[Nothing to merge yet] ** Description changed:
- Upstream: tbd + Upstream: 2.3.16 Debian: 1:2.3.16+dfsg1-3 Ubuntu: 1:2.3.13+dfsg1-1ubuntu3 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. ### New Debian Changes ### dovecot (1:2.3.16+dfsg1-3) unstable; urgency=medium * [7b858b6] Fix FTBFS on mips(64)el. Stacktrace generation on these architectures requires -funwind-tables, as with 32-bit arm. -- Noah Meyerhans <no...@debian.org> Thu, 16 Sep 2021 08:41:27 -0700 dovecot (1:2.3.16+dfsg1-2) unstable; urgency=medium [ Christian Göttsche ] * [e1e9ece] d/patches: rework backtrace test patch * [be404bf] d/patches: add big-endian patch -- Noah Meyerhans <no...@debian.org> Fri, 10 Sep 2021 16:10:50 -0700 dovecot (1:2.3.16+dfsg1-1) unstable; urgency=medium [ Christian Göttsche ] * [ff4a227] New upstream version 2.3.14+dfsg1 * [963fa3b] New upstream version 2.3.15+dfsg1 (Closes: #991323, #983510) * [5e0c898] d/watch: adjust dversionmangle for dfsg suffix * [9ffb0f5] d/patches: update * [850e1d6] New upstream version 2.3.16+dfsg1 * [7140b87] d/patches: rebase patches * [fb1b77e] d/rules: enable LTO * [ce7055d] d/control: add libsystemd-dev dependency * [db93263] d/copyright: drop unused section * [aeec1e8] d/rules: update how to set systemdsystemunitdir * [ebe9709] d/patches: resolve compiler warnings * [19b2bb0] d/changelog: bump to 1:2.3.16+dfsg1-1 * [58a4078] d/patches: update 32bit warnings patch [ Noah Meyerhans ] * [f217c2e] Fix indexer crash * [b075317] Import upstream patch for indexer crash on client disconnect * [36e8740] drop debian/dovecot-core.maintscript -- Noah Meyerhans <no...@debian.org> Thu, 02 Sep 2021 13:22:16 -0700 dovecot (1:2.3.13+dfsg1-2) unstable; urgency=high * Import upstream fixes for security issues (Closes: #990566): - CVE-2021-29157: Path traversal issue allowing an attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location - CVE-2021-33515: Sensitive information could be redirected to an attacker-controlled address because of a STARTTLS command injection bug in the submission service -- Noah Meyerhans <no...@debian.org> Tue, 20 Jul 2021 08:05:19 -0700 dovecot (1:2.3.13+dfsg1-1) unstable; urgency=medium [ Christian Göttsche ] * [6829237] New upstream version 2.3.13 (Closes: #979363) - CVE-2020-24386: IMAP hibernation allows accessing other peoples mail - CVE-2020-25275: MIME parsing crashes with particular messages * [6d25736] Add libzstd-dev to build-dependencies (Closes: #969165) * [5956798] Rebase patches * [2cb63c3] Bump to standards version 4.5.1 (no further changes) * [548bac5] Drop unmatched copyright src/lib-ntlm/* wildcard * [6f33f3f] Ignore package-contains-documentation-outside-usr-share-doc false-positives * [dde9c94] Handle removed configuration file in postinst [ Pino Toscano ] * [04a60e3] d/{control,rules}: disable apparmor support on !linux archs (Closes: #951869) [ Helmut Grohne ] * [e5f9fcb] d/patches: improve cross-compile support (Closes: #979370) -- Noah Meyerhans <no...@debian.org> Mon, 25 Jan 2021 15:38:17 -0800 dovecot (1:2.3.11.3+dfsg1-2) unstable; urgency=medium [ Christian Göttsche ] * [44770f6] Add patch for 32bit compiler warnings * [053865a] Lintian: remove unused override * [4ece2e1] Lintian: add forwarded header to Debian specific patches * [67872b7] Lintian: ignore Debian only man page * [d30bd7e] Lintian: tag manpage-without-executable got renamed to spare-manual-page * [3bdf952] Limit libcap-dev build-dependency to linux-any * [28f6425] Drop acute accent in man page * [8c15850] Add patch allowing GSSAPI containing NULL -- Noah Meyerhans <no...@debian.org> Wed, 19 Aug 2020 12:06:07 -0700 dovecot (1:2.3.11.3+dfsg1-1) unstable; urgency=high * New upstream release fixes security issues (Closes: #968302) - CVE-2020-12100 - Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it. - CVE-2020-12673 - Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash. - CVE-2020-12674 - Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on. ### Old Ubuntu Delta ### dovecot (1:2.3.13+dfsg1-1ubuntu3) impish; urgency=medium * No-change rebuild due to OpenLDAP soname bump. -- Sergio Durigan Junior <sergio.duri...@canonical.com> Mon, 21 Jun 2021 17:46:46 -0400 dovecot (1:2.3.13+dfsg1-1ubuntu2) impish; urgency=medium * SECURITY UPDATE: incorrectly escapes kid and azp fields in JWT tokens - debian/patches/CVE-2021-29157.patch: improve escaping in src/lib-dict-extra/dict-fs.c, src/lib-oauth2/oauth2-jwt.c, src/lib-oauth2/test-oauth2-jwt.c. - CVE-2021-29157 * SECURITY UPDATE: plaintext command injection before STARTTLS - debian/patches/CVE-2021-33515.patch: properly handle command queue in src/lib-smtp/smtp-server-cmd-starttls.c, src/lib-smtp/smtp-server-connection.c. - CVE-2021-33515 -- Marc Deslauriers <marc.deslauri...@ubuntu.com> Wed, 16 Jun 2021 09:02:15 -0400 dovecot (1:2.3.13+dfsg1-1ubuntu1) hirsute; urgency=medium * Package references hidden symbols during an LTO link. This needs further investigation. Until then, disable LTO. -- Matthias Klose <d...@ubuntu.com> Tue, 30 Mar 2021 17:23:55 +0200 dovecot (1:2.3.13+dfsg1-1build1) hirsute; urgency=high * No change rebuild against clucene-core -- Balint Reczey <rbal...@ubuntu.com> Thu, 18 Feb 2021 18:19:47 +0100 ** Changed in: dovecot (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946855 Title: Merge dovecot from Debian unstable for 22.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1946855/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs