dovecot.git
10 days ago [PATCH 15/24] global: Use const for struct imap_parser_params params
Timo Sirainen [Mon, 2 Mar 2026 11:50:24 +0000 (13:50 +0200)]
[PATCH 15/24] global: Use const for struct imap_parser_params params

Gbp-Pq: Name CVE-2026-27857-5.patch

10 days ago [PATCH 14/24] imap-login: Limit the number of open IMAP parser lists
Timo Sirainen [Fri, 6 Mar 2026 13:35:12 +0000 (15:35 +0200)]
[PATCH 14/24] imap-login: Limit the number of open IMAP parser lists

This prevents attackers from using a large number of '(' in a command to
grow memory usage excessively.

Gbp-Pq: Name CVE-2026-27857-4.patch

10 days ago [PATCH 13/24] lib-imap: Add imap_parser_params.list_count_limit
Timo Sirainen [Fri, 6 Mar 2026 13:32:29 +0000 (15:32 +0200)]
[PATCH 13/24] lib-imap: Add imap_parser_params.list_count_limit

Gbp-Pq: Name CVE-2026-27857-3.patch

10 days ago [PATCH 12/24] lib-imap, global: Add params parameter to imap_parser_create()
Timo Sirainen [Fri, 6 Mar 2026 13:25:14 +0000 (15:25 +0200)]
[PATCH 12/24] lib-imap, global: Add params parameter to imap_parser_create()

Gbp-Pq: Name CVE-2026-27857-2.patch

10 days ago [PATCH 1/2] plugins: imap-filter-sieve: imap-filter-sieve - Adjust to imap_parser_cre...
Timo Sirainen [Fri, 6 Mar 2026 15:06:45 +0000 (17:06 +0200)]
[PATCH 1/2] plugins: imap-filter-sieve: imap-filter-sieve - Adjust to imap_parser_create() API change

Gbp-Pq: Name CVE-2026-27857-1.patch

10 days ago [PATCH 18/24] doveadm: client-connection - Get API key from per-connection settings
Aki Tuomi [Wed, 4 Mar 2026 12:39:43 +0000 (14:39 +0200)]
[PATCH 18/24] doveadm: client-connection - Get API key from per-connection settings

Gbp-Pq: Name CVE-2026-27856-3.patch

10 days ago [PATCH 17/24] doveadm: Use datastack for temporary b64 value
Aki Tuomi [Wed, 4 Mar 2026 07:28:18 +0000 (09:28 +0200)]
[PATCH 17/24] doveadm: Use datastack for temporary b64 value

There is no need to allocate it from connection pool.

Gbp-Pq: Name CVE-2026-27856-2.patch

10 days ago [PATCH 16/24] doveadm: client-connection - Use timing safe credential check
Aki Tuomi [Wed, 4 Mar 2026 06:05:13 +0000 (08:05 +0200)]
[PATCH 16/24] doveadm: client-connection - Use timing safe credential check

Gbp-Pq: Name CVE-2026-27856-1.patch

10 days ago [PATCH 24/24] auth: passdb-sql - Require update_query to be set when used
Aki Tuomi [Wed, 11 Mar 2026 10:46:53 +0000 (12:46 +0200)]
[PATCH 24/24] auth: passdb-sql - Require update_query to be set when used

Gbp-Pq: Name CVE-2026-27855-4.patch

10 days ago [PATCH 23/24] auth: Initialize set_credentials event properly
Aki Tuomi [Mon, 9 Mar 2026 19:23:29 +0000 (21:23 +0200)]
[PATCH 23/24] auth: Initialize set_credentials event properly

Fixes update_query

Gbp-Pq: Name CVE-2026-27855-3.patch

10 days ago [PATCH 22/24] auth: Move passdb event lifecycle handling to auth_request_passdb_event...
Aki Tuomi [Wed, 11 Mar 2026 10:30:32 +0000 (12:30 +0200)]
[PATCH 22/24] auth: Move passdb event lifecycle handling to auth_request_passdb_event_(begin|end)

Gbp-Pq: Name CVE-2026-27855-2.patch

10 days ago [PATCH 21/24] auth: cache - Use translated username in auth_cache_remove()
Aki Tuomi [Mon, 9 Mar 2026 18:04:27 +0000 (20:04 +0200)]
[PATCH 21/24] auth: cache - Use translated username in auth_cache_remove()

Gbp-Pq: Name CVE-2026-27855-1.patch

10 days ago [PATCH 11/24] lib-var-expand: Add "safe" filter to prevent escaping output
Timo Sirainen [Wed, 25 Feb 2026 10:40:22 +0000 (12:40 +0200)]
[PATCH 11/24] lib-var-expand: Add "safe" filter to prevent escaping output

For example ldap_base = %{passdb:next_dn | safe} to avoid escaping the DN.

