diff --git a/zarafa-7.1.10-imap-badcharset.patch b/zarafa-7.1.10-imap-badcharset.patch new file mode 100644 index 0000000..76b5a36 --- /dev/null +++ b/zarafa-7.1.10-imap-badcharset.patch @@ -0,0 +1,19 @@ +Patch by Robert Scheck for Zarafa <= 7.1.10 which fixes the RFC- +violating reply of the Zarafa IMAP gateway in response to a failed SEARCH CHARSET request. +This is documented at http://tools.ietf.org/html/rfc3501#page-64: "BADCHARSET: Optionally +followed by a parenthesized list of charsets. [...]". This patch adds missing parenthesis. + +Proposed to upstream via e-mail on Sun, 27 Jul 2014 23:58:01 +0200, patch was put into the +upstream ticket https://jira.zarafa.com/browse/ZCP-12504. + +--- zarafa-7.1.10/gateway/IMAP.cpp 2014-05-23 15:56:37.000000000 +0200 ++++ zarafa-7.1.10/gateway/IMAP.cpp.imap-badcharset 2014-07-27 23:42:30.000000000 +0200 +@@ -2409,7 +2409,7 @@ + if (lstSearchCriteria[1] != "WINDOWS-1252") { + iconv = new ECIConv("windows-1252", lstSearchCriteria[1]); + if (!iconv->canConvert()) { +- hr2 = HrResponse(RESP_TAGGED_NO, strTag, "[BADCHARSET WINDOWS-1252] "+strMode+"SEARCH charset not supported"); ++ hr2 = HrResponse(RESP_TAGGED_NO, strTag, "[BADCHARSET (WINDOWS-1252)] "+strMode+"SEARCH charset not supported"); + hr = MAPI_E_CALL_FAILED; + goto exit; + } diff --git a/zarafa-7.1.10-imap-fetch-body.patch b/zarafa-7.1.10-imap-fetch-body.patch new file mode 100644 index 0000000..da4e2fa --- /dev/null +++ b/zarafa-7.1.10-imap-fetch-body.patch 
@@ -0,0 +1,93 @@ +Patch by Robert Scheck for Zarafa <= 7.1.10 which fixes the RFC- +violating reply of the Zarafa IMAP gateway in response to a body fetch request. This is +documented at http://tools.ietf.org/html/rfc3501#page-55. Additionally this has been also +compared with the Dovecot IMAP server as a nearly (or even de facto) IMAP server reference +implementation. Please note that this is NOT a duplicate of ZCP-11590/ZCP-11739/ZCP-12365! + +Wrong behaviour of Zarafa <= 7.1.10rc1-44973 (without this patch): +> A4 FETCH 1 (BODY.PEEK[HEADER.FIELDS (FROM FROM)]) +< * 1 FETCH (BODY[HEADER.FIELDS (FROM FROM)] {66} +From: User1 +From: User1 + +) +< A4 OK FETCH completed + +Comparison with IMAP server Dovecot 2.2.13: +> A4 FETCH 1 (BODY.PEEK[HEADER.FIELDS (FROM FROM)]) +< * 1 FETCH (BODY[HEADER.FIELDS (FROM FROM)] {34} +From: User1 + +) +< A4 OK Fetch completed. + +Correct behaviour of Zarafa (after having this patch applied): +> A4 FETCH 1 (BODY.PEEK[HEADER.FIELDS (FROM FROM)]) +< * 1 FETCH (BODY[HEADER.FIELDS (FROM FROM)] {34} +From: User1 + +) +< A4 OK FETCH completed + +Testing: Full IMAP dialog example from the client perspective (after this patch applied): +< * OK [CAPABILITY IMAP4rev1 LITERAL+ AUTH=PLAIN] Zarafa IMAP gateway ready +> A0 LOGIN robert robert +< A0 OK [CAPABILITY IMAP4rev1 LITERAL+ CHILDREN XAOL-OPTION NAMESPACE QUOTA IDLE] LOGIN completed +> A1 LIST "" INBOX +< * LIST (\HasNoChildren) "/" "INBOX" +< A1 OK LIST completed +> A2 SELECT INBOX +< * 2 EXISTS +< * 0 RECENT +< * FLAGS (\Seen \Draft \Deleted \Flagged \Answered $Forwarded) +< * OK [PERMANENTFLAGS (\Seen \Draft \Deleted \Flagged \Answered $Forwarded)] Permanent flags +< * OK [UIDNEXT 4343] Predicted next UID +< * OK [UNSEEN 1] First unseen message +< * OK [UIDVALIDITY 9313] UIDVALIDITY value +< A2 OK [READ-WRITE] SELECT completed +> A3 SEARCH UNSEEN ALL +< * SEARCH 1 2 +< A3 OK SEARCH completed +> A4 FETCH 1 (BODY.PEEK[HEADER.FIELDS (FROM FROM)]) +< * 1 FETCH (BODY[HEADER.FIELDS (FROM 
FROM)] {34} +From: User1 + +) +< A4 OK FETCH completed +> A5 CLOSE +< A5 OK CLOSE completed +> A6 LOGOUT +< * BYE Zarafa server logging out +< A6 OK LOGOUT completed + +IMPORTANT: This patch has been very carefully and extensively tested but it might not be +perfect nevertheless as I am not really a C/C++ developer. There should be a code review +by an experienced C/C++ developer before merging into Zarafa core. + +Proposed to upstream via e-mail on Thu, 29 May 2014 01:55:35 +0200, patch was put into the +upstream ticket https://jira.zarafa.com/browse/ZCP-12398. + +--- zarafa-7.1.10/gateway/IMAP.cpp 2014-05-12 12:06:03.000000000 +0200 ++++ zarafa-7.1.10/gateway/IMAP.cpp.imap-fetch-body 2014-05-29 00:49:29.000000000 +0200 +@@ -5253,10 +5253,21 @@ + } else { + vector lstReqFields; + vector::iterator iterReqField; ++ vector::iterator r, w; ++ set tmpset; + + // Get fields as vector + lstReqFields = tokenize(strFields, " "); + ++ // Make elements of vector unique ++ for(r = lstReqFields.begin(), w = lstReqFields.begin(); r != lstReqFields.end(); ++r) { ++ if(tmpset.insert(*r).second) { ++ *w++ = *r; ++ } ++ } ++ ++ lstReqFields.erase(w, lstReqFields.end()); ++ + // Output headers specified, in order of field set + for(iterReqField = lstReqFields.begin(); iterReqField != lstReqFields.end(); iterReqField++) { + for(iterField = lstFields.begin(); iterField != lstFields.end(); iterField++) { diff --git a/zarafa-7.1.10-kyotocabinet.patch b/zarafa-7.1.10-kyotocabinet.patch index 43e62a3..00cdeab 100644 --- a/zarafa-7.1.10-kyotocabinet.patch +++ b/zarafa-7.1.10-kyotocabinet.patch 
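Review bot: The de-duplication added in IMAP.cpp before the "Output headers specified" loop is case-sensitive (a set of the raw tokens), while RFC 3501 HEADER.FIELDS names are compared case-insensitively, so `HEADER.FIELDS (FROM from)` would presumably still emit the header twice if the matching loop that follows compares case-insensitively (its body is outside the hunk). Normalising the token before the insert closes that gap, e.g. `if(tmpset.insert(strToUpper(*r)).second) {` where `strToUpper` stands for whichever case-folding helper IMAP.cpp already has. Note that the template arguments appear stripped in this rendering of the patch (`vector lstReqFields;`, `set tmpset;`); confirm the file on disk still reads `vector<string>` / `set<string>`, otherwise it will not compile. The enclosing function begins and ends outside the hunk.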
@@ -4,6 +4,9 @@ broken on the given system and/or architecture. Interestingly that patch is not in 2012 the first time, proposed them as a patch to Zarafa and got merged. With a recent Zarafa release it seems they silently removed it again... +Proposed to upstream via e-mail on Fri, 11 Jul 2014 01:03:43 +0200, patch was put into the upstream ticket +https://jira.zarafa.com/browse/ZCP-12463. + --- zarafa-7.1.10/ECtools/zarafa-search/Makefile.am 2014-05-23 15:03:49.000000000 +0200 +++ zarafa-7.1.10/ECtools/zarafa-search/Makefile.am.kyotocabinet 2014-07-10 21:48:42.000000000 +0200 @@ -1,4 +1,8 @@ diff --git a/zarafa-7.1.10-ssl_protocols_ciphers.patch b/zarafa-7.1.10-ssl_protocols_ciphers.patch index 756d2fd..876df60 100644 --- a/zarafa-7.1.10-ssl_protocols_ciphers.patch +++ b/zarafa-7.1.10-ssl_protocols_ciphers.patch @@ -38,6 +38,9 @@ a code review and code clean up by an experienced C/C++ developer before merging This patch should be only applied in conjuction with the POP3 RESP-CODES and AUTH-RESP-CODE patch, the POP3 CAPA (CAPABILITIES) patch as well as the POP3 STLS (STARTTLS) patch applied before. +Proposed to upstream via e-mail on Sat, 8 Mar 2014 14:30:29 +0100, patch was put into the upstream +ticket https://jira.zarafa.com/browse/ZCP-12143. + --- zarafa-7.1.10/caldav/CalDAV.cpp 2014-05-23 15:56:36.000000000 +0200 +++ zarafa-7.1.10/caldav/CalDAV.cpp.rsc 2014-08-12 19:45:04.000000000 +0200 @@ -220,7 +220,9 @@ diff --git a/zarafa-7.1.10-webaccess-fail2ban.patch b/zarafa-7.1.10-webaccess-fail2ban.patch new file mode 100644 index 0000000..b0bb26e --- /dev/null +++ b/zarafa-7.1.10-webaccess-fail2ban.patch 
@@ -0,0 +1,38 @@ +Patch by Robert Scheck for Zarafa <= 7.1.0 which logs authentication +failures of Zarafa WebAccess into the error log of the webserver. This is basically a backport of +https://jira.zarafa.com/browse/WA-6908 from WebApp to WebAccess. In difference to original patch +there is no inappropriate space before a punctuation mark also known as "plenken". + +The second part of this patch is a backport of Zarafa WebApp 1.6 which ensures that authentication +is only performed if username and password are filled. This avoids a) strange looking results of +error_log() from the first part and b) reduces the possible risk of denial of service given that +PHP is not connecting the Zarafa server if not really needed. + +I guess the usage of isset() rather !empty() was accidential because isset() is always true once +the HTTP POST via the login formular happens. + +Proposed to upstream via e-mail on Wed, 13 Aug 2014 22:56:09 +0200, patch was put into the upstream +ticket https://jira.zarafa.com/browse/ZCP-12543. + +--- zarafa-7.1.10/php-webclient-ajax/client/login.php 2014-05-23 15:56:38.000000000 +0200 ++++ zarafa-7.1.10/php-webclient-ajax/client/login.php 2014-08-13 22:11:38.000000000 +0200 +@@ -86,6 +86,8 @@ + switch($_SESSION["hresult"]){ + case MAPI_E_LOGON_FAILED: + case MAPI_E_UNCONFIGURED: ++ // Print error message to error_log of webserver ++ error_log('user '.$_POST["username"].': authentication failure at MAPI'); + echo _("Logon failed, please check your name/password."); + break; + case MAPI_E_NETWORK_ERROR: +--- zarafa-7.1.10/php-webclient-ajax/index.php 2014-05-23 15:56:38.000000000 +0200 ++++ zarafa-7.1.10/php-webclient-ajax/index.php 2014-08-13 22:11:11.000000000 +0200 +@@ -153,7 +153,7 @@ + + // Create global mapi object. 
This object is used in many other files + $GLOBALS["mapisession"] = new MAPISession(); +- if (isset($_SESSION["username"]) && isset($_SESSION["password"])) { ++ if (!empty($_SESSION["username"]) && !empty($_SESSION["password"])) { + $sslcert_file = defined('SSLCERT_FILE') ? SSLCERT_FILE : null; + $sslcert_pass = defined('SSLCERT_PASS') ? SSLCERT_PASS : null; + $hresult = $GLOBALS["mapisession"]->logon($_SESSION["username"], $_SESSION["password"], DEFAULT_SERVER, $sslcert_file, $sslcert_pass); diff --git a/zarafa-7.1.10-webaccess-mcrypt.patch b/zarafa-7.1.10-webaccess-mcrypt.patch new file mode 100644 index 0000000..49bed4e --- /dev/null +++ b/zarafa-7.1.10-webaccess-mcrypt.patch 
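Review bot: The new `error_log('user '.$_POST["username"].': authentication failure at MAPI');` in login.php writes the raw POST value into the webserver error log, so a username containing newlines or other control characters can forge extra log lines — a real problem when the stated purpose is to feed fail2ban. Escape control characters and bound the length first, e.g. `error_log('user '.addcslashes(substr($_POST["username"], 0, 256), "\0..\37\177").': authentication failure at MAPI');`. The index.php change from `isset()` to `!empty()` also alters behaviour for the literal value "0": PHP's `empty("0")` is true, so a user whose password (or username) is exactly `0` can no longer log on; a check such as `$_SESSION["username"] !== '' && $_SESSION["password"] !== ''` avoids that. Both enclosing blocks (the switch in login.php and the session setup in index.php) start outside their hunks.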
@@ -0,0 +1,58 @@ +Patch by Robert Scheck for Zarafa >= 7.1.10 which fixes the fix that fixes CVE-2014-0103. Ush, +that was complicated, so: CVE-2014-0103 exists because Zarafa WebAccess < 7.1.10 and Zarafa WebApp < 1.6 storing passwords +in cleartext on server (in the PHP session). Zarafa solved this flaw by using openssl_encrypt() and openssl_decrypt() from +PHP's OpenSSL bindings. However these functions are only available in PHP 5.3 or later. Without this patch suggestion, any +older but still supported Linux distribution like Red Hat Enterprise Linux 5 or SuSE Linux Enterprise Server 10 (which are +both shipping PHP < 5.3 by default) would still be left vulnerable. + +Given that I am personally more a fan of OpenSSL rather mcrypt, I am not absolutely sure if this implementation is really +correct even it works fine on my test system. So please explicitly review this code to avoid introducing another security +flaw by trying to fix one! A thing that I generally question for myself is the usage of "des-ede3-cbc"/"MCRYPT_TRIPLEDES" +instead of e.g. MCRYPT_RIJNDAEL_128. Given that this decision was initially made by Zarafa I am just following that here. + +Important: To get this patch really powerful the install-time requirement needs to be adapted like this (this example is +based on Fedora's build system so the macros %{?rhel} and %{?fedora} might not exist at Zarafa but need to be replaced by +other macros): + +%if 0%{?rhel}%{?fedora} < 6 +Requires: php-mcrypt +%else +Requires: php-openssl +%endif + +This requires php-openssl (provided by php-common) on RHEL 6 (and later) and php-mcrypt (separate package) before RHEL 6. + +Proposed to upstream via e-mail on Thu, 5 Jun 2014 00:24:32 +0200, patch was put into the (non-disclosed) upstream ticket +https://jira.zarafa.com/browse/ZCP-12407. 
+ +--- zarafa-7.1.10/php-webclient-ajax/index.php 2014-05-23 15:56:38.000000000 +0200 ++++ zarafa-7.1.10/php-webclient-ajax/index.php.webaccess-mcrypt 2014-06-05 00:08:18.000000000 +0200 +@@ -135,6 +135,8 @@ + // if user has openssl module installed + if(function_exists("openssl_encrypt")) { + $_SESSION['password'] = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV); ++ } elseif(function_exists("mcrypt_encrypt")) { ++ $_SESSION['password'] = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV)); + } else { + $_SESSION["password"] = $password; + } +--- zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php 2014-05-23 15:56:38.000000000 +0200 ++++ zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php.webaccess-mcrypt 2014-06-05 00:08:57.000000000 +0200 +@@ -132,6 +132,8 @@ + if(is_string($username) && is_string($password)) { + if(function_exists("openssl_decrypt")) { + $password = openssl_decrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV); ++ } elseif(function_exists("mcrypt_decrypt")) { ++ $password = trim(mcrypt_decrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, base64_decode($password), MCRYPT_MODE_CBC, PASSWORD_IV)); + } + // logon + $this->session = mapi_logon_zarafa($username, $password, $server, $sslcert_file, $sslcert_pass); +@@ -139,6 +141,8 @@ + + if(function_exists("openssl_encrypt")) { + $password = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV); ++ } elseif(function_exists("mcrypt_encrypt")) { ++ $password = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV)); + } + + if ($result == NOERROR && $this->session !== false){ diff --git a/zarafa-7.1.11-gsoap-sslv3.patch b/zarafa-7.1.11-gsoap-sslv3.patch new file mode 100644 index 0000000..e4875ee --- /dev/null +++ b/zarafa-7.1.11-gsoap-sslv3.patch 
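Review bot: The mcrypt decrypt path in class.mapisession.php strips the cipher's zero padding with `trim()`, which also removes ordinary leading and trailing whitespace, so a password that legitimately ends (or begins) with a space or tab comes back altered and the `mapi_logon_zarafa()` call on the next line fails; removing only the padding is `$password = rtrim(mcrypt_decrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, base64_decode($password), MCRYPT_MODE_CBC, PASSWORD_IV), "\0");`. Because mcrypt zero-pads while openssl_encrypt() uses PKCS#7 padding, the two branches produce incompatible session values; that is harmless as long as every request on a host takes the same branch, but it deserves a comment above the `elseif` so nobody later mixes the two. mcrypt's 3DES expects a 24-byte key and an 8-byte IV and other sizes are handled differently across PHP versions — PASSWORD_KEY and PASSWORD_IV are not visible here, so confirm their lengths suit both branches. The enclosing functions start and end outside the hunks.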
@@ -0,0 +1,20 @@ +Patch by Robert Scheck for zarafa >= 7.1.11 which removes the Zarafa- +specific override/limitation that forces SSLv3-only SOAP connection between the Zarafa services. +The pristine gSOAP library itself uses SSLv23_method() instead and thus allows TLSv1.0, TLSv1.1 +as well as TLSv1.2. + +Proposed to upstream via e-mail on Wed, 2 Apr 2014 11:35:40 +0200, initial patch was put into the +upstream ticket Ticket#2014040210000266. + +--- zarafa-7.1.11/provider/common/SOAPSock.cpp 2014-09-03 10:45:06.000000000 +0200 ++++ zarafa-7.1.11/provider/common/SOAPSock.cpp.gsoap-sslv3 2015-02-18 01:15:50.000000000 +0100 +@@ -162,9 +162,6 @@ + + lpCmd->endpoint = strdup(strServerPath.c_str()); + +- // override the gsoap default v23 method to the force safer v3 only method. +- lpCmd->soap->ctx = SSL_CTX_new(SSLv3_method()); +- + #ifdef WITH_OPENSSL + if (strncmp("https:", lpCmd->endpoint, 6) == 0) { + // no need to add certificates to call, since soap also calls SSL_CTX_set_default_verify_paths() diff --git a/zarafa-7.1.11-plaintext_auth_localhost.patch b/zarafa-7.1.11-plaintext_auth_localhost.patch index 9b6aae0..c5fefd3 100644 --- a/zarafa-7.1.11-plaintext_auth_localhost.patch +++ b/zarafa-7.1.11-plaintext_auth_localhost.patch @@ -15,6 +15,9 @@ Important: The technical implementation of this patch might be not perfect as I C++ developer. There should be a code review by an experienced C/C++ developer before merging into Zarafa core. +Proposed to upstream via e-mail on Thu, 16 Oct 2014 00:00:05 +0200, patch was put into the upstream +ticket https://jira.zarafa.com/browse/ZCP-12473. + --- zarafa-7.1.11/gateway/IMAP.cpp 2014-09-03 10:45:06.000000000 +0200 +++ zarafa-7.1.11/gateway/IMAP.cpp.plaintext_auth_localhost 2014-09-24 01:29:10.000000000 +0200 @@ -757,7 +757,7 @@ diff --git a/zarafa-7.1.11-vacation-headers.patch b/zarafa-7.1.11-vacation-headers.patch new file mode 100644 index 0000000..924ff1d --- /dev/null +++ b/zarafa-7.1.11-vacation-headers.patch 
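Review bot: Removing the `SSL_CTX_new(SSLv3_method())` override in SOAPSock.cpp leaves protocol selection to gSOAP's SSLv23 context, and such a context may still negotiate SSLv3 (and, on older OpenSSL builds, SSLv2) unless those versions are explicitly disabled, so the result is an SSLv3-capable client rather than the TLS-only one the patch header implies. Unless gSOAP's own context setup already does so (not visible here), disable them where the context is created, e.g. `SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`. The header text's statement that the pristine library "allows TLSv1.0, TLSv1.1 as well as TLSv1.2" is accurate but does not mean SSLv3 is refused; a comment at the removal site recording which versions the resulting context accepts would prevent the override from being re-added for the wrong reason. The enclosing function starts and ends outside the hunk.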
@@ -0,0 +1,32 @@ +Patch by Robert Scheck for Zarafa >= 7.1.11 which restricts replies by +zarafa-autorespond to automated processes and mailing lists according to RFC 5230, section 4.6. For +further details please have a look to http://tools.ietf.org/html/rfc5230#page-8 as well. + +Proposed to upstream via e-mail on Wed, 27 Aug 2014 23:30:31 +0200, patch was put into the upstream +ticket https://jira.zarafa.com/browse/ZCP-12590. + +--- zarafa-7.1.11/spooler/DAgent.cpp 2014-08-24 12:27:06.000000000 +0200 ++++ zarafa-7.1.11/spooler/DAgent.cpp.vacation-headers 2014-08-27 23:20:18.000000000 +0200 +@@ -1422,11 +1422,19 @@ + + // See if we're looping + if (lpMessageProps[0].ulPropTag == PR_TRANSPORT_MESSAGE_HEADERS_A) { +- if ( (strstr(lpMessageProps[0].Value.lpszA, "X-Zarafa-Vacation:") != NULL) || +- (strstr(lpMessageProps[0].Value.lpszA, "Auto-Submitted:") != NULL) || +- (strstr(lpMessageProps[0].Value.lpszA, "Precedence:") != NULL) ) ++ if ( (strstr(lpMessageProps[0].Value.lpszA, "X-Zarafa-Vacation:") != NULL) || // Zarafa ++ (strstr(lpMessageProps[0].Value.lpszA, "Auto-Submitted:") != NULL) || // RFC 3834 ++ (strstr(lpMessageProps[0].Value.lpszA, "List-Id:") != NULL) || // RFC 2919 ++ (strstr(lpMessageProps[0].Value.lpszA, "List-Help:") != NULL) || // RFC 2369 ++ (strstr(lpMessageProps[0].Value.lpszA, "List-Subscribe:") != NULL) || // RFC 2369 ++ (strstr(lpMessageProps[0].Value.lpszA, "List-Unsubscribe:") != NULL) || // RFC 2369 ++ (strstr(lpMessageProps[0].Value.lpszA, "List-Post:") != NULL) || // RFC 2369 ++ (strstr(lpMessageProps[0].Value.lpszA, "List-Owner:") != NULL) || // RFC 2369 ++ (strstr(lpMessageProps[0].Value.lpszA, "List-Archive:") != NULL) || // RFC 2369 ++ (strstr(lpMessageProps[0].Value.lpszA, "Precedence:") != NULL) ) // RFC 3834 + // Vacation header already present, do not send vacation reply + // Precedence: list/bulk/junk, do not reply to these mails ++ // See also http://tools.ietf.org/html/rfc5230#page-8 for details + goto exit; + // save 
headers to a file so they can also be tested from the script we're runing + snprintf(szTemp, PATH_MAX, "%s/autorespond-headers.XXXXXX", getenv("TEMP") == NULL ? "/tmp" : getenv("TEMP")); diff --git a/zarafa-7.1.11-vacation-headers2.patch b/zarafa-7.1.11-vacation-headers2.patch new file mode 100644 index 0000000..7fcae17 --- /dev/null +++ b/zarafa-7.1.11-vacation-headers2.patch 
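Review bot: The new `List-*` checks in DAgent.cpp, like the existing ones, use `strstr()` on the whole header block, which is case-sensitive and unanchored: a message whose field is spelled `list-id:` (RFC 5322 field names are case-insensitive) is not recognised and still receives an auto-reply, while the literal text `Precedence:` inside a Subject or another header's value suppresses a reply that should have been sent. A small helper that walks the block line by line and compares the field name case-insensitively up to the colon makes all ten checks correct at once and replaces the growing `||` chain with a loop over a table of names, as sketched below. Whether `lpszA` holds raw header text or something already normalised by the transport is not visible in the hunk; if it is normalised, say so in a comment above the `if`. The enclosing function starts and ends outside the hunk.
```cpp
// true when the header block holds a line whose field name equals szName (case-insensitive)
static bool HasHeader(const char *lpszHeaders, const char *szName)
{
	size_t cbName = strlen(szName);
	const char *p = lpszHeaders;
	while (p != NULL && *p != '\0') {
		if (strncasecmp(p, szName, cbName) == 0 && p[cbName] == ':')
			return true;
		p = strchr(p, '\n');
		if (p != NULL)
			++p;
	}
	return false;
}

// … unchanged: PR_TRANSPORT_MESSAGE_HEADERS_A check …
	// Headers that mark automatic or list traffic, do not send vacation reply (RFC 5230 section 4.6)
	static const char *szNoReplyHeaders[] = {
		"X-Zarafa-Vacation", "Auto-Submitted",                         // Zarafa, RFC 3834
		"List-Id", "List-Help", "List-Subscribe", "List-Unsubscribe",  // RFC 2919, RFC 2369
		"List-Post", "List-Owner", "List-Archive", "Precedence",       // RFC 2369, RFC 3834
	};
	for (size_t i = 0; i < sizeof(szNoReplyHeaders) / sizeof(szNoReplyHeaders[0]); ++i)
		if (HasHeader(lpMessageProps[0].Value.lpszA, szNoReplyHeaders[i]))
			goto exit;
// … unchanged: save headers to a file …
```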
@@ -0,0 +1,44 @@ +Patch by Robert Scheck for Zarafa >= 7.1.11 which adds anti-loop headers +for automatic responses by zarafa-autorespond for Microsoft Exchange and all vacation(1) compatible +implementations. + +For the Microsoft Exchange related part useful links are: + - http://msdn.microsoft.com/en-us/library/ee219609(v=exchg.80).aspx + - https://www.jitbit.com/maxblog/18-detecting-outlook-autoreplyout-of-office-emails-and-x-auto-response-suppress-header/ + +For vacation(1) compatible implementations useful links are: + - http://www.daemon-systems.org/man/vacation.1.html + - Book "sendmail" (written by Bryan Costales, Claus Assmann, George Jansen, Gregory Neil Shapiro), ISBN 0596555342 + +Proposed to upstream via e-mail on Wed, 27 Aug 2014 23:59:58 +0200, patch was put into the upstream +ticket https://jira.zarafa.com/browse/ZCP-12591. + +--- zarafa-7.1.11/spooler/DAgent.cpp 2014-08-24 12:27:06.000000000 +0200 ++++ zarafa-7.1.11/spooler/DAgent.cpp.vacation-headers2 2014-08-27 23:52:42.000000000 +0200 +@@ -1469,12 +1469,25 @@ + if (hr != hrSuccess) + goto exit; + +- // add anti-loop header ++ // add anti-loop header for Zarafa + snprintf(szHeader, PATH_MAX, "\nX-Zarafa-Vacation: autorespond"); + hr = WriteOrLogError(fd, szHeader, strlen(szHeader)); + if (hr != hrSuccess) + goto exit; + ++ // add anti-loop header for Exchange, see http://msdn.microsoft.com/en-us/library/ee219609(v=exchg.80).aspx ++ snprintf(szHeader, PATH_MAX, "\nX-Auto-Response-Suppress: All"); ++ hr = WriteOrLogError(fd, szHeader, strlen(szHeader)); ++ if (hr != hrSuccess) ++ goto exit; ++ ++ // add anti-loop header for vacation(1) compatible implementations, see section 10.9 of book "sendmail" (written ++ // by Bryan Costales, Claus Assmann, George Jansen, Gregory Neil Shapiro), ISBN 0596555342 ++ snprintf(szHeader, PATH_MAX, "\nPrecedence: bulk"); ++ hr = WriteOrLogError(fd, szHeader, strlen(szHeader)); ++ if (hr != hrSuccess) ++ goto exit; ++ + if (lpMessageProps[3].ulPropTag == 
PR_SUBJECT_W) { + // convert as one string because of [] characters + swprintf(szwHeader, PATH_MAX, L"%ls [%ls]", szSubject, lpMessageProps[3].Value.lpszW); diff --git a/zarafa-7.1.9-ssl_ecdhe.patch b/zarafa-7.1.9-ssl_ecdhe.patch index f1a1a8e..6596637 100644 --- a/zarafa-7.1.9-ssl_ecdhe.patch +++ b/zarafa-7.1.9-ssl_ecdhe.patch @@ -22,6 +22,9 @@ by an experienced C/C++ and OpenSSL developer before merging into Zarafa core. This patch should be only applied after ZCP-12143 and its dependencies. However this patch might maybe not directly apply due to some previous merge issues as mentioned in Ticket#2014030810000131. +Proposed to upstream via e-mail on Mon, 14 Apr 2014 12:04:17 +0200, patch was put into the upstream +ticket https://jira.zarafa.com/browse/ZCP-12237. + --- zarafa-7.1.9/common/ECChannel.cpp 2014-04-13 23:46:59.000000000 +0200 +++ zarafa-7.1.9/common/ECChannel.cpp.ssl_ecdhe 2014-04-13 23:59:43.000000000 +0200 @@ -97,6 +97,9 @@ diff --git a/zarafa.spec b/zarafa.spec index 13819dc..4bbf0e1 100644 --- a/zarafa.spec +++ b/zarafa.spec @@ -1,5 +1,5 @@ %global beta_or_rc 0 -%global actual_release 2 +%global actual_release 3 %global svnrevision 46050 %global with_search 1 %global with_ldap 1 @@ -60,6 +60,13 @@ Patch2: zarafa-7.1.10-kyotocabinet.patch Patch3: zarafa-7.1.10-ssl_protocols_ciphers.patch Patch4: zarafa-7.1.9-ssl_ecdhe.patch Patch5: zarafa-7.1.11-plaintext_auth_localhost.patch +Patch6: zarafa-7.1.10-imap-badcharset.patch +Patch7: zarafa-7.1.10-imap-fetch-body.patch +Patch8: zarafa-7.1.11-vacation-headers.patch +Patch9: zarafa-7.1.11-vacation-headers2.patch +Patch10: zarafa-7.1.10-webaccess-fail2ban.patch +Patch11: zarafa-7.1.10-webaccess-mcrypt.patch +Patch12: zarafa-7.1.11-gsoap-sslv3.patch BuildRequires: bison BuildRequires: gcc-c++ 
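Review bot: The generated reply still carries no `Auto-Submitted: auto-replied`, the anti-loop marker RFC 3834 actually mandates for automatic responses and the one the loop check some forty lines earlier in DAgent.cpp (visible in the companion vacation-headers patch) already looks for on incoming mail; `Precedence: bulk` and `X-Auto-Response-Suppress` are useful extras, not a substitute. Adding it in the same style as the two new blocks is four lines, shown below. As a point of style, `snprintf(szHeader, PATH_MAX, "\nPrecedence: bulk")` with a constant format string buys nothing over passing the literal straight to `WriteOrLogError()`, and the three copies of snprintf/write/check could become one loop over a table of header strings. The enclosing function starts and ends outside the hunk.
```cpp
	// … unchanged: X-Zarafa-Vacation and X-Auto-Response-Suppress headers …
	// mark the message as an automatic reply, see RFC 3834 section 5
	snprintf(szHeader, PATH_MAX, "\nAuto-Submitted: auto-replied");
	hr = WriteOrLogError(fd, szHeader, strlen(szHeader));
	if (hr != hrSuccess)
		goto exit;
	// … unchanged: Precedence: bulk header, subject handling …
```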
@@ -315,7 +322,7 @@ Group: Applications/Productivity Requires: httpd, php-mapi = %{version}-%{release} # Bug: php53 from RHEL 5 does not provide php (#717158) %if 0%{?rhel} == 5 -Requires: mod_php >= 4.3 +Requires: mod_php >= 4.3, php-mcrypt %else Requires: php >= 4.3, php-openssl %endif @@ -391,6 +398,14 @@ touch -c -r aclocal.m4.rpath aclocal.m4 %patch3 -p1 -b .ssl_protocols_ciphers %patch4 -p1 -b .ssl_ecdhe %patch5 -p1 -b .disable_plaintext_auth-localhost +%patch6 -p1 -b .imap-badcharset +%patch7 -p1 -b .imap-fetch-body +%patch8 -p1 -b .vacation-headers +%patch9 -p1 -b .vacation-headers2 +%patch10 -p1 -b .webaccess-fail2ban +%patch11 -p1 -b .webaccess-mcrypt +rm -f php-webclient-ajax/{.,*,*/*}/*.webaccess-* +%patch12 -p1 -b .gsoap-sslv3 %build %if 0%{?rhel}%{?fedora} < 6 @@ -725,7 +740,8 @@ fi %files common %defattr(-,root,root,-) -%doc installer/licenseagreement/AGPL-3 +%{!?_licensedir:%global license %%doc} +%license installer/licenseagreement/AGPL-3 %dir %{_sysconfdir}/%{name}/ %config(noreplace) %{_sysconfdir}/logrotate.d/%{name} %config(noreplace) %{_sysconfdir}/sysconfig/%{name} @@ -934,6 +950,10 @@ fi %{python_sitearch}/* %changelog +* Sun Feb 22 2015 Robert Scheck 7.1.11-3 +- Added multiple minor enhancement and bugfix patches +- Added patch to fix CVE-2014-0103 for PHP < 5.3 (#1073618) + * Sat Oct 25 2014 Kevin Kofler 7.1.11-2 - Rebuild for reference-counting-enabled clucene09
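Review bot: `rm -f php-webclient-ajax/{.,*,*/*}/*.webaccess-*` in the %prep hunk is doing security-relevant work — the `-b` backups of index.php, client/login.php and server/core/class.mapisession.php would otherwise be installed under the web root, where a `.webaccess-*` suffix would typically be served as plain text rather than executed and expose the pre-patch source, including its session-password handling — but the brace glob only reaches two directory levels, so a future PHP patch touching a deeper file would presumably ship its backup silently. `find php-webclient-ajax -name '*.webaccess-*' -delete` covers any depth, or drop `-b` for %patch10 and %patch11 so no backup is created at all. Either way, a comment on that line saying why it exists would keep the next editor from removing it. The remaining hunks in zarafa.spec (release bump, Patch6–12 list, php-mcrypt requirement, %license macro, changelog) need nothing.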