From: Raspbian automatic forward porter Date: Sun, 31 May 2026 20:32:40 +0000 (+0100) Subject: Merge version 1:2.4.1+dfsg1-6+rpi1+deb13u3 and 1:2.4.1+dfsg1-6+deb13u6 to produce... X-Git-Tag: archive/raspbian/1%2.4.1+dfsg1-6+rpi1+deb13u6^0 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=05e906ab096d52c981d74c48888f2d10a27d091b;p=dovecot.git Merge version 1:2.4.1+dfsg1-6+rpi1+deb13u3 and 1:2.4.1+dfsg1-6+deb13u6 to produce 1:2.4.1+dfsg1-6+rpi1+deb13u6 --- 05e906ab096d52c981d74c48888f2d10a27d091b diff --cc debian/changelog index 35dcc10,65d96f2..1dd5d97 --- a/debian/changelog +++ b/debian/changelog @@@ -1,9 -1,43 +1,50 @@@ - dovecot (1:2.4.1+dfsg1-6+rpi1+deb13u3) trixie-staging; urgency=medium ++dovecot (1:2.4.1+dfsg1-6+rpi1+deb13u6) trixie-staging; urgency=medium + + [changes brought forward from 1:2.3.21+dfsg1-3+rpi1 by Peter Michael Green at Thu, 20 Jun 2024 17:16:27 +0000] + * Disablte testsuite. + - -- Raspbian forward porter Tue, 17 Mar 2026 14:28:20 +0000 ++ -- Raspbian forward porter Sun, 31 May 2026 20:32:39 +0000 ++ + dovecot (1:2.4.1+dfsg1-6+deb13u6) trixie-security; urgency=medium + + * Security update (Closes: #1136444) + * [76ceed4] CVE-2026-27851: lib-var-expand: Reset safe state when + transfer is unset + * [4af6fb3] CVE-2026-40016: lib-sieve: Enforce CPU time limit within + :contains and :matches matcher loops + * [366ef61] CVE-2026-33603: login-common: Only accept base64 in sasl + * [26bd41e] CVE-2026-40020: IMAP folders can be shared-spammed to + everyone. 
+ * [b6f5bac] CVE-2026-42006: imap-login: Excessive memory usage DoS + + -- Noah Meyerhans Mon, 18 May 2026 16:03:51 -0400 + + dovecot (1:2.4.1+dfsg1-6+deb13u5) trixie; urgency=medium + + * [b357180] autopkgtests: Add managesieved authentication test + * [c9d69a1] Fix memory leak in CVE-2026-27857 fix + + -- Noah Meyerhans Wed, 06 May 2026 15:18:43 -0400 + + dovecot (1:2.4.1+dfsg1-6+deb13u4) trixie-security; urgency=medium + + * [bc29057] CVE-2025-59028: auth: Don't disconnect auth client when + invalid base64 SASL input is received + * [fee7a9a] CVE-2025-59031: stop shipping the decode2text shell script + * [9a4442e] CVE-2025-59032: managesieve-login: Fix crash when command + didn't finish on the first call + * [2711b3e] CVE-2026-24031, CVE-2026-27860: auth: fix ldap and sql + injection + * [d30f1c3] CVE-2026-27855: fix OTP authentication reply vulnerability + * [e1b0ff7] CVE-2026-27856: doveadm: fix timing oracle attack + * [b8a69bf] CVE-2026-27857: fix resource exhaustion DoS in NOOP command + parsing + * [85dd068] CVE-2026-27858: fix pre-authentication managesieve memory + consumption issue + * [880e332] CVE-2026-27859: fix uncontrolled resource allocation when + delivering specially crafted email messages + + -- Noah Meyerhans Tue, 31 Mar 2026 15:07:17 -0400 dovecot (1:2.4.1+dfsg1-6+deb13u3) trixie; urgency=medium
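Review bot: The carried-forward entry in the top stanza for 1:2.4.1+dfsg1-6+rpi1+deb13u6 reads "Disablte testsuite." (a typo for "Disable") and gives no reason for the change. This merge brings in the CVE fixes listed under deb13u4 and deb13u6, so with the test suite disabled the Raspbian build would pick them up without the package's tests being run against them. Suggest correcting the spelling and adding a line that says why the tests are off on this port, or re-enabling them if the reason from the 1:2.3.21+dfsg1-3+rpi1 change no longer applies.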