[ubuntu/eoan-proposed] dovecot 1:2.3.4.1-5ubuntu1 (Accepted)

Bryce Harrington bryce at canonical.com
Thu May 9 19:39:47 UTC 2019


dovecot (1:2.3.4.1-5ubuntu1) eoan; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - carry mail-stack-delivery as empty transitional package
  * Dropped:
    - SECURITY UPDATE: stack overflow when reading FTS or POP3-UIDL header
      + debian/patches/CVE-2019-7524-1.patch: fix buffer overflow when
        reading oversized hdr-pop3-uidl header in
        src/lib-storage/index/index-pop3-uidl.c.
      + debian/patches/CVE-2019-7524-2.patch: fix buffer overflow when
        reading oversized fts header in src/plugins/fts/fts-api.c.
      + CVE-2019-7524
      [Fixed in 1:2.3.4.1-3]
    - SECURITY UPDATE: JSON encoder assert DoS
      + debian/patches/CVE-2019-10691.patch: escape invalid UTF-8 as unicode
        bytes in src/lib/json-parser.c, src/lib/test-json-parser.c.
      + CVE-2019-10691
      [Fixed in 1:2.3.4.1-4]
    - SECURITY UPDATE: submission-login denial of service issues
      + debian/patches/CVE-2019-1149x-1.patch: remove unused
        client->pending_starttls in src/submission-login/client.h.
      + debian/patches/CVE-2019-1149x-2.patch: fix crash occurring when
        client disconnects during authentication in
        src/submission-login/client-authenticate.c,
        src/submission-login/client.c.
      + debian/patches/CVE-2019-1149x-3.patch: fix AUTH response error
        handling so that it stops reading more input in
        src/lib-smtp/smtp-server-cmd-auth.c.
      + CVE-2019-11494
      + CVE-2019-11499
      [Fixed in 1:2.3.4.1-5]

dovecot (1:2.3.4.1-5) unstable; urgency=medium

  * [bd00402] Fix CVE-2019-11494 and CVE-2019-11499 (Closes: #928235)
     - submission-login: fix null pointer dereference when client
       disconnects during authentication (CVE-2019-11494)
     - submission-login: fix assert-crash when receiving an invalid
       authentication message over TLS (CVE-2019-11499)

dovecot (1:2.3.4.1-4) unstable; urgency=high

  * [d04d4ba] Fix assert-crash in JSON encoder (CVE-2019-10691)

dovecot (1:2.3.4.1-3) unstable; urgency=high

  * [07c9212] Fix two buffer overflows when reading oversized FTS headers
    and/or oversized POP3-UIDL headers (CVE-2019-7524).

dovecot (1:2.3.4.1-2) unstable; urgency=medium

  [ Laurent Bigonville ]
  * [ac99918] Fix double-free crash in mysql driver
    Fix double closing of the connection in the mysql driver, this should
    fix the crash in the dovecot auth process, taken from upstream.
    (Closes: #918339)

  [ Apollon Oikonomopoulos ]
  * [8a30446] Bump Standards-Version to 4.3.0; no changes needed

Date: Fri, 03 May 2019 12:02:04 -0700
Changed-By: Bryce Harrington <bryce at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Bryce Harrington <bryce at bryceharrington.org>
https://launchpad.net/ubuntu/+source/dovecot/1:2.3.4.1-5ubuntu1
-------------- next part --------------
Format: 1.8
Date: Fri, 03 May 2019 12:02:04 -0700
Source: dovecot
Architecture: source
Version: 1:2.3.4.1-5ubuntu1
Distribution: eoan
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Bryce Harrington <bryce at canonical.com>
Closes: 918339 928235
Original-Maintainer: Dovecot Maintainers <dovecot at packages.debian.org>