This bug was fixed in the package dovecot - 1:2.3.16+dfsg1-3ubuntu1
---------------
dovecot (1:2.3.16+dfsg1-3ubuntu1) jammy; urgency=medium
[ Bryce Harrington ]
* Merge with Debian unstable. (LP: #1946855)
Remaining changes:
- Package references hidden symbols during an LTO link. This needs further
investigation. Until then, disable LTO.
* Dropped:
- SECURITY UPDATE: incorrectly escapes kid and azp fields in JWT tokens
+ debian/patches/CVE-2021-29157.patch: improve escaping in
src/lib-dict-extra/dict-fs.c, src/lib-oauth2/oauth2-jwt.c,
src/lib-oauth2/test-oauth2-jwt.c.
[Included in Debian 1:2.3.13+dfsg1-2]
- SECURITY UPDATE: plaintext command injection before STARTTLS
+ debian/patches/CVE-2021-33515.patch: properly handle command queue in
src/lib-smtp/smtp-server-cmd-starttls.c,
src/lib-smtp/smtp-server-connection.c.
[Included in Debian 1:2.3.13+dfsg1-2]
* d/rules: Disable Debian's recent enablement of LTO as well, as it
FTBFS when building with gcc 11.
(LP: #1951325)
[ Simon Chopin ]
* d/p/OpenSSL3.patch: Workaround to fix EC key handling when building
with OpenSSL 3.0.
(LP: #1945763)
-- Bryce Harrington <[email protected]> Wed, 17 Nov 2021 13:46:08
-0800
** Changed in: dovecot (Ubuntu)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-29157
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-33515
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1946855
Title:
Merge dovecot from Debian unstable for 22.04
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1946855/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
