Branches for Intrepid

Author: Mathias Gug
Revision Date: 2008-10-10 16:05:33 UTC

* New upstream release (LP: #281423):
  - Fix message parser.
  - Fix maildirlock utility.
  - Fix bzip2 support in zlib plugin.
  - mbox: Several bugfixes causing errors and crashes.
  - Many error handling fixes and log message improvements.
  - SORT: Fix assert-crashes.
* Update dovecot-managesieve patch for 1.1.4.
* debian/control:
  - Update Vcs-* headers.
* Merge from debian experimental, remaining changes:
  - Use Snakeoil SSL certificates by default.
    + debian/control: Depend on ssl-cert
    + debian/paptches/ssl-cert-snakeoil.dpatch: Change default SSL cert
      paths to snakeoil.
    + debian/dovecot-common.postinst: Relax grep for SSL_* a bit.
  - Add autopkgtest in debian/tests/*.
  - Don't fail in postinst if dovecot-{sql,ldap} is missing. (LP: #153161)
  - debian/dovecot-common.init: Check to see if there is an /etc/inetd.conf.
    (LP: #208411)
  - debian/patches/login-max-process-count-warning.dpatch: Tell the user
    that they have reached the maximum number of processes count.
    (LP: #189616)
  - Fast TearDown: Update lsb init header to not stop in level 6.
  - Add status action to the init script:
    + debian/control: Depend on lsb >= 3.2.12ubuntu3.
    + debian/dovecot-common-init: Add the 'status' action (LP: #247096).
  - debian/rules:
    - Copy config.{guess,sub} after running libtoolize.
    - Clean dovecot-managesieve directory.
  - debian/patches/fix-dovecot-sieve.dpatch: Fixes assertion error
    when a header string ends with a LF (LP: #264306)
  - Add ufw integration:
    - Created debian/dovecot-common.ufw.profile
    - debian/rules:
      + install profile
    - debian/control
      + Suggest ufw
  - debian/{control,rules}: enable PIE hardening
  - Updated dovecot.common.README.Debian with information on what has changed
    between 1.0 and 1.1.1. Fixes (LP: #257625)
  - dovecot-imapd, dovecot-pop3: Replaces dovecot-common (<< 1:1.1). LP: #254721.
* Dropped:
  - debian/dovecot-common.postinst: Remove stop script symlinks fom rc0
    and rc6 on upgrades. Need to be kept until next LTS release.
  - Fast TearDown:
    + debian/rules: Call dh_installinit in 'multiuser' mode.
    + debian/control: Depend on new sysv-rc for this.
  - Include dovecot-sieve-1.1.5: available in Debian.

Author: Mathias Gug
Revision Date: 2008-11-05 15:30:16 UTC

debian/patches/fix-message-parser.dpatch: Parsing an invalid message
address like "From: (" caused an assert-crash. (LP: #290901).

Author: Marc Deslauriers
Revision Date: 2009-09-24 08:28:12 UTC

* SECURITY UPDATE: directory traversal vulnerability in the the
  ManageSieve implementation (LP: #307291)
  - debian/patches/security-CVE-2008-5301.dpatch: filter out slashes in
    script names in dovecot-managesieve/src/lib-sievestorage/
    {sieve-storage-save.c,sieve-storage-script.c}.
  - CVE-2008-5301
* SECURITY UPDATE: arbitrary code execution via buffer overlows in
  the Sieve plugin
  - debian/patches/security-CVE-2009-3235.dpatch: increase scount size in
    dovecot-sieve/src/libsieve/bc_eval.c, use snprintf in
    dovecot-sieve/src/libsieve/sieve.y, use snprintf and calculate the
    right length in dovecot-sieve/src/libsieve/script.c.
  - CVE-2009-2632
  - CVE-2009-3235

Author: Marc Deslauriers
Revision Date: 2009-09-24 08:28:12 UTC

* SECURITY UPDATE: directory traversal vulnerability in the the
  ManageSieve implementation (LP: #307291)
  - debian/patches/security-CVE-2008-5301.dpatch: filter out slashes in
    script names in dovecot-managesieve/src/lib-sievestorage/
    {sieve-storage-save.c,sieve-storage-script.c}.
  - CVE-2008-5301
* SECURITY UPDATE: arbitrary code execution via buffer overlows in
  the Sieve plugin
  - debian/patches/security-CVE-2009-3235.dpatch: increase scount size in
    dovecot-sieve/src/libsieve/bc_eval.c, use snprintf in
    dovecot-sieve/src/libsieve/sieve.y, use snprintf and calculate the
    right length in dovecot-sieve/src/libsieve/script.c.
  - CVE-2009-2632
  - CVE-2009-3235