dovecot24-2.4.3-160000.1.1

- Upstream republished the source tarballs for 2.4.3 due to missing
  man pages in the tarball
- Added signature files for source tarballs

- Update to 2.4.3 (boo#1260893 boo#1260894 boo#1260895 boo#1260896
  boo#1260897 boo#1260898 boo#1260899 boo#1260900 boo#1260901
  boo#1260902)
  There are experimental features in 2.4, one is enabled with
  - -enable-experimental-mail-utf8, and another with
  - -enable-experimental-imap4rev2, and you also need to set
  mail_utf8_extensions=yes and imap4rev2_enabled=yes to enable them
  in config.
  Critical bug fixes
  - CVE-2025-59028: Invalid base64 authentication can cause DoS for
    other logins.
  - CVE-2025-59031: decode2text.sh OOXML extraction may follow
    symlinks and read unintended files during indexing. Fixed by
    dropping the script.
  - CVE-2026-24031: SQL injection possible if auth_username_chars
    is configured empty. Fixed escaping to always happen. v2.4
    regression.
  - CVE-2026-27859: Excessive RFC 2231 MIME parameters in email
    would cause excessive CPU usage. Fixed by limiting number of
    parameters to process.
  - CVE-2026-27860: LDAP query injection possible if
    auth_username_chars is configured empty. Fixed escaping to
    always happen. v2.4 regression.
  - CVE-2026-27857: Sending excessive parenthesis causes imap-login
    to use excessive memory.
  - CVE-2026-27856: Doveadm credentials were not checked using
    timing-safe checking function.
  - CVE-2026-27855: OTP driver vulnerable to replay attack.
  Changes
  - Remove default
    service/*/service_extra_groups=$SET:default_internal_group.
    They are now replaced by default
    mail_access_groups=$SET:default_internal_group.
  - The version file has been renamed as version.txt to avoid clash
    with C++ headers.
  - auth: oauth2 - Do not export token automatically, must be
    exported using fields.
  - config: Don't accept 0 as meaning unlimited anymore for
    last_valid_uid, last_valid_gid, mail_cache_max_headers_count,
    mail_cache_max_header_name_length, mail_vsize_bg_after_count,
    mail_sort_max_read_count, message_max_size,
    submission_max_recipients and quota_mail_size.
  - imap, pop3: Don't autoexpunge if Dovecot is shutting down or
    process is killed.
  - imap: LIST - Handle invalid mUTF-7 mailbox names as never
    matching anything
  - lazy-expunge: Change lazy_expunge_only_last_instance default to
    yes.
  - lda: Use EX_TEMPFAIL (75) if configuration is invalid instead
    of 89. v2.4 regression.
  - lib-master: Increase ANVIL_DEFAULT_LOOKUP_TIMEOUT_MSECS from 5s
    to 30s
  - lib: crc32 - Use zlib's built-in CRC32 function
  New features
  - Improve UTF-8 support for mail storage.
  - auth: Add default auth-token UNIX socket for token-based
    authentication.
  - doc: solr-config-9.xml - Make it compatible with Solr 9.8.0
  - doveadm: dsync - Search mails when exporting to reduce number
    of mails exported by dsync-server.
  - dovecot-sysreport: Add -D|--destdir support.
  - imap, imap-hibernate: Use DOVECOT-TOKEN authentication for
    unhibernation.
  - Default imap-master socket permissioms have been changed due to
    this.
  - imap: Add APPENDLIMIT capability when configured with
    quota_mail_size.
  - imap: Support STATUS (DELETED) for IMAP4rev2.
  - imapc: Add support for SEARCH MIMEPART
  - imapc: Improve error forwarding.
  - imapc: Support SORT and ESORT extensions.
  - imapc: Support STATUS (DELETED) for IMAP4rev2.
  - lib-sql: Support parameterized queries.
  - lib-test: Add new test-dir API for better temporary test
    directory handling.
  - lmtp: Advertize SIZE capability when configured with
    quota_mail_size.
  - lmtp: Support XCLIENT DESTADDR and DESTPORT
  - pop3-login: proxy - Add support for XCLIENT DESTIP and DESTPORT
  - submission-login: proxy - Add support for XCLIENT DESTIP and
    DESTPORT
