Merge dovecot from Debian unstable for 22.04
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dovecot (Ubuntu) | Fix Released | Undecided | Bryce Harrington |
Bug Description
Upstream: 2.3.16
Debian: 1:2.3.16+dfsg1-3
Ubuntu: 1:2.3.13+
Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.
### New Debian Changes ###
dovecot (1:2.3.16+dfsg1-3) unstable; urgency=medium
* [7b858b6] Fix FTBFS on mips(64)el. Stacktrace generation on these
architectures requires -funwind-tables, as with 32-bit arm.
-- Noah Meyerhans <email address hidden> Thu, 16 Sep 2021 08:41:27 -0700
dovecot (1:2.3.16+dfsg1-2) unstable; urgency=medium
[ Christian Göttsche ]
* [e1e9ece] d/patches: rework backtrace test patch
* [be404bf] d/patches: add big-endian patch
-- Noah Meyerhans <email address hidden> Fri, 10 Sep 2021 16:10:50 -0700
dovecot (1:2.3.16+dfsg1-1) unstable; urgency=medium
[ Christian Göttsche ]
* [ff4a227] New upstream version 2.3.14+dfsg1
* [963fa3b] New upstream version 2.3.15+dfsg1 (Closes: #991323, #983510)
* [5e0c898] d/watch: adjust dversionmangle for dfsg suffix
* [9ffb0f5] d/patches: update
* [850e1d6] New upstream version 2.3.16+dfsg1
* [7140b87] d/patches: rebase patches
* [fb1b77e] d/rules: enable LTO
* [ce7055d] d/control: add libsystemd-dev dependency
* [db93263] d/copyright: drop unused section
* [aeec1e8] d/rules: update how to set systemdsystemun
* [ebe9709] d/patches: resolve compiler warnings
* [19b2bb0] d/changelog: bump to 1:2.3.16+dfsg1-1
* [58a4078] d/patches: update 32bit warnings patch
[ Noah Meyerhans ]
* [f217c2e] Fix indexer crash
* [b075317] Import upstream patch for indexer crash on client disconnect
* [36e8740] drop debian/
-- Noah Meyerhans <email address hidden> Thu, 02 Sep 2021 13:22:16 -0700
dovecot (1:2.3.13+dfsg1-2) unstable; urgency=high
* Import upstream fixes for security issues (Closes: #990566):
- CVE-2021-29157: Path traversal issue allowing an attacker with
access to the local filesystem to trick OAuth2 authentication into
using an HS256 validation key from an attacker-controlled location
- CVE-2021-33515: Sensitive information could be redirected to an
attacker-
bug in the submission service
-- Noah Meyerhans <email address hidden> Tue, 20 Jul 2021 08:05:19 -0700
dovecot (1:2.3.13+dfsg1-1) unstable; urgency=medium
[ Christian Göttsche ]
* [6829237] New upstream version 2.3.13 (Closes: #979363)
- CVE-2020-24386: IMAP hibernation allows accessing other people's mail
- CVE-2020-25275: MIME parsing crashes with particular messages
* [6d25736] Add libzstd-dev to build-dependencies (Closes: #969165)
* [5956798] Rebase patches
* [2cb63c3] Bump to standards version 4.5.1 (no further changes)
* [548bac5] Drop unmatched copyright src/lib-ntlm/* wildcard
* [6f33f3f] Ignore package-
false-positives
* [dde9c94] Handle removed configuration file in postinst
[ Pino Toscano ]
* [04a60e3] d/{control,rules}: disable apparmor support on !linux archs
(Closes: #951869)
[ Helmut Grohne ]
* [e5f9fcb] d/patches: improve cross-compile support (Closes: #979370)
-- Noah Meyerhans <email address hidden> Mon, 25 Jan 2021 15:38:17 -0800
dovecot (1:2.3.
[ Christian Göttsche ]
* [44770f6] Add patch for 32bit compiler warnings
* [053865a] Lintian: remove unused override
* [4ece2e1] Lintian: add forwarded header to Debian specific patches
* [67872b7] Lintian: ignore Debian only man page
* [d30bd7e] Lintian: tag manpage-
spare-
* [3bdf952] Limit libcap-dev build-dependency to linux-any
* [28f6425] Drop acute accent in man page
* [8c15850] Add patch allowing GSSAPI containing NULL
-- Noah Meyerhans <email address hidden> Wed, 19 Aug 2020 12:06:07 -0700
dovecot (1:2.3.
* New upstream release fixes security issues (Closes: #968302)
- CVE-2020-12100 - Receiving mail with deeply nested MIME parts leads to
resource exhaustion as Dovecot attempts to parse it.
- CVE-2020-12673 - Dovecot's NTLM implementation does not correctly check
message buffer size, which leads to reading past allocation which can
lead to crash.
- CVE-2020-12674 - Dovecot's RPA mechanism implementation accepts
zero-length message, which leads to assert-crash later on.
### Old Ubuntu Delta ###
dovecot (1:2.3.
* No-change rebuild due to OpenLDAP soname bump.
-- Sergio Durigan Junior <email address hidden> Mon, 21 Jun 2021 17:46:46 -0400
dovecot (1:2.3.
* SECURITY UPDATE: incorrectly escapes kid and azp fields in JWT tokens
- debian/
src/
src/
- CVE-2021-29157
* SECURITY UPDATE: plaintext command injection before STARTTLS
- debian/
src/
src/
- CVE-2021-33515
-- Marc Deslauriers <email address hidden> Wed, 16 Jun 2021 09:02:15 -0400
dovecot (1:2.3.
* Package references hidden symbols during an LTO link. This needs further
investigation. Until then, disable LTO.
-- Matthias Klose <email address hidden> Tue, 30 Mar 2021 17:23:55 +0200
dovecot (1:2.3.
* No change rebuild against clucene-core
-- Balint Reczey <email address hidden> Thu, 18 Feb 2021 18:19:47 +0100
CVE References
Changed in dovecot (Ubuntu):
assignee: nobody → Bryce Harrington (bryce)
description: updated
Changed in dovecot (Ubuntu):
milestone: none → ubuntu-22.01
description: updated
Changed in dovecot (Ubuntu):
status: New → Incomplete
Changed in dovecot (Ubuntu):
status: Incomplete → New
status: New → In Progress
Changed in dovecot (Ubuntu):
milestone: ubuntu-22.01 → ubuntu-21.11
Uploaded; pending transition.