Change logs for dovecot source package in Cosmic

  • dovecot (1:2.3.2.1-1ubuntu3.4) cosmic-security; urgency=medium
    
      * SECURITY UPDATE: submission-login denial of service issues
        - debian/patches/CVE-2019-1149x-1.patch: remove unused
          client->pending_starttls in src/submission-login/client.h.
        - debian/patches/CVE-2019-1149x-2.patch: fix crash occurring when
          client disconnects during authentication in
          src/submission-login/client-authenticate.c,
          src/submission-login/client.c.
        - debian/patches/CVE-2019-1149x-3.patch: fix AUTH response error
          handling so that it stops reading more input in
          src/lib-smtp/smtp-server-cmd-auth.c.
        - CVE-2019-11494
        - CVE-2019-11499
    
     -- Marc Deslauriers <email address hidden>  Mon, 29 Apr 2019 07:46:18 -0400
  • dovecot (1:2.3.2.1-1ubuntu3.3) cosmic-security; urgency=medium
    
      * SECURITY UPDATE: JSON encoder assert DoS
        - debian/patches/CVE-2019-10691.patch: escape invalid UTF-8 as unicode
          bytes in src/lib/json-parser.c, src/lib/test-json-parser.c.
        - CVE-2019-10691
    
     -- Marc Deslauriers <email address hidden>  Tue, 16 Apr 2019 12:33:03 -0400
  • dovecot (1:2.3.2.1-1ubuntu3.2) cosmic-security; urgency=medium
    
      * SECURITY UPDATE: stack overflow when reading FTS or POP3-UIDL header
        - debian/patches/CVE-2019-7524-1.patch: fix buffer overflow when
          reading oversized hdr-pop3-uidl header in
          src/lib-storage/index/index-pop3-uidl.c.
        - debian/patches/CVE-2019-7524-2.patch: fix buffer overflow when
          reading oversized fts header in src/plugins/fts/fts-api.c.
        - CVE-2019-7524
    
     -- Marc Deslauriers <email address hidden>  Fri, 29 Mar 2019 07:49:50 -0400
  • dovecot (1:2.3.2.1-1ubuntu3.1) cosmic-security; urgency=medium
    
      * SECURITY UPDATE: incorrect client certificate validation
        - debian/patches/CVE-2019-3814-1.patch: do not import empty certificate
          username in src/auth/auth-request.c.
        - debian/patches/CVE-2019-3814-2.patch: fail authentication if
          certificate username was unexpectedly missing in
          src/auth/auth-request-handler.c.
        - debian/patches/CVE-2019-3814-3.patch: ensure we get username from
          certificate in src/login-common/sasl-server.c.
        - CVE-2019-3814
    
     -- Marc Deslauriers <email address hidden>  Mon, 28 Jan 2019 08:49:23 -0500
  • dovecot (1:2.3.2.1-1ubuntu3) cosmic; urgency=high
    
      * No change rebuild against openssl 1.1.1 with TLS 1.3 support.
    
     -- Dimitri John Ledkov <email address hidden>  Sat, 29 Sep 2018 01:36:48 +0100
  • dovecot (1:2.3.2.1-1ubuntu2) cosmic; urgency=medium
    
      * d/p/fix-glibc-crypt-ftbfs: cherry-pick from upstream to find crypt(3)
        correctly to fix FTBFS (LP: #1793138).
    
     -- Robie Basak <email address hidden>  Thu, 20 Sep 2018 08:51:00 +0100
  • dovecot (1:2.3.2.1-1ubuntu1) cosmic; urgency=medium
    
      * Merge with Debian unstable (LP: #1771524). Remaining changes:
        - carry mail-stack-delivery as empty transitional package
          (can be dropped >20.04)
      * Dropped Changes
        - Add updated autopkgtest to debian/tests/* (LP: 1638865)
(those became superfluous by being mostly identical to the tests in
           debian/tests/usage that are now packaged by Debian.)
    
     -- Christian Ehrhardt <email address hidden>  Fri, 03 Aug 2018 12:31:43 +0200
  • dovecot (1:2.2.35-2ubuntu1) cosmic; urgency=medium
    
