** Description changed: - Scheduled-For: 23.01 Upstream: tbd - Debian: 1:2.3.16+dfsg1-3 + Debian: 1:2.3.16+dfsg1-3 Ubuntu: 1:2.3.13+dfsg1-1ubuntu3 - Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. - ### New Debian Changes ### dovecot (1:2.3.16+dfsg1-3) unstable; urgency=medium - * [7b858b6] Fix FTBFS on mips(64)el. Stacktrace generation on these - architectures requires -funwind-tables, as with 32-bit arm. + * [7b858b6] Fix FTBFS on mips(64)el. Stacktrace generation on these + architectures requires -funwind-tables, as with 32-bit arm. - -- Noah Meyerhans <no...@debian.org> Thu, 16 Sep 2021 08:41:27 -0700 + -- Noah Meyerhans <no...@debian.org> Thu, 16 Sep 2021 08:41:27 -0700 dovecot (1:2.3.16+dfsg1-2) unstable; urgency=medium - [ Christian Göttsche ] - * [e1e9ece] d/patches: rework backtrace test patch - * [be404bf] d/patches: add big-endian patch + [ Christian Göttsche ] + * [e1e9ece] d/patches: rework backtrace test patch + * [be404bf] d/patches: add big-endian patch - -- Noah Meyerhans <no...@debian.org> Fri, 10 Sep 2021 16:10:50 -0700 + -- Noah Meyerhans <no...@debian.org> Fri, 10 Sep 2021 16:10:50 -0700 dovecot (1:2.3.16+dfsg1-1) unstable; urgency=medium - [ Christian Göttsche ] - * [ff4a227] New upstream version 2.3.14+dfsg1 - * [963fa3b] New upstream version 2.3.15+dfsg1 (Closes: #991323, #983510) - * [5e0c898] d/watch: adjust dversionmangle for dfsg suffix - * [9ffb0f5] d/patches: update - * [850e1d6] New upstream version 2.3.16+dfsg1 - * [7140b87] d/patches: rebase patches - * [fb1b77e] d/rules: enable LTO - * [ce7055d] d/control: add libsystemd-dev dependency - * [db93263] d/copyright: drop unused section - * [aeec1e8] d/rules: update how to set systemdsystemunitdir - * [ebe9709] d/patches: resolve compiler warnings - * [19b2bb0] d/changelog: bump to 1:2.3.16+dfsg1-1 - * [58a4078] d/patches: update 32bit warnings patch + [ Christian Göttsche ] 
+ * [ff4a227] New upstream version 2.3.14+dfsg1 + * [963fa3b] New upstream version 2.3.15+dfsg1 (Closes: #991323, #983510) + * [5e0c898] d/watch: adjust dversionmangle for dfsg suffix + * [9ffb0f5] d/patches: update + * [850e1d6] New upstream version 2.3.16+dfsg1 + * [7140b87] d/patches: rebase patches + * [fb1b77e] d/rules: enable LTO + * [ce7055d] d/control: add libsystemd-dev dependency + * [db93263] d/copyright: drop unused section + * [aeec1e8] d/rules: update how to set systemdsystemunitdir + * [ebe9709] d/patches: resolve compiler warnings + * [19b2bb0] d/changelog: bump to 1:2.3.16+dfsg1-1 + * [58a4078] d/patches: update 32bit warnings patch - [ Noah Meyerhans ] - * [f217c2e] Fix indexer crash - * [b075317] Import upstream patch for indexer crash on client disconnect - * [36e8740] drop debian/dovecot-core.maintscript + [ Noah Meyerhans ] + * [f217c2e] Fix indexer crash + * [b075317] Import upstream patch for indexer crash on client disconnect + * [36e8740] drop debian/dovecot-core.maintscript - -- Noah Meyerhans <no...@debian.org> Thu, 02 Sep 2021 13:22:16 -0700 + -- Noah Meyerhans <no...@debian.org> Thu, 02 Sep 2021 13:22:16 -0700 dovecot (1:2.3.13+dfsg1-2) unstable; urgency=high - * Import upstream fixes for security issues (Closes: #990566): - - CVE-2021-29157: Path traversal issue allowing an attacker with - access to the local filesystem can trick OAuth2 authentication into - using an HS256 validation key from an attacker-controlled location - - CVE-2021-33515: Sensitive information could be redirected to an - attacker-controlled address because of a STARTTLS command injection - bug in the submission service + * Import upstream fixes for security issues (Closes: #990566): + - CVE-2021-29157: Path traversal issue allowing an attacker with + access to the local filesystem can trick OAuth2 authentication into + using an HS256 validation key from an attacker-controlled location + - CVE-2021-33515: Sensitive information could be redirected to an + 
attacker-controlled address because of a STARTTLS command injection + bug in the submission service - -- Noah Meyerhans <no...@debian.org> Tue, 20 Jul 2021 08:05:19 -0700 + -- Noah Meyerhans <no...@debian.org> Tue, 20 Jul 2021 08:05:19 -0700 dovecot (1:2.3.13+dfsg1-1) unstable; urgency=medium - [ Christian Göttsche ] - * [6829237] New upstream version 2.3.13 (Closes: #979363) - - CVE-2020-24386: IMAP hibernation allows accessing other peoples mail - - CVE-2020-25275: MIME parsing crashes with particular messages + [ Christian Göttsche ] + * [6829237] New upstream version 2.3.13 (Closes: #979363) + - CVE-2020-24386: IMAP hibernation allows accessing other peoples mail + - CVE-2020-25275: MIME parsing crashes with particular messages - * [6d25736] Add libzstd-dev to build-dependencies (Closes: #969165) - * [5956798] Rebase patches - * [2cb63c3] Bump to standards version 4.5.1 (no further changes) - * [548bac5] Drop unmatched copyright src/lib-ntlm/* wildcard - * [6f33f3f] Ignore package-contains-documentation-outside-usr-share-doc - false-positives - * [dde9c94] Handle removed configuration file in postinst + * [6d25736] Add libzstd-dev to build-dependencies (Closes: #969165) + * [5956798] Rebase patches + * [2cb63c3] Bump to standards version 4.5.1 (no further changes) + * [548bac5] Drop unmatched copyright src/lib-ntlm/* wildcard + * [6f33f3f] Ignore package-contains-documentation-outside-usr-share-doc + false-positives + * [dde9c94] Handle removed configuration file in postinst - [ Pino Toscano ] - * [04a60e3] d/{control,rules}: disable apparmor support on !linux archs - (Closes: #951869) + [ Pino Toscano ] + * [04a60e3] d/{control,rules}: disable apparmor support on !linux archs + (Closes: #951869) - [ Helmut Grohne ] - * [e5f9fcb] d/patches: improve cross-compile support (Closes: #979370) + [ Helmut Grohne ] + * [e5f9fcb] d/patches: improve cross-compile support (Closes: #979370) - -- Noah Meyerhans <no...@debian.org> Mon, 25 Jan 2021 15:38:17 -0800 + -- Noah 
Meyerhans <no...@debian.org> Mon, 25 Jan 2021 15:38:17 -0800 dovecot (1:2.3.11.3+dfsg1-2) unstable; urgency=medium - [ Christian Göttsche ] - * [44770f6] Add patch for 32bit compiler warnings - * [053865a] Lintian: remove unused override - * [4ece2e1] Lintian: add forwarded header to Debian specific patches - * [67872b7] Lintian: ignore Debian only man page - * [d30bd7e] Lintian: tag manpage-without-executable got renamed to - spare-manual-page - * [3bdf952] Limit libcap-dev build-dependency to linux-any - * [28f6425] Drop acute accent in man page - * [8c15850] Add patch allowing GSSAPI containing NULL + [ Christian Göttsche ] + * [44770f6] Add patch for 32bit compiler warnings + * [053865a] Lintian: remove unused override + * [4ece2e1] Lintian: add forwarded header to Debian specific patches + * [67872b7] Lintian: ignore Debian only man page + * [d30bd7e] Lintian: tag manpage-without-executable got renamed to + spare-manual-page + * [3bdf952] Limit libcap-dev build-dependency to linux-any + * [28f6425] Drop acute accent in man page + * [8c15850] Add patch allowing GSSAPI containing NULL - -- Noah Meyerhans <no...@debian.org> Wed, 19 Aug 2020 12:06:07 -0700 + -- Noah Meyerhans <no...@debian.org> Wed, 19 Aug 2020 12:06:07 -0700 dovecot (1:2.3.11.3+dfsg1-1) unstable; urgency=high - * New upstream release fixes security issues (Closes: #968302) - - CVE-2020-12100 - Receiving mail with deeply nested MIME parts leads to - resource exhaustion as Dovecot attempts to parse it. - - CVE-2020-12673 - Dovecot's NTLM implementation does not correctly check - message buffer size, which leads to reading past allocation which can - lead to crash. - - CVE-2020-12674 - Dovecot's RPA mechanism implementation accepts - zero-length message, which leads to assert-crash later on. - + * New upstream release fixes security issues (Closes: #968302) + - CVE-2020-12100 - Receiving mail with deeply nested MIME parts leads to + resource exhaustion as Dovecot attempts to parse it. 
+ - CVE-2020-12673 - Dovecot's NTLM implementation does not correctly check + message buffer size, which leads to reading past allocation which can + lead to crash. + - CVE-2020-12674 - Dovecot's RPA mechanism implementation accepts + zero-length message, which leads to assert-crash later on. ### Old Ubuntu Delta ### dovecot (1:2.3.13+dfsg1-1ubuntu3) impish; urgency=medium - * No-change rebuild due to OpenLDAP soname bump. + * No-change rebuild due to OpenLDAP soname bump. - -- Sergio Durigan Junior <sergio.duri...@canonical.com> Mon, 21 Jun + -- Sergio Durigan Junior <sergio.duri...@canonical.com> Mon, 21 Jun 2021 17:46:46 -0400 dovecot (1:2.3.13+dfsg1-1ubuntu2) impish; urgency=medium - * SECURITY UPDATE: incorrectly escapes kid and azp fields in JWT tokens - - debian/patches/CVE-2021-29157.patch: improve escaping in - src/lib-dict-extra/dict-fs.c, src/lib-oauth2/oauth2-jwt.c, - src/lib-oauth2/test-oauth2-jwt.c. - - CVE-2021-29157 - * SECURITY UPDATE: plaintext command injection before STARTTLS - - debian/patches/CVE-2021-33515.patch: properly handle command queue in - src/lib-smtp/smtp-server-cmd-starttls.c, - src/lib-smtp/smtp-server-connection.c. - - CVE-2021-33515 + * SECURITY UPDATE: incorrectly escapes kid and azp fields in JWT tokens + - debian/patches/CVE-2021-29157.patch: improve escaping in + src/lib-dict-extra/dict-fs.c, src/lib-oauth2/oauth2-jwt.c, + src/lib-oauth2/test-oauth2-jwt.c. + - CVE-2021-29157 + * SECURITY UPDATE: plaintext command injection before STARTTLS + - debian/patches/CVE-2021-33515.patch: properly handle command queue in + src/lib-smtp/smtp-server-cmd-starttls.c, + src/lib-smtp/smtp-server-connection.c. + - CVE-2021-33515 - -- Marc Deslauriers <marc.deslauri...@ubuntu.com> Wed, 16 Jun 2021 + -- Marc Deslauriers <marc.deslauri...@ubuntu.com> Wed, 16 Jun 2021 09:02:15 -0400 dovecot (1:2.3.13+dfsg1-1ubuntu1) hirsute; urgency=medium - * Package references hidden symbols during an LTO link. This needs further - investigation. 
Until then, disable LTO. + * Package references hidden symbols during an LTO link. This needs further + investigation. Until then, disable LTO. - -- Matthias Klose <d...@ubuntu.com> Tue, 30 Mar 2021 17:23:55 +0200 + -- Matthias Klose <d...@ubuntu.com> Tue, 30 Mar 2021 17:23:55 +0200 dovecot (1:2.3.13+dfsg1-1build1) hirsute; urgency=high - * No change rebuild against clucene-core + * No change rebuild against clucene-core - -- Balint Reczey <rbal...@ubuntu.com> Thu, 18 Feb 2021 18:19:47 +0100 + -- Balint Reczey <rbal...@ubuntu.com> Thu, 18 Feb 2021 18:19:47 +0100
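Review bot: The "Old Ubuntu Delta" section at the end of this description lists the delta without saying which items the merge keeps or drops, and two of them overlap with the "New Debian Changes" listed before it. Debian 1:2.3.13+dfsg1-2 already imports the upstream fixes for CVE-2021-29157 and CVE-2021-33515, the same two CVEs that 1:2.3.13+dfsg1-1ubuntu2 addresses with debian/patches/CVE-2021-29157.patch and debian/patches/CVE-2021-33515.patch, so the description should state that those patches are dropped in the merge, or why they are kept. Debian commit [fb1b77e] enables LTO in d/rules while 1:2.3.13+dfsg1-1ubuntu1 disables LTO because of hidden-symbol references, so the description should also record whether that opt-out is carried forward. Adding a short list of remaining delta items would make both decisions reviewable.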
** Changed in: dovecot (Ubuntu)
    Milestone: None => ubuntu-22.01

https://bugs.launchpad.net/bugs/1946855
Title: Merge dovecot from Debian unstable for 22.04