Debian Patches
Status for dovecot/1:2.4.1+dfsg1-6+deb13u4
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| skip-rfc-subdir.patch | Don't try to build doc/rfc subdir components | Noah Meyerhans <noahm@debian.org> | not-needed | | | 2020-05-21 |
| 0001-lda-Fix-using-USER-environment-if-d-hasn-t-been-spec.patch | lda: Fix using USER environment if -d hasn't been specified This became broken at some point. | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2025-05-26 |
| 0002-lda-Default-mail_home-HOME-environment-if-not-using-.patch | lda: Default mail_home=$HOME environment if not using userdb lookup The previous code to do this was removed by e57d5b9002f910c095ee5b55821395fcf1da016a | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2025-05-26 |
| Use-_FORTIFY_SOURCE-level-3.patch | Use _FORTIFY_SOURCE level 3 | Christian Göttsche <cgzones@googlemail.com> | not-needed | | | 2022-12-22 |
| fit-32-bit-test-integers.patch | =================================================================== | | no | | | |
| bug1104549-gssapi-regression.patch | Fix GSSAPI regression Dovecot 2.4 introduced a regression that broke GSSAPI authentication for some clients. This patch contains a fix provided by the upstream maintainers. | | no | debian | https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/message/O54EAGLIXXHMOH7BQCCKHHB3Z32HDWVR/ | 2025-05-02 |
| fix-man-errors.patch | Fix groff errors in upstream manpages | Noah Meyerhans <noahm@debian.org> | no | | | 2025-05-02 |
| bug1106784_Fix-LDAP-SASL-auth-support.patch | Fix LDAP SASL auth support 961275fdb54878fdfa4ee1b9f1a4f00e82bf4a83 moved code without creating a way to have HAVE_LDAP_SASL defined there. Copy the preprocessor block from src/auth/db-ldap.c to fix this. | Jakob Haufe <sur5r@sur5r.net> | no | | | 2025-05-25 |
| auth__Use_AUTH_CACHE_KEY_USER_instead_of_per-database.patch | auth: Use AUTH_CACHE_KEY_USER instead of per-database constants Fixes cache key issue where users would end up overwriting each other in cache due to cache key being essentially static string because we no longer support %u. Forgotten in 2e298e7ee98b6df61cf85117f000290d60a473b8 | Aki Tuomi <aki.tuomi@open-xchange.com> | no | | | 2025-07-25 |
| auth__Terminate_properly_auth_oauth2_post_setting_defines.patch | auth: Terminate properly auth_oauth2_post_setting_defines list Fixes: | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2025-05-15 |
| lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch | lib-sieve/sieve-script.c: sieve_script_create_common: Correctly handle errors. Fixes null pointer deref (e.g. in case of absent file). | Alexander Gerasiov <a@gerasiov.net> | no | | | 2025-09-23 |
| bug1121000_dovecot-ldap_Crash_if_iterate_filter_is_set_but_iterate_fields_is_not_set.patch | auth: ldap - Fix crash if users are iterated, but userdb_ldap_iterate_fields is not set | Timo Sirainen <timo.sirainen@open-xchange.com> | no | debian | | 2025-11-06 |
| 0001-trash-Use-mailbox-event-in-trash_try_mailbox-for-set.patch | trash: Use mailbox event in trash_try_mailbox() for settings | Aki Tuomi <aki.tuomi@open-xchange.com> | no | debian | | 2026-01-09 |
| acl-Fix-crash-when-group-ACLs-are-used-but-user-s-ac.patch | acl: Fix crash when group ACLs are used, but user's acl_groups is empty | Marco Bettini <marco.bettini@open-xchange.com> | no | debian | | 2025-08-28 |
| CVE-2025-59028.patch | [PATCH 01/24] auth: Don't disconnect auth client when invalid base64 SASL input is received The base64 input comes from untrusted client. It shouldn't cause the auth client to disconnect, which causes other concurrent logins to be aborted. Broken by 1486c30e191ff079bfa78e7950173bb33d8073d9 | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2025-11-04 |
| CVE-2025-59031.patch | [PATCH 02/24] fts: Remove decode2text.sh The script is flawed and not fit for production use, should recommend writing your own script, or using Apache Tika. | Aki Tuomi <aki.tuomi@open-xchange.com> | no | | | 2026-01-08 |
| CVE-2025-59032.patch | managesieve-login: Fix crash when command didn't finish on the first call | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2025-12-22 |
| CVE-2026-24031-27860-1.patch | [PATCH 04/24] auth: Make struct settings_get_params params const | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2026-02-25 |
| CVE-2026-24031-27860-2.patch | [PATCH 05/24] auth: passdb/userdb ldap - Fix escaping ldap filter, base and bind_userdn Broken by c2ccdab8d09dec65753ee42366f48d53d7f47cfd | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2026-02-20 |
