Version in base suite: 2.4.1+dfsg1-6
Version in overlay suite: 2.4.1+dfsg1-6+deb13u1
Base version: dovecot_2.4.1+dfsg1-6+deb13u1
Target version: dovecot_2.4.1+dfsg1-6+deb13u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/d/dovecot/dovecot_2.4.1+dfsg1-6+deb13u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/d/dovecot/dovecot_2.4.1+dfsg1-6+deb13u2.dsc
changelog | 14 +++++
conf/conf.d/10-auth.conf | 2
conf/conf.d/10-mail.conf | 8 +--
conf/conf.d/10-master.conf | 2
conf/conf.d/20-lmtp.conf | 6 +-
conf/conf.d/90-quota.conf | 2
conf/conf.d/auth-passwdfile.conf.ext | 2
conf/conf.d/auth-system.conf.ext | 2
patches/auth__Terminate_properly_auth_oauth2_post_setting_defines.patch | 25 +++++++++
patches/lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch | 26 ++++++++++
patches/series | 2
11 files changed, 77 insertions(+), 14 deletions(-)
diff -Nru dovecot-2.4.1+dfsg1/debian/changelog dovecot-2.4.1+dfsg1/debian/changelog
--- dovecot-2.4.1+dfsg1/debian/changelog 2025-09-24 13:14:50.000000000 +0000
+++ dovecot-2.4.1+dfsg1/debian/changelog 2025-10-23 14:01:33.000000000 +0000
@@ -1,8 +1,20 @@
+dovecot (1:2.4.1+dfsg1-6+deb13u2) trixie; urgency=medium
+
+ * [6ac2883] Clean up a few typos in default/example config (Closes: #1112667)
+ * [7feb544] Ensure default lmtpd auth_username_format matches the global value
+ (Closes: #1111469)
+ * [216ec20] import upstream patch for improperly terminated auth_oauth2_post_setting_defines
+ (Closes: #1116328)
+ * [46eab61] lib-sieve/sieve-script.c: sieve_script_create_common: Correctly handle errors.
+ (Closes: #1116070)
+
+ -- Noah Meyerhans Thu, 23 Oct 2025 10:01:33 -0400
+
 dovecot (1:2.4.1+dfsg1-6+deb13u1) trixie-security; urgency=high
 
 * Import upstream fix for an issue with authentication cache management
 that could result in users being logged in as the wrong user in certain
- configurations. (Closes: #1115964)
+ configurations. (CVE-2025-30189) (Closes: #1115964)
 
 -- Noah Meyerhans Wed, 24 Sep 2025 09:14:50 -0400
diff -Nru dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-auth.conf dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-auth.conf
--- dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-auth.conf 2025-09-24 13:12:23.000000000 +0000
+++ dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-auth.conf 2025-10-23 14:01:33.000000000 +0000
@@ -1,5 +1,3 @@
-#log_debug=category=auth
-#auth_debug_passwords = yes
 ##
 ## Authentication processes
 ##
diff -Nru dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-mail.conf dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-mail.conf
--- dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-mail.conf 2025-09-24 13:12:23.000000000 +0000
+++ dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-mail.conf 2025-10-23 14:01:33.000000000 +0000
@@ -32,9 +32,9 @@
 # Note that upstream considers mbox deprecated and strongly recommends
 # against its use in production environments. See further information
 # at
-# https://doc.dovecot.org/2.4.0/core/config/mailbox/formats/mbox.html
+# https://doc.dovecot.org/2.4.1/core/config/mailbox/formats/mbox.html
 mail_driver = mbox
-mail_home = /home/%{user|username}
+mail_home = /home/%{user | username}
 mail_path = %{home}/mail
 mail_inbox_path = /var/mail/%{user}
@@ -120,7 +120,7 @@
 #mail_uid =
 #mail_gid =
 
-# Group to enable temporarily for privileged operations. Currently this is
+# Group to enable temporarily for privileged operations. Currently this is
 # used only with INBOX when either its initial creation or dotlocking fails.
 # Typically this is set to "mail" to give access to /var/mail.
 mail_privileged_group = mail
@@ -211,7 +211,7 @@
 # settings. If this setting is empty, "/./" in home dirs are ignored.
 # WARNING: Never add directories here which local users can modify, that
 # may lead to root exploit. Usually this should be done only if you don't
-# allow shell access for users.
+# allow shell access for users.
 #valid_chroot_dirs =
 
 # Default chroot directory for mail processes. This can be overridden for
diff -Nru dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-master.conf dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-master.conf
--- dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-master.conf 2025-09-24 13:12:23.000000000 +0000
+++ dovecot-2.4.1+dfsg1/debian/conf/conf.d/10-master.conf 2025-10-23 14:01:33.000000000 +0000
@@ -25,7 +25,7 @@
 # Number of connections to handle before starting a new process. Typically
 # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
- # is faster.
+ # is faster.
 #service_restart_request_count = 1
 
 # Number of processes to always keep waiting for more connections.
diff -Nru dovecot-2.4.1+dfsg1/debian/conf/conf.d/20-lmtp.conf dovecot-2.4.1+dfsg1/debian/conf/conf.d/20-lmtp.conf
--- dovecot-2.4.1+dfsg1/debian/conf/conf.d/20-lmtp.conf 2025-09-24 13:12:23.000000000 +0000
+++ dovecot-2.4.1+dfsg1/debian/conf/conf.d/20-lmtp.conf 2025-10-23 14:01:33.000000000 +0000
@@ -45,7 +45,7 @@
 # userdb in Debian is /etc/passwd, which doesn't include domain
 # names in the user. If you're using a different userdb backend
 # that does include domain names, you may wish to remove this. See
- # https://doc.dovecot.org/2.4.0/howto/lmtp/exim.html and
- # https://doc.dovecot.org/2.4.0/core/summaries/settings.html#auth_username_format
- auth_username_format = %{user | username}
+ # https://doc.dovecot.org/2.4.1/howto/lmtp/exim.html and
+ # https://doc.dovecot.org/2.4.1/core/summaries/settings.html#auth_username_format
+ auth_username_format = %{user | username | lower}
 }
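Review bot: The new `auth_username_format = %{user | username | lower}` on the last changed line now case-folds the LMTP recipient before the userdb lookup, but the comment above it only explains the `username` filter (dropping the domain) and says nothing about `lower`; with a case-sensitive userdb such as the passwd backend the comment itself names, mail addressed to `Alice` would be looked up as `alice`, so the reader should be told this is intended. The changelog describes the change as matching the global value, and I cannot see that global setting from here, so the exact default is inferred. I would extend the comment with `# The "lower" filter case-folds the user part to match the global auth_username_format; remove it if your userdb is case-sensitive and you rely on mixed-case account names.` The block that the closing `}` ends starts outside the hunk.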
@@ -34,7 +34,7 @@
 # You can execute a given command when user exceeds a specified quota limit.
 # Each quota root has separate limits. Only the command for the first
-# exceeded limit is excecuted, so put the highest limit first.
+# exceeded limit is executed, so put the highest limit first.
 # The commands are executed via script service by connecting to the named
 # UNIX socket (quota-warning below).
 # Note that % needs to be escaped as %%, otherwise "% " expands to empty.
diff -Nru dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-passwdfile.conf.ext dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-passwdfile.conf.ext
--- dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-passwdfile.conf.ext 2025-09-24 13:12:23.000000000 +0000
+++ dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-passwdfile.conf.ext 2025-10-23 14:01:33.000000000 +0000
@@ -10,7 +10,7 @@
 #}
 
 #userdb passwd-file {
-# auth_username_format=%{user}
+# auth_username_format = %{user}
 # passwd_file_path = /etc/dovecot/users
 
 # fields {
diff -Nru dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-system.conf.ext dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-system.conf.ext
--- dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-system.conf.ext 2025-09-24 13:12:23.000000000 +0000
+++ dovecot-2.4.1+dfsg1/debian/conf/conf.d/auth-system.conf.ext 2025-10-23 14:01:33.000000000 +0000
@@ -24,7 +24,7 @@
 userdb passwd {
 }
 
-# System users (NSS, /etc/passwd, or similiar).
+# System users (NSS, /etc/passwd, or similar).
 # In many systems nowadays this uses Name Service Switch, which is
 # configured in /etc/nsswitch.conf.
 #passdb passwb {
diff -Nru dovecot-2.4.1+dfsg1/debian/patches/auth__Terminate_properly_auth_oauth2_post_setting_defines.patch dovecot-2.4.1+dfsg1/debian/patches/auth__Terminate_properly_auth_oauth2_post_setting_defines.patch
--- dovecot-2.4.1+dfsg1/debian/patches/auth__Terminate_properly_auth_oauth2_post_setting_defines.patch 1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.4.1+dfsg1/debian/patches/auth__Terminate_properly_auth_oauth2_post_setting_defines.patch 2025-10-23 14:01:33.000000000 +0000
@@ -0,0 +1,25 @@
+From e546239af593dfd0722bea9ff169b60006e219f9 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen
+Date: Thu, 15 May 2025 13:06:56 +0300
+Subject: [PATCH] auth: Terminate properly auth_oauth2_post_setting_defines
+ list
+
+Fixes:
+Error: xoauth2: oauth2 failed: Local validation failed: auth_oauth2_fields settings: Failed to parse configuration: settings struct auth_oauth2_fields #1 key mismatch
+---
+ src/auth/db-oauth2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/auth/db-oauth2.c b/src/auth/db-oauth2.c
+index bd807e30b55..230c6cf7678 100644
+--- a/src/auth/db-oauth2.c
++++ b/src/auth/db-oauth2.c
+@@ -134,6 +134,8 @@ const struct setting_parser_info auth_oauth2_setting_parser_info = {
+ static const struct setting_define auth_oauth2_post_setting_defines[] = {
+ { .type = SET_STRLIST, .key = "oauth2_fields",
+ .offset = offsetof(struct auth_oauth2_post_settings, fields) },
++
++ SETTING_DEFINE_LIST_END
+ };
+ 
+ static const struct auth_oauth2_post_settings auth_oauth2_post_default_settings = {
diff -Nru dovecot-2.4.1+dfsg1/debian/patches/lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch dovecot-2.4.1+dfsg1/debian/patches/lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch
--- dovecot-2.4.1+dfsg1/debian/patches/lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch 1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.4.1+dfsg1/debian/patches/lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch 2025-10-23 14:01:33.000000000 +0000
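Review bot: The new patch file carries only the upstream git headers and no DEP-3 fields, so nothing in it records which Debian bug it closes or that it is an unmodified upstream commit; I would add `Origin: upstream, commit e546239af593dfd0722bea9ff169b60006e219f9` and `Bug-Debian: https://bugs.debian.org/1116328` above the `---` separator, taking the bug number from the changelog entry for this patch. The `Fixes:` line in the header describes only the observed symptom: without the `SETTING_DEFINE_LIST_END` terminator the settings parser presumably walked past the end of the static `auth_oauth2_post_setting_defines[]` array into whatever the linker placed after it, so this is an out-of-bounds read on the OAuth2 authentication path, and saying so in the header helps anyone later triaging why a configuration-parse error was treated as a stable update. The two existing entries of the array are left unchanged by the patch.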
@@ -0,0 +1,26 @@
+From 2b9a4e85bc4547fcff84398b2bda00d0ced09fae Mon Sep 17 00:00:00 2001
+From: Alexander Gerasiov
+Date: Tue, 23 Sep 2025 13:50:43 +0300
+Subject: [PATCH] lib-sieve/sieve-script.c: sieve_script_create_common:
+ Correctly handle errors.
+
+Fixes null pointer deref (e.g. in case of absent file).
+---
+ src/lib-sieve/sieve-script.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: dovecot/pigeonhole/src/lib-sieve/sieve-script.c
+===================================================================
+--- dovecot.orig/pigeonhole/src/lib-sieve/sieve-script.c
++++ dovecot/pigeonhole/src/lib-sieve/sieve-script.c
+@@ -166,8 +166,8 @@ sieve_script_create_common(struct sieve_
+ sieve_storage_unref(&storage);
+ if (ret > 0 && open &&
+ sieve_script_open(script, error_code_r) < 0) {
+- *error_r = sieve_storage_get_last_error(
+- storage, error_code_r);
++ *error_r = sieve_script_get_last_error(
++ script, error_code_r);
+ sieve_script_unref(&script);
+ if (*error_code_r == SIEVE_ERROR_NOT_FOUND)
+ continue;
diff -Nru dovecot-2.4.1+dfsg1/debian/patches/series dovecot-2.4.1+dfsg1/debian/patches/series
--- dovecot-2.4.1+dfsg1/debian/patches/series 2025-09-24 13:14:50.000000000 +0000
+++ dovecot-2.4.1+dfsg1/debian/patches/series 2025-10-23 14:01:33.000000000 +0000
@@ -27,3 +27,5 @@
 fix-man-errors.patch
 bug1106784_Fix-LDAP-SASL-auth-support.patch
 auth__Use_AUTH_CACHE_KEY_USER_instead_of_per-database.patch
+auth__Terminate_properly_auth_oauth2_post_setting_defines.patch
+lib-sieve_sieve-script_c_sieve_script_create_common_Correctly_handle_errors.patch
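Review bot: The replacement lines fetch the error string from `script`, but the very next context line `sieve_script_unref(&script);` drops what appears to be the only reference this function holds, so if `sieve_script_get_last_error()` returns a pointer owned by the script or its storage, `*error_r` is dangling by the time the caller reads it; the old code had the same shape with `storage`, which had already been unref'd on the line above, and that is the NULL dereference the patch fixes. I cannot see the ownership of the returned string from here, so this needs confirming against `sieve_script_get_last_error`; if it is object-owned, either copy it before the unref, e.g. `*error_r = t_strdup(sieve_script_get_last_error(script, error_code_r));`, or move the unref after the last use of `*error_r`. An error string that points into freed memory would surface in log output or a client-visible reply, so it is worth a comment even if the lifetime turns out to be safe. `sieve_script_create_common` starts and ends outside the hunk.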