This update for dovecot23 fixes the following issues:
Update dovecot to version 2.3.15 (jsc#SLE-19970):
Security issues fixed:
- CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
JWT tokens. This may be used to supply attacker-controlled keys to
validate tokens, if the attacker has local access. (bsc#1187418)
A local attacker can log in as any user and access their emails.
- CVE-2021-33515: An on-path attacker could have injected plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client. (bsc#1187419)
An attacker can potentially steal user credentials and mails.
- Disconnection log messages are now more standardized across services.
They now always start with the 'Disconnected' prefix.
- Dovecot now depends on libsystemd for systemd integration.
- Removed support for Lua 5.2. Use version 5.1 or 5.3 instead.
- config: Some settings are now marked as 'hidden'. Changing these
settings is discouraged. They are no longer visible in doveconf
output unless they have been changed or the doveconf -s parameter
is used. See https://doc.dovecot.org/settings/advanced/ for details.
- imap-compress: Compression level is now algorithm specific.
See https://doc.dovecot.org/settings/plugin/compress-plugin/
- indexer-worker: Convert 'Indexed' info logs to an event named
'indexer_worker_indexing_finished'. See
https://doc.dovecot.org/admin_manual/list_of_events/#indexer-worker-indexing-finished
- Add TLSv1.3 support to min_protocols.
- Allow configuring ssl_cipher_suites. (for TLSv1.3+)
- acl: Add acl_ignore_namespace setting, which allows ACLs to be ignored
entirely for the listed namespaces.
- imap: Support official RFC8970 preview/snippet syntax. Old methods of
retrieving preview information via IMAP commands ('SNIPPET and PREVIEW
with explicit algorithm selection') have been deprecated.
- imapc: Support INDEXPVT for imapc storage to enable private
message flags for cluster wide...
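
The STARTTLS issue listed above (CVE-2021-33515) belongs to a bug class in which bytes buffered before the TLS handshake are parsed after it. The following is an added, simplified model of that behaviour and of one common mitigation for the class (discarding the input buffer at STARTTLS); it is not Dovecot code, and the toy protocol, function names and sample bytes are constructed assumptions.

```python
CRLF = b"\r\n"

def serve(pre_tls: bytes, post_tls: bytes, discard_on_starttls: bool):
    """Model one connection of a toy line-based server (hypothetical protocol).

    pre_tls:  everything read from the socket before the TLS handshake
              (unauthenticated, so an on-path party can append to it).
    post_tls: application data decrypted after the handshake.
    Returns a list of (command, arrived_over_tls, executed_in_tls_state).
    """
    buf, tls_state, plain_left = pre_tls, False, len(pre_tls)
    log = []
    while CRLF in buf:
        line, rest = buf.split(CRLF, 1)
        consumed = len(buf) - len(rest)
        from_tls = plain_left == 0          # line starts in decrypted data
        plain_left = max(0, plain_left - consumed)
        buf = rest
        cmd = line.decode("ascii", "replace")
        if cmd.upper() == "STARTTLS" and not tls_state:
            tls_state = True
            if discard_on_starttls:
                # Hardened: pre-handshake leftovers never reach the parser.
                buf, plain_left = b"", 0
            buf += post_tls                 # handshake done, TLS data follows
            continue
        log.append((cmd, from_tls, tls_state))
    return log

def smuggled(log):
    """Commands that arrived in plaintext but ran in the TLS-protected state."""
    return [cmd for cmd, from_tls, in_tls in log if in_tls and not from_tls]

# Constructed sample traffic for the toy protocol.
CLIENT_PLAIN = b"HELLO\r\nSTARTTLS\r\n"   # what the real client sent in clear
INJECTED = b"INJECTED-COMMAND\r\n"        # appended in clear by an on-path party
CLIENT_TLS = b"LOGIN alice\r\n"           # what the client sent inside TLS

if __name__ == "__main__":
    for discard in (False, True):
        log = serve(CLIENT_PLAIN + INJECTED, CLIENT_TLS, discard)
        label = "discard buffer" if discard else "keep buffer"
        print(f"{label:15} executed={[c for c, _, _ in log]} "
              f"smuggled={smuggled(log)}")
```

In the keep-buffer run the injected line is executed in the same state as the client's authenticated commands; in the discard run only the client's own commands are executed.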