Hello community,

here is the log from the commit of package dovecot22 for openSUSE:Factory checked in at 2015-06-23 12:00:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dovecot22 (Old)
 and /work/SRC/openSUSE:Factory/.dovecot22.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "dovecot22"

Changes:
--------
--- /work/SRC/openSUSE:Factory/dovecot22/dovecot22.changes 2015-05-26 12:33:56.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.dovecot22.new/dovecot22.changes 2015-06-23 12:00:47.000000000 +0200
@@ -1,0 +2,27 @@ +Mon Jun 15 15:14:57 UTC 2015 - mrueckert@suse.de + +- added dovecot-2.2.18-better_ssl_defaults.patch: (boo #854512) + - set the default cipher suite to: + ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH + - disable not just SSLv2 by default but also SSLv3 + - set default dh params length to 2048 + - prefer server side cipher order + - disable compression +- dropped all config changing via sed and folded them into this + patch + + Upgrade note: if you want to benefit from those changes you have + to merge your /etc/dovecot/conf.d/10-ssl.conf with + /usr/share/doc/packages/dovecot/example-config/conf.d/10-ssl.conf + +------------------------------------------------------------------- +Mon Jun 15 11:22:01 UTC 2015 - mrueckert@suse.de + +- added dovecot-2.2.18-dont_use_etc_ssl_certs.patch: + Remove all references /etc/ssl/certs/. It should not be used + anymore. (boo #932386) + + Please make sure you read README.SUSE after installing this + update. + +------------------------------------------------------------------- New: ---- dovecot-2.2.18-better_ssl_defaults.patch dovecot-2.2.18-dont_use_etc_ssl_certs.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dovecot22.spec ++++++ --- /var/tmp/diff_new_pack.ljQQro/_old 2015-06-23 12:00:48.000000000 +0200 +++ /var/tmp/diff_new_pack.ljQQro/_new 2015-06-23 12:00:48.000000000 +0200 @@ -127,6 +127,8 @@ Source5: dovecot-2.2.configfiles Source6: dovecot-2.1-pigeonhole.configfiles Source7: dovecot-2.2-pigeonhole.configfiles +Patch: dovecot-2.2.18-dont_use_etc_ssl_certs.patch +Patch1: dovecot-2.2.18-better_ssl_defaults.patch Summary: IMAP and POP3 Server Written Primarily with Security in Mind License: BSD-3-Clause and LGPL-2.1+ and MIT Group: Productivity/Networking/Email/Servers 
@@ -304,12 +306,9 @@ %prep %setup -q -n %{pkg_name}-%{dovecot_version} -a 1 +%patch -p1 +%patch1 -p1 %{__gzip} -9v ChangeLog -# Disable ssl per default. -%{__sed} -i 's|#ssl = yes|ssl = no|' doc/example-config/conf.d/10-ssl.conf -# Also do not include non-existant key and cert files for SSL bnc#696919. -%{__sed} -i 's|^ssl_cert = |#ssl_cert = |' doc/example-config/conf.d/10-ssl.conf -%{__sed} -i 's|^ssl_key = |#ssl_key = |' doc/example-config/conf.d/10-ssl.conf # Fix plugins dir. %{__sed} -i 's|#mail_plugin_dir = /usr/lib/dovecot|mail_plugin_dir = %{_libdir}/dovecot/modules|' doc/example-config/conf.d/10-mail.conf ++++++ dovecot-2.2.18-better_ssl_defaults.patch ++++++ Index: dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf =================================================================== --- dovecot-2.2.18.orig/doc/example-config/conf.d/10-ssl.conf +++ dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf @@ -9,8 +9,8 @@ # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = ssl_cipher = "HIGH"; + db->ssl_cipher = "ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH"; db->ssl_verify_server_cert = 0; /* FIXME: change to 1 for v2.3 */ args = t_strsplit_spaces(connect_string, " "); ++++++ dovecot-2.2.18-dont_use_etc_ssl_certs.patch ++++++ Index: dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf =================================================================== --- dovecot-2.2.18.orig/doc/example-config/conf.d/10-ssl.conf +++ dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf @@ -9,7 +9,7 @@ # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert =
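
Review bot: In the dovecot22.changes hunk, the entry for dovecot-2.2.18-dont_use_etc_ssl_certs.patch says references to /etc/ssl/certs/ are removed but never names the location that replaces it, deferring entirely to README.SUSE. Suggest stating the new certificate path in the entry itself, so an admin reading only the changelog knows which `ssl_cert` and `ssl_key` paths to update. The upgrade note under better_ssl_defaults would also be clearer if it said which of the listed changes live only in the example 10-ssl.conf and which are compiled-in defaults.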
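
Review bot: In the dovecot22.spec hunk at `@@ -127,6 +127,8 @@`, the first patch is declared as bare `Patch:` while the second is `Patch1:`, and the %prep hunk mirrors that with `%patch -p1` next to `%patch1 -p1`. Suggest `Patch0:` and `%patch0 -p1` so the numbering is explicit and a later patch can be inserted without ambiguity.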
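
Review bot: In the dovecot22.spec hunk at `@@ -304,12 +306,9 @@`, the three removed sed lines were what shipped `ssl = no` and commented out `ssl_cert` and `ssl_key` for bnc#696919, and nothing in this hunk shows where that behaviour now lives. The changelog says it was folded into dovecot-2.2.18-better_ssl_defaults.patch, so please confirm that the patch's 10-ssl.conf hunk carries all three changes. Otherwise a fresh install gets the upstream `#ssl = yes` default together with cert and key paths that point at files that do not exist. A short comment next to `%patch1 -p1` naming the bug number would keep that link from being lost.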
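
Review bot: In dovecot-2.2.18-better_ssl_defaults.patch, the `db->ssl_cipher` default changes from the allow-list `"HIGH"` to a deny-list built on `ALL`, so every suite class not named in the exclusions stays enabled, including MEDIUM-grade suites that `HIGH` left out. If the intent is to tighten the default, start from `HIGH` (or an explicit list) and subtract from that instead. `!ADH` is also already covered by `!aNULL` and can be dropped. Since the same literal is what the changelog describes for the example config, consider defining it once rather than repeating it in the C source, so the two cannot drift. The context line `db->ssl_verify_server_cert = 0; /* FIXME: change to 1 for v2.3 */` is left as is, which is worth calling out in a patch named "better SSL defaults".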
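
Review bot: In dovecot-2.2.18-dont_use_etc_ssl_certs.patch, the 10-ssl.conf hunk at `@@ -9,7 +9,7 @@` rewrites the same `ssl_cert =` line that dovecot-2.2.18-better_ssl_defaults.patch touches at `@@ -9,8 +9,8 @@`, so the two patches apply only in the order the spec lists them. Suggest either merging the 10-ssl.conf changes into one patch or adding a comment in the spec stating the required order, so that a later refresh of one patch does not silently break the other.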