- CVE-2019-10691
 - CVE-2019-11494
 - CVE-2019-11499
 - CVE-2019-7524
 - avoid-double-closing-mysql.patch
 - lib-master-test-event-stats-Use-PRIu64-format.patch

Git-Dch: Full

Drop d/compat in favor debhelper-compat B-D.

Git-Dch: Full

Fixes CVE-2019-11500 for pigeonhole

Git-Dch: Full

7372921a7 Released 0.5.7.2
4a299840c lib-managesieve: Make sure str_unescape() won't be writing past allocated memory
7ce9990a5 lib-managesieve: Don't accept strings with NULs
db5c74be8 Released v0.5.7.1
fb64268ce NEWS: Add news for 0.5.7.1
1d6184483 doveadm-sieve: Shared attribute iteration shouldn't list Sieve scripts
5a4e63b50 configure: Update ABI version too
d4588dbf8 Released 0.5.7
9b6736a03 NEWS: Add news for 0.5.7
08e14e72b lib-sieve: Expand SMTP_ADDRESS_LITERAL() macro
1cd2a887e testsuite: Fix invalid compound literal use
88ee6b81a testsuite: Expand SMTP_ADDRESS_LITERAL() macro
98b44bc3d lib-sieve: storage: file: sieve-file-storage-save - Fix error message to include the intended path value rather than NULL.
9e57f0990 Adjust to changes in Dovecot SMTP submit API.
671cbb670 plugins: imap-filter-sieve: Fix accessing uninitialized variable
bf3612279 plugins: imap-filter-sieve: Send FILTERED reply only if the filter did changes
501be547e plugins: imap-filter-sieve: Cleanup - write FILTERED reply to string first
8984e2e62 plugins: imap-filter-sieve: Handle each mail in a separate data stack frame
4c5aa3f71 plugins: imap-filter-sieve: Don't delete mails if script gets aborted
c4a7978a1 lib-sieve: Add sieve_exec_status.significant_action_executed
f37b86f38 lib-sieve: Fix minor logic bug in handling duplicate keep actions
3fa5f5648 lib-sieve: sieve_message_parts_add_missing() - Fix NULL checks to make scan-build happy
263891714 doveadm-sieve: Fix script synchronization
b0bf8e051 doc: example-config: Remove recipient_delimiter
dc2c258e1 doc: draft-bosch-imap-filter-sieve-00.txt - update FILTERED replies and editheader+keep
525b8af2c lib-sieve: vacation extension: Make construction of default message subject configurable.
5bb364a11 lib-sieve: vacation extension: Move construction of default subject to separate function.
5f115852e NEWS: Add news for v0.5.6
ea20d2d98 global: hash_table_destroy(NULL) is a no-op
3733c159a lib-sieve: Prevent execution of implicit keep upon temporary failure occurring at runtime.
76a440972 lib-sieve: redirect action: Assert that dupeid is not NULL when act_redirect_get_duplicate_id() is successful.
2c5a4cb58 lib-sieve: redirect action: Fix lack of NULL checking in new X-Sieve-Redirected-From header comparisons.
049de1fc3 lib-sieve: redirect action: Implement additional protection against mail loops.
663ac718f lib-sieve: redirect action: Put msgdata->mail in local variable in act_redirect_get_duplicate_id().
c3c9a5216 lib-sieve: redirect action: Move composition of duplicate database ID to separate function.
2c52769b0 lib-sieve: redirect action: Give log messages emitted during execution a uniform prefix.
dd626dfee lib-sieve: redirect action: Report errors on original message in act_redirect_commit().
887929722 lib-sieve: redirect action: Update coding style of act_redirect_commit().
7d2d1eca6 lib-sieve: redirect action: Update coding style of act_redirect_send().
4ef89d764 lib-sieve: editheader extension: Protect the X-Sieve-Redirected-From header against modification.
73378b279 Update NEWS file for v0.5.5 release.
a9f3e78b2 configure: Stop using DOVECOT_CFLAGS and LDFLAGS
ff7d48ab6 m4: Update dovecot.m4 from upstream
08dc91cdc lib-sieve: Create empty mail_keywords structure for keywords updating when there are no keywords
b58703e22 plugins: imapsieve: Remove useless NULL check for exec_status.
1fa885a3d plugins: imap-filter-sieve: Remove useless NULL check for exec_status.
7c3063b22 plugins: sieve-extprograms: Use sieve_ prefix consistently for sieve elements visible as exported symbols.
7d3d47036 lib-sieve: Return test suite result in test-edit-mail
ee04451f4 plugins: imapsieve: Fix assert panic occurring when a COPY event is triggered on a virtual mailbox.
67f58962c test suite: enotify extension: Add tests for interaction between ":encodeurl" and variable size limits.
978169ee2 test suite: variables extension: Add tests for variable size limits.
07bbe1425 lib-sieve: enotify extension: Improve handling of variable size limit for ":encodeurl" variable modifier.
fd2bd138a lib-sieve: variables extension: Improve handling of variable size limit for ":quotewildcard" modifier.
d164dbcd0 lib-sieve: variables extension: Add pointer to variables extension to modifier instance.
73ce79534 lib-sieve: variables extension: Pass modifier to modifier's modify method.
98c0e22d6 lib-sieve: variables extension: Add sieve_variables_get_max_variable_size() to public API.
5599ef3ab lib-sieve: variables extension: Respect UTF-8 character sequence boundaries when truncating variables.
c622a3968 lib-sieve: enotify extension: Make modify method of ":encodeurl" variable modifier static.
c95bbade0 lib-sieve: variables extension: Make modify methods of pre-defined modifiers static.
dab0f6d28 plugins: imapsieve: Expunge discarded messages when imapsieve_expunge_discarded=yes.
26621c510 plugins: imap-filter-sieve: Properly discard the originally stored message when a modified version is stored by Sieve.
45d321cef plugins: imapsieve: Properly discard the originally stored message when a modified version is stored by Sieve.
5b93331c4 Update NEWS file for v0.5.4 release.
REVERT: 60b0f48dc Release v0.5.4 for Dovecot v2.3.4.
REVERT: 3ae309c08 Update NEWS file for v0.5.4 release.

