On Sun, 2006-11-19 at 12:20 +0100, Egbert Jan wrote:
> As a recent dovecot addict, I'm a bit puzzled by the sheer amount of
> patches available. I have not seen the history of these patches and I
> could not find a README explaining the patches. Are all these personal
> wishes/nice to have things or are they (to be) incorporated in
> dovecot-final?
I think there are 4 kinds of patches:
1) Patches to fix a specific issue in some Dovecot versions. These have
already been merged into newer versions.
2) Enhancement requests that are too large changes for v1.0 at this
point, so they're just waiting for v1.1.
3) Debugging patches.
4) Patches for some small features that some people have needed, but
I've decided they're too ugly to be included in the main Dovecot
sources. Usually I've also figured out a better way to implement these,
but the better way would require larger rewrites of other parts.
I guess I could clean up the /patches/ directory in the web server.
> I use rpmbuild to create new rpms from the latest tarball but in that
> process still several patches are included during the build. I wonder if
> they are still needed in rc15. I use the original spec file (the latest I
> could find) was created for rc7 and in there I see:
>
> Patch2 dovecot-0.99.10-mbox-patch
> Seems to be to change the order of ./Mail before ./mail
The order is still mail -> Mail. I guess this is distribution-specific
of what they want. I don't want Mail -> mail ordering. And the
autodetection preferably shouldn't be used anyway.
> Patch3 dovecot-CVE-2006-2414
> Overview from CVE db: Directory traversal vulnerability in Dovecot 1.0 beta
> and 1.0 allows remote attackers to list files and directories under the
> mbox parent directory and obtain mailbox names via ".." sequences in the
> (1) LIST or (2) DELETE IMAP command.
Fixed in 1.0beta8 and since.