Merge dovecot from Debian Unstable for 22.04

Bug #1942376 reported by Bryce Harrington
Affects: dovecot (Ubuntu)
Status: Invalid
Importance: Medium
Assigned to: Bryce Harrington
Milestone:

Bug Description

[NOTE: This is a POC bug for canonical-server merge planning/workflow changes]

Upstream: 2.3.16
Debian: 1:2.3.13+dfsg1-2
Ubuntu: 1:2.3.13+dfsg1-1ubuntu3
Scheduled-For: 2022.02

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.

### New Debian Changes ###

dovecot (1:2.3.13+dfsg1-2) unstable; urgency=high

  * Import upstream fixes for security issues (Closes: #990566):
    - CVE-2021-29157: Path traversal issue allowing an attacker with
      access to the local filesystem can trick OAuth2 authentication into
      using an HS256 validation key from an attacker-controlled location
    - CVE-2021-33515: Sensitive information could be redirected to an
      attacker-controlled address because of a STARTTLS command injection
      bug in the submission service

 -- Noah Meyerhans <email address hidden> Tue, 20 Jul 2021 08:05:19 -0700

### Old Ubuntu Delta ###

dovecot (1:2.3.13+dfsg1-1ubuntu3) impish; urgency=medium

  * No-change rebuild due to OpenLDAP soname bump.

 -- Sergio Durigan Junior <email address hidden> Mon, 21 Jun 2021 17:46:46 -0400

dovecot (1:2.3.13+dfsg1-1ubuntu2) impish; urgency=medium

  * SECURITY UPDATE: incorrectly escapes kid and azp fields in JWT tokens
    - debian/patches/CVE-2021-29157.patch: improve escaping in
      src/lib-dict-extra/dict-fs.c, src/lib-oauth2/oauth2-jwt.c,
      src/lib-oauth2/test-oauth2-jwt.c.
    - CVE-2021-29157
  * SECURITY UPDATE: plaintext command injection before STARTTLS
    - debian/patches/CVE-2021-33515.patch: properly handle command queue in
      src/lib-smtp/smtp-server-cmd-starttls.c,
      src/lib-smtp/smtp-server-connection.c.
    - CVE-2021-33515

 -- Marc Deslauriers <email address hidden> Wed, 16 Jun 2021 09:02:15 -0400
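The two CVE-2021-29157 entries above describe a JWT `kid`/`azp` escaping defect that let a key identifier steer the HS256 key lookup to an attacker-chosen path. The following is an added example, not dovecot's code and not its actual escaping logic, showing the defensive pattern such a fix enforces: a claim that is used to locate a key file is validated as a plain token and the resolved path is confined to the key directory before anything is opened. The key directory, the allowed character set, and the function names are assumptions.

```python
import re
from pathlib import Path
from typing import Optional

# Assumed policy: a key identifier may only be a short plain token. Slashes,
# backslashes, NUL bytes and other separators are rejected outright so the
# value can never name a directory component.
CLAIM_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def is_safe_claim(value: Optional[str]) -> bool:
    """True when a JWT claim (kid or azp) is safe to use as a file-name token."""
    if not value or not CLAIM_RE.match(value):
        return False
    # The character class permits dots, so explicitly reject "." and "..".
    if set(value) <= {"."}:
        return False
    return True


def resolve_key_path(kid: Optional[str], key_dir: str) -> Optional[Path]:
    """Map a JWT 'kid' to a key file under key_dir.

    Returns None when kid is missing, malformed, or would resolve outside
    key_dir (including via a symlink placed inside key_dir).
    """
    if not is_safe_claim(kid):
        return None
    base = Path(key_dir).resolve()
    candidate = (base / kid).resolve()
    # Containment check: the fully resolved path must remain inside key_dir.
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs; /tmp/jwt-keys is a hypothetical key directory.
    for sample in ["key-2021", "../../etc/passwd", "..", "a/b", ""]:
        print(repr(sample), "->", resolve_key_path(sample, "/tmp/jwt-keys"))
```

The regex alone already blocks traversal; the `relative_to` check is defense in depth for the case where the token names a symlink inside the key directory that points elsewhere.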

dovecot (1:2.3.13+dfsg1-1ubuntu1) hirsute; urgency=medium

  * Package references hidden symbols during an LTO link. This needs further
    investigation. Until then, disable LTO.

 -- Matthias Klose <email address hidden> Tue, 30 Mar 2021 17:23:55 +0200

dovecot (1:2.3.13+dfsg1-1build1) hirsute; urgency=high

  * No change rebuild against clucene-core

 -- Balint Reczey <email address hidden> Thu, 18 Feb 2021 18:19:47 +0100

### Newer Upstream Releases ###

https://github.com/dovecot/core/blob/2.3.14/NEWS
https://github.com/dovecot/core/blob/2.3.15/NEWS
https://github.com/dovecot/core/blob/2.3.16/NEWS

Tags: needs-merge
Bryce Harrington (bryce)
Changed in dovecot (Ubuntu):
importance: Undecided → Medium
milestone: none → later
Bryce Harrington (bryce)
Changed in dovecot (Ubuntu):
assignee: nobody → Bryce Harrington (bryce)
summary: - Merge dovecot from Debian for 22.04
+ Merge dovecot from Debian Unstable for 22.04
Bryce Harrington (bryce)
tags: added: needs-merge
Bryce Harrington (bryce)
Changed in dovecot (Ubuntu):
status: New → Invalid