- dovecot (1:2.4.2+dfsg1-3+rpi1) forky-staging; urgency=medium
++dovecot (1:2.4.3+dfsg1-2+rpi1) forky-staging; urgency=medium
+
+ [changes brought forward from 1:2.3.21+dfsg1-3+rpi1 by Peter Michael Green <plugwash@raspbian.org> at Thu, 20 Jun 2024 17:16:27 +0000]
+ * Disablte testsuite.
+
- -- Raspbian forward porter <root@raspbian.org> Sun, 08 Feb 2026 14:26:07 +0000
++ -- Raspbian forward porter <root@raspbian.org> Sat, 18 Apr 2026 18:33:51 +0000
++
+ dovecot (1:2.4.3+dfsg1-2) unstable; urgency=medium
+
+ * [2e35d07] autopkgtests: Add managesieved authentication test
+ * [226112b] Remove generated settings-history-pigeonhole.h on clean
+ * [dd36c64] ci: replace obsolete build-package-twice test
+ * [d6da850] use an alternate temporary directory in the test suite
+ (Closes: #1133346)
+ * [80afe14] ci: disable the validate-package-clean-up check
+ * [c9e076a] drop stale lintian overrides
+
+ -- Noah Meyerhans <noahm@debian.org> Tue, 14 Apr 2026 15:36:12 -0400
+
+ dovecot (1:2.4.3+dfsg1-1) unstable; urgency=medium
+
+ [ Max Nikulin ]
+ * [ea2f6e5] conf.d/10-mail.conf: Fix broken link to mbox.html
+ * [6e8d7c5] dovecot-core.README.Debian: fix docs URL
+
+ [ Christian Kastner ]
+ * [a46c892] auth_mechanisms: 'login' no longer part of default
+
+ [ Christian Göttsche ]
+ * [86f1990] d/control: fix indentation
+ * [81e373f] d/dovecot-core.bug-control: add missing binary packages
+ * [ebb77bf] d/dovecot-core.postrm: restart to reload modules
+ * [6774c19] d/dovecot-flatcurve.postinst: fix copy+paste mistake
+ * [94bb48d] d/rules: use find ... -delete instead of rm
+ * [540e3f1] d/dovecot*.postinst: remove dead code
+
+ [ Noah Meyerhans ]
+ * [4ec7e67] New upstream version 2.4.3+dfsg1 resolves multiple security
+ issues:
+ - CVE-2025-59028: Invalid base64 authentication can cause DoS for
+ other logins.
+ and read unintended files during indexing. Fixed by dropping the
+ script.
+ - CVE-2026-24031: SQL injection possible if auth_username_chars is
+ configured empty. Fixed escaping to always happen. v2.4 regression.
+ - CVE-2026-27859: Excessive RFC 2231 MIME parameters in email would cause
+ excessive CPU usage. Fixed by limiting number of parameters to process.
+ - CVE-2026-27860: LDAP query injection possible if auth_username_chars
+ is configured empty. Fixed escaping to always happen. v2.4
+ regression.
+ - CVE-2026-27857: Sending excessive parenthesis causes imap-login to
+ use excessive memory.
+ - CVE-2026-27856: Doveadm credentials were not checked using
+ timing-safe checking function.
+ - CVE-2026-27855: OTP driver vulnerable to replay attack.
+ * [83a079c] Refresh or drop patches
+ * [6ccfe01] Stop installing decode2text.sh per CVE-2025-59031
+ * [44f9918] transfer ownership of conf.d/90-fts-flatcurve.conf to the
+ right package
+ * [4dc8772] Add python3 to build-depends for src/lib-settings
+ * [deae63d] autopkgtest: store hashed rather than plaintext passwords in
+ passdbs
+ * [edc5e6a] add dovecot-ldap autopkgtests
+
+ -- Noah Meyerhans <noahm@debian.org> Fri, 03 Apr 2026 14:36:36 -0400
+
+ dovecot (1:2.4.2+dfsg1-4) unstable; urgency=medium
+
+ * [e8f1499] Drop stale build-dependency on libdb-dev (Closes: #1119173)
+ * [86b8fb2] lib: Preserve errno in our malloc() and free() wrappers
+ (Closes: #1128400)
+ * [99e1cd6] backport upstream fix for crash in trash plugin (Closes: #1127029)
+
+ -- Noah Meyerhans <noahm@debian.org> Wed, 04 Mar 2026 20:08:14 -0500
dovecot (1:2.4.2+dfsg1-3) unstable; urgency=medium
projects / dovecot.git / commitdiff