| CVE-2026-24031-27860-3.patch | [PATCH 06/24] lib-settings: settings_get_params() - Fix using provided escape_func This fixes auth-sql and auth-ldap to actually do escaping. | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2026-02-23 |
| CVE-2026-24031-27860-4.patch | [PATCH 07/24] auth: test-auth - Run Lua unit tests even when building Lua as plugin | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2026-02-23 |
| CVE-2026-24031-27860-5.patch | [PATCH 08/24] auth: Rewrite ldap_escape() with a unit test | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2026-02-23 |
| CVE-2026-24031-27860-6.patch | [PATCH 09/24] auth: passdb sql - Fix escaping for set_credentials() This was only used by OTP SASL mechanism after successful authentication, so it practically couldn't be used for SQL injections. Broken by ef0c63b690e6ef9fbd53cb815dfab50d1667ba3a | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2026-02-24 |
| CVE-2026-24031-27860-7.patch | [PATCH 10/24] auth: userdb sql - Fix escaping for user iteration This is mostly a non-issue, since userdb iteration doesn't take any untrusted input. Broken by ef0c63b690e6ef9fbd53cb815dfab50d1667ba3a | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2026-02-24 |
| CVE-2026-24031-27860-8.patch | [PATCH 11/24] lib-var-expand: Add "safe" filter to prevent escaping output For example ldap_base = %{passdb:next_dn \| safe} to avoid escaping the DN. | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2026-02-25 |
| CVE-2026-27855-1.patch | [PATCH 21/24] auth: cache - Use translated username in auth_cache_remove() | Aki Tuomi <aki.tuomi@open-xchange.com> | no | | | 2026-03-09 |
| CVE-2026-27855-2.patch | [PATCH 22/24] auth: Move passdb event lifecycle handling to auth_request_passdb_event_(begin\|end) | Aki Tuomi <aki.tuomi@open-xchange.com> | no | | | 2026-03-11 |
| CVE-2026-27855-3.patch | [PATCH 23/24] auth: Initialize set_credentials event properly Fixes update_query | Aki Tuomi <aki.tuomi@open-xchange.com> | no | | | 2026-03-09 |
| CVE-2026-27855-4.patch | [PATCH 24/24] auth: passdb-sql - Require update_query to be set when used | Aki Tuomi <aki.tuomi@open-xchange.com> | no | | | 2026-03-11 |
| CVE-2026-27856-1.patch | [PATCH 16/24] doveadm: client-connection - Use timing safe credential check | Aki Tuomi <aki.tuomi@open-xchange.com> | no | | | 2026-03-04 |
| CVE-2026-27856-2.patch | [PATCH 17/24] doveadm: Use datastack for temporary b64 value There is no need to allocate it from connection pool. | Aki Tuomi <aki.tuomi@open-xchange.com> | no | | | 2026-03-04 |
| CVE-2026-27856-3.patch | [PATCH 18/24] doveadm: client-connection - Get API key from per-connection settings | Aki Tuomi <aki.tuomi@open-xchange.com> | no | | | 2026-03-04 |
| CVE-2026-27857-1.patch | [PATCH 1/2] plugins: imap-filter-sieve: imap-filter-sieve - Adjust to imap_parser_create() API change | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2026-03-06 |
| CVE-2026-27857-2.patch | [PATCH 12/24] lib-imap, global: Add params parameter to imap_parser_create() | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2026-03-06 |
| CVE-2026-27857-3.patch | [PATCH 13/24] lib-imap: Add imap_parser_params.list_count_limit | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2026-03-06 |
| CVE-2026-27857-4.patch | [PATCH 14/24] imap-login: Limit the number of open IMAP parser lists This prevents attackers from using a large number of '(' in a command to grow memory usage excessively. | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2026-03-06 |
| CVE-2026-27857-5.patch | [PATCH 15/24] global: Use const for struct imap_parser_params params | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2026-03-02 |
| CVE-2026-27858.patch | [PATCH 2/2] managesieve-login: Verify AUTHENTICATE initial response size isn't too large This prevents DoSing the managesieve-login by sending an excessively large initial response size, which causes a huge memory allocation. | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2026-03-02 |
| CVE-2026-27859.patch | [PATCH 03/24] lib-mail: Limit the number of RFC2231 parameters that can be parsed This avoids excessive CPU usage especially in result_append(). | Timo Sirainen <timo.sirainen@open-xchange.com> | no | | | 2026-02-24 |

All known versions for source package 'dovecot'
- 1:2.4.3+dfsg1-1 (sid)
- 1:2.4.2+dfsg1-4 (forky)
- 1:2.4.1+dfsg1-6+deb13u4 (trixie-proposed-updates, trixie-security)
- 1:2.4.1+dfsg1-6+deb13u3 (trixie)
- 1:2.3.21.1+dfsg1-1~bpo12+1 (bookworm-backports)
- 1:2.3.19.1+dfsg1-2.1+deb12u3 (bookworm-security)
- 1:2.3.19.1+dfsg1-2.1+deb12u2 (bookworm-proposed-updates)
- 1:2.3.19.1+dfsg1-2.1+deb12u1 (bookworm)