      * Merge with Debian unstable (LP: #1771816). Remaining changes:
        - Add updated autopkgtest to debian/tests/* (these tests got simplified
          and streamlined to use the packages default configuration which solves
          LP: #1638865)
      * Dropped Changes (now upstream)
        - SECURITY UPDATE: rfc822_parse_domain Information Leak Vulnerability
        - SECURITY UPDATE: TLS SNI config lookups DoS
        - SECURITY UPDATE: Memory leak that can cause crash due to memory exhaustion
* Dropped Changes (no longer needed after 18.04)
        - handle conffile removal of /etc/init/dovecot.conf (due to dropping
          upstart).
* Dropped Changes (no longer needed)
        - Drop build dependency on libstemmer-dev (universe) - this is now in main
- Disable dovecot-lucene plugin as it had various issues and is deprecated
          in favor of solr anyway (LP: #1524526) - no more failing in Cosmic.
      * Dropped Changes (mail-stack-delivery)
It was decided to no longer carry mail-stack-delivery as a package in favor
        of out-of-package solutions. It became less useful due to one of its
        biggest benefits (auto-ssl setup) being part of the base setup now.
        - Add mail-stack-delivery
          - add package in d/rules, d/control
          - add d/*mail-stack-delivery* maintainer scripts and default conf
          - d/mail-stack-delivery.preinst: Move previously installed backups and
            config files to a new package namespace.
          - d/mail-stack-delivery.README.Debian clarified use of configuration files
        - d/mail-stack-delivery.postinst: Use ssl key/cert paths now set up by
          dovecot-core; transition for such configs formerly set up by
          mail-stack-delivery to use the new default ssl config (if user had no
conffile change or chooses new defaults).
        - d/mail-stack-delivery.postinst: if moving dovecot to the new defaults on
          upgrade, also move the related postfix key/cert entries.
        - debian/99-mail-stack-delivery.conf: do not explicitly enable protocols
          as all installed are auto-included from the base config now.
        - adapt autopkgtests to match new version.
        - d/control: for the ssl transition to work we need to ensure dovecot-core
          is complete before upgrading mail-stack-delivery, so add a Pre-Depends.
        - d/mail-stack-delivery.postinst: add SSL_CERT/SSL_KEY detection to
          postconf section (was formerly initialized at the now dropped key setup)
        - d/mail-stack-delivery.postinst: fix SSL_CERT/SSL_KEY detection to only
          read non-comments from the right keywords and to strip common bad-chars
        - d/mail-stack-delivery.postinst: stop modifying mandatory tls config,
          recent upstream has sane defaults now
        - debian/99-mail-stack-delivery.conf: drop explicit ssl_cipher_list,
          recent upstream has sane defaults now
      * Added Changes:
        - carry mail-stack-delivery as empty transitional package
          (can be dropped >20.04)
    
    dovecot (1:2.2.35-2) unstable; urgency=medium
    
      * [7665652] Use git-subtree to generate pigeonhole patch from git; add
        single-debian-patch to d/source/local-options
      * [bfa0f10] d/rules: specify libdir manually; previous upload moved modules
        under /usr/lib/<triplet>, which was bound to break existing setups
      * [982e826] d/copyright: adjust pigeonhole path and bump years
    
    dovecot (1:2.2.35-1) unstable; urgency=medium
    
      * [8108cba] New upstream version 2.2.35
      * [6cbbaa1] Update pigeonhole to 0.4.23 (Closes: #892137)
      * [9ace5f2] Switch Vcs-* URLs to salsa.d.o
      * [ef40625] d/rules: call configure via dh_auto_configure.
        Thanks to Helmut Grohne (Closes: #885854)
      * [a459455] Drop B-D on libcurl4-gnutls-dev; removed upstream since 2.2
      * [235af9d] Update upstream signing key
    
    dovecot (1:2.2.34-2) unstable; urgency=high
    
      * [868dc65] Update pigeonhole to 0.4.22
      * Set urgency to high due to the security fixes in 2.2.34-1
    
    dovecot (1:2.2.34-1) unstable; urgency=medium
    
      * [f53dc9a] New upstream version 2.2.34
        Fixes the following security issues:
         + CVE-2017-15130: TLS SNI config lookups may lead to excessive memory
           usage (Closes: #891820)
         + CVE-2017-14461: rfc822_parse_domain information leak vulnerability
           (Closes: #891819)
         + CVE-2017-15132: auth client leaks memory if SASL authentication is
           aborted (Closes: #888432)
      * [0dc98c6] Do not patch all-settings.c; regenerate it at build time
        instead. Thanks to Aki Tuomi!
      * [e678e3b] Bump dh compat to 11
         + B-D on debhelper (>= 11~)
         + Use dh_installsystemd instead of dh_systemd_enable
      * [271b290] Bump Standards-Version to 4.1.3; no changes needed
      * [3cd6715] d/copyright: bump upstream and debian years
      * [380d1ac] Drop the ENABLED flag from /etc/default/dovecot (but let the
        initscript handle it if it exists)
      * [97d6fae] d/watch: switch upstream URL to https://
    
     -- Christian Ehrhardt <email address hidden>  Wed, 16 May 2018 14:40:19 +0200
  • dovecot (1:2.2.33.2-1ubuntu4) bionic; urgency=medium
    
      * SECURITY UPDATE: rfc822_parse_domain Information Leak Vulnerability
        - debian/patches/CVE-2017-14461/*.patch: upstream parsing fixes.
        - CVE-2017-14461
      * SECURITY UPDATE: TLS SNI config lookups DoS
        - debian/patches/CVE-2017-15130/*.patch: upstream config filtering fix.
        - CVE-2017-15130
    
     -- Marc Deslauriers <email address hidden>  Mon, 26 Feb 2018 12:34:24 -0500