> On 23/12/2022 14:23 EET Eray Aslan <eraya at a21an.org> wrote:
>
>
> On Fri, Dec 23, 2022 at 11:59:54AM +0200, Aki Tuomi wrote:
> > > On 23/12/2022 11:47 EET Eray Aslan <eraya at a21an.org> wrote:
> > > On Thu, Dec 22, 2022 at 10:06:16AM +0200, Aki Tuomi wrote:
> > > > We are pleased to release v2.3.20 of Dovecot.
> > >
> > > Can you confirm that CVE-2022-30550 is patched in dovecot-2.3.20?
> > > Thank you.
> >
> > We've decided to fix it for 2.4 release only, so it's not fixed in 2.3.20.
>
> That is a surprising decision.
>
The bug does not, in fact, affect that many setups, and we do not consider it to
be practically that severe a bug.

> One more question regarding openssl. I am getting test failures when
> building against openssl-3 but not when building against openssl-1.1.1s.
> Can you confirm if openssl-3 is supported?
>
> [...]
> test-crypto.c:827: Assert failed: ret == TRUE
> Panic: file dcrypt-openssl.c: line 2639 (dcrypt_openssl_private_to_public_key): assertion failed: (priv_key != NULL && pub_key_r != NULL)
> Error: Raw backtrace: ./test-crypto(backtrace_append+0x42) [0x560ff72000b2] -> ./test-crypto(backtrace_get+0x1e) [0x560ff72001fe] -> ./test-crypto(+0x26952) [0x560ff71dd952] -> ./test-crypto(+0x26991) [0x560ff71dd991] -> ./test-crypto(+0x14e03) [0x560ff71cbe03] -> .libs/libdcrypt_openssl.so(+0x5f25) [0x7f5b1b499f25] -> ./test-crypto(+0x1f071) [0x560ff71d6071] -> ./test-crypto(+0x227cf) [0x560ff71d97cf] -> ./test-crypto(test_run+0x4a) [0x560ff71da2da] -> ./test-crypto(main+0x4f) [0x560ff71d032f] -> /lib64/libc.so.6(+0x232ca) [0x7f5b1b5322ca] -> /lib64/libc.so.6(__libc_start_main+0x85) [0x7f5b1b532385] -> ./test-crypto(_start+0x21) [0x560ff71d0451]
> make[3]: *** [Makefile:1137: check-local] Error 1
> [...]
> $ openssl version
> OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
>
> Thank you
> --
> Eray

OpenSSL 3.0 support is also planned for 2.4.

Aki