Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package dovecot24 for openSUSE:Factory checked in at 2026-03-27 16:51:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dovecot24 (Old)
 and /work/SRC/openSUSE:Factory/.dovecot24.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dovecot24" Fri Mar 27 16:51:40 2026 rev:16 rq:1343160 version:2.4.3 Changes: -------- --- /work/SRC/openSUSE:Factory/dovecot24/dovecot24.changes 2026-01-23 17:34:45.766135726 +0100 +++ /work/SRC/openSUSE:Factory/.dovecot24.new.8177/dovecot24.changes 2026-03-27 16:54:23.847730355 +0100 
@@ -1,0 +2,169 @@ +Fri Mar 27 10:23:52 UTC 2026 - Marcus Rueckert <[email protected]> + +- Update to 2.4.3 (boo#1260893 boo#1260894 boo#1260895 boo#1260896 + boo#1260897 boo#1260898 boo#1260899 boo#1260900 boo#1260901 + boo#1260902) + There are experimental features in 2.4, one is enabled with + --enable-experimental-mail-utf8, and another with + --enable-experimental-imap4rev2, and you also need to set + mail_utf8_extensions=yes and imap4rev2_enabled=yes to enable them + in config. + + Critical bug fixes + - CVE-2025-59028: Invalid base64 authentication can cause DoS for + other logins. + - CVE-2025-59031: decode2text.sh OOXML extraction may follow + symlinks and read unintended files during indexing. Fixed by + dropping the script. + - CVE-2026-24031: SQL injection possible if auth_username_chars + is configured empty. Fixed escaping to always happen. v2.4 + regression. + - CVE-2026-27859: Excessive RFC 2231 MIME parameters in email + would cause excessive CPU usage. Fixed by limiting number of + parameters to process. + - CVE-2026-27860: LDAP query injection possible if + auth_username_chars is configured empty. Fixed escaping to + always happen. v2.4 regression. + - CVE-2026-27857: Sending excessive parenthesis causes imap-login + to use excessive memory. + - CVE-2026-27856: Doveadm credentials were not checked using + timing-safe checking function. + - CVE-2026-27855: OTP driver vulnerable to replay attack. + Changes + - Remove default + service/*/service_extra_groups=$SET:default_internal_group. + They are now replaced by default + mail_access_groups=$SET:default_internal_group. + - The version file has been renamed as version.txt to avoid clash + with C++ headers. + - auth: oauth2 - Do not export token automatically, must be + exported using fields. 
+ - config: Don't accept 0 as meaning unlimited anymore for + last_valid_uid, last_valid_gid, mail_cache_max_headers_count, + mail_cache_max_header_name_length, mail_vsize_bg_after_count, + mail_sort_max_read_count, message_max_size, + submission_max_recipients and quota_mail_size. + - imap, pop3: Don't autoexpunge if Dovecot is shutting down or + process is killed. + - imap: LIST - Handle invalid mUTF-7 mailbox names as never + matching anything + - lazy-expunge: Change lazy_expunge_only_last_instance default to + yes. + - lda: Use EX_TEMPFAIL (75) if configuration is invalid instead + of 89. v2.4 regression. + - lib-master: Increase ANVIL_DEFAULT_LOOKUP_TIMEOUT_MSECS from 5s + to 30s + - lib: crc32 - Use zlib's built-in CRC32 function + New features + - Improve UTF-8 support for mail storage. + - auth: Add default auth-token UNIX socket for token-based + authentication. + - doc: solr-config-9.xml - Make it compatible with Solr 9.8.0 + - doveadm: dsync - Search mails when exporting to reduce number + of mails exported by dsync-server. + - dovecot-sysreport: Add -D|--destdir support. + - imap, imap-hibernate: Use DOVECOT-TOKEN authentication for + unhibernation. + - Default imap-master socket permissioms have been changed due to + this. + - imap: Add APPENDLIMIT capability when configured with + quota_mail_size. + - imap: Support STATUS (DELETED) for IMAP4rev2. + - imapc: Add support for SEARCH MIMEPART + - imapc: Improve error forwarding. + - imapc: Support SORT and ESORT extensions. + - imapc: Support STATUS (DELETED) for IMAP4rev2. + - lib-sql: Support parameterized queries. + - lib-test: Add new test-dir API for better temporary test + directory handling. + - lmtp: Advertize SIZE capability when configured with + quota_mail_size. 
+ - lmtp: Support XCLIENT DESTADDR and DESTPORT + - pop3-login: proxy - Add support for XCLIENT DESTIP and DESTPORT + - submission-login: proxy - Add support for XCLIENT DESTIP and + DESTPORT + - Various optimizations have been made to the code. + Bug fixes + - Fix building dovecot with BSD, Solaris and macOS. + - auth: Crash would occur if users were iterated but + userdb_ldap_iterate_fields was not set. + - auth: Fix request leak when client authenticates with + unsupported mechanism. + - auth: Some passdbs would default to PLAIN instead of CRYPT + scheme. + - config: Section and setting names could have been intermixed, + resulting in the setting being silently ignored. + - configure: Fix checking if BUILD_IMAP_HIBERNATE is set + - doveadm: dsync - -e parameter was handled wrong with + dsync-server. + - fts-flatcurve: Mailbox leak would occur if mailbox failed to + open. + - imap: Fix potential issues with unhibernation and process state + handling. + - imapc: SEARCH failure handling was done wrong. + - imapc: UID STORE commands included extra comma in uidset. + - lib-auth-client: auth-master - Fix panic when reconnecting + after handshake timeout. + - lib-compression: Lz4 algorithm would assert-crash with + malicious data. + - lib-dcrypt: Fix digest algorithm handling. + - lib-dict: Escape username paths to prevent traversal issues + with dict-fs. + - lib-http: Fix HTTP parsing edge cases and state handling. + - lib-iostream: Disallow empty ssl_min_protocol. + - lib-json: Fix incorrect character handling logic. + - lib-ldap: Fix various TLS related bugs. + - lib-mail: Fix charset translation and MIME parsing edge cases. + - lib-mail: Fix multiple bounds checks and parsing issues in + message handling. + - lib-var-expand: Multiple fixes and improvements for expansion + handling. + - lib: Fix punycode decoding out-of-bounds reads. + - lib: Fix unicode normalization edge cases causing crashes. + - lib-http: Chunked transfer trailer size was not limited. 
+ - login-common: Improve logging and internal error handling. + - login-common: login_log_format_elements was split by spaces + naively, which could break variable expansion. Use template + aware splitting now. + - master: Dovecot would fail to start if listen directive was + used and dovenull or dovecot user was missing. + - pop3c: Connection might've hung with SSL. + - util: Fix handling of environment variables containing control + characters. + - Many other bugs have been fixed. +- Update pigeonhole to 2.4.3 + Critical bug fixes + - CVE-2026-27858: managesieve-login can allocate large amount of + memory during authentication. + - CVE-2025-59032: ManageSieve panic occurs with sieve-connect as a client. + Changes + - lib-sieve: Don't accept 0 as meaning unlimited anymore for + sieve_quota_script_count and sieve_quota_storage_size. + - managesieve-login: If mail_max_userip_connections is reached, + return LIMIT/CONNECTIONS resp-code. + - managesieve-login: proxy - Return unexpected backend failures + as TRYLATER/NORETRY resp-code. + - managesieve: Remove default + service_extra_groups=$SET:default_internal_group. + New features + - managesieve-login: proxy - Add support for XCLIENT DESTIP and + DESTPORT. + Bug fixes + - imapsieve: Fix panic occurring upon implicit flag changes. + - lib-sieve: include-extension - Fix crash occurring when + previous global command has no arguments. + - lib-sieve: Fix erroneous attempt to read active script for + non-personal storage. + - lib-sieve: ldap: Fix linking non-shared LIBDOVECOT. 
+- drop patches included in update + 0001-auth-Fix-dashes-to-underscores-in-driver-names-in-fi.patch + 0001-lib-regex-Separate-maximum-capture-groups-and-match-.patch + 0002-auth-Fix-crypt-CRYPT-in-passdb_passwd-passdb_ldap-de.patch + 0002-lib-regex-Set-DREGEX_MAX_MATCHES-to-library-default.patch + 0003-auth-Make-the-default-passdb_static-passdb_default_p.patch + 0003-lib-regex-Limit-number-of-capture-groups-correctly.patch + 0004-auth-Set-CRYPT-as-default-passdb_default_password_sc.patch + dovecot24-32bit-1.patch + dovecot24-32bit-2.patch + +------------------------------------------------------------------- Old: ---- 0001-auth-Fix-dashes-to-underscores-in-driver-names-in-fi.patch 0001-lib-regex-Separate-maximum-capture-groups-and-match-.patch 0002-auth-Fix-crypt-CRYPT-in-passdb_passwd-passdb_ldap-de.patch 0002-lib-regex-Set-DREGEX_MAX_MATCHES-to-library-default.patch 0003-auth-Make-the-default-passdb_static-passdb_default_p.patch 0003-lib-regex-Limit-number-of-capture-groups-correctly.patch 0004-auth-Set-CRYPT-as-default-passdb_default_password_sc.patch dovecot-2.4.2.tar.gz dovecot-pigeonhole-2.4.2.tar.gz dovecot24-32bit-1.patch dovecot24-32bit-2.patch New: ---- dovecot-2.4.3.tar.gz dovecot-pigeonhole-2.4.3.tar.gz ----------(Old B)---------- Old:- drop patches included in update 0001-auth-Fix-dashes-to-underscores-in-driver-names-in-fi.patch 0001-lib-regex-Separate-maximum-capture-groups-and-match-.patch Old: 0001-auth-Fix-dashes-to-underscores-in-driver-names-in-fi.patch 0001-lib-regex-Separate-maximum-capture-groups-and-match-.patch 0002-auth-Fix-crypt-CRYPT-in-passdb_passwd-passdb_ldap-de.patch Old: 0001-lib-regex-Separate-maximum-capture-groups-and-match-.patch 0002-auth-Fix-crypt-CRYPT-in-passdb_passwd-passdb_ldap-de.patch 0002-lib-regex-Set-DREGEX_MAX_MATCHES-to-library-default.patch Old: 0002-auth-Fix-crypt-CRYPT-in-passdb_passwd-passdb_ldap-de.patch 0002-lib-regex-Set-DREGEX_MAX_MATCHES-to-library-default.patch 
0003-auth-Make-the-default-passdb_static-passdb_default_p.patch Old: 0002-lib-regex-Set-DREGEX_MAX_MATCHES-to-library-default.patch 0003-auth-Make-the-default-passdb_static-passdb_default_p.patch 0003-lib-regex-Limit-number-of-capture-groups-correctly.patch Old: 0003-auth-Make-the-default-passdb_static-passdb_default_p.patch 0003-lib-regex-Limit-number-of-capture-groups-correctly.patch 0004-auth-Set-CRYPT-as-default-passdb_default_password_sc.patch Old: 0003-lib-regex-Limit-number-of-capture-groups-correctly.patch 0004-auth-Set-CRYPT-as-default-passdb_default_password_sc.patch dovecot24-32bit-1.patch Old: 0004-auth-Set-CRYPT-as-default-passdb_default_password_sc.patch dovecot24-32bit-1.patch dovecot24-32bit-2.patch Old: dovecot24-32bit-1.patch dovecot24-32bit-2.patch ----------(Old E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dovecot24.spec ++++++ --- /var/tmp/diff_new_pack.af3dBP/_old 2026-03-27 16:54:26.415837859 +0100 +++ /var/tmp/diff_new_pack.af3dBP/_new 2026-03-27 16:54:26.419838027 +0100 @@ -17,8 +17,8 @@ %define pkg_name dovecot -%define dovecot_version 2.4.2 -%define dovecot_pigeonhole_version 2.4.2 +%define dovecot_version 2.4.3 +%define dovecot_pigeonhole_version 2.4.3 %define dovecot_branch 2.4 %define dovecot_pigeonhole_source_dir %{pkg_name}-pigeonhole-%{dovecot_pigeonhole_version} %define dovecot_pigeonhole_docdir %{_docdir}/%{pkg_name}/dovecot-pigeonhole @@ -48,7 +48,7 @@ %endif Name: dovecot24 -Version: 2.4.2 +Version: 2.4.3 Release: 0 Summary: IMAP and POP3 Server Written Primarily with Security in Mind License: BSD-3-Clause AND LGPL-2.1-or-later AND MIT 
@@ -66,15 +66,6 @@ Patch1: dovecot-2.4.0-lua_json.patch # PATCH-FIX-OPENSUSE Patch2: dovecot-2.3.17-env_script_interpreter.patch -Patch3: dovecot24-32bit-1.patch -Patch4: dovecot24-32bit-2.patch -Patch11: 0001-lib-regex-Separate-maximum-capture-groups-and-match-.patch -Patch12: 0002-lib-regex-Set-DREGEX_MAX_MATCHES-to-library-default.patch -Patch13: 0003-lib-regex-Limit-number-of-capture-groups-correctly.patch -Patch14: 0001-auth-Fix-dashes-to-underscores-in-driver-names-in-fi.patch -Patch15: 0002-auth-Fix-crypt-CRYPT-in-passdb_passwd-passdb_ldap-de.patch -Patch16: 0003-auth-Make-the-default-passdb_static-passdb_default_p.patch -Patch17: 0004-auth-Set-CRYPT-as-default-passdb_default_password_sc.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison @@ -322,6 +313,7 @@ --with-moduledir=%{_libdir}/%{pkg_name}/modules \ --libexecdir=%{_prefix}/lib/ \ --enable-experimental-mail-utf8 \ + --enable-experimental-imap4rev2 \ --with-ioloop=best \ --with-ldap=plugin \ --with-sql=plugin \ @@ -502,7 +494,6 @@ %{_prefix}/lib/%{pkg_name}/doveadm-server %{_prefix}/lib/%{pkg_name}/stats %{_prefix}/lib/%{pkg_name}/xml2text -%{_prefix}/lib/%{pkg_name}/decode2text.sh %{_prefix}/lib/%{pkg_name}/quota-status %{_prefix}/lib/%{pkg_name}/managesieve %{_prefix}/lib/%{pkg_name}/managesieve-login @@ -591,10 +582,8 @@ %{_mandir}/man1/doveadm-acl.1%{?ext_man} %{_mandir}/man1/doveadm-altmove.1%{?ext_man} %{_mandir}/man1/doveadm-auth.1%{?ext_man} -%{_mandir}/man1/doveadm-backup.1%{?ext_man} %{_mandir}/man1/doveadm-compress-connect.1%{?ext_man} %{_mandir}/man1/doveadm-config.1%{?ext_man} -%{_mandir}/man1/doveadm-copy.1%{?ext_man} %{_mandir}/man1/doveadm-deduplicate.1%{?ext_man} %{_mandir}/man1/doveadm-dict.1%{?ext_man} %{_mandir}/man1/doveadm-dump.1%{?ext_man} 
@@ -645,7 +634,6 @@ %{_mandir}/man1/sieve-test.1%{?ext_man} %{_mandir}/man1/sievec.1%{?ext_man} %{_mandir}/man1/sieved.1%{?ext_man} -%{_mandir}/man7/doveadm-search-query.7%{?ext_man} %{_mandir}/man7/pigeonhole.7%{?ext_man} # doc %doc %{_docdir}/%{pkg_name} ++++++ dovecot-2.4.2.tar.gz -> dovecot-2.4.3.tar.gz ++++++ /work/SRC/openSUSE:Factory/dovecot24/dovecot-2.4.2.tar.gz /work/SRC/openSUSE:Factory/.dovecot24.new.8177/dovecot-2.4.3.tar.gz differ: char 12, line 1 ++++++ dovecot-pigeonhole-2.4.2.tar.gz -> dovecot-pigeonhole-2.4.3.tar.gz ++++++ ++++ 13437 lines of diff (skipped)
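Review bot: in the dovecot24.changes hunk (@@ -1,0 +2,169 @@), the item "config: Don't accept 0 as meaning unlimited anymore" lists nine settings, from last_valid_uid to quota_mail_size, under plain "Changes" without saying what a configuration that still uses 0 should be set to instead. This arrives in the same update as the CVE fixes, so add a line giving the replacement value or pointing to the upstream upgrade notes; the same gap exists for sieve_quota_script_count and sieve_quota_storage_size in the pigeonhole part. Separately, "permissioms" in the imap-master socket line is a typo, and that line does not say what the permissions were changed to.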
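Review bot: the changes entry never says that this package now builds with the experimental IMAP4rev2 code, although the configure hunk (@@ -322,6 +313,7 @@) adds "--enable-experimental-imap4rev2 \". The entry only describes the two flags generically ("one is enabled with ... and another with ..."). Suggest stating explicitly in dovecot24.changes that the flag is newly enabled in this build and, as the entry already notes for configuration, that the feature stays off until imap4rev2_enabled=yes is set, so the feature enablement is distinguishable from the security fixes it ships with.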
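Review bot: the changes entry gives no upgrade hint for the removal of "%{_prefix}/lib/%{pkg_name}/decode2text.sh" from %files in the @@ -502,7 +494,6 @@ hunk. The removal matches the CVE-2025-59031 item ("Fixed by dropping the script"), but a configuration that still points at that path will reference a file that no longer exists after the update. Suggest extending the CVE-2025-59031 item to name the removed path so admins know to check their configuration before installing.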
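Review bot: the removals of doveadm-backup.1 and doveadm-copy.1 in the @@ -591,10 +582,8 @@ hunk, and of doveadm-search-query.7 in the @@ -645,7 +634,6 @@ hunk, are not mentioned anywhere in the dovecot24.changes entry. Add a line saying why these man pages are no longer packaged, so a later reviewer can tell the %files change is intended and not a line deleted to get the build to pass.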
