On Tue, Sep 23, 2025 at 10:53:08PM +0200, Salvatore Bonaccorso wrote: > > > > I've published a trixie build based on the just uploaded > > > > 1:2.4.1+dfsg1-7. You can install it from my people.debian.org > > > > repository. See https://people.debian.org/~noahm/repo/ for details, and > > > > use the following sources file: > > > > > > > > Types: deb deb-src > > > > URIs: https://people.debian.org/~noahm/repo > > > > Suites: trixie-backports > > > > Components: main > > > > Signed-By: /etc/apt/noahm.gpg > > > > > > > > Let me know if this resolves the issue. Similar packages will likely > > > > ship in a forthcoming trixie point release. > > > > > > Shouldn't these be shipped through stable-security? > > > > > > > Possibly. Let's see what the security team thinks. Multiple people > > have encountered this issue since the trixie release, and the impact is > > a significant breach of privacy. It doesn't impact the default > > configuration, but it only takes uncommenting and adjusting one line to > > trigger it. > > > > Since we just released 13.1, there won't be another trixie point release > > for a few months, which argues in favor of a DSA IMO. > > As the next point release is on 15 November only and given the impact, > yes tend to agree to release a DSA for this issue. Can you prepare the > trixie-security debdiff?
See attached. The diffstat is changelog | 8 ++ patches/auth__Use_AUTH_CACHE_KEY_USER_instead_of_per-database.patch | 124 ++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 133 insertions(+) Note that there's no CVE referenced in the changelog, as we don't seem to have one for this issue yet. noah
dovecot_2.4.1+dfsg1-6+deb13u1.debdiff.gz
Description: application/gzip
