Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:dovecot
User: [email protected]
Usertags: pu

[ Reason ]

I'd like to update dovecot to pull in several bug fixes, both upstream and
in packaging.  All of the bugs can potentially lead to availability issues,
either in the form of incorrectly delivered mail or an inability to retrieve
mail.

[ Impact ]

The following bugs are addressed by the attached debdiff:

#1116070 - segfault in lib-sieve in various scenarios
#1116328 - oauth token validation failure leading to authentication failures
           that should have succeeded
#1112667 - typos and other minor fixes in the Debian-provided default
           configuration
#1111469 - dovecot-lmtp: Debian-overridden auth_username_format wrongly
           drops default case-insensitivity

[ Tests ]

Changes have been validated upstream and are all present in testing.

[ Risks ]

The changes are small and targeted, minimizing the risk.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]

dovecot (1:2.4.1+dfsg1-6+deb13u2) trixie; urgency=medium

  * [6ac2883] Clean up a few typos in default/example config (Closes: #1112667)
  * [7feb544] Ensure default lmtpd auth_username_format matches the global value
    (Closes: #1111469)
  * [216ec20] import upstream patch for improperly terminated
    auth_oauth2_post_setting_defines (Closes: #1116328)
  * [46eab61] lib-sieve/sieve-script.c: sieve_script_create_common: Correctly
    handle errors. (Closes: #1116070)

 -- Noah Meyerhans <[email protected]>  Thu, 23 Oct 2025 10:01:33 -0400

[ Other info ]

The debdiff is against the deb13u1 security release currently in trixie-p-u,
which addressed #1115964.

diff -Nru dovecot-2.4.1+dfsg1/debian/changelog 
dovecot-2.4.1+dfsg1/debian/changelog
--- dovecot-2.4.1+dfsg1/debian/changelog        2025-09-24 09:14:50.000000000 
-0400
+++ dovecot-2.4.1+dfsg1/debian/changelog        2025-10-23 10:01:33.000000000 
-0400
@@ -1,8 +1,20 @@
+dovecot (1:2.4.1+dfsg1-6+deb13u2) trixie; urgency=medium
+
+  * [6ac2883] Clean up a few typos in default/example config (Closes: #1112667)
+  * [7feb544] Ensure default lmtpd auth_username_format matches the global 
value
+    (Closes: #1111469)
+  * [216ec20] import upstream patch for improperly terminated 
auth_oauth2_post_setting_defines
+    (Closes: #1116328)
+  * [46eab61] lib-sieve/sieve-script.c: sieve_script_create_common: Correctly 
handle errors.
+    (Closes: #1116070)
+
+ -- Noah Meyerhans <[email protected]>  Thu, 23 Oct 2025 10:01:33 -0400
+
 dovecot (1:2.4.1+dfsg1-6+deb13u1) trixie-security; urgency=high
 
   * Import upstream fix for an issue with authentication cache management that
     could result in users being logged in as the wrong user in certain
-    configurations. (Closes: #1115964)
+    configurations. (CVE-2025-30189) (Closes: #1115964)
 
  -- Noah Meyerhans <[email protected]>  Wed, 24 Sep 2025 09:14:50 -0400
 
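Review bot: besides adding the deb13u2 entry, this hunk edits the already-released deb13u1 entry to append `(CVE-2025-30189)` to its `(Closes: #1115964)` line, and that retroactive annotation is not mentioned anywhere in the [ Changes ] or [ Other info ] sections of the request. It is harmless and helps the security tracker correlate the earlier upload, but state it in the cover text so a reviewer diffing the request against the debdiff is not surprised by a change to a published changelog stanza.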
diff -Nru dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-auth.conf 
dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-auth.conf
--- dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-auth.conf 2025-09-24 
09:14:50.000000000 -0400
+++ dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-auth.conf 2025-10-23 
09:55:37.000000000 -0400
@@ -1,5 +1,3 @@
-#log_debug=category=auth
-#auth_debug_passwords = yes
 ##
 ## Authentication processes
 ##
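Review bot: dropping `#log_debug=category=auth` and `#auth_debug_passwords = yes` from the head of 10-auth.conf is more than a typo cleanup and deserves its own changelog mention: `auth_debug_passwords = yes` writes users' cleartext passwords into the auth debug log if anyone uncomments it, so leaving it as a ready-made first line of the shipped configuration invites exactly that during troubleshooting. "Clean up a few typos in default/example config" undersells the removal.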
diff -Nru dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-mail.conf 
dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-mail.conf
--- dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-mail.conf 2025-09-24 
09:14:50.000000000 -0400
+++ dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-mail.conf 2025-10-23 
09:55:37.000000000 -0400
@@ -32,9 +32,9 @@
 # Note that upstream considers mbox deprecated and strongly recommends
 # against its use in production environments. See further information
 # at
-# https://doc.dovecot.org/2.4.0/core/config/mailbox/formats/mbox.html
+# https://doc.dovecot.org/2.4.1/core/config/mailbox/formats/mbox.html
 mail_driver = mbox
-mail_home = /home/%{user|username}
+mail_home = /home/%{user | username}
 mail_path = %{home}/mail
 mail_inbox_path = /var/mail/%{user}
 
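Review bot: the `mail_home = /home/%{user | username}` change only adds spaces around `|` inside the expansion and so aligns this file with the spaced form already used by the shipped 20-lmtp.conf; it is a consistency fix, not a behaviour change, but the changelog entry should say so and `doveconf -n` should be run once on the installed result to confirm the expansion still parses. The doc link bump from 2.4.0 to 2.4.1 correctly matches the packaged upstream version.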
@@ -120,7 +120,7 @@
 #mail_uid =
 #mail_gid =
 
-#  Group to enable temporarily for privileged operations. Currently this is
+# Group to enable temporarily for privileged operations. Currently this is
 # used only with INBOX when either its initial creation or dotlocking fails.
 # Typically this is set to "mail" to give access to /var/mail.
 mail_privileged_group = mail
@@ -211,7 +211,7 @@
 # settings. If this setting is empty, "/./" in home dirs are ignored.
 # WARNING: Never add directories here which local users can modify, that
 # may lead to root exploit. Usually this should be done only if you don't
-# allow shell access for users. <doc/wiki/Chrooting.txt>
+# allow shell access for users. 
<https://doc.dovecot.org/latest/core/config/chrooting.html>
 #valid_chroot_dirs = 
 
 # Default chroot directory for mail processes. This can be overridden for
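Review bot: the replacement link uses `https://doc.dovecot.org/latest/core/config/chrooting.html`, while the other hunks in this debdiff deliberately pin their links to `2.4.1`; a `latest` link will eventually describe a release whose chroot settings differ from what trixie ships, so pin this one to `2.4.1` as well (the same applies to the link added in auth-system.conf.ext further down). Replacing the dead `<doc/wiki/Chrooting.txt>` reference next to the root-exploit warning is otherwise a welcome fix.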
diff -Nru dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-master.conf 
dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-master.conf
--- dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-master.conf       2025-09-24 
09:14:50.000000000 -0400
+++ dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-master.conf       2025-10-23 
09:55:37.000000000 -0400
@@ -25,7 +25,7 @@
 
   # Number of connections to handle before starting a new process. Typically
   # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
-  # is faster. <d>
+  # is faster. 
<https://doc.dovecot.org/2.4.1/core/config/service.html#service_restart_request_count>
   #service_restart_request_count = 1
 
   # Number of processes to always keep waiting for more connections.
diff -Nru dovecot-2.4.1+dfsg1/debian/conf/conf.d/20-lmtp.conf 
dovecot-2.4.1+dfsg1/debian/conf/conf.d/20-lmtp.conf
--- dovecot-2.4.1+dfsg1/debian/conf/conf.d/20-lmtp.conf 2025-09-24 
09:14:50.000000000 -0400
+++ dovecot-2.4.1+dfsg1/debian/conf/conf.d/20-lmtp.conf 2025-10-23 
09:56:09.000000000 -0400
@@ -45,7 +45,7 @@
   # userdb in Debian is /etc/passwd, which doesn't include domain
   # names in the user.  If you're using a different userdb backend
   # that does include domain names, you may wish to remove this.  See
-  # https://doc.dovecot.org/2.4.0/howto/lmtp/exim.html and
-  # 
https://doc.dovecot.org/2.4.0/core/summaries/settings.html#auth_username_format
-  auth_username_format = %{user | username}
+  # https://doc.dovecot.org/2.4.1/howto/lmtp/exim.html and
+  # 
https://doc.dovecot.org/2.4.1/core/summaries/settings.html#auth_username_format
+  auth_username_format = %{user | username | lower}
 }
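Review bot: adding `| lower` restores the case folding that the global default already applies (the #1111469 fix), but the comment above still explains only why `username` strips the domain and then says "you may wish to remove this"; add one line noting that the lowercasing is kept to match the global `auth_username_format`, otherwise a future editor following that advice can delete the whole line and reintroduce the mismatch in which LMTP and IMAP resolve differently cased addresses to different users, which is the misdelivery scenario this upload is fixing.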
diff -Nru dovecot-2.4.1+dfsg1/debian/conf/conf.d/90-quota.conf 
dovecot-2.4.1+dfsg1/debian/conf/conf.d/90-quota.conf
--- dovecot-2.4.1+dfsg1/debian/conf/conf.d/90-quota.conf        2025-09-24 
09:14:50.000000000 -0400
+++ dovecot-2.4.1+dfsg1/debian/conf/conf.d/90-quota.conf        2025-10-23 
09:55:37.000000000 -0400
@@ -34,7 +34,7 @@
 
 # You can execute a given command when user exceeds a specified quota limit.
 # Each quota root has separate limits. Only the command for the first
-# exceeded limit is excecuted, so put the highest limit first.
+# exceeded limit is executed, so put the highest limit first.
 # The commands are executed via script service by connecting to the named
 # UNIX socket (quota-warning below).
 # Note that % needs to be escaped as %%, otherwise "% " expands to empty.
diff -Nru dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-passwdfile.conf.ext 
dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-passwdfile.conf.ext
--- dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-passwdfile.conf.ext     
2025-09-24 09:14:50.000000000 -0400
+++ dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-passwdfile.conf.ext     
2025-10-23 09:55:37.000000000 -0400
@@ -10,7 +10,7 @@
 #}
 
 #userdb passwd-file {
-#  auth_username_format=%{user}
+#  auth_username_format = %{user}
 #  passwd_file_path = /etc/dovecot/users
 
 #  fields {
diff -Nru dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-system.conf.ext 
dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-system.conf.ext
--- dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-system.conf.ext 2025-09-24 
09:14:50.000000000 -0400
+++ dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-system.conf.ext 2025-10-23 
09:55:37.000000000 -0400
@@ -24,7 +24,7 @@
 userdb passwd {
 }
 
-# System users (NSS, /etc/passwd, or similiar).
+# System users (NSS, /etc/passwd, or similar).
 # In many systems nowadays this uses Name Service Switch, which is
 # configured in /etc/nsswitch.conf. 
<https://doc.dovecot.org/latest/core/config/auth/databases/passwd.html>
 #passdb passwb {
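Review bot: the unchanged context line directly below the corrected comment reads `#passdb passwb {`; `passwb` looks like the same class of typo this hunk fixes (`similiar`), and given the passwd.html doc link on the line above the intended driver name is probably `passwd`. Since this upload is explicitly a typo cleanup of the example config, check that block and correct it in the same hunk.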
diff -Nru 
dovecot-2.4.1+dfsg1/debian/patches/auth__Terminate_properly_auth_oauth2_post_setting_defines.patch
 
dovecot-2.4.1+dfsg1/debian/patches/auth__Terminate_properly_auth_oauth2_post_setting_defines.patch
--- 
dovecot-2.4.1+dfsg1/debian/patches/auth__Terminate_properly_auth_oauth2_post_setting_defines.patch
  1969-12-31 19:00:00.000000000 -0500
+++ 
dovecot-2.4.1+dfsg1/debian/patches/auth__Terminate_properly_auth_oauth2_post_setting_defines.patch
  2025-10-23 09:56:35.000000000 -0400
@@ -0,0 +1,25 @@
+From e546239af593dfd0722bea9ff169b60006e219f9 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <[email protected]>
+Date: Thu, 15 May 2025 13:06:56 +0300
+Subject: [PATCH] auth: Terminate properly auth_oauth2_post_setting_defines
+ list
+
+Fixes:
+Error: xoauth2: oauth2 failed: Local validation failed: auth_oauth2_fields 
settings: Failed to parse configuration: settings struct auth_oauth2_fields #1 
key mismatch
+---
+ src/auth/db-oauth2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/auth/db-oauth2.c b/src/auth/db-oauth2.c
+index bd807e30b55..230c6cf7678 100644
+--- a/src/auth/db-oauth2.c
++++ b/src/auth/db-oauth2.c
+@@ -134,6 +134,8 @@ const struct setting_parser_info 
auth_oauth2_setting_parser_info = {
+ static const struct setting_define auth_oauth2_post_setting_defines[] = {
+       { .type = SET_STRLIST, .key = "oauth2_fields",
+         .offset = offsetof(struct auth_oauth2_post_settings, fields) },
++
++      SETTING_DEFINE_LIST_END
+ };
+ 
+ static const struct auth_oauth2_post_settings 
auth_oauth2_post_default_settings = {
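Review bot: the fix is the right kind: `setting_define` arrays are walked until a terminating entry, so without `SETTING_DEFINE_LIST_END` the parser keeps reading past the array's only real entry into whatever follows it in memory, which is what surfaces as the `settings struct auth_oauth2_fields #1 key mismatch` error quoted in the description. Packaging point: the file carries git `From:`/`Date:`/`Subject:` headers but no `Bug-Debian:` or `Origin:` DEP-3 fields; add `Bug-Debian: https://bugs.debian.org/1116328` and `Origin: upstream` referencing commit e546239af593dfd0722bea9ff169b60006e219f9 so the patch can be retired when the next upstream release is packaged.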
diff -Nru 
dovecot-2.4.1+dfsg1/debian/patches/lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch
 
dovecot-2.4.1+dfsg1/debian/patches/lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch
--- 
dovecot-2.4.1+dfsg1/debian/patches/lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch
        1969-12-31 19:00:00.000000000 -0500
+++ 
dovecot-2.4.1+dfsg1/debian/patches/lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch
        2025-10-23 09:56:54.000000000 -0400
@@ -0,0 +1,26 @@
+From 2b9a4e85bc4547fcff84398b2bda00d0ced09fae Mon Sep 17 00:00:00 2001
+From: Alexander Gerasiov <[email protected]>
+Date: Tue, 23 Sep 2025 13:50:43 +0300
+Subject: [PATCH] lib-sieve/sieve-script.c: sieve_script_create_common:
+ Correctly handle errors.
+
+Fixes null pointer deref (e.g. in case of absent file).
+---
+ src/lib-sieve/sieve-script.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: dovecot/pigeonhole/src/lib-sieve/sieve-script.c
+===================================================================
+--- dovecot.orig/pigeonhole/src/lib-sieve/sieve-script.c
++++ dovecot/pigeonhole/src/lib-sieve/sieve-script.c
+@@ -166,8 +166,8 @@ sieve_script_create_common(struct sieve_
+               sieve_storage_unref(&storage);
+               if (ret > 0 && open &&
+                   sieve_script_open(script, error_code_r) < 0) {
+-                      *error_r = sieve_storage_get_last_error(
+-                              storage, error_code_r);
++                      *error_r = sieve_script_get_last_error(
++                              script, error_code_r);
+                       sieve_script_unref(&script);
+                       if (*error_code_r == SIEVE_ERROR_NOT_FOUND)
+                               continue;
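Review bot: the defect is visible in the context lines: `sieve_storage_unref(&storage)` takes the address of `storage` and releases it on the line before the `if`, so when `sieve_script_open()` then fails the old code passed that already-released `storage` to `sieve_storage_get_last_error()`, which is the null dereference a missing script file triggers; taking the error from the still-referenced `script` instead is the correct object and the `sieve_script_unref(&script)` that follows keeps the ownership order intact. Packaging point: this patch uses `Index:` and `dovecot.orig/pigeonhole/src/...` quilt paths while its stat line says `src/lib-sieve/sieve-script.c`, so confirm the `pigeonhole/` prefix matches the Debian source layout, and add `Bug-Debian: https://bugs.debian.org/1116070` as for the other new patch.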
diff -Nru dovecot-2.4.1+dfsg1/debian/patches/series 
dovecot-2.4.1+dfsg1/debian/patches/series
--- dovecot-2.4.1+dfsg1/debian/patches/series   2025-09-24 09:14:50.000000000 
-0400
+++ dovecot-2.4.1+dfsg1/debian/patches/series   2025-10-23 09:56:54.000000000 
-0400
@@ -27,3 +27,5 @@
 fix-man-errors.patch
 bug1106784_Fix-LDAP-SASL-auth-support.patch
 auth__Use_AUTH_CACHE_KEY_USER_instead_of_per-database.patch
+auth__Terminate_properly_auth_oauth2_post_setting_defines.patch
+lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch
