dovecot (1:2.3.16+dfsg1-3ubuntu2.4) jammy-security; urgency=medium

  * SECURITY UPDATE: Having a large number of address headers (From, To,
    Cc, Bcc, etc.) becomes excessively CPU intensive
    - debian/patches/CVE-2024-23184-1.patch: fix dllist2 test name in
      src/lib/test-llist.c.
    - debian/patches/CVE-2024-23184-2.patch: add DLLIST2_JOIN() in
      src/lib/llist.h, src/lib/test-llist.c.
    - debian/patches/CVE-2024-23184-3.patch: use test_assert_idx() where
      possible in src/lib-imap/test-imap-envelope.c.
    - debian/patches/CVE-2024-23184-4.patch: change message_address to be
      doubly linked list in src/lib-imap/imap-envelope.c,
      src/lib-mail/message-address.c, src/lib-mail/message-address.h,
      src/lib-mail/test-message-address.c.
    - debian/patches/CVE-2024-23184-5.patch: add
      message_address_parse_full() and struct message_address_list in
      src/lib-mail/message-address.c, src/lib-mail/message-address.h,
      src/lib-mail/test-message-address.c.
    - debian/patches/CVE-2024-23184-6.patch: optimize parsing large number
      of address headers in src/lib-imap/imap-envelope.c,
      src/lib-mail/message-part-data.c, src/lib-mail/message-part-data.h,
      src/lib-storage/index/index-search-mime.c.
    - CVE-2024-23184
  * SECURITY UPDATE: Very large headers can cause resource exhaustion when
    parsing message
    - debian/patches/CVE-2024-23185-1.patch: limit header block to 10MB by
      default in src/lib-mail/message-header-parser.c,
      src/lib-mail/message-header-parser.h,
      src/lib-mail/test-message-header-parser.c.
    - debian/patches/CVE-2024-23185-2.patch: limit headers total count to
      50MB by default in src/lib-mail/message-parser-private.h,
      src/lib-mail/message-parser.c, src/lib-mail/message-parser.h,
      src/lib-mail/test-message-parser.c.
    - CVE-2024-23185
  * Note: This package does _not_ contain the changes from
    1:2.3.16+dfsg1-3ubuntu2.3 in jammy-proposed.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 11 Sep 2024 07:54:46 -0400

dovecot (1:2.3.16+dfsg1-3ubuntu2.2) jammy; urgency=medium

  * Backport fix + refactoring for handling ssl settings (LP: #1991564)
    - d/p/split-master_service_ssl_settings_to_iostream_set-to-client-server-functions.patch
    - d/p/split-off-master_service_ssl_server_settings.patch
    - d/p/remove-unused-master_service_is_ssl_module_loaded.patch
    - d/p/use-ssl-server-settings-only-when-necessary.patch
    - d/p/remove-unnecessary-master_service_flag_use_ssl_settings.patch

 -- Bryce Harrington <bryce@canonical.com>  Wed, 11 Jan 2023 06:39:32 -0800

dovecot (1:2.3.16+dfsg1-3ubuntu2.1) jammy-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via multiple passdbs
    - debian/patches/CVE-2022-30550.patch: fix handling passdbs with
      identical driver/args but different mechanisms/username_filter in
      src/auth/auth-request.c, src/auth/auth.c, src/auth/auth.h,
      src/auth/passdb.c, src/auth/passdb.h.
    - CVE-2022-30550

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 07 Jul 2022 13:13:40 -0400

dovecot (1:2.3.16+dfsg1-3ubuntu2) jammy; urgency=medium

  * No-change rebuild for icu soname change.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 09 Feb 2022 09:13:08 +0100

