Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package dovecot24 for openSUSE:Factory checked in at 2026-05-13 17:20:31

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dovecot24 (Old)
 and /work/SRC/openSUSE:Factory/.dovecot24.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dovecot24" Wed May 13 17:20:31 2026 rev:18 rq:1352803 version:2.4.4 Changes: -------- --- /work/SRC/openSUSE:Factory/dovecot24/dovecot24.changes 2026-04-11 22:32:20.647040715 +0200 +++ /work/SRC/openSUSE:Factory/.dovecot24.new.1966/dovecot24.changes 2026-05-13 17:22:00.337928368 +0200 
@@ -1,0 +2,89 @@ +Tue May 12 14:13:24 UTC 2026 - Marcus Rueckert <[email protected]> + +- Update to 2.4.4 (boo#1265146 boo#1265147 boo#1265148 boo#1265149 + boo#1265150) + - core + * CVE-2026-27851: lib-var-expand: Safe filter marks all + following pipelines safe. + * CVE-2026-33603: auth: CRAM-SHA-*-PLUS channel binding could + be faked. MITM attacker with a certificate trusted by the + client could have bypassed the requirement for channel + binding. + * CVE-2026-40020: IMAP folders can be shared-spammed to + everyone. + * CVE-2026-42006: An attacker can cause uncontrolled memory + usage with excessive bracing over IMAP. The fix in + CVE-2026-27857 was incomplete. + * indexer-worker, quota-status, script-login, + program-client-local: Root privileges are now dropped + permanently before serving requests. + * indexer-worker: Default restart_request_count changed + to 1 to work correctly after permanent root privilege drop. + * lmtp: Add back service_extra_groups=$SET:default_internal_group + that was incorrectly removed in v2.4.3. + * master: inet_listener_reuse_port has been replaced by + service_reuse_port. The new setting properly pre-creates all + listener sockets at startup and assigns one unique socket per + process. Using this allows evenly distributing incoming + connections to login processes. See + https://doc.dovecot.org/latest/core/config/service.html#service_reuse_port + for details. + - auth: Fix LDAP escaping of 0x13 control character. + - auth: Use timing-safe comparison for certificate and public + key fingerprints. + - fts: Correctly handle internal http-client response errors. + - fts: Don't send request to Tika if there is no body text. + - fts: Fix address header indexing for RFC 2047 encoded-words. + - fts: tika, fts-solr: Fix use-after-free crash during DNS + lookup. + - imap: Fix assertion panic on invalid REPLACE 0 command. + - lib-auth-client: Avoid "unknown id" errors for aborted auth + requests. 
+ - lib-dcrypt: Fix potential crash if trying to access + untrusted/corrupted keys. + - lib-dcrypt: Improve error message if keys aren't in hex + format as expected. + - lib-index: Fix potential crash if fsck fails. + - lib-ldap: Fix using OpenLDAP default CA when + ssl_client_ca_dir/file is unset. v2.4.3 regression. + - lib-master, master: Fix behavior for services with + client_limit>1 and restart_request_count so that processes + reaching restart_request_count are no longer counted towards + process_limit. + - lib-master: Fix crash when reaching client_limit with + restart_request_count>1. + - lib-master: haproxy - Don't trust client certificate common + name when HAProxy reports verification failure. + - lib-sasl: cram-md5 - Fix out of bounds memory read. + - lib-sasl: oauth2 - Fix one byte out of bounds read. + - lib-sql: cassandra - Fix reusing Cassandra SSL connections. + - lib-sql: sqlite - Fix sqlite_journal_mode=wal to actually + work. + - lib-storage: Auto-rename non-NFC subscription file entries to + NFC on read. + - lib-storage: Prevent non-atom SEARCH keywords from causing + IMAP command injection. + - lib-var-expand-crypt: Return error if hex decoding fails. + - lib-var-expand: Fix crash (SIGFPE) with non-positive divisor + for / and %. + - log: Fix memory leak at deinit. + - login-common: When process is full, don't destroy clients + waiting on master auth. + - login-proxy: Fix crash with rawlog and multiplexing during + reconnection. + - mail-compress: Fix panic when save method unavailable. + - mail-crypt: Fix crash when HMAC-based algorithm is used. + - mail-crypt: Use AEAD instead of HMAC with ChaCha20-Poly1305. + - mdbox: Create files with O_NOFOLLOW. + - push-notification: ox - Fix use-after-free crash during DNS + lookup. + - quota: quota-status - Limit input buffer size to 1 kB. + - pigeonhole: + * CVE-2026-40016: sieve :contains and :matches operators could + have been using excessive amount of CPU. Limit the CPU to + sieve_max_cpu_time. 
+ - Fix potential crashes parsing corrupted Sieve binaries. + - lib-sieve: matches - Fix trailing literal match when it fills + value exactly. v2.4.3 regression. + +------------------------------------------------------------------- Old: ---- dovecot-2.4.3.tar.gz dovecot-2.4.3.tar.gz.sig dovecot-pigeonhole-2.4.3.tar.gz dovecot-pigeonhole-2.4.3.tar.gz.sig New: ---- dovecot-2.4.4.tar.gz dovecot-2.4.4.tar.gz.sig dovecot-pigeonhole-2.4.4.tar.gz dovecot-pigeonhole-2.4.4.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dovecot24.spec ++++++ --- /var/tmp/diff_new_pack.vhyBMJ/_old 2026-05-13 17:22:01.317969017 +0200 +++ /var/tmp/diff_new_pack.vhyBMJ/_new 2026-05-13 17:22:01.317969017 +0200 @@ -17,8 +17,8 @@ %define pkg_name dovecot -%define dovecot_version 2.4.3 -%define dovecot_pigeonhole_version 2.4.3 +%define dovecot_version 2.4.4 +%define dovecot_pigeonhole_version 2.4.4 %define dovecot_branch 2.4 %define dovecot_pigeonhole_source_dir %{pkg_name}-pigeonhole-%{dovecot_pigeonhole_version} %define dovecot_pigeonhole_docdir %{_docdir}/%{pkg_name}/dovecot-pigeonhole @@ -48,7 +48,7 @@ %endif Name: dovecot24 -Version: 2.4.3 +Version: 2.4.4 Release: 0 Summary: IMAP and POP3 Server Written Primarily with Security in Mind License: BSD-3-Clause AND LGPL-2.1-or-later AND MIT ++++++ dovecot-2.4.3.tar.gz -> dovecot-2.4.4.tar.gz ++++++ /work/SRC/openSUSE:Factory/dovecot24/dovecot-2.4.3.tar.gz /work/SRC/openSUSE:Factory/.dovecot24.new.1966/dovecot-2.4.4.tar.gz differ: char 12, line 1 ++++++ dovecot-pigeonhole-2.4.3.tar.gz -> dovecot-pigeonhole-2.4.4.tar.gz ++++++ ++++ 24060 lines of diff (skipped)
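Review bot: The nesting in the changes entry (hunk `@@ -1,0 +2,89 @@`) is inconsistent: under `- core` the CVE items use `*` bullets, but the remaining core fixes from `- auth: Fix LDAP escaping of 0x13 control character.` through `- quota: quota-status - Limit input buffer size to 1 kB.` sit at the same level as `- core` itself, and the pigeonhole block repeats the pattern (`* CVE-2026-40016 ...` followed by `- Fix potential crashes parsing corrupted Sieve binaries.`). Indent them one level so the grouping matches the section headings. The entry should also flag `inet_listener_reuse_port` being replaced by `service_reuse_port` as a configuration change administrators with the old setting need to migrate, rather than listing it among ordinary fixes.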
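Review bot: In the spec hunk `@@ -17,8 +17,8 @@`, `dovecot_version` and `dovecot_pigeonhole_version` are bumped to the same value again; if the two are always updated in lockstep, deriving one from the other (`%define dovecot_pigeonhole_version %{dovecot_version}`) removes one place to forget. Also confirm that the new `dovecot-2.4.4.tar.gz.sig` and `dovecot-pigeonhole-2.4.4.tar.gz.sig` listed under New were verified against the project keyring before check-in; the tarball comparison above only reports that the archives differ.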
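Review bot: In the spec hunk `@@ -48,7 +48,7 @@`, `+Version: 2.4.4` duplicates the `%define dovecot_version 2.4.4` from the earlier hunk, so the release version now has to be edited in two places on every update; `Version: %{dovecot_version}` would keep the two from drifting.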