Gbp-Pq: Name CVE-2026-24031-27860-8.patch

10 days ago [PATCH 10/24] auth: userdb sql - Fix escaping for user iteration
Timo Sirainen [Tue, 24 Feb 2026 10:26:46 +0000 (12:26 +0200)]
[PATCH 10/24] auth: userdb sql - Fix escaping for user iteration

This is mostly a non-issue, since userdb iteration doesn't take any
untrusted input.

Broken by ef0c63b690e6ef9fbd53cb815dfab50d1667ba3a

Gbp-Pq: Name CVE-2026-24031-27860-7.patch

10 days ago [PATCH 09/24] auth: passdb sql - Fix escaping for set_credentials()
Timo Sirainen [Tue, 24 Feb 2026 10:24:37 +0000 (12:24 +0200)]
[PATCH 09/24] auth: passdb sql - Fix escaping for set_credentials()

This was only used by OTP SASL mechanism after successful authentication, so
it practically couldn't be used for SQL injections.

Broken by ef0c63b690e6ef9fbd53cb815dfab50d1667ba3a

Gbp-Pq: Name CVE-2026-24031-27860-6.patch

10 days ago [PATCH 08/24] auth: Rewrite ldap_escape() with a unit test
Timo Sirainen [Mon, 23 Feb 2026 17:54:40 +0000 (19:54 +0200)]
[PATCH 08/24] auth: Rewrite ldap_escape() with a unit test

Gbp-Pq: Name CVE-2026-24031-27860-5.patch

10 days ago [PATCH 07/24] auth: test-auth - Run Lua unit tests even when building Lua as plugin
Timo Sirainen [Mon, 23 Feb 2026 17:33:16 +0000 (19:33 +0200)]
[PATCH 07/24] auth: test-auth - Run Lua unit tests even when building Lua as plugin

Gbp-Pq: Name CVE-2026-24031-27860-4.patch

10 days ago [PATCH 06/24] lib-settings: settings_get_params() - Fix using provided escape_func
Timo Sirainen [Mon, 23 Feb 2026 11:37:09 +0000 (13:37 +0200)]
[PATCH 06/24] lib-settings: settings_get_params() - Fix using provided escape_func

This fixes auth-sql and auth-ldap to actually do escaping.

Gbp-Pq: Name CVE-2026-24031-27860-3.patch

10 days ago [PATCH 05/24] auth: passdb/userdb ldap - Fix escaping ldap filter, base and bind_userdn
Timo Sirainen [Fri, 20 Feb 2026 16:37:38 +0000 (18:37 +0200)]
[PATCH 05/24] auth: passdb/userdb ldap - Fix escaping ldap filter, base and bind_userdn

Broken by c2ccdab8d09dec65753ee42366f48d53d7f47cfd

Gbp-Pq: Name CVE-2026-24031-27860-2.patch

10 days ago [PATCH 04/24] auth: Make struct settings_get_params params const
Timo Sirainen [Wed, 25 Feb 2026 07:33:25 +0000 (09:33 +0200)]
[PATCH 04/24] auth: Make struct settings_get_params params const

Gbp-Pq: Name CVE-2026-24031-27860-1.patch

10 days ago [PATCH] managesieve-login: Fix crash when command didn't finish on the first call
Timo Sirainen [Mon, 22 Dec 2025 20:25:04 +0000 (22:25 +0200)]
[PATCH] managesieve-login: Fix crash when command didn't finish on the first call

Gbp-Pq: Name CVE-2025-59032.patch

10 days ago [PATCH 02/24] fts: Remove decode2text.sh
Aki Tuomi [Thu, 8 Jan 2026 06:51:59 +0000 (08:51 +0200)]
[PATCH 02/24] fts: Remove decode2text.sh

The script is flawed and not fit for production use, should
recommend writing your own script, or using Apache Tika.

Gbp-Pq: Name CVE-2025-59031.patch

10 days ago [PATCH 01/24] auth: Don't disconnect auth client when invalid base64 SASL input is...
Timo Sirainen [Tue, 4 Nov 2025 09:34:30 +0000 (11:34 +0200)]
[PATCH 01/24] auth: Don't disconnect auth client when invalid base64 SASL input is received

The base64 input comes from an untrusted client. It shouldn't cause the auth
client to disconnect, which causes other concurrent logins to be aborted.