git-subtree-dir: pigeonhole
git-subtree-split: 239ac2b47ac744979161be5bde285e147dc2e0ff

Upstream version 2.3.7.2

# gpg: Signature made Πεμ 29 Αυγ 2019 09:45:57 πμ EEST
# gpg:                using RSA key 3E02FD6656295952110BAB99F51B18C720248224
# gpg:                issuer "apoikos@debian.org"
# gpg: Good signature from "Apollon Oikonomopoulos <apoikos@dmesg.gr>" [ultimate]
# gpg:                 aka "Apollon Oikonomopoulos <apoikos@gmail.com>" [ultimate]
# gpg:                 aka "Apollon Oikonomopoulos <apoikos@debian.org>" [ultimate]

 - submission-login: fix null pointer dereference when client
   disconnects during authentication (CVE-2019-11494)
 - submission-login: fix assert-crash when receiving an invalid
   authentication message over TLS (CVE-2019-11499)

Git-Dch: Full

From the original CVE report:

 JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering
 invalid UTF-8 characters. This can be used to crash dovecot in two ways.
 Attacker can repeatedly crash Dovecot authentication process by logging
 in using invalid UTF-8 sequence in username. This requires that auth
 policy is enabled.
 Crash can also occur if OX push notification driver is enabled and an
 email is delivered with invalid UTF-8 sequence in From or Subject header.
 In 2.2, malformed UTF-8 sequences are forwarded "as-is", and thus do not
 cause problems in Dovecot itself. Target systems should be checked for
 possible problems in dealing with such sequences.
 See https://wiki.dovecot.org/Authentication/Policy for details on auth
 policy support.

 Risk:
 Determined attacker can prevent authentication process from staying up
 by keeping on attempting to log in with username containing invalid
 UTF-8 sequence.

 Steps to reproduce:
 ??- Configure dovecot with auth_policy_server_url and
 auth_policy_hash_nonce set.
 ??- Attempt to log in with username containing an invalid UTF-8 sequence
 ??- Observe assert-crash in dovecot logs.

Fix two buffer overflows when reading oversized FTS headers and/or
oversized POP3-UIDL headers (CVE-2019-7524).

