[PATCH] managesieve-login: Fix crash when command didn't finish on the first call

Gbp-Pq: Name CVE-2025-59032.patch

[PATCH 02/24] fts: Remove decode2text.sh

The script is flawed and not fit for production use, should
recommend writing your own script, or using Apache Tika.

Gbp-Pq: Name CVE-2025-59031.patch

[PATCH 01/24] auth: Don't disconnect auth client when invalid base64 SASL input is received

The base64 input comes from untrusted client. It shouldn't cause the auth
client to disconnect, which causes other concurrent logins to be aborted.

Broken by 1486c30e191ff079bfa78e7950173bb33d8073d9

Gbp-Pq: Name CVE-2025-59028.patch

[PATCH] acl: Fix crash when group ACLs are used, but user's acl_groups is empty

From 003bf9a6959714e0f696f0015c8c712e89962b9b Mon Sep 17 00:00:00 2001
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129952

Gbp-Pq: Name acl-Fix-crash-when-group-ACLs-are-used-but-user-s-ac.patch

[PATCH] trash: Use mailbox event in trash_try_mailbox() for settings

From 06af53902479572fc96f04b4372fdabb9d01996b Mon Sep 17 00:00:00 2001
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127029

Gbp-Pq: Name 0001-trash-Use-mailbox-event-in-trash_try_mailbox-for-set.patch

[PATCH] auth: ldap - Fix crash if users are iterated, but userdb_ldap_iterate_fields is not set

From 576a2f52bff4c13971d9e6d1172857a4f18ddd14 Mon Sep 17 00:00:00 2001
Bug-Debian: https://bugs.debian.org/1121000

Bug-Debian: https://bugs.debian.org/1121000
Gbp-Pq: Name bug1121000_dovecot-ldap_Crash_if_iterate_filter_is_set_but_iterate_fields_is_not_set.patch

[PATCH] lib-sieve/sieve-script.c: sieve_script_create_common: Correctly handle errors.

Fixes null pointer deref (e.g. in case of absent file).

Gbp-Pq: Name lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch

[PATCH] auth: Terminate properly auth_oauth2_post_setting_defines list

Fixes:
Error: xoauth2: oauth2 failed: Local validation failed: auth_oauth2_fields settings: Failed to parse configuration: settings struct auth_oauth2_fields #1 key mismatch

Gbp-Pq: Name auth__Terminate_properly_auth_oauth2_post_setting_defines.patch

[PATCH] auth: Use AUTH_CACHE_KEY_USER instead of per-database constants

Fixes cache key issue where users would end up overwriting
each other in cache due to cache key being essentially static
string because we no longer support %u.

Forgotten in 2e298e7ee98b6df61cf85117f000290d60a473b8

Gbp-Pq: Name auth__Use_AUTH_CACHE_KEY_USER_instead_of_per-database.patch

[PATCH] Fix LDAP SASL auth support

961275fdb54878fdfa4ee1b9f1a4f00e82bf4a83 moved code without creating a
way to have HAVE_LDAP_SASL defined there.

Copy the preprocessor block from src/auth/db-ldap.c to fix this.

Gbp-Pq: Name bug1106784_Fix-LDAP-SASL-auth-support.patch

Fix groff errors in upstream manpages

Forwarded: no
Last-Update: 2025-05-02

Last-Update: 2025-05-02
Gbp-Pq: Name fix-man-errors.patch

Fix GSSAPI regression

Origin: https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/message/O54EAGLIXXHMOH7BQCCKHHB3Z32HDWVR/
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104549
Last-Update: 2025-05-02

Dovecot 2.4 introduced a regression that broke GSSAPI authentication for
some clients.  This patch contains a fix provided by the upstream maintainers.
Last-Update: 2025-05-02
Gbp-Pq: Name bug1104549-gssapi-regression.patch

fit-32-bit-test-integers

===================================================================

Gbp-Pq: Name fit-32-bit-test-integers.patch

Use _FORTIFY_SOURCE level 3

Forwarded: not-needed

Gbp-Pq: Name Use-_FORTIFY_SOURCE-level-3.patch

[PATCH] lda: Default mail_home=$HOME environment if not using userdb lookup

The previous code to do this was removed by
e57d5b9002f910c095ee5b55821395fcf1da016a

Gbp-Pq: Name 0002-lda-Default-mail_home-HOME-environment-if-not-using-.patch

[PATCH] lda: Fix using USER environment if -d hasn't been specified

This became broken at some point.

Gbp-Pq: Name 0001-lda-Fix-using-USER-environment-if-d-hasn-t-been-spec.patch

Don't try to build doc/rfc subdir components

Forwarded: not-needed

Forwarded: not-needed
Gbp-Pq: Name skip-rfc-subdir.patch

dovecot (1:2.4.1+dfsg1-6+deb13u4) trixie-security; urgency=medium

  * [bc29057] CVE-2025-59028: auth: Don't disconnect auth client when
    invalid base64 SASL input is received
  * [fee7a9a] CVE-2025-59031: stop shipping the decode2text shell script
  * [9a4442e] CVE-2025-59032: managesieve-login: Fix crash when command
    didn't finish on the first call
  * [2711b3e] CVE-2026-24031, CVE-2026-27860: auth: fix ldap and sql
    injection
  * [d30f1c3] CVE-2026-27855: fix OTP authentication reply vulnerability
  * [e1b0ff7] CVE-2026-27856: doveadm: fix timing oracle attack
  * [b8a69bf] CVE-2026-27857: fix resource exhaustion DoS in NOOP command
    parsing
  * [85dd068] CVE-2026-27858: fix pre-authentication managesieve memory
    consumption issue
  * [880e332] CVE-2026-27859: fix uncontrolled resource allocation when
    delivering specially crafted email messages

[dgit import unpatched dovecot 1:2.4.1+dfsg1-6+deb13u4]

Import dovecot_2.4.1+dfsg1-6+deb13u4.debian.tar.xz

[dgit import tarball dovecot 1:2.4.1+dfsg1-6+deb13u4 dovecot_2.4.1+dfsg1-6+deb13u4.debian.tar.xz]

Import dovecot_2.4.1+dfsg1.orig.tar.gz

[dgit import orig dovecot_2.4.1+dfsg1.orig.tar.gz]

Import dovecot_2.4.1+dfsg1.orig-pigeonhole.tar.gz

[dgit import orig dovecot_2.4.1+dfsg1.orig-pigeonhole.tar.gz]