  - Various optimizations have been made to the code.
  Bug fixes
  - Fix building dovecot with BSD, Solaris and macOS.
  - auth: Crash would occur if users were iterated but
    userdb_ldap_iterate_fields was not set.
  - auth: Fix request leak when client authenticates with
    unsupported mechanism.
  - auth: Some passdbs would default to PLAIN instead of CRYPT
    scheme.
  - config: Section and setting names could have been intermixed,
    resulting in the setting being silently ignored.
  - configure: Fix checking if BUILD_IMAP_HIBERNATE is set
  - doveadm: dsync - -e parameter was handled wrong with
    dsync-server.
  - fts-flatcurve: Mailbox leak would occur if mailbox failed to
    open.
  - imap: Fix potential issues with unhibernation and process state
    handling.
  - imapc: SEARCH failure handling was done wrong.
  - imapc: UID STORE commands included extra comma in uidset.
  - lib-auth-client: auth-master - Fix panic when reconnecting
    after handshake timeout.
  - lib-compression: Lz4 algorithm would assert-crash with
    malicious data.
  - lib-dcrypt: Fix digest algorithm handling.
  - lib-dict: Escape username paths to prevent traversal issues
    with dict-fs.
  - lib-http: Fix HTTP parsing edge cases and state handling.
  - lib-iostream: Disallow empty ssl_min_protocol.
  - lib-json: Fix incorrect character handling logic.
  - lib-ldap: Fix various TLS related bugs.
  - lib-mail: Fix charset translation and MIME parsing edge cases.
  - lib-mail: Fix multiple bounds checks and parsing issues in
    message handling.
  - lib-var-expand: Multiple fixes and improvements for expansion
    handling.
  - lib: Fix punycode decoding out-of-bounds reads.
  - lib: Fix unicode normalization edge cases causing crashes.
  - lib-http: Chunked transfer trailer size was not limited.
  - login-common: Improve logging and internal error handling.
  - login-common: login_log_format_elements was split by spaces
    naively, which could break variable expansion. Use template
    aware splitting now.
  - master: Dovecot would fail to start if listen directive was
    used and dovenull or dovecot user was missing.
  - pop3c: Connection might've hung with SSL.
  - util: Fix handling of environment variables containing control
    characters.
  - Many other bugs have been fixed.
- Update pigeonhole to 2.4.3
  Critical bug fixes
  - CVE-2026-27858: managesieve-login can allocate large amount of
    memory during authentication.
  - CVE-2025-59032: ManageSieve panic occurs with sieve-connect as a client.
  Changes
  - lib-sieve: Don't accept 0 as meaning unlimited anymore for
    sieve_quota_script_count and sieve_quota_storage_size.
  - managesieve-login: If mail_max_userip_connections is reached,
    return LIMIT/CONNECTIONS resp-code.
  - managesieve-login: proxy - Return unexpected backend failures
    as TRYLATER/NORETRY resp-code.
  - managesieve: Remove default
    service_extra_groups=$SET:default_internal_group.
  New features
  - managesieve-login: proxy - Add support for XCLIENT DESTIP and
    DESTPORT.
  Bug fixes
  - imapsieve: Fix panic occurring upon implicit flag changes.
  - lib-sieve: include-extension - Fix crash occurring when
    previous global command has no arguments.
  - lib-sieve: Fix erroneous attempt to read active script for
    non-personal storage.
  - lib-sieve: ldap: Fix linking non-shared LIBDOVECOT.
- drop patches included in update
  0001-auth-Fix-dashes-to-underscores-in-driver-names-in-fi.patch
  0001-lib-regex-Separate-maximum-capture-groups-and-match-.patch
  0002-auth-Fix-crypt-CRYPT-in-passdb_passwd-passdb_ldap-de.patch
  0002-lib-regex-Set-DREGEX_MAX_MATCHES-to-library-default.patch
  0003-auth-Make-the-default-passdb_static-passdb_default_p.patch
  0003-lib-regex-Limit-number-of-capture-groups-correctly.patch
  0004-auth-Set-CRYPT-as-default-passdb_default_password_sc.patch
  dovecot24-32bit-1.patch
  dovecot24-32bit-2.patch