Git-Dch: Full

Laurent Bigonville authored Mar 14, 2019 and Apollon Oikonomopoulos committed Mar 14, 2019

Fix double closing of the connection in the mysql driver, this should
fix the crash in the dovecot auth process, taken from upstream.

Git-Dch: Full
Closes: #918339

Upstream version 2.3.4.1

# gpg: Signature made Τρι 05 Φεβ 2019 04:18:19 μμ EET
# gpg:                using RSA key 3E02FD6656295952110BAB99F51B18C720248224
# gpg:                issuer "apoikos@debian.org"
# gpg: Good signature from "Apollon Oikonomopoulos <apoikos@dmesg.gr>" [ultimate]
# gpg:                 aka "Apollon Oikonomopoulos <apoikos@gmail.com>" [ultimate]
# gpg:                 aka "Apollon Oikonomopoulos <apoikos@debian.org>" [ultimate]

Cherry-pick upstream commit de42b54, fixing the event-stats test on
32-bit platforms.

Git-Dch: Full

60b0f48dc Release v0.5.4 for Dovecot v2.3.4.
3ae309c08 Update NEWS file for v0.5.4 release.
762e55edc plugins: imap-filter-sieve: Add assertion on attempting to execute at least one script.
740cbc78d plugins: imap-filter-sieve: Fix segfault occurring in recently added debug message.
436c45ac7 plugins: imap-filter-sieve: Fix assertion panic occurring after script compile error.
803055b11 plugins: imap-filter-sieve: Ignore secondary scripts that failed to compile.
8efeb6a1a lib-sieve: Adjust to changes in Dovecot regarding the postmaster_address setting.
14aa08459 Don't try to send stats from Sieve command line tools (which includes testsuite).
628cf966e global: Don't try to send stats from unit tests.
198cfa793 managesieve: Don't enable stats when dumping capability
df99d64ed Adjust to changes in Dovecot message_address_parse() API.
875049742 managesieve: Free sieve instance when performing dump-capability
7ef8af978 doveadm sieve plugin: Fix memory leak for "sieve get" command
5472e286d ldap - fix stupid typo
fd43ce96d global: replace verbose strncmp()s with simpler str_begin()s
d9966fa87 lib-sieve: util: Add tests for rfc2822_header_write().
3564cc307 lib-sieve: util: rfc2822: Prevent writing header lines with trailing whitespace in rfc2822_header_append().
ed170e17d lib-sieve: util: rfc2822: Fix assert panic occurring in rfc2822_header_append().
8647d31f1 global: Replace str_append_n() with str_append_data().
e07b3957a plugins: imap-filter-sieve: Fix FILTER SIEVE SCRIPT command parsing.
REVERT: f018bbab Release v0.5.3 for Dovecot v2.3.3.
REVERT: b29d6a24 managesieve: Free sieve instance when performing dump-capability
REVERT: 7c166b0e doveadm sieve plugin: Fix memory leak for "sieve get" command
REVERT: 716b1b49 Release v0.5.3.rc1 for Dovecot v2.3.3.rc1.
REVERT: dbf75439 ldap - fix stupid typo
REVERT: d3ea6203 global: replace verbose strncmp()s with simpler str_begin()s
REVERT: 1a21c640 lib-sieve: util: Add tests for rfc2822_header_write().
REVERT: b2f04060 lib-sieve: util: rfc2822: Prevent writing header lines with trailing whitespace in rfc2822_header_append().
REVERT: 708989e7 lib-sieve: util: rfc2822: Fix assert panic occurring in rfc2822_header_append().
REVERT: 13896b2b global: Replace str_append_n() with str_append_data().
REVERT: a10af5b2 plugins: imap-filter-sieve: Fix FILTER SIEVE SCRIPT command parsing.

git-subtree-dir: pigeonhole
git-subtree-split: e947d381f714c8b9b9bae6311a36cae3a7e79742

