[ubuntu/precise-updates] dovecot 1:2.0.19-0ubuntu2.8 (Accepted)
Ubuntu Archive Robot
ubuntu-archive-robot at lists.canonical.com
Mon May 3 13:30:51 UTC 2021
dovecot (1:2.0.19-0ubuntu2.8) precise-security; urgency=medium

  * SECURITY REGRESSION: updating CVE-2019-11500-3.patch with the right check

dovecot (1:2.0.19-0ubuntu2.7) precise-security; urgency=medium

  * SECURITY UPDATE: IMAP does not properly handle NULL byte - bounds
    heap memory writes
    - debian/patches/CVE-2019-11500-*.patch: doesn't accept strings with
      NULs in src/lib-imap/imap-parser.c and
      pigeonhole/src/lib-managesieve/managesieve-parser.c,
      make sure str_unescape won't be writing past allocated memory
      in src/lib-imap/imap-parser.c and
      pigeonhole/src/lib-managesieve/managesieve-parser.c.
    - CVE-2019-11500

dovecot (1:2.0.19-0ubuntu2.6) precise-security; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: incorrect client certificate validation
    - debian/patches/CVE-2019-3814-1.patch: do not import empty certificate
      username in src/auth/auth-request.c.
    - debian/patches/CVE-2019-3814-2.patch: fail authentication if
      certificate username was unexpectedly missing in
      src/auth/auth-request-handler.c.
    - debian/patches/CVE-2019-3814-3.patch: ensure we get username from
      certificate in src/login-common/sasl-server.c.
    - CVE-2019-3814

dovecot (1:2.0.19-0ubuntu2.5) precise-security; urgency=medium

  * SECURITY UPDATE: rfc822_parse_domain Information Leak Vulnerability
    - debian/patches/CVE-2017-14461/*.patch: upstream parsing fixes.
    - CVE-2017-14461
  * SECURITY UPDATE: TLS SNI config lookups DoS
    - debian/patches/CVE-2017-15130/*.patch: upstream config filtering fix.
    - CVE-2017-15130

dovecot (1:2.0.19-0ubuntu2.4) precise-security; urgency=medium

  * SECURITY UPDATE: passdb exploitable through checkpassword
    - debian/patches/CVE-2013-6171.patch: refuse to run checkpassword
      script insecurely by default in src/auth/checkpassword-reply.c,
      src/auth/db-checkpassword.c.
    - CVE-2013-6171
  * SECURITY UPDATE: Memory leak that can cause crash due to memory exhaustion
    - debian/patches/CVE-2017-15132.patch: fix memory leak in
      auth_client_request_abort() in src/lib-auth/auth-client-request.c.
    - debian/patches/CVE-2017-15132-additional.patch: remove request after
      abort in src/lib-auth/auth-client-request.c,
      src/lib-auth/auth-server-connection.c,
      src/lib-auth/auth-server-connection.h.
    - CVE-2017-15132

Date: 2019-08-28 17:13:27.534455+00:00
Changed-By: leo.barbosa at canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/dovecot/1:2.0.19-0ubuntu2.8