecdhe.patch b/zarafa-7.1.12-ssl_ecdhe.patch
new file mode 100644
index 0000000..837fba2
--- /dev/null
+++ b/zarafa-7.1.12-ssl_ecdhe.patch
@@ -0,0 +1,85 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.12 which implements ECDHE (elliptic
+curve diffie-hellman key exchange) support. http://en.wikipedia.org/wiki/Elliptic_curve_cryptography is
+providing more information about elliptic curves.
+
+Suggestions for testing; run the following openssl(1) commands before and after applying this patch:
+
+1. echo QUIT | openssl s_client -connect <host>:110 -starttls pop3 2>&1 | grep Cipher
+2. echo QUIT | openssl s_client -connect <host>:143 -starttls imap 2>&1 | grep Cipher
+3. echo QUIT | openssl s_client -connect <host>:237 2>&1 | grep Cipher
+4. echo QUIT | openssl s_client -connect <host>:993 2>&1 | grep Cipher
+5. echo QUIT | openssl s_client -connect <host>:995 2>&1 | grep Cipher
+6. echo QUIT | openssl s_client -connect <host>:8443 2>&1 | grep Cipher
+
+After applying this patch the output should contain e.g. "ECDHE-RSA-AES256-GCM-SHA384" on a Red Hat
+Enterprise Linux 6.5 (only RHEL >= 6.5 has support for elliptic curve). Without this patch the result
+is e.g. "AES256-GCM-SHA384".
+
+Important: The technical implementation of this patch might be not perfect as I am not really a C/C++
+developer. The logic and the implementation is heavily based on Sendmail. There should be a code review
+by an experienced C/C++ and OpenSSL developer before merging into Zarafa core.
+
+This patch should be only applied after ZCP-12143 and its dependencies. However this patch might maybe
+not directly apply due to some previous merge issues as mentioned in Ticket#2014030810000131.
+
+Proposed to upstream via e-mail on Mon, 14 Apr 2014 12:04:17 +0200, initial patch was put into upstream
+ticket https://jira.zarafa.com/browse/ZCP-12237.
+
+--- zarafa-7.1.12/common/ECChannel.cpp 2015-04-07 13:10:12.000000000 +0200
++++ zarafa-7.1.12/common/ECChannel.cpp.ssl_ecdhe 2015-04-07 17:12:15.000000000 +0200
+@@ -93,6 +93,9 @@
+ char *ssl_ciphers = lpConfig->GetSetting("ssl_ciphers");
+ char *ssl_name = NULL;
+ int ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ EC_KEY *ecdh;
++#endif
+
+ if (lpConfig == NULL) {
+ lpLogger->Log(EC_LOGLEVEL_ERROR, "ECChannel::HrSetCtx(): invalid parameters");
+@@ -113,6 +116,16 @@
+
+ SSL_CTX_set_options(lpCTX, SSL_OP_ALL); // enable quirk and bug workarounds
+
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
++
++ if (ecdh != NULL) {
++ SSL_CTX_set_options(lpCTX, SSL_OP_SINGLE_ECDH_USE);
++ SSL_CTX_set_tmp_ecdh(lpCTX, ecdh);
++ EC_KEY_free(ecdh);
++ }
++#endif
++
+ ssl_name = strtok(ssl_protocols, " ");
+ while(ssl_name != NULL) {
+ int ssl_proto = 0;
+--- zarafa-7.1.12/provider/server/ECSoapServerConnection.cpp 2015-04-07 13:10:13.000000000 +0200
++++ zarafa-7.1.12/provider/server/ECSoapServerConnection.cpp.ssl_ecdhe 2015-04-07 17:13:23.000000000 +0200
+@@ -235,6 +235,9 @@
+ char *server_ssl_ciphers = m_lpConfig->GetSetting("server_ssl_ciphers");
+ char *ssl_name = NULL;
+ int ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ EC_KEY *ecdh;
++#endif
+
+ if(lpServerName == NULL) {
+ free(server_ssl_ciphers);
+@@ -268,6 +271,16 @@
+
+ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_ALL);
+
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
++
++ if (ecdh != NULL) {
++ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_SINGLE_ECDH_USE);
++ SSL_CTX_set_tmp_ecdh(lpsSoap->ctx, ecdh);
++ EC_KEY_free(ecdh);
++ }
++#endif
++
+ ssl_name = strtok(server_ssl_protocols, " ");
+ while(ssl_name != NULL) {
+ int ssl_proto = 0;
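Review bot: The ECDHE setup pins a single curve via `EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)` plus `SSL_CTX_set_tmp_ecdh`, and the identical block is pasted into both ECChannel.cpp and ECSoapServerConnection.cpp. On OpenSSL 1.0.2 and later `SSL_CTX_set_ecdh_auto(ctx, 1)` lets the library pick from the curves the client offers, so a version-guarded branch in front of the fixed-curve fallback would be preferable, and a small shared helper would keep the two copies from drifting apart. When `EC_KEY_new_by_curve_name` returns NULL the server silently continues without forward secrecy; a log line in that case, e.g. `lpLogger->Log(EC_LOGLEVEL_WARNING, "ECDHE unavailable: EC_KEY_new_by_curve_name failed");`, makes the degraded state visible to operators. Separately, the surrounding context in ECChannel.cpp dereferences `lpConfig->GetSetting("ssl_ciphers")` before the `if (lpConfig == NULL)` check — pre-existing upstream code, but worth carrying to the upstream ticket. Both enclosing functions start and end outside the hunk.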
diff --git a/zarafa-7.1.12-ssl_protocols_ciphers.patch b/zarafa-7.1.12-ssl_protocols_ciphers.patch
new file mode 100644
index 0000000..c9de1c6
--- /dev/null
+++ b/zarafa-7.1.12-ssl_protocols_ciphers.patch
@@ -0,0 +1,123 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.12 which re-adds the whole
+documentation that was initially proposed to upstream but lost when this feature was backported
+from Zarafa 7.2 to the 7.1 series.
+
+Proposed to upstream via e-mail on Sat, 8 Mar 2014 14:30:29 +0100, initial patch was put into
+the upstream ticket https://jira.zarafa.com/browse/ZCP-12143.
+
+--- zarafa-7.1.12/doc/manual.xml 2015-04-07 12:03:31.000000000 +0200
++++ zarafa-7.1.12/doc/manual.xml.ssl_protocols_ciphers 2015-04-07 17:05:47.000000000 +0200
+@@ -4226,14 +4226,35 @@
+ </varlistentry>
+
+ <varlistentry>
+- <term><option>server_ssl_enable_v2</option></term>
++ <term><option>server_ssl_protocols</option></term>
+ <listitem>
+- <para>Incoming SSL connections normally are v3.</para>
+- <para>Default: <replaceable>no</replaceable>
+- </para>
++ <para>Disabled or enabled protocol names. Supported protocol names
++ are <replaceable>SSLv2</replaceable>, <replaceable>SSLv3</replaceable>
++ and <replaceable>TLSv1</replaceable>. If Zarafa was linked against
++ OpenSSL 1.0.1 or later there is additional support for the new protocols
++ <replaceable>TLSv1.1</replaceable> and <replaceable>TLSv1.2</replaceable>.
++ To exclude both, SSLv2 and SSLv3 set <option>server_ssl_protocols</option>
++ to <replaceable>!SSLv2 !SSLv3</replaceable>. SSLv2 is considered unsafe
++ and these connections should not be accepted.</para>
++ <para>Default: <replaceable>!SSLv2</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>server_ssl_ciphers</option></term>
++ <listitem>
++ <para>SSL ciphers to use, set to <replaceable>ALL</replaceable> for backward compatibility.</para>
++ <para>Default: <replaceable>ALL:!LOW:!SSLv2:!EXP:!aNULL</replaceable></para>
+ </listitem>
+ </varlistentry>
+
++ <varlistentry>
++ <term><option>server_ssl_prefer_server_ciphers</option></term>
++ <listitem>
++ <para>Prefer the server's order of SSL ciphers over client's.</para>
++ <para>Default: <replaceable>no</replaceable></para>
++ </listitem>
++ </varlistentry>
+ </variablelist>
+ </refsection>
+
+@@ -8090,11 +8111,32 @@
+ </varlistentry>
+
+ <varlistentry>
+- <term><option>ssl_enable_v2</option></term>
++ <term><option>ssl_protocols</option></term>
++ <listitem>
++ <para>Disabled or enabled protocol names. Supported protocol names
++ are <replaceable>SSLv2</replaceable>, <replaceable>SSLv3</replaceable>
++ and <replaceable>TLSv1</replaceable>. If Zarafa was linked against
++ OpenSSL 1.0.1 or later there is additional support for the new protocols
++ <replaceable>TLSv1.1</replaceable> and <replaceable>TLSv1.2</replaceable>.
++ To exclude both, SSLv2 and SSLv3 set <option>ssl_protocols</option>
++ to <replaceable>!SSLv2 !SSLv3</replaceable>. SSLv2 is considered unsafe
++ and these connections should not be accepted.</para>
++ <para>Default: <replaceable>!SSLv2</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>ssl_ciphers</option></term>
+ <listitem>
+- <para>Accept SSLv2 only connections. SSLv2 is considered
+- unsafe, and these connections should not be
+- accepted.</para>
++ <para>SSL ciphers to use, set to <replaceable>ALL</replaceable> for backward compatibility.</para>
++ <para>Default: <replaceable>ALL:!LOW:!SSLv2:!EXP:!aNULL</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>ssl_prefer_server_ciphers</option></term>
++ <listitem>
++ <para>Prefer the server's order of SSL ciphers over client's.</para>
+ <para>Default: <replaceable>no</replaceable></para>
+ </listitem>
+ </varlistentry>
+@@ -10091,11 +10133,32 @@
+ </varlistentry>
+
+ <varlistentry>
+- <term><option>ssl_enable_v2</option></term>
++ <term><option>ssl_protocols</option></term>
++ <listitem>
++ <para>Disabled or enabled protocol names. Supported protocol names
++ are <replaceable>SSLv2</replaceable>, <replaceable>SSLv3</replaceable>
++ and <replaceable>TLSv1</replaceable>. If Zarafa was linked against
++ OpenSSL 1.0.1 or later there is additional support for the new protocols
++ <replaceable>TLSv1.1</replaceable> and <replaceable>TLSv1.2</replaceable>.
++ To exclude both, SSLv2 and SSLv3 set <option>ssl_protocols</option>
++ to <replaceable>!SSLv2 !SSLv3</replaceable>. SSLv2 is considered unsafe
++ and these connections should not be accepted.</para>
++ <para>Default: <replaceable>!SSLv2</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>ssl_ciphers</option></term>
++ <listitem>
++ <para>SSL ciphers to use, set to <replaceable>ALL</replaceable> for backward compatibility.</para>
++ <para>Default: <replaceable>ALL:!LOW:!SSLv2:!EXP:!aNULL</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>ssl_prefer_server_ciphers</option></term>
+ <listitem>
+- <para>Accept SSLv2 only connections. SSLv2 is considered
+- unsafe, and these connections should not be
+- accepted.</para>
++ <para>Prefer the server's order of SSL ciphers over client's.</para>
+ <para>Default: <replaceable>no</replaceable></para>
+ </listitem>
+ </varlistentry>
diff --git a/zarafa-7.1.12-webaccess-mcrypt.patch b/zarafa-7.1.12-webaccess-mcrypt.patch
new file mode 100644
index 0000000..e7b3fcd
--- /dev/null
+++ b/zarafa-7.1.12-webaccess-mcrypt.patch
@@ -0,0 +1,58 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.12 which fixes the fix that fixes CVE-2014-0103. Ush,
+that was complicated, so: CVE-2014-0103 exists because Zarafa WebAccess < 7.1.10 and Zarafa WebApp < 1.6 storing passwords
+in cleartext on server (in the PHP session). Zarafa solved this flaw by using openssl_encrypt() and openssl_decrypt() from
+PHP's OpenSSL bindings. However these functions are only available in PHP 5.3 or later. Without this patch suggestion, any
+older but still supported Linux distribution like Red Hat Enterprise Linux 5 or SuSE Linux Enterprise Server 10 (which are
+both shipping PHP < 5.3 by default) would still be left vulnerable.
+
+Given that I am personally more a fan of OpenSSL rather mcrypt, I am not absolutely sure if this implementation is really
+correct even it works fine on my test system. So please explicitly review this code to avoid introducing another security
+flaw by trying to fix one! A thing that I generally question for myself is the usage of "des-ede3-cbc"/"MCRYPT_TRIPLEDES"
+instead of e.g. MCRYPT_RIJNDAEL_128. Given that this decision was initially made by Zarafa I am just following that here.
+
+Important: To get this patch really powerful the install-time requirement needs to be adapted like this (this example is
+based on Fedora's build system so the macros %{?rhel} and %{?fedora} might not exist at Zarafa but need to be replaced by
+other macros):
+
+%if 0%{?rhel}%{?fedora} < 6
+Requires: php-mcrypt
+%else
+Requires: php-openssl
+%endif
+
+This requires php-openssl (provided by php-common) on RHEL 6 (and later) and php-mcrypt (separate package) before RHEL 6.
+
+Proposed to upstream via e-mail on Thu, 5 Jun 2014 00:24:32 +0200, initial patch was put into the (non-disclosed) upstream
+ticket https://jira.zarafa.com/browse/ZCP-12407.
+
+--- zarafa-7.1.12/php-webclient-ajax/index.php 2015-04-07 13:10:13.000000000 +0200
++++ zarafa-7.1.12/php-webclient-ajax/index.php.webaccess-mcrypt 2015-04-07 16:22:23.000000000 +0200
+@@ -135,6 +135,8 @@
+ } else {
+ $_SESSION['password'] = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
+ }
++ } elseif(function_exists("mcrypt_encrypt")) {
++ $_SESSION['password'] = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
+ } else {
+ $_SESSION["password"] = $password;
+ }
+--- zarafa-7.1.12/php-webclient-ajax/server/core/class.mapisession.php 2015-04-07 13:10:14.000000000 +0200
++++ zarafa-7.1.12/php-webclient-ajax/server/core/class.mapisession.php.webaccess-mcrypt 2015-04-07 16:23:58.000000000 +0200
+@@ -132,6 +132,8 @@
+ } else {
+ $password = openssl_decrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
+ }
++ } elseif(function_exists("mcrypt_decrypt")) {
++ $password = rtrim(mcrypt_decrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, base64_decode($password), MCRYPT_MODE_CBC, PASSWORD_IV), "\0");
+ }
+ // logon
+ $this->session = mapi_logon_zarafa($username, $password, $server, $sslcert_file, $sslcert_pass);
+@@ -144,6 +146,8 @@
+ } else {
+ $password = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
+ }
++ } elseif(function_exists("mcrypt_encrypt")) {
++ $password = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
+ }
+
+ if ($result == NOERROR && $this->session !== false){
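Review bot: The final `} else { $_SESSION["password"] = $password; }` fallback still stores the password in cleartext when neither the openssl nor the mcrypt extension is loaded, and it does so silently — the exact CVE-2014-0103 condition this patch exists to close, with only the `Requires: php-mcrypt` advice in the header standing between a PHP < 5.3 host and that state. At minimum that branch should log, e.g. `error_log("webaccess: no openssl/mcrypt extension, session password stored unencrypted");`, so an admin can notice. The two branches are also not interchangeable: openssl_encrypt pads with PKCS#7 while mcrypt zero-pads (hence the `rtrim(..., "\0")` on decrypt), so a session written under one extension cannot be read under the other if the extension set changes mid-session; a one-line comment above the `elseif` would save the next reader the analysis. Neither scheme authenticates the ciphertext and both appear to use a fixed PASSWORD_KEY/PASSWORD_IV pair as upstream designed it, so the author's request in the header for an explicit crypto review still stands.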
diff --git a/zarafa-7.1.9-ssl_ecdhe.patch b/zarafa-7.1.9-ssl_ecdhe.patch
deleted file mode 100644
index 6596637..0000000
--- a/zarafa-7.1.9-ssl_ecdhe.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.9 which implements ECDHE (elliptic
-curve diffie-hellman key exchange) support. http://en.wikipedia.org/wiki/Elliptic_curve_cryptography is
-providing more information about elliptic curves.
-
-Suggestions for testing; run the following openssl(1) commands before and after applying this patch:
-
-1. echo QUIT | openssl s_client -connect <host>:110 -starttls pop3 2>&1 | grep Cipher
-2. echo QUIT | openssl s_client -connect <host>:143 -starttls imap 2>&1 | grep Cipher
-3. echo QUIT | openssl s_client -connect <host>:237 2>&1 | grep Cipher
-4. echo QUIT | openssl s_client -connect <host>:993 2>&1 | grep Cipher
-5. echo QUIT | openssl s_client -connect <host>:995 2>&1 | grep Cipher
-6. echo QUIT | openssl s_client -connect <host>:8443 2>&1 | grep Cipher
-
-After applying this patch the output should contain e.g. "ECDHE-RSA-AES256-GCM-SHA384" on a Red Hat
-Enterprise Linux 6.5 (only RHEL >= 6.5 has support for elliptic curve). Without this patch the result
-is e.g. "AES256-GCM-SHA384".
-
-Important: The technical implementation of this patch might be not perfect as I am not really a C/C++
-developer. The logic and the implementation is heavily based on Sendmail. There should be a code review
-by an experienced C/C++ and OpenSSL developer before merging into Zarafa core.
-
-This patch should be only applied after ZCP-12143 and its dependencies. However this patch might maybe
-not directly apply due to some previous merge issues as mentioned in Ticket#2014030810000131.
-
-Proposed to upstream via e-mail on Mon, 14 Apr 2014 12:04:17 +0200, patch was put into the upstream
-ticket https://jira.zarafa.com/browse/ZCP-12237.
-
---- zarafa-7.1.9/common/ECChannel.cpp 2014-04-13 23:46:59.000000000 +0200
-+++ zarafa-7.1.9/common/ECChannel.cpp.ssl_ecdhe 2014-04-13 23:59:43.000000000 +0200
-@@ -97,6 +97,9 @@
- char *ssl_name;
- int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
- bool ssl_neg;
-+#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
-+ EC_KEY *ecdh;
-+#endif
-
- if (lpConfig == NULL) {
- hr = MAPI_E_CALL_FAILED;
-@@ -113,6 +116,16 @@
- lpCTX = SSL_CTX_new(SSLv23_server_method());
- SSL_CTX_set_options(lpCTX, SSL_OP_ALL);
-
-+#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
-+ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-+
-+ if (ecdh != NULL) {
-+ SSL_CTX_set_options(lpCTX, SSL_OP_SINGLE_ECDH_USE);
-+ SSL_CTX_set_tmp_ecdh(lpCTX, ecdh);
-+ EC_KEY_free(ecdh);
-+ }
-+#endif
-+
- ssl_name = strtok(ssl_protocols, " ");
- while(ssl_name != NULL) {
- if (*ssl_name != '!')
---- zarafa-7.1.9/provider/server/ECSoapServerConnection.cpp 2014-04-13 23:46:59.000000000 +0200
-+++ zarafa-7.1.9/provider/server/ECSoapServerConnection.cpp.ssl_ecdhe 2014-04-14 00:00:54.000000000 +0200
-@@ -245,6 +245,9 @@
- char *ssl_name;
- int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
- bool ssl_neg;
-+#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
-+ EC_KEY *ecdh;
-+#endif
-
- if(lpServerName == NULL) {
- er = ZARAFA_E_INVALID_PARAMETER;
-@@ -277,6 +280,16 @@
-
- SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_ALL);
-
-+#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
-+ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-+
-+ if (ecdh != NULL) {
-+ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_SINGLE_ECDH_USE);
-+ SSL_CTX_set_tmp_ecdh(lpsSoap->ctx, ecdh);
-+ EC_KEY_free(ecdh);
-+ }
-+#endif
-+
- ssl_name = strtok(server_ssl_protocols, " ");
- while(ssl_name != NULL) {
- if (*ssl_name != '!')
diff --git a/zarafa.spec b/zarafa.spec
index 4fc0f9a..2debd81 100644
--- a/zarafa.spec
+++ b/zarafa.spec
@@ -1,6 +1,6 @@
%global beta_or_rc 0
-%global actual_release 3
-%global svnrevision 46050
+%global actual_release 1
+%global svnrevision 48726
%global with_search 1
%global with_ldap 1
%global with_xmlto 1
@@ -31,7 +31,7 @@
Summary: Open Source Edition of the Zarafa Collaboration Platform
Name: zarafa
-Version: 7.1.11
+Version: 7.1.12
%if %{beta_or_rc}
Release: 0.%{actual_release}.svn%{svnrevision}%{?dist}
%else
@@ -57,16 +57,17 @@ Source3: %{name}-webaccess.conf
Patch0: zarafa-7.1.11-rpath.patch
Patch1: zarafa-7.1.11-php-unbundle.patch
Patch2: zarafa-7.1.10-kyotocabinet.patch
-Patch3: zarafa-7.1.10-ssl_protocols_ciphers.patch
-Patch4: zarafa-7.1.9-ssl_ecdhe.patch
+Patch3: zarafa-7.1.12-ssl_protocols_ciphers.patch
+Patch4: zarafa-7.1.12-ssl_ecdhe.patch
Patch5: zarafa-7.1.11-plaintext_auth_localhost.patch
Patch6: zarafa-7.1.10-imap-badcharset.patch
Patch7: zarafa-7.1.10-imap-fetch-body.patch
Patch8: zarafa-7.1.11-vacation-headers.patch
Patch9: zarafa-7.1.11-vacation-headers2.patch
Patch10: zarafa-7.1.11-webaccess-fail2ban.patch
-Patch11: zarafa-7.1.11-webaccess-mcrypt.patch
-Patch12: zarafa-7.1.11-gsoap-sslv3.patch
+Patch11: zarafa-7.1.12-webaccess-mcrypt.patch
+Patch12: zarafa-7.1.12-gsoap-sslv3.patch
+Patch13: zarafa-7.1.12-licensed-archiver.patch
BuildRequires: bison
BuildRequires: gcc-c++
@@ -406,6 +407,7 @@ touch -c -r aclocal.m4.rpath aclocal.m4
%patch11 -p1 -b .webaccess-mcrypt
rm -f php-webclient-ajax/{.,*,*/*}/*.webaccess-*
%patch12 -p1 -b .gsoap-sslv3
+%patch13 -p1 -b .licensed-archiver
%build
%if 0%{?rhel}%{?fedora} < 6
@@ -553,7 +555,7 @@ mkdir -p $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/plugins/
# Remove unwanted language connectors and webaccess files
rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/client/widgets/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.{cfm,pl}
-rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/{.htaccess,%{name}-webaccess.conf,senddocument.php}
+rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/{.htaccess,%{name}-webaccess.conf}
# Remove flash-based multi-attachment upload (missing source)
%if %{no_multiupload}
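Review bot: The changed `rm -f` line no longer strips `senddocument.php` from the installed webaccess tree, and neither the changelog hunk nor the commit message says why that file is now shipped. If it was dropped earlier on purpose, the reason it is safe to install now should be recorded next to the line, e.g. `# senddocument.php no longer removed as of 7.1.12: <reason>`; if 7.1.12 simply stopped shipping it, say that instead so the next packager does not re-add the removal.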
@@ -782,8 +784,6 @@ fi
%{_libdir}/libicalmapi.so
%{_libdir}/libinetmapi.so
%{_libdir}/libmapi.so
-%{_libdir}/libmapicalendar.so
-%{_libdir}/libmapitimezone.so
%{_libdir}/libcommon_mapi.a
%{_libdir}/libcommon_service.a
%{_libdir}/libcommon_ssl.a
@@ -792,10 +792,8 @@ fi
%{_libdir}/libzarafasync.so
%{_includedir}/icalmapi/
%{_includedir}/inetmapi/
-%{_includedir}/mapitimezone/
%{_includedir}/mapi4linux/
%{_includedir}/libfreebusy/
-%{_includedir}/libmapicalendar/
%{_includedir}/libzarafasync/
%{_includedir}/%{name}/
%{_libdir}/pkgconfig/%{name}.pc
@@ -940,12 +938,11 @@ fi
%{_libdir}/libicalmapi.so.*
%{_libdir}/libinetmapi.so.*
%{_libdir}/libmapi.so.*
-%{_libdir}/libmapicalendar.so.*
-%{_libdir}/libmapitimezone.so.*
%files -n php-mapi
%defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/php.d/%{ini_name}
+%config(noreplace) %{_sysconfdir}/%{name}/php-mapi.cfg
%{_datadir}/php/mapi/
%{_libdir}/php/modules/mapi.so
@@ -954,7 +951,8 @@ fi
%{python_sitearch}/*
%changelog
-* Sun Feb 22 2015 Robert Scheck <robert at fedoraproject.org> 7.1.11-3
+* Tue Apr 07 2015 Robert Scheck <robert at fedoraproject.org> 7.1.12-1
+- Upgrade to 7.1.12
- Added multiple minor enhancement and bugfix patches
- Added patch to fix CVE-2014-0103 for PHP < 5.3 (#1073618)
- Handle "su" option in logrotate >= 3.8.0 to avoid errors
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/zarafa.git/commit/?h=el5&id=6d2e2419781af693695e6a313e1ca41345635a1b