Upstream version 2.3.4

# gpg: Signature made Παρ 23 Νοε 2018 09:58:10 μμ EET
# gpg:                using RSA key 3E02FD6656295952110BAB99F51B18C720248224
# gpg:                issuer "apoikos@debian.org"
# gpg: Good signature from "Apollon Oikonomopoulos <apoikos@dmesg.gr>" [ultimate]
# gpg:                 aka "Apollon Oikonomopoulos <apoikos@gmail.com>" [ultimate]
# gpg:                 aka "Apollon Oikonomopoulos <apoikos@debian.org>" [ultimate]

f018bbab Release v0.5.3 for Dovecot v2.3.3.
b29d6a24 managesieve: Free sieve instance when performing dump-capability
7c166b0e doveadm sieve plugin: Fix memory leak for "sieve get" command
716b1b49 Release v0.5.3.rc1 for Dovecot v2.3.3.rc1.
dbf75439 ldap - fix stupid typo
d3ea6203 global: replace verbose strncmp()s with simpler str_begin()s
1a21c640 lib-sieve: util: Add tests for rfc2822_header_write().
b2f04060 lib-sieve: util: rfc2822: Prevent writing header lines with trailing whitespace in rfc2822_header_append().
708989e7 lib-sieve: util: rfc2822: Fix assert panic occurring in rfc2822_header_append().
13896b2b global: Replace str_append_n() with str_append_data().
a10af5b2 plugins: imap-filter-sieve: Fix FILTER SIEVE SCRIPT command parsing.
190fe396 Add v0.5.2 to NEWS.
e9779f25 lib-sieve: script storage: Fix leaking mailbox if opening INBOX fails
e9ac5535 doc: Add documentation and specification for the IMAP FILTER=SIEVE plugin to distribution.
e5a584c6 plugins: imap_filter_sieve: Put more effort in reconstructing a valid rcpt address for the envelope.
0601c10f plugins: imap_filter_sieve: Implement the UID FILTER command.
237dbf93 doc: imap_filter_sieve plugin specification: Updated Dovecot Oy office address.
0eab68c7 imap-filter-sieve: Fix FILTER to work correctly with pipelining
REVERT: 7704de5eb Released v0.5.2 for Dovecot v2.3.2.
REVERT: ae50bb51f Released v0.5.2.rc1 for Dovecot v2.3.2.
REVERT: a1f967d87 ldap - fix stupid typo
REVERT: 479c5e570 global: replace verbose strncmp()s with simpler str_begin()s
REVERT: d868a14e1 plugins: imap_filter_sieve: Put more effort in reconstructing a valid rcpt address for the envelope.
REVERT: 2a4b4a6b7 plugins: imap_filter_sieve: Implement the UID FILTER command.
REVERT: d102be6ee doc: imap_filter_sieve plugin specification: Updated Dovecot Oy office address.
REVERT: b50dd29b4 imap-filter-sieve: Fix FILTER to work correctly with pipelining

git-subtree-dir: pigeonhole
git-subtree-split: fbd86b9850e5ecd2b40dd3af03222cc4a69e4e61

Upstream version 2.3.3

# gpg: Signature made Πεμ 04 Οκτ 2018 05:23:37 μμ EEST
# gpg:                using RSA key 3E02FD6656295952110BAB99F51B18C720248224
# gpg:                issuer "apoikos@debian.org"
# gpg: Good signature from "Apollon Oikonomopoulos <apoikos@dmesg.gr>" [ultimate]
# gpg:                 aka "Apollon Oikonomopoulos <apoikos@gmail.com>" [ultimate]
# gpg:                 aka "Apollon Oikonomopoulos <apoikos@debian.org>" [ultimate]

Fixes lintian: file-contains-trailing-whitespace
See https://lintian.debian.org/tags/file-contains-trailing-whitespace.html for more details.

Merged upstream

Upstream version 2.3.2.1

# gpg: Signature made Τρι 10 Ιουλ 2018 05:50:40 μμ EEST
# gpg:                using RSA key 3E02FD6656295952110BAB99F51B18C720248224
# gpg:                issuer "apoikos@debian.org"
# gpg: Good signature from "Apollon Oikonomopoulos <apoikos@dmesg.gr>" [ultimate]
# gpg:                 aka "Apollon Oikonomopoulos <apoikos@gmail.com>" [ultimate]
# gpg:                 aka "Apollon Oikonomopoulos <apoikos@debian.org>" [ultimate]