dovecot (1:2.3.16+dfsg1-3ubuntu1) jammy; urgency=medium

  [ Bryce Harrington ]
  * Merge with Debian unstable. (LP: #1946855)
    Remaining changes:
    - Package references hidden symbols during an LTO link. This needs
      further investigation. Until then, disable LTO.
  * Dropped:
    - SECURITY UPDATE: incorrectly escapes kid and azp fields in JWT tokens
      + debian/patches/CVE-2021-29157.patch: improve escaping in
        src/lib-dict-extra/dict-fs.c, src/lib-oauth2/oauth2-jwt.c,
        src/lib-oauth2/test-oauth2-jwt.c.
      [Included in Debian 1:2.3.13+dfsg1-2]
    - SECURITY UPDATE: plaintext command injection before STARTTLS
      + debian/patches/CVE-2021-33515.patch: properly handle command queue
        in src/lib-smtp/smtp-server-cmd-starttls.c,
        src/lib-smtp/smtp-server-connection.c.
      [Included in Debian 1:2.3.13+dfsg1-2]
  * d/rules: Disable Debian's recent enablement of LTO as well, as it FTBFS
    when building with gcc 11. (LP: #1951325)

  [ Simon Chopin ]
  * d/p/OpenSSL3.patch: Workaround to fix EC key handling when building
    with OpenSSL 3.0. (LP: #1945763)

 -- Bryce Harrington <bryce@canonical.com>  Wed, 17 Nov 2021 13:46:08 -0800

dovecot (1:2.3.16+dfsg1-3) unstable; urgency=medium

  * [7b858b6] Fix FTBFS on mips(64)el. Stacktrace generation on these
    architectures requires -funwind-tables, as with 32-bit arm.

 -- Noah Meyerhans <noahm@debian.org>  Thu, 16 Sep 2021 08:41:27 -0700

dovecot (1:2.3.16+dfsg1-2) unstable; urgency=medium

  [ Christian Göttsche ]
  * [e1e9ece] d/patches: rework backtrace test patch
  * [be404bf] d/patches: add big-endian patch

 -- Noah Meyerhans <noahm@debian.org>  Fri, 10 Sep 2021 16:10:50 -0700

dovecot (1:2.3.16+dfsg1-1) unstable; urgency=medium

  [ Christian Göttsche ]
  * [ff4a227] New upstream version 2.3.14+dfsg1
  * [963fa3b] New upstream version 2.3.15+dfsg1 (Closes: #991323, #983510)
  * [5e0c898] d/watch: adjust dversionmangle for dfsg suffix
  * [9ffb0f5] d/patches: update
  * [850e1d6] New upstream version 2.3.16+dfsg1
  * [7140b87] d/patches: rebase patches
  * [fb1b77e] d/rules: enable LTO
  * [ce7055d] d/control: add libsystemd-dev dependency
  * [db93263] d/copyright: drop unused section
  * [aeec1e8] d/rules: update how to set systemdsystemunitdir
  * [ebe9709] d/patches: resolve compiler warnings
  * [19b2bb0] d/changelog: bump to 1:2.3.16+dfsg1-1
  * [58a4078] d/patches: update 32bit warnings patch

  [ Noah Meyerhans ]
  * [f217c2e] Fix indexer crash
  * [b075317] Import upstream patch for indexer crash on client disconnect
  * [36e8740] drop debian/dovecot-core.maintscript

 -- Noah Meyerhans <noahm@debian.org>  Thu, 02 Sep 2021 13:22:16 -0700

dovecot (1:2.3.13+dfsg1-2) unstable; urgency=high

  * Import upstream fixes for security issues (Closes: #990566):
    - CVE-2021-29157: Path traversal issue allowing an attacker with access
      to the local filesystem to trick OAuth2 authentication into using an
      HS256 validation key from an attacker-controlled location
    - CVE-2021-33515: Sensitive information could be redirected to an
      attacker-controlled address because of a STARTTLS command injection
      bug in the submission service

 -- Noah Meyerhans <noahm@debian.org>  Tue, 20 Jul 2021 08:05:19 -0700

dovecot (1:2.3.13+dfsg1-1ubuntu3) impish; urgency=medium

  * No-change rebuild due to OpenLDAP soname bump.

 -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 21 Jun 2021 17:46:46 -0400

# For older changelog entries, run 'apt-get changelog dovecot-core'