-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 18 May 2020 22:09:08 +0200
Source: dovecot
Architecture: source
Version: 1:2.3.4.1-5+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Dovecot Maintainers <dovecot@packages.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 960963
Changes:
 dovecot (1:2.3.4.1-5+deb10u2) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply upstream fixes for CVE-2020-10957, CVE-2020-10958 and CVE-2020-10967 (Closes: #960963)
     - lib-smtp: smtp-server-cmd-vrfy - Restructure parameter parsing.
     - lib-smtp: smtp-syntax - Do not allow NULL return parameters for smtp_string_parse().
     - lib-smtp: smtp-syntax - Do not allow NULL return parameters for smtp_xtext_parse().
     - lib-smtp: syntax: Fix smtp_ehlo_line_parse() to also record the last parameter.
     - lib-smtp: smtp-syntax - Do not allow NULL return parameters for smtp_ehlo_line_parse().
     - lib-smtp: smtp-syntax - Return 0 for smtp_string_parse() with empty input.
     - lib-smtp: Add tests for smtp_string_parse() and smtp_string_write().
     - lib-smtp: test-smtp-server-errors - Add tests for VRFY and NOOP commands with invalid parameters.
     - lib-smtp: server: command: Move core of smtp_server_command_submit_reply() into a separate function.
     - lib-smtp: smtp-server-command - Assign cmd->reg immediately.
     - lib-smtp: smtp-server-command - Guarantee that non-destroy hooks aren't called for an ended command.
     - lib-smtp: smtp-server-command - Perform initial command execution in separate function.
     - lib-smtp: smtp-server-connection - Hold a command reference while executing a command.
     - lib-smtp: test-smtp-server-errors - Add tests for large series of empty and bad commands.
     - lib-smtp: smtp-address - Don't return NULL from smtp_address_clone*() unless the input is NULL.
     - lib-smtp: smtp-address - Don't recognize an address with empty localpart as <>.
     - lmtp: lmtp-commands - Explicitly prohibit empty RCPT path.
Checksums-Sha1:
 230c2d5e6f076e2e996da0f5a4fc583de25598b7 3495 dovecot_2.3.4.1-5+deb10u2.dsc
 ec2650b2bb22a52e3bcb0df4db03f5ecc6470599 542620 dovecot_2.3.4.1-5+deb10u2.debian.tar.xz
Checksums-Sha256:
 5de6378355c8a3a009f7427ed536bc96e531ed09d4575bd3047a7f471e703d43 3495 dovecot_2.3.4.1-5+deb10u2.dsc
 3ac89b81095e4719909559b6a74c141f68cb41ccb2176212e93182a7882a5f65 542620 dovecot_2.3.4.1-5+deb10u2.debian.tar.xz
Files:
 ef25418b915cee60d039a457c6ac0cb2 3495 mail optional dovecot_2.3.4.1-5+deb10u2.dsc
 16cbf3291de9d16c6f5d8ebd9a7dcedf 542620 mail optional dovecot_2.3.4.1-5+deb10u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----