Broken by 1486c30e191ff079bfa78e7950173bb33d8073d9

Gbp-Pq: Name CVE-2025-59028.patch

10 days ago [PATCH] acl: Fix crash when group ACLs are used, but user's acl_groups is empty
Marco Bettini [Thu, 28 Aug 2025 15:09:56 +0000 (15:09 +0000)]
[PATCH] acl: Fix crash when group ACLs are used, but user's acl_groups is empty

From 003bf9a6959714e0f696f0015c8c712e89962b9b Mon Sep 17 00:00:00 2001
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129952

Gbp-Pq: Name acl-Fix-crash-when-group-ACLs-are-used-but-user-s-ac.patch

10 days ago [PATCH] trash: Use mailbox event in trash_try_mailbox() for settings
Aki Tuomi [Fri, 9 Jan 2026 11:31:42 +0000 (13:31 +0200)]
[PATCH] trash: Use mailbox event in trash_try_mailbox() for settings

From 06af53902479572fc96f04b4372fdabb9d01996b Mon Sep 17 00:00:00 2001
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127029

Gbp-Pq: Name 0001-trash-Use-mailbox-event-in-trash_try_mailbox-for-set.patch

10 days ago [PATCH] auth: ldap - Fix crash if users are iterated, but userdb_ldap_iterate_fields...
Timo Sirainen [Thu, 6 Nov 2025 12:52:37 +0000 (14:52 +0200)]
[PATCH] auth: ldap - Fix crash if users are iterated, but userdb_ldap_iterate_fields is not set

From 576a2f52bff4c13971d9e6d1172857a4f18ddd14 Mon Sep 17 00:00:00 2001
Bug-Debian: https://bugs.debian.org/1121000

Gbp-Pq: Name bug1121000_dovecot-ldap_Crash_if_iterate_filter_is_set_but_iterate_fields_is_not_set.patch

10 days ago [PATCH] lib-sieve/sieve-script.c: sieve_script_create_common: Correctly handle errors.
Alexander Gerasiov [Tue, 23 Sep 2025 10:50:43 +0000 (13:50 +0300)]
[PATCH] lib-sieve/sieve-script.c: sieve_script_create_common: Correctly handle errors.

Fixes null pointer deref (e.g. in case of absent file).

Gbp-Pq: Name lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch

10 days ago [PATCH] auth: Terminate properly auth_oauth2_post_setting_defines list
Timo Sirainen [Thu, 15 May 2025 10:06:56 +0000 (13:06 +0300)]
[PATCH] auth: Terminate properly auth_oauth2_post_setting_defines list

Fixes:
Error: xoauth2: oauth2 failed: Local validation failed: auth_oauth2_fields settings: Failed to parse configuration: settings struct auth_oauth2_fields #1 key mismatch

Gbp-Pq: Name auth__Terminate_properly_auth_oauth2_post_setting_defines.patch

10 days ago [PATCH] auth: Use AUTH_CACHE_KEY_USER instead of per-database constants
Aki Tuomi [Fri, 25 Jul 2025 05:16:52 +0000 (08:16 +0300)]
[PATCH] auth: Use AUTH_CACHE_KEY_USER instead of per-database constants

Fixes cache key issue where users would end up overwriting
each other in cache due to cache key being essentially static
string because we no longer support %u.

Forgotten in 2e298e7ee98b6df61cf85117f000290d60a473b8

Gbp-Pq: Name auth__Use_AUTH_CACHE_KEY_USER_instead_of_per-database.patch

10 days ago [PATCH] Fix LDAP SASL auth support
Jakob Haufe [Sun, 25 May 2025 13:04:50 +0000 (15:04 +0200)]
[PATCH] Fix LDAP SASL auth support

961275fdb54878fdfa4ee1b9f1a4f00e82bf4a83 moved code without creating a
way to have HAVE_LDAP_SASL defined there.

Copy the preprocessor block from src/auth/db-ldap.c to fix this.

Gbp-Pq: Name bug1106784_Fix-LDAP-SASL-auth-support.patch

10 days ago Fix groff errors in upstream manpages
Noah Meyerhans [Tue, 31 Mar 2026 19:07:17 +0000 (15:07 -0400)]
Fix groff errors in upstream manpages

Forwarded: no
Last-Update: 2025-05-02

Gbp-Pq: Name fix-man-errors.patch

10 days ago Fix GSSAPI regression
Dovecot Maintainers [Tue, 31 Mar 2026 19:07:17 +0000 (15:07 -0400)]
Fix GSSAPI regression

Origin: https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/message/O54EAGLIXXHMOH7BQCCKHHB3Z32HDWVR/
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104549
Last-Update: 2025-05-02

