  1. Oct 31, 2023
  2. Oct 25, 2023
  3. Oct 08, 2023
    • exim: update to version 4.96.1 · f6ae8362
      Daniel Golle authored
      
      This is a security release.
      
      JH/01 Bug 2999: Fix a possible OOB write in the external authenticator, which
            could be triggered by externally-supplied input.  Found by Trend Micro.
            CVE-2023-42115
      
      JH/02 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could
            be triggered by externally-controlled input.  Found by Trend Micro.
            CVE-2023-42116
      
      JH/03 Bug 3001: Fix a possible OOB read in the SPA authenticator, which could
            be triggered by externally-controlled input.  Found by Trend Micro.
            CVE-2023-42114
      
      Signed-off-by: Daniel Golle <daniel@makrotopia.org>
      (cherry picked from commit 7c8f4a2a1c2e883ae3ebd62aab96bb45e31b4d55)
  4. Oct 02, 2023
  5. Sep 21, 2023
  6. Sep 20, 2023
    • alpine: disable parallel build · a7769bf3
      Eneas U de Queiroz authored
      
      Parallel build does not work because it may reach a point where OSTYPE
      might be needed before it is actually built.  They appear to run
      parallel to each other:
      
      echo slx > OSTYPE
      [...]
      cat: OSTYPE: No such file or directory
      sh: line 1: test: too many arguments
      cat: OSTYPE: No such file or directory
      Already built for -- you must do "make clean" first
      make[6]: *** [Makefile:706: rebuild] Error 1
      make[6]: *** Waiting for unfinished jobs....
      
      Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
      (cherry picked from commit 0e652e244928afd3ac9490589542de0263b89e44)
  7. May 17, 2023
  8. May 13, 2023
    • pigeonhole: update to version 0.5.20 · 470c63d1
      Daniel Golle authored
      
      v0.5.20 2022-12-12  Aki Tuomi <aki.tuomi@open-xchange.com>
      
          * No changes - release done to keep version numbers synced.
      
      Signed-off-by: Daniel Golle <daniel@makrotopia.org>
    • dovecot: update to version 2.3.20 · a1648fbd
      Daniel Golle authored
      v2.3.20 2022-12-22  Aki Tuomi <aki.tuomi@open-xchange.com>
      
          + Add dsync_features=no-header-hashes. When this setting is enabled and
            one dsync side doesn't support mail GUIDs (i.e. imapc), there is no
            fallback to using header hashes. Instead, dsync assumes that all mails
            with identical IMAP UIDs contain the same mail contents. This can
            significantly improve dsync performance with some IMAP servers that
            don't support caching Date/Message-ID headers.
          + lua: HTTP client has more settings now, see
            https://doc.dovecot.org/admin_manual/lua/#dovecot.http.client
          + replicator: "doveadm replicator status" command now outputs when the
            next sync is expected for the user.
          - LAYOUT=index: duplicate GUIDs were not cleaned out. Also the list
            recovery was not optimal.
          - auth: Assert crash would occur when iterating multiple userdb
            backends.
          - director: Logging into director using master user with
            auth_master_user_separator character redirected user to a wrong
            backend, unless master_user_separator setting was also set to the same
            value. Merged these into auth_master_user_separator.
          - dsync: Couldn't always fix folder GUID conflicts automatically with
            Maildir format. This resulted in replication repeatedly failing
            with "Remote lost mailbox GUID".
          - dsync: Failed to migrate INBOX when using namespace prefix=INBOX/,
            resulting in "Remote lost mailbox GUID" errors.
          - dsync: INBOX was created too early with namespace prefix=INBOX/,
            resulting in a GUID conflict. This may have been resolved automatically,
            but not always.
          - dsync: v2.3.18 regression: Wrong imapc password with dsync caused
            Panic: file lib-event.c: line 506 (event_pop_global):
            assertion failed: (event == current_global_event)
          - imapc: Requesting STATUS for a mailbox with imapc and INDEXPVT
            configured did not return correct (private) unseen counts.
          - lib-dict: Process would crash when committing data to redis without
            dict proxy.
          - lib-mail: Corrupted cached BODYSTRUCTURE caused panic during FETCH.
            Fixes: Panic: file message-part-data.c: line 579 (message_part_is_attachment):
            assertion failed: (data != NULL). v2.3.13 regression.
          - lib-storage: mail_attribute_dict with dict-sql failed when it tried to
            lookup empty dict keys.
          - lib: ioloop-kqueue was missing include breaking some BSD builds.
          - lua-http: Dovecot Lua HTTP client could not resolve DNS names in mail
            processes, because it expected "dns-client" socket to exist in the
            current directory.
          - oauth2: Using %{oauth2:name} variables could cause useless
            introspections.
          - pop3: Sending POP3 command with ':' character caused an assert-crash.
            v2.3.18 regression.
          - replicator: Replication queue had various issues, potentially causing
            replication requests to become stuck.
          - stats: Invalid Prometheus label names were created with specific
            histogram group_by configurations. Prometheus rejected these labels.
      
      v2.3.19.1 2022-06-14  Aki Tuomi <aki.tuomi@open-xchange.com>
      
          - doveadm deduplicate: Non-duplicate mails were deleted.
            v2.3.19 regression.
          - auth: Crash would occur when iterating multiple backends.
            Fixes: Panic: file userdb-blocking.c:
            line 125 (userdb_blocking_iter_next): assertion failed: (ctx->conn != NULL)
      
      v2.3.19 2022-05-10  Aki Tuomi <aki.tuomi@open-xchange.com>
      
          + Added mail_user_session_finished event, which is emitted when the mail
            user session is finished (e.g. imap, pop3, lmtp). It also includes
            fields with some process statistics information.
            See https://doc.dovecot.org/admin_manual/list_of_events/ for more
            information.
          + Added process_shutdown_filter setting. When an event matches the filter,
            the process will be shut down after the current connection(s) have
            finished. This is intended to reduce memory usage of long-running imap
            processes that keep a lot of memory allocated instead of freeing it to
            the OS.
          + auth: Add cache hit indicator to auth passdb/userdb finished events.
            See https://doc.dovecot.org/admin_manual/list_of_events/ for more
            information.
          + doveadm deduplicate: Performance is improved significantly.
          + imapc: COPY commands were sent one mail at a time to the remote IMAP
            server. Now the copying is buffered, so multiple mails can be copied
            with a single COPY command.
          + lib-lua: Add a Lua interface to Dovecot's HTTP client library. See
            https://doc.dovecot.org/admin_manual/lua/ for more information.
          - auth: Cache lookup would use incorrect cache key after username change.
          - auth: Improve handling unexpected LDAP connection errors/hangs.
            Try to fix up these cases by reconnecting to the LDAP server and
            aborting LDAP requests earlier.
          - auth: Process crashed if userdb iteration was attempted while auth-workers
            were already full handling auth requests.
          - auth: db-oauth2: Using %{oauth2:name} variables caused unnecessary
            introspection requests.
          - dict: Timeouts may have been leaked at deinit.
          - director: Ring may have become unstable if a backend's tag was changed.
            It could also have caused director process to crash.
          - doveadm kick: Numeric parameter was treated as IP address.
          - doveadm: Proxying can panic when flushing print output. Fixes
            Panic: file ioloop.c: line 865 (io_loop_destroy): assertion failed:
            (ioloop == current_ioloop).
          - doveadm sync: BROKENCHAR was wrongly changed to '_' character when
            migrating mailboxes. This was set by default to %, so any mailbox
            names containing % characters were modified to "_25".
          - imapc: Copying or moving mails with doveadm to an imapc mailbox could
            have produced "Error: Syncing mailbox '[...]' failed" Errors. The
            operation itself succeeded but attempting to sync the destination
            mailbox failed.
          - imapc: Prevent index log synchronization errors when two or more imapc
            sessions are adding messages to the same mailbox index files, i.e.
            INDEX=MEMORY is not used.
          - indexer: Process was slowly leaking memory for each indexing request.
          - lib-fts: fts header filters caused binary content to be sent to the
            indexer with non-default configuration.
          - doveadm-server: Process could hang in some situations when printing
            output to TCP client, e.g. when printing doveadm sync state.
          - lib-index: dovecot.index.log files were often read and parsed entirely,
            rather than only the parts that were actually necessary. This mainly
            increased CPU usage.
          - lmtp-proxy: Session ID forwarding would cause same session IDs being
            used when delivering same mail to multiple backends.
          - log: Log prefix update may have been lost if log process was busy.
            This could have caused log prefixes to be empty or in some cases
            reused between sessions, i.e. log lines could have been logged for the
            wrong user/session.
          - mail_crypt: Plugin crashes if it's loaded only for some users. Fixes
            Panic: Module context mail_crypt_user_module missing.
          - mail_crypt: When LMTP was delivering mails to both recipients with mail
            encryption enabled and not enabled, the non-encrypted recipients may
            have gotten mails encrypted anyway. This happened when the first
            recipient was encrypted (mail_crypt_save_version=2) and the 2nd
            recipient was not encrypted (mail_crypt_save_version=0).
          - pop3: Session would crash if empty line was sent.
          - stats: HTTP server leaked memory.
          - submission-login: Long credentials, such as OAUTH2 tokens, were refused
            during SASL interactive due to submission server applying line length
            limits.
          - submission-login: When proxying to remote host, authentication was not
            using interactive SASL when logging in using long credentials such as
            OAUTH2 tokens. This caused authentication to fail due to line length
            constraints in SMTP protocol.
          - submission: Terminating the client connection with QUIT command after
            mail transaction is started with MAIL command and before it is
            finished with DATA/BDAT can cause a segfault crash.
          - virtual: doveadm search queries with mailbox-guid as the only parameter
            crashes: Panic: file virtual-search.c: line 77 (virtual_search_get_records):
            assertion failed: (result != 0)
      
      Signed-off-by: Daniel Golle <daniel@makrotopia.org>
  9. May 10, 2023
  10. Apr 21, 2023
    • treewide: remove AUTORELEASE · 0c10c224
      Paul Fertser authored
      
      Automatically compute and substitute current values for all
      $(AUTORELEASE) instances as this feature is deprecated and shouldn't be
      used.
      
      The following temporary change was made to the core:
      
      diff --git a/rules.mk b/rules.mk
      index 57d7995d4fa8..f16367de87a8 100644
      --- a/rules.mk
      +++ b/rules.mk
      @@ -429,7 +429,7 @@ endef
       abi_version_str = $(subst -,,$(subst _,,$(subst .,,$(1))))
      
       COMMITCOUNT = $(if $(DUMP),0,$(call commitcount))
      -AUTORELEASE = $(if $(DUMP),0,$(call commitcount,1))
      +AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))
      
       all:
       FORCE: ;
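
      Review bot: on the replacement AUTORELEASE line, expanding the variable now rewrites $(CURDIR)/Makefile in place, and because sed -i writes nothing to stdout the $(shell ...) call expands to an empty string, so any PKG_RELEASE:= assignment that uses $(AUTORELEASE) gets an empty value for it during the same run that performs the substitution. If that run's value matters, have the shell command print $(call commitcount,1) after the sed. The commit count is also interpolated into the sed expression unquoted, and since the message calls this change temporary it should stay out of the committed rules.mk.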
      
      And this command used to fix affected packages:
      
      for i in $(cd feeds/packages; git grep -l PKG_RELEASE:=.*AUTORELEASE | \
                                    sed 's^.*/\([^/]*\)/Makefile^\1^';);
      do
        make package/$i/download
      done
      
      Signed-off-by: Paul Fertser <fercerpav@gmail.com>
  11. Apr 08, 2023
  12. Jan 14, 2023
  13. Dec 23, 2022
  14. Dec 20, 2022
  15. Dec 18, 2022
  16. Oct 13, 2022
    • exim: update to version 4.96 · 5d5348bc
      Daniel Golle authored
      
      Exim version 4.96
      -----------------
      
      JH/01 Move the wait-for-next-tick (needed for unique message IDs) from
            after reception to before a subsequent reception.  This should
            mean slightly faster delivery, and also confirmation of reception
            to senders.
      
      JH/02 Move from using the pcre library to pcre2.  The former is no longer
            being developed or supported (by the original developer).
      
      JH/03 Constification work in the filters module required a major version
            bump for the local-scan API.  Specifically, the "headers_charset"
            global which is visible via the API is now const and may therefore
            not be modified by local-scan code.
      
      JH/04 Fix ClamAV TCP use under FreeBSD. Previously the OS-specific shim for
            sendfile() did not account for the way the ClamAV driver code called it.
      
      JH/05 Bug 2819: speed up command-line messages being read in.  Previously a
            time check was being done for every character; replace that with one
            per buffer.
      
      JH/06 Bug 2815: Fix ALPN sent by server under OpenSSL.  Previously the string
            sent was prefixed with a length byte.
      
      JH/07 Change the SMTP feature name for pipelining connect to be compliant with
            RFC 5321.  Previously Dovecot (at least) would log errors during
            submission.
      
      JH/08 Remove stripping of the binaries from the FreeBSD build.  This was added
            in 4.61 without a reason logged. Binaries will be bigger, which might
            matter on diskspace-constrained systems, but debug is easier.
      
      JH/09 Fix macro-definition during "-be" expansion testing.  The move to
            write-protected store for macros had not accounted for these runtime
            additions; fix by removing this protection for "-be" mode.
      
      JH/10 Convert all uses of select() to poll().  FreeBSD 12.2 was found to be
            handing out large-numbered file descriptors, violating the usual Unix
            assumption (and required by Posix) that the lowest possible number will be
            allocated by the kernel when a new one is needed.  In the daemon, and any
            child processes, values higher than 1024 (being bigger than FD_SETSIZE)
            are not useable for FD_SET() [and hence select()] and overwrite the stack.
            Assorted crashes happen.
      
      JH/11 Fix use of $sender_host_name in daemon process.  When used in certain
            main-section options or in a connect ACL, the value from the first ever
            connection was never replaced for subsequent connections.  Found by
            Wakko Warner.
      
      JH/12 Bug 2838: Fix for i32lp64 hard-align platforms. Found for SPARC Linux,
            though only once PCRE2 was introduced: the memory accounting used under
            debug offset allocations by an int, giving a hard trap in early startup.
            Change to using a size_t.  Debug and fix by John Paul Adrian Glaubitz.
      
      JH/13 Bug 2845: Fix handling of tls_require_ciphers for OpenSSL when a value
            with underbars is given.  The write-protection of configuration introduced
            in 4.95 trapped when normalisation was applied to an option not needing
            expansion action.
      
      JH/14 Bug 1895: TLS: Deprecate RFC 5114 Diffie-Hellman parameters.
      
      JH/15 Fix a resource leak in *BSD.  An off-by-one error resulted in the daemon
            failing to close the certificates directory, every hour or any time it
            was touched.
      
      JH/16 Debugging initiated by an ACL control now continues through into routing
            and transport processes.  Previously debugging stopped any time Exim
            re-execs, or for processing a queued message.
      
      JH/17 The "expand" debug selector now gives more detail, specifically on the
            result of expansion operators and items.
      
      JH/18 Bug 2751: Fix include_directory in redirect routers.  Previously a
            bad comparison between the option value and the name of the file to
            be included was done, and a mismatch was wrongly identified.
            4.88 to 4.95 are affected.
      
      JH/19 Support for Berkeley DB versions 1 and 2 is withdrawn.
      
      JH/20 When built with NDBM for hints DB's check for nonexistence of a name
            supplied as the db file-pair basename.  Previously, if a directory
            path was given, for example via the autoreply "once" option, the DB
            file.pag and file.dir files would be created in that directory's
            parent.
      
      JH/21 Remove the "allow_insecure_tainted_data" main config option and the
            "taint" log_selector.  These were previously deprecated.
      
      JH/22 Fix static address-list lookups to properly return the matched item.
            Previously only the domain part was returned.
      
      JH/23 Bug 2864: FreeBSD: fix transport hang after 4xx/5xx response. Previously
            the call into OpenSSL to send a TLS Close was being repeated; this
            resulted in the library waiting for the peer's Close.  If that was never
            sent we waited forever.  Fix by tracking send calls.
      
      JH/24 The ${run} expansion item now expands its command string elements after
            splitting.  Previously it was before; the new ordering makes handling
            zero-length arguments simpler.  The old ordering can be obtained by
            appending a new option "preexpand", after a comma, to the "run".
      
      JH/25 Taint-check exec arguments for transport-initiated external processes.
            Previously, tainted values could be used.  This affects "pipe", "lmtp" and
            "queryprogram" transport, transport-filter, and ETRN commands.
            The ${run} expansion is also affected: in "preexpand" mode no part of
            the command line may be tainted, in default mode the executable name
            may not be tainted.
      
      JH/26 Fix CHUNKING on a continued-transport.  Previously the usability of
            the facility was not passed across execs, and only the first message
            passed over a connection could use BDAT; any further ones using DATA.
      
      JH/27 Support the PIPECONNECT facility in the smtp transport when the helo_data
            uses $sending_ip_address and an interface is specified.
            Previously any use of the local address in the EHLO name disabled
            PIPECONNECT, the common case being to use the rDNS of it.
      
      JH/28 OpenSSL: fix transport-required OCSP stapling verification under session
            resumption. Previously verify failed because no certificate status is
            passed on the wire for the restarted session. Fix by using the recorded
            ocsp status of the stored session for the new connection.
      
      JH/29 TLS resumption: the key for session lookup in the client now includes
            more info that a server could potentially use in configuring a TLS
            session, avoiding offering mismatching sessions to such a server.
            Previously only the server IP was used.
      
      JH/30 Fix string_copyn() for limit greater than actual string length.
            Previously the copied amount was the limit, which could result in an
            overlapping memcpy for newly allocated destination soon after a
            source string shorter than the limit.  Found/investigated by KM.
      
      JH/31 Bug 2886: GnuTLS: Do not free the cached creds on transport connection
            close; it may be needed for a subsequent connection.  This caused a
            SEGV on primary-MX defer.  Found/investigated by Gedalya & Andreas.
      
      JH/32 Fix CHUNKING for a second message on a connection when the first was
            rejected.  Previously we did not reset the chunking-offered state, and
            erroneously rejected the BDAT command.  Investigation help from
            Jesse Hathaway.
      
      JH/33 Fix ${srs_encode ...} to handle an empty sender address, now returning
            an empty address.  Previously the expansion returned an error.
      
      HS/01 Bug 2855: Handle a v4mapped sender address given us by a frontending
            proxy.  Previously these were misparsed, leading to paniclog entries.
      
      Also contains commit 51be321b27 "Fix PAM auth. Bug 2813" addressing
      CVE-2022-37451.
      
      Signed-off-by: Daniel Golle <daniel@makrotopia.org>
      (cherry picked from commit f2763b95)
  17. Sep 07, 2022
    • exim: update to version 4.96 · f2763b95
      Daniel Golle authored
      
      Exim version 4.96
      -----------------
      
      JH/01 Move the wait-for-next-tick (needed for unique message IDs) from
            after reception to before a subsequent reception.  This should
            mean slightly faster delivery, and also confirmation of reception
            to senders.
      
      JH/02 Move from using the pcre library to pcre2.  The former is no longer
            being developed or supported (by the original developer).
      
      JH/03 Constification work in the filters module required a major version
            bump for the local-scan API.  Specifically, the "headers_charset"
            global which is visible via the API is now const and may therefore
            not be modified by local-scan code.
      
      JH/04 Fix ClamAV TCP use under FreeBSD. Previously the OS-specific shim for
            sendfile() did not account for the way the ClamAV driver code called it.
      
      JH/05 Bug 2819: speed up command-line messages being read in.  Previously a
            time check was being done for every character; replace that with one
            per buffer.
      
      JH/06 Bug 2815: Fix ALPN sent by server under OpenSSL.  Previously the string
            sent was prefixed with a length byte.
      
      JH/07 Change the SMTP feature name for pipelining connect to be compliant with
            RFC 5321.  Previously Dovecot (at least) would log errors during
            submission.
      
      JH/08 Remove stripping of the binaries from the FreeBSD build.  This was added
            in 4.61 without a reason logged. Binaries will be bigger, which might
            matter on diskspace-constrained systems, but debug is easier.
      
      JH/09 Fix macro-definition during "-be" expansion testing.  The move to
            write-protected store for macros had not accounted for these runtime
            additions; fix by removing this protection for "-be" mode.
      
      JH/10 Convert all uses of select() to poll().  FreeBSD 12.2 was found to be
            handing out large-numbered file descriptors, violating the usual Unix
            assumption (and required by Posix) that the lowest possible number will be
            allocated by the kernel when a new one is needed.  In the daemon, and any
            child processes, values higher than 1024 (being bigger than FD_SETSIZE)
            are not useable for FD_SET() [and hence select()] and overwrite the stack.
            Assorted crashes happen.
      
      JH/11 Fix use of $sender_host_name in daemon process.  When used in certain
            main-section options or in a connect ACL, the value from the first ever
            connection was never replaced for subsequent connections.  Found by
            Wakko Warner.
      
      JH/12 Bug 2838: Fix for i32lp64 hard-align platforms. Found for SPARC Linux,
            though only once PCRE2 was introduced: the memory accounting used under
            debug offset allocations by an int, giving a hard trap in early startup.
            Change to using a size_t.  Debug and fix by John Paul Adrian Glaubitz.
      
      JH/13 Bug 2845: Fix handling of tls_require_ciphers for OpenSSL when a value
            with underbars is given.  The write-protection of configuration introduced
            in 4.95 trapped when normalisation was applied to an option not needing
            expansion action.
      
      JH/14 Bug 1895: TLS: Deprecate RFC 5114 Diffie-Hellman parameters.
      
      JH/15 Fix a resource leak in *BSD.  An off-by-one error resulted in the daemon
            failing to close the certificates directory, every hour or any time it
            was touched.
      
      JH/16 Debugging initiated by an ACL control now continues through into routing
            and transport processes.  Previously debugging stopped any time Exim
            re-execs, or for processing a queued message.
      
      JH/17 The "expand" debug selector now gives more detail, specifically on the
            result of expansion operators and items.
      
      JH/18 Bug 2751: Fix include_directory in redirect routers.  Previously a
            bad comparison between the option value and the name of the file to
            be included was done, and a mismatch was wrongly identified.
            4.88 to 4.95 are affected.
      
      JH/19 Support for Berkeley DB versions 1 and 2 is withdrawn.
      
      JH/20 When built with NDBM for hints DB's check for nonexistence of a name
            supplied as the db file-pair basename.  Previously, if a directory
            path was given, for example via the autoreply "once" option, the DB
            file.pag and file.dir files would be created in that directory's
            parent.
      
      JH/21 Remove the "allow_insecure_tainted_data" main config option and the
            "taint" log_selector.  These were previously deprecated.
      
      JH/22 Fix static address-list lookups to properly return the matched item.
            Previously only the domain part was returned.
      
      JH/23 Bug 2864: FreeBSD: fix transport hang after 4xx/5xx response. Previously
            the call into OpenSSL to send a TLS Close was being repeated; this
            resulted in the library waiting for the peer's Close.  If that was never
            sent we waited forever.  Fix by tracking send calls.
      
      JH/24 The ${run} expansion item now expands its command string elements after
            splitting.  Previously it was before; the new ordering makes handling
            zero-length arguments simpler.  The old ordering can be obtained by
            appending a new option "preexpand", after a comma, to the "run".
      
      JH/25 Taint-check exec arguments for transport-initiated external processes.
            Previously, tainted values could be used.  This affects "pipe", "lmtp" and
            "queryprogram" transport, transport-filter, and ETRN commands.
            The ${run} expansion is also affected: in "preexpand" mode no part of
            the command line may be tainted, in default mode the executable name
            may not be tainted.
      
      JH/26 Fix CHUNKING on a continued-transport.  Previously the usability of
            the facility was not passed across execs, and only the first message
            passed over a connection could use BDAT; any further ones using DATA.
      
      JH/27 Support the PIPECONNECT facility in the smtp transport when the helo_data
            uses $sending_ip_address and an interface is specified.
            Previously any use of the local address in the EHLO name disabled
            PIPECONNECT, the common case being to use the rDNS of it.
      
      JH/28 OpenSSL: fix transport-required OCSP stapling verification under session
            resumption. Previously verify failed because no certificate status is
            passed on the wire for the restarted session. Fix by using the recorded
            ocsp status of the stored session for the new connection.
      
      JH/29 TLS resumption: the key for session lookup in the client now includes
            more info that a server could potentially use in configuring a TLS
            session, avoiding offering mismatching sessions to such a server.
            Previously only the server IP was used.
      
      JH/30 Fix string_copyn() for limit greater than actual string length.
            Previously the copied amount was the limit, which could result in an
            overlapping memcpy for newly allocated destination soon after a
            source string shorter than the limit.  Found/investigated by KM.
      
      JH/31 Bug 2886: GnuTLS: Do not free the cached creds on transport connection
            close; it may be needed for a subsequent connection.  This caused a
            SEGV on primary-MX defer.  Found/investigated by Gedalya & Andreas.
      
      JH/32 Fix CHUNKING for a second message on a connection when the first was
            rejected.  Previously we did not reset the chunking-offered state, and
            erroneously rejected the BDAT command.  Investigation help from
            Jesse Hathaway.
      
      JH/33 Fix ${srs_encode ...} to handle an empty sender address, now returning
            an empty address.  Previously the expansion returned an error.
      
      HS/01 Bug 2855: Handle a v4mapped sender address given us by a frontending
            proxy.  Previously these were misparsed, leading to paniclog entries.
      
      Also contains commit 51be321b27 "Fix PAM auth. Bug 2813" addressing
      CVE-2022-37451.
      
      Signed-off-by: Daniel Golle <daniel@makrotopia.org>
  18. Jul 20, 2022
  19. Jul 17, 2022
  20. May 20, 2022
  21. May 11, 2022
  22. Feb 12, 2022
  23. Feb 04, 2022
  24. Feb 02, 2022
  25. Jan 25, 2022
    • postfix: fix build on macos · 9d8171aa
      Sergey V. Lobanov authored
      
      macos build fails due to two reasons:
      1. using build host ar and ranlib tools
      2. using uname -r to get kernel version
      
      First issue is fixed by specifying ar and ranlib from toolchain
      Second issue is fixed by specifying kernel release major version=5
      Using 'uname -r' from build host for cross-compiling is not a good
      idea even for Linux build host
      
      Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
  26. Jan 11, 2022
  27. Jan 09, 2022
  28. Dec 18, 2021
  29. Dec 16, 2021