[Dovecot] Dovecot (unofficial) patches
Dear list,
As a recent dovecot addict, I'm a bit puzzled by the sheer amount of patches available. I have not seen the history of these patches and I could not find a README explainng the patches. Are all these personal wishes/nice to have things or are they (to be) incorporated in dovecot-final?
I use rpmbuild to create new rpms from the latest tarball but in that process still several patches are included during the build. I wonder if they are still needed in rc15. I use the orignal spec file (the latest I could find) was created for rc7 and in there I see:
Patch2 dovecot-0.99.10-mbox-patch Seems to be to change the order of ./Mail before ./mail
Patch3 dovecot-CVE-2006-2414 Overview from CVE db:Directory traversal vulnerability in Dovecot 1.0 beta and 1.0 allows remote attackers to list files and directories under the mbox parent directory and obtain mailbox names via ".." sequences in the (1) LIST or (2) DELETE IMAP command.
I'm not a spec file wizard, so I change as less as possible. Unfortunately the maintainer (Jerome Soyer) has never responded to my emails.
My server runs Mandriva Official 2007.0 and Postfix 2.3.3 and dovecot rc14 (will move to rc15 soon).
TNX EgbertJan (NL)
On Sun, 2006-11-19 at 12:20 +0100, Egbert Jan wrote:
As a recent dovecot addict, I'm a bit puzzled by the sheer amount of patches available. I have not seen the history of these patches and I could not find a README explainng the patches. Are all these personal wishes/nice to have things or are they (to be) incorporated in dovecot-final?
I think there are 4 kinds of patches:
Patches to fix a specific issue in some Dovecot versions. These have already been merged into newer versions.
Enhancement requests that are too large changes for v1.0 at this point, so they're just waiting for v1.1.
Debugging patches.
Patches for some small features that some people have needed, but I've decided they're too ugly to be included in the main Dovecot sources. Usually I've also figured out a better way to implement these, but the better way would require larger rewrites of other parts.
I guess I could clean up the /patches/ directory in the web server.
I use rpmbuild to create new rpms from the latest tarball but in that process still several patches are included during the build. I wonder if they are still needed in rc15. I use the orignal spec file (the latest I could find) was created for rc7 and in there I see:
Patch2 dovecot-0.99.10-mbox-patch Seems to be to change the order of ./Mail before ./mail
The order is still mail -> Mail. I guess this is distribution-specific of what they want. I don't want Mail -> mail ordering. And the autodetection preferrably shouldn't be used anyway.
Patch3 dovecot-CVE-2006-2414 Overview from CVE db:Directory traversal vulnerability in Dovecot 1.0 beta and 1.0 allows remote attackers to list files and directories under the mbox parent directory and obtain mailbox names via ".." sequences in the (1) LIST or (2) DELETE IMAP command.
Fixed in 1.0beta8 and since.
participants (2)
-
Egbert Jan
-
Timo Sirainen