Dovecot 2.4 introduced a regression that broke GSSAPI authentication for
some clients.  This patch contains a fix provided by the upstream maintainers.
Gbp-Pq: Name bug1104549-gssapi-regression.patch

10 days ago fit-32-bit-test-integers
Dovecot Maintainers [Tue, 31 Mar 2026 19:07:17 +0000 (15:07 -0400)]
fit-32-bit-test-integers

Gbp-Pq: Name fit-32-bit-test-integers.patch

10 days ago Use _FORTIFY_SOURCE level 3
Christian Göttsche [Thu, 22 Dec 2022 16:00:53 +0000 (17:00 +0100)]
Use _FORTIFY_SOURCE level 3

Forwarded: not-needed

Gbp-Pq: Name Use-_FORTIFY_SOURCE-level-3.patch

10 days ago [PATCH] lda: Default mail_home=$HOME environment if not using userdb lookup
Timo Sirainen [Mon, 26 May 2025 06:45:56 +0000 (09:45 +0300)]
[PATCH] lda: Default mail_home=$HOME environment if not using userdb lookup

The previous code to do this was removed by
e57d5b9002f910c095ee5b55821395fcf1da016a

Gbp-Pq: Name 0002-lda-Default-mail_home-HOME-environment-if-not-using-.patch

10 days ago [PATCH] lda: Fix using USER environment if -d hasn't been specified
Timo Sirainen [Mon, 26 May 2025 06:37:35 +0000 (09:37 +0300)]
[PATCH] lda: Fix using USER environment if -d hasn't been specified

This became broken at some point.

Gbp-Pq: Name 0001-lda-Fix-using-USER-environment-if-d-hasn-t-been-spec.patch

10 days ago Don't try to build doc/rfc subdir components
Noah Meyerhans [Fri, 22 May 2020 04:48:59 +0000 (21:48 -0700)]
Don't try to build doc/rfc subdir components

Forwarded: not-needed

Gbp-Pq: Name skip-rfc-subdir.patch

10 days ago dovecot (1:2.4.1+dfsg1-6+deb13u4) trixie-security; urgency=medium
Noah Meyerhans [Tue, 31 Mar 2026 19:07:17 +0000 (15:07 -0400)]
dovecot (1:2.4.1+dfsg1-6+deb13u4) trixie-security; urgency=medium

  * [bc29057] CVE-2025-59028: auth: Don't disconnect auth client when
    invalid base64 SASL input is received
  * [fee7a9a] CVE-2025-59031: stop shipping the decode2text shell script
  * [9a4442e] CVE-2025-59032: managesieve-login: Fix crash when command
    didn't finish on the first call
  * [2711b3e] CVE-2026-24031, CVE-2026-27860: auth: fix ldap and sql
    injection
  * [d30f1c3] CVE-2026-27855: fix OTP authentication reply vulnerability
  * [e1b0ff7] CVE-2026-27856: doveadm: fix timing oracle attack
  * [b8a69bf] CVE-2026-27857: fix resource exhaustion DoS in NOOP command
    parsing
  * [85dd068] CVE-2026-27858: fix pre-authentication managesieve memory
    consumption issue
  * [880e332] CVE-2026-27859: fix uncontrolled resource allocation when
    delivering specially crafted email messages

[dgit import unpatched dovecot 1:2.4.1+dfsg1-6+deb13u4]

10 days ago Import dovecot_2.4.1+dfsg1-6+deb13u4.debian.tar.xz
Noah Meyerhans [Tue, 31 Mar 2026 19:07:17 +0000 (15:07 -0400)]
Import dovecot_2.4.1+dfsg1-6+deb13u4.debian.tar.xz

[dgit import tarball dovecot 1:2.4.1+dfsg1-6+deb13u4 dovecot_2.4.1+dfsg1-6+deb13u4.debian.tar.xz]

12 months ago Import dovecot_2.4.1+dfsg1.orig.tar.gz
Noah Meyerhans [Sun, 30 Mar 2025 15:48:57 +0000 (11:48 -0400)]
Import dovecot_2.4.1+dfsg1.orig.tar.gz

[dgit import orig dovecot_2.4.1+dfsg1.orig.tar.gz]

12 months ago Import dovecot_2.4.1+dfsg1.orig-pigeonhole.tar.gz
Noah Meyerhans [Sun, 30 Mar 2025 15:48:57 +0000 (11:48 -0400)]
Import dovecot_2.4.1+dfsg1.orig-pigeonhole.tar.gz

[dgit import orig dovecot_2.4.1+dfsg1.orig-pigeonhole.tar.gz]