Public bug reported:
[NOTE: This is a POC bug for canonical-server merge planning/workflow changes]
Upstream: 2.3.16
Debian: 1:2.3.13+dfsg1-2
Ubuntu: 1:2.3.13+dfsg1-1ubuntu3
Scheduled-For: 2022.02
Debian does new releases regularly, so it's likely there will be newer
versions available before FF that we can pick up if this merge is done
later in the cycle.
### New Debian Changes ###
dovecot (1:2.3.13+dfsg1-2) unstable; urgency=high

  * Import upstream fixes for security issues (Closes: #990566):
    - CVE-2021-29157: Path traversal issue allowing an attacker with
      access to the local filesystem to trick OAuth2 authentication into
      using an HS256 validation key from an attacker-controlled location
    - CVE-2021-33515: Sensitive information could be redirected to an
      attacker-controlled address because of a STARTTLS command injection
      bug in the submission service

 -- Noah Meyerhans <[email protected]>  Tue, 20 Jul 2021 08:05:19 -0700
### Old Ubuntu Delta ###
dovecot (1:2.3.13+dfsg1-1ubuntu3) impish; urgency=medium

  * No-change rebuild due to OpenLDAP soname bump.

 -- Sergio Durigan Junior <[email protected]>  Mon, 21 Jun 2021 17:46:46 -0400

dovecot (1:2.3.13+dfsg1-1ubuntu2) impish; urgency=medium

  * SECURITY UPDATE: incorrectly escapes kid and azp fields in JWT tokens
    - debian/patches/CVE-2021-29157.patch: improve escaping in
      src/lib-dict-extra/dict-fs.c, src/lib-oauth2/oauth2-jwt.c,
      src/lib-oauth2/test-oauth2-jwt.c.
    - CVE-2021-29157
  * SECURITY UPDATE: plaintext command injection before STARTTLS
    - debian/patches/CVE-2021-33515.patch: properly handle command queue in
      src/lib-smtp/smtp-server-cmd-starttls.c,
      src/lib-smtp/smtp-server-connection.c.
    - CVE-2021-33515

 -- Marc Deslauriers <[email protected]>  Wed, 16 Jun 2021 09:02:15 -0400

dovecot (1:2.3.13+dfsg1-1ubuntu1) hirsute; urgency=medium

  * Package references hidden symbols during an LTO link. This needs further
    investigation. Until then, disable LTO.

 -- Matthias Klose <[email protected]>  Tue, 30 Mar 2021 17:23:55 +0200

dovecot (1:2.3.13+dfsg1-1build1) hirsute; urgency=high

  * No-change rebuild against clucene-core

 -- Balint Reczey <[email protected]>  Thu, 18 Feb 2021 18:19:47 +0100
### Newer Upstream Releases ###
https://github.com/dovecot/core/blob/2.3.14/NEWS
https://github.com/dovecot/core/blob/2.3.15/NEWS
https://github.com/dovecot/core/blob/2.3.16/NEWS
** Affects: dovecot (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1942376
Title:
Merge dovecot from Debian for 22.04