-
dovecot (1:2.3.13+dfsg1-1ubuntu1.1) hirsute-security; urgency=medium
  * SECURITY UPDATE: incorrectly escapes kid and azp fields in JWT tokens
    - debian/patches/CVE-2021-29157.patch: improve escaping in
      src/lib-dict-extra/dict-fs.c, src/lib-oauth2/oauth2-jwt.c,
      src/lib-oauth2/test-oauth2-jwt.c.
    - CVE-2021-29157
  * SECURITY UPDATE: plaintext command injection before STARTTLS
    - debian/patches/CVE-2021-33515.patch: properly handle command queue in
      src/lib-smtp/smtp-server-cmd-starttls.c,
      src/lib-smtp/smtp-server-connection.c.
    - CVE-2021-33515
 -- Marc Deslauriers <email address hidden> Wed, 16 Jun 2021 09:02:15 -0400
-
dovecot (1:2.3.13+dfsg1-1ubuntu1) hirsute; urgency=medium
  * Package references hidden symbols during an LTO link. This needs further
    investigation. Until then, disable LTO.
 -- Matthias Klose <email address hidden> Tue, 30 Mar 2021 17:23:55 +0200
-
dovecot (1:2.3.13+dfsg1-1build1) hirsute; urgency=high
  * No change rebuild against clucene-core
 -- Balint Reczey <email address hidden> Thu, 18 Feb 2021 18:19:47 +0100
-
dovecot (1:2.3.13+dfsg1-1) unstable; urgency=medium
  [ Christian Göttsche ]
  * [6829237] New upstream version 2.3.13 (Closes: #979363)
    - CVE-2020-24386: IMAP hibernation allows accessing other people's mail
    - CVE-2020-25275: MIME parsing crashes with particular messages
  * [6d25736] Add libzstd-dev to build-dependencies (Closes: #969165)
  * [5956798] Rebase patches
  * [2cb63c3] Bump to standards version 4.5.1 (no further changes)
  * [548bac5] Drop unmatched copyright src/lib-ntlm/* wildcard
  * [6f33f3f] Ignore package-contains-documentation-outside-usr-share-doc
    false-positives
  * [dde9c94] Handle removed configuration file in postinst
  [ Pino Toscano ]
  * [04a60e3] d/{control,rules}: disable apparmor support on !linux archs
    (Closes: #951869)
  [ Helmut Grohne ]
  * [e5f9fcb] d/patches: improve cross-compile support (Closes: #979370)
 -- Noah Meyerhans <email address hidden> Mon, 25 Jan 2021 15:38:17 -0800
-
dovecot (1:2.3.11.3+dfsg1-2ubuntu1) hirsute; urgency=medium
  * SECURITY UPDATE: information disclosure via imap hibernation
    - debian/patches/CVE-2020-24386-1.patch: escape tag when sending it to
      imap-hibernate process in src/imap/imap-client-hibernate.c.
    - debian/patches/CVE-2020-24386-2.patch: add unit test for
      imap-client-hibernate in src/imap/Makefile.am,
      src/imap/imap-client-hibernate.c, src/imap/imap-client.h,
      src/imap/test-imap-client-hibernate.c.
    - CVE-2020-24386
  * SECURITY UPDATE: remote DoS via large number of MIME parts
    - debian/patches/CVE-2020-25275-1.patch: fix assert-crash when
      enforcing MIME part limit in src/lib-mail/message-parser.c,
      src/lib-mail/test-message-parser.c.
    - debian/patches/CVE-2020-25275-2.patch: don't generate invalid
      BODYSTRUCTURE when reaching MIME part limit in
      src/lib-imap/imap-bodystructure.c.
    - CVE-2020-25275
 -- Marc Deslauriers <email address hidden> Mon, 28 Dec 2020 10:59:24 -0500
-
dovecot (1:2.3.11.3+dfsg1-2) unstable; urgency=medium
  [ Christian Göttsche ]
  * [44770f6] Add patch for 32bit compiler warnings
  * [053865a] Lintian: remove unused override
  * [4ece2e1] Lintian: add forwarded header to Debian specific patches
  * [67872b7] Lintian: ignore Debian only man page
  * [d30bd7e] Lintian: tag manpage-without-executable got renamed to
    spare-manual-page
  * [3bdf952] Limit libcap-dev build-dependency to linux-any
  * [28f6425] Drop acute accent in man page
  * [8c15850] Add patch allowing GSSAPI containing NULL
 -- Noah Meyerhans <email address hidden> Wed, 19 Aug 2020 12:06:07 -0700