- dovecot will not compile with older gcc's. Force a newer one.

- While we are at it backport some fixes for the authentication
  stack, after recommendation from upstream:
  0001-auth-Fix-dashes-to-underscores-in-driver-names-in-fi.patch
  0002-auth-Fix-crypt-CRYPT-in-passdb_passwd-passdb_ldap-de.patch
  0003-auth-Make-the-default-passdb_static-passdb_default_p.patch
  0004-auth-Set-CRYPT-as-default-passdb_default_password_sc.patch

- backport patches to fix sieve regex support after the switch to
  pcre2
  0001-lib-regex-Separate-maximum-capture-groups-and-match-.patch
  0002-lib-regex-Set-DREGEX_MAX_MATCHES-to-library-default.patch
  0003-lib-regex-Limit-number-of-capture-groups-correctly.patch
- ------------------------------------------------------------------

- Add patches to fix the 32bit build failures:
  dovecot24-32bit-1.patch
  dovecot24-32bit-2.patch

- drop dovecot-fix-gssapi.patch

- Update dovecot to 2.4.2 (boo#1252839 CVE-2025-30189)
  - Critical bug fixes
  - CVE-2025-30189: Passdb oauth2 (not oauth2 mechanism), passdb
    passwd, passdb bsdauth, and userdb passwd drivers would cause
    users to be cached with same cache key when auth cache was
    enabled.
  - Changes
  - auth: Remove proxy_always field.
  - config: Change settings history parsing to use python3.
  - doveadm: Print table formatter - Print empty values as "-".
  - imapc: Propagate remote error codes properly.
  - lda: Default mail_home=$HOME environment if not using userdb
    lookup
  - lib-dcrypt: Salt for new version 2 keys has been increased to
    16 bytes.
  - lib-dregex: Add libpcre2 based regular expression support to
    Dovecot, if the library is missing, disable all regular
    expressions. This adds libpcre2-32 as build dependency.
  - lib-oauth2: jwt - Allow nbf and iat to point 1 second into
    future.
  - lib: Replace libicu with our own unicode library. Removes
    libicu as build dependency.
  - login-common: If proxying fails due to remote having invalid
    SSL cert, don't reconnect.
  - New features
  - auth: Add ssl_client_cert_fp and ssl_client_cert_pubkey_fp
    fields, see
    https://doc.dovecot.org/latest/core/summaries/settings.html#ssl_peer_certificate_fingerprint_hash
    for more information.
  - config: Add support for $SET:filter/path/setting.
  - config: Improve @group includes to work with overwriting
    their settings.
  - doveadm kick: Add support for kicking multiple usernames
  - doveadm mailbox status: Add support for deleted status item.
  - imap, imap-client: Add experimental partial IMAP4rev2
    support.
  - imap: Implement support for UTF8=ACCEPT for APPEND
  - lib-oauth2, oauth2: Add oauth2_token_expire_grace setting.
  - lmtp: lmtp-client - Support command pipelining.
  - login-common: Support local/remote blocks better.
  - master: accept() unix/inet connections before creating child
    process to handle it. This reduces timeouts when child
    processes are slow to spawn themselves.
  - Bug fixes
  - SMTPUTF8 was accepted even when it wasn't enabled.
  - auth, *-login: Direct logging with -L parameter was not
    working.
  - auth: Crash occured when OAUTH token validation failed with
    oauth2_use_worker_with_mech=yes.
  - auth: Invalid field handling crashes were fixed.
  - auth: ldap - Potential crash could happen at deinit.
  - auth: mech-gssapi - Server sending empty initial response
    would cause errors.
  - auth: mech-winbind - GSS-SPNEGO mechanism was erroneously
    marked as
  - not accepting NUL.
  - config: Multiple issues with $SET handling has been fixed.
  - configure: Building without LDAP didn't work.
  - doveadm: If source user didn't exist, a crash would occur.
  - imap, pop3, submission, imap-urlauth: USER environment usage
    was broken when running standalone.
  - imap-hibernate: Statistics would get truncated on
    unhibernation.
  - imap: "SEARCH MIMEPART FILENAME ENDS" command could have
    accessed memory outside allocated buffer, resulting in a
    crash.
  - imapc: Fetching partial headers would cause other cached
    headers to be cached empty, breaking e.g. imap envelope
    responses when caching to disk.
  - imapc: Shared namespace's INBOX mailbox was not always
    uppercased.
  - imapc: imapc_features=guid-forced GUID generation was not
    working correctly.
  - lda: USER environment was not accepted if -d hasn't been
    specified.
  - lib-http: http-url - Significant path percent encoding
    through parse and create was not preserved. This is mainly
    important for Dovecot's Lua bindings for lib-http.
  - lib-settings: Crash would occur when using %variables in
    SET_FILE type settings.
  - lib-storage: Attachment flags were attempted to be added for
    readonly mailboxes with mail_attachment_flags=add-flags.
  - lib-storage: Root directory for unusable shared namespaces
    was unnecessarily attempted to be created.
  - lib: Crash would occur when config was reloaded and logging
    to syslog.
  - login-common: Crash might have occured when login proxy was
    destroyed.
  - sqlite: The sqlite_journal_mode=wal setting didn't actually
    do anything.
  - Many other bugs have been fixed.
- Update pigeonhole to 2.4.2
  - Changes
  - lib-sieve: Use new regular expression library in core.
  - managesieve: Add default
    service_extra_groups=$SET:default_internal_group.
  - New features
  - lib-sieve: Add support for "extlists" extension.
  - lib-sieve: regex - Allow unicode comparator.
  - Bug fixes
  - lib-sieve-tool: sieve-tool - All sieve_script settings were
    overriden.
  - lib-sieve: storage: dict: sieve_script_dict filter was
    missing from settings.
  - sieve-ldap-storage: Fix compile without LDAP.

