dovecot (1:2.2.22-1ubuntu2.12) xenial-security; urgency=medium

  * SECURITY REGRESSION: updating CVE-2019-11500-3.patch with the right
    check

 -- Leonidas S. Barbosa  Wed, 28 Aug 2019 13:23:21 -0300

dovecot (1:2.2.22-1ubuntu2.11) xenial-security; urgency=medium

  * SECURITY UPDATE: IMAP does not properly handle NULL byte - bounds heap
    memory writes
    - debian/patches/CVE-2019-11500-*.patch: doesn't accept strings with
      NULs in src/lib-imap/imap-parser.c and
      pigeonhole/src/lib-managesieve/managesieve-parser.c, make sure
      str_unescape won't be writing past allocated memory in
      src/lib-imap/imap-parser.c and
      pigeonhole/src/lib-managesieve/managesieve-parser.c.
    - CVE-2019-11500

 -- Leonidas S. Barbosa  Wed, 14 Aug 2019 13:19:55 -0300

dovecot (1:2.2.22-1ubuntu2.10) xenial-security; urgency=medium

  * SECURITY UPDATE: stack overflow when reading FTS or POP3-UIDL header
    - debian/patches/CVE-2019-7524-2.patch: fix buffer overflow when
      reading oversized fts header in src/plugins/fts/fts-api.c.
    - CVE-2019-7524

 -- Marc Deslauriers  Fri, 29 Mar 2019 08:02:32 -0400

dovecot (1:2.2.22-1ubuntu2.9) xenial-security; urgency=medium

  * SECURITY UPDATE: incorrect client certificate validation
    - debian/patches/CVE-2019-3814-1.patch: do not import empty
      certificate username in src/auth/auth-request.c.
    - debian/patches/CVE-2019-3814-2.patch: fail authentication if
      certificate username was unexpectedly missing in
      src/auth/auth-request-handler.c.
    - debian/patches/CVE-2019-3814-3.patch: ensure we get username from
      certificate in src/login-common/sasl-server.c.
    - CVE-2019-3814

 -- Marc Deslauriers  Mon, 28 Jan 2019 08:53:15 -0500

dovecot (1:2.2.22-1ubuntu2.8) xenial; urgency=medium

  * debian/*.triggers: change triggers to -noawait variety: there is no
    need for awaited triggers for the restarting of dovecot.
    (LP: #1780996)

 -- Mathieu Trudel-Lapierre  Wed, 11 Jul 2018 14:48:37 -0400

dovecot (1:2.2.22-1ubuntu2.7) xenial-security; urgency=medium

  * SECURITY UPDATE: rfc822_parse_domain Information Leak Vulnerability
    - debian/patches/CVE-2017-14461/*.patch: upstream parsing fixes.
    - CVE-2017-14461
  * SECURITY UPDATE: TLS SNI config lookups DoS
    - debian/patches/CVE-2017-15130/*.patch: upstream config filtering
      fix.
    - CVE-2017-15130

 -- Marc Deslauriers  Tue, 27 Feb 2018 07:46:12 -0500

dovecot (1:2.2.22-1ubuntu2.6) xenial-security; urgency=medium

  * SECURITY UPDATE: Memory leak that can cause crash due to memory
    exhaustion
    - debian/patches/CVE-2017-15132.patch: fix memory leak in
      auth_client_request_abort() in src/lib-auth/auth-client-request.c.
    - debian/patches/CVE-2017-15132-additional.patch: remove request
      after abort in src/lib-auth/auth-client-request.c,
      src/lib-auth/auth-server-connection.c,
      src/lib-auth/auth-server-connection.h.
    - CVE-2017-15132

 -- Leonidas S. Barbosa  Wed, 31 Jan 2018 12:58:33 -0300

dovecot (1:2.2.22-1ubuntu2.4) xenial-security; urgency=medium

  * REGRESSION UPDATE: Revert CVE-2017-2669 fix as this version of dovecot
    is not affected by the security flaw and the change caused a
    regression in passdb and userdb dictionary authentication backends
    - debian/patches/CVE-2017-2669.patch: Remove the patch

 -- Tyler Hicks  Tue, 11 Apr 2017 14:29:20 +0000

dovecot (1:2.2.22-1ubuntu2.3) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via crafted username
    - debian/patches/CVE-2017-2669.patch: do not double-expand key in
      passdb dict when authenticating in src/auth/db-dict.c.
    - CVE-2017-2669

 -- Marc Deslauriers  Fri, 07 Apr 2017 13:34:12 -0400

dovecot (1:2.2.22-1ubuntu2.2) xenial; urgency=medium

  * d/p/fix-sieve-pigeonhole-crash-on-huge-mails.patch: Fix
    sieve-pigeonhole crash when filtering too much data (LP: #1633220)

 -- Christian Ehrhardt  Wed, 09 Nov 2016 13:13:08 +0100

# For older changelog entries, run 'apt-get changelog dovecot-core'