- Enable build for all arches again. The build failure on 32bit has
  been addressed upstream.

- Allow for %is_opensuse to be unset, following up to
  https://src.suse.de/products/SLFO/pulls/204 (bsc#1248485).

- [SLFO:Main] [SLES16.0] Please lower the libldap2 dependency for dovecot24
  (bsc#1247601)

- Update to actual version (Fri May 30 17:05:02 2025) in main branch to fix bsc#1245075
  [sle16][ppc64le][dovecot] dovecot service failed to start and coredump on ppc64le
  Turn off tests.
  * lib-auth: Fix linking due to duplicate symbols
  * lib-settings: test-settings - Refactor initialization of params3
  * lib-var-expand: Test hierarchical SETTINGS_EVENT_VAR_EXPAND_PARAMS
  * lib-settings: Pad initial var expand context with empty tables and providers when needed
  * Panic: file settings.c: line 1560 (settings_var_expand_init_add): assertion failed: (I_MAX(num_tables, num_provs) == num_ctx)
  * auth: db-oauth2 - Don't mix table and providers_arr
  * lib: test-file-cache - Ignore RLIMIT_AS enforcement failure
  * If the OS does not respect RLIMIT_AS here, lets skip all the rest of the tests.
  * auth: Fix using passdb_fields with passdb_ldap_bind_userdn=yes

- dovecot gssapi authentication fails when starting with empty auth data
  (bsc#1243489)
  dovecot-fix-gssapi.patch applied to fix gssapi

- Dovecot: /etc/dovecot/conf.d/ doesn't exist after installing dovecot
  (bsc#1242774)
  Dovecot misses many configuration files (bsc#1242687)
  Remove list of not delivered files
- dovecot fails to build (bsc#1242418)
  Do not use libunwind on s390x

- Fix bsc#1240399 dovecot24 has incomplete config.
  Ignore the broken config in the sources and deliver a minimal
  configuration for the system users.

- update to 2.4.1
  * auth: Change unix_listener/auth-userdb/group = $SET:default_internal_group
    This change needs dovecot_config_version=2.4.1.
  * auth: lua - Remove support for single string result.
  * imap: Unconditionally advertise SPECIAL-USE capability.
  * lib-dcrypt: Install dcrypt_openssl.so into dovecot modules directory.
  * lib-master: For glibc, default MALLOC_MMAP_THRESHOLD_=131072.
  * lib-storage: Change default mail_cache_fields to:
    hdr.date hdr.subject hdr.from hdr.sender hdr.reply-to hdr.to
    hdr.cc hdr.bcc hdr.in-reply-to hdr.message-id
    date.received size.virtual imap.bodystructure mime.parts hdr.references
    hdr.importance hdr.x-priority hdr.x-open-xchange-share-url
    pop3.uidl pop3.order. This change needs dovecot_config_version=2.4.1.
  * lib-var-expand: Use moduledir instead of pkglibdir for crypt.
  * lmtp: Change the default lmtp_user_concurrency_limit to 10.
    This change needs dovecot_config_version=2.4.1.
  * lmtp: Change the default service_restart_request_count to 1.
    This change needs dovecot_config_version=2.4.1.
  + auth: Allow configuring passdb/userdb sql to use auth-workers.
  + config: Add default group @mailbox_defaults = english.
  + config: Improve "Unknown setting" error with more details and
    suggestions.
  + doveconf: Add -U parameter to ignore unknown settings in config file.
  + fts-flatcurve: Support lock files in VOLATILEDIR.
  + imap-acl: Add support for the IMAP LIST-MYRIGHTS capability (RFC 8440).
  + imap-client: Support ANONYMOUS authentication.
  + imap: Implement support for the REPLACE capability.
  - Many bugs have been fixed.

- Adapt dependency for SLES.

- Remove not used macro

- make apparmor conditional more readable