diff -pruN 1:2.4.1+dfsg1-5/debian/changelog 1:2.4.1+dfsg1-5ubuntu3/debian/changelog
--- 1:2.4.1+dfsg1-5/debian/changelog	2025-05-28 19:45:52.000000000 +0000
+++ 1:2.4.1+dfsg1-5ubuntu3/debian/changelog	2025-08-28 23:32:21.000000000 +0000
@@ -1,3 +1,23 @@
+dovecot (1:2.4.1+dfsg1-5ubuntu3) questing; urgency=medium
+
+  * d/rules: switch to -O2 (from -O3) on ppc64el to fix FTBFS (LP: #2121250)
+
+ -- Andreas Hasenack <andreas@canonical.com>  Thu, 28 Aug 2025 20:32:21 -0300
+
+dovecot (1:2.4.1+dfsg1-5ubuntu2) questing; urgency=medium
+
+  * Update PBKDF2 salt length to be FIPS 140-3 compliant (LP: #2107773)
+
+ -- Eric Berry <eric.berry@canonical.com>  Mon, 21 Jul 2025 15:14:14 +0100
+
+dovecot (1:2.4.1+dfsg1-5ubuntu1) questing; urgency=medium
+
+  * Merge with Debian unstable. (LP: #2110444)  Remaining changes:
+    - d/rules: set mbranch-protection=bti to avoid ftbfs.
+      (LP #2036268)
+
+ -- Bryce Harrington <bryce@canonical.com>  Fri, 06 Jun 2025 16:48:41 -0700
+
 dovecot (1:2.4.1+dfsg1-5) unstable; urgency=medium
 
   * [e6e5ef7] Fix typo in conf.d/auth-passwdfile.conf.ext (Closes: #1106072)
@@ -120,6 +140,19 @@ dovecot (1:2.4.0+dfsg1-1~exp1) experimen
 
  -- Noah Meyerhans <noahm@debian.org>  Tue, 11 Feb 2025 12:03:31 -0500
 
+dovecot (1:2.3.21.1+dfsg1-1ubuntu2) plucky; urgency=medium
+
+  * No-change rebuild for icu soname change.
+
+ -- Matthias Klose <doko@ubuntu.com>  Tue, 07 Jan 2025 08:36:38 +0100
+
+dovecot (1:2.3.21.1+dfsg1-1ubuntu1) oracular; urgency=medium
+
+  * Merge with Debian unstable (LP: #2077324). Remaining changes:
+    - d/rules: set mbranch-protection=bti to avoid ftbfs.
+
+ -- Mitchell Dzurick <mitchell.dzurick@canonical.com>  Fri, 23 Aug 2024 17:29:44 -0700
+
 dovecot (1:2.3.21.1+dfsg1-1) unstable; urgency=medium
 
   [ Noah Meyerhans ]
@@ -143,12 +176,51 @@ dovecot (1:2.3.21.1+dfsg1-1) unstable; u
 
  -- Noah Meyerhans <noahm@debian.org>  Sat, 17 Aug 2024 13:26:24 -0400
 
+dovecot (1:2.3.21+dfsg1-3ubuntu1) oracular; urgency=medium
+
+  * Merge from Debian unstable.  Remaining changes:
+    - d/rules: set mbranch-protection=bti to avoid ftbfs.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 06 Jun 2024 09:49:28 -0700
+
 dovecot (1:2.3.21+dfsg1-3) unstable; urgency=medium
 
   * [883dc1a] Add libtirpc-dev to build-depends (Closes: #1065213)
 
  -- Noah Meyerhans <noahm@debian.org>  Sat, 09 Mar 2024 22:31:22 -0800
 
+dovecot (1:2.3.21+dfsg1-2ubuntu5) noble; urgency=medium
+
+  * No-change rebuild for CVE-2024-3094
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 31 Mar 2024 08:49:22 +0000
+
+dovecot (1:2.3.21+dfsg1-2ubuntu4) noble; urgency=medium
+
+  * No-change rebuild against libssl3t64
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Mar 2024 17:46:12 +0000
+
+dovecot (1:2.3.21+dfsg1-2ubuntu3) noble; urgency=medium
+
+  * No-change rebuild against libtirpc3t64
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 29 Feb 2024 09:22:26 +0000
+
+dovecot (1:2.3.21+dfsg1-2ubuntu2) noble; urgency=medium
+
+  * No-change rebuild for ICU soname change.
+
+ -- Matthias Klose <doko@ubuntu.com>  Tue, 19 Dec 2023 18:37:56 +0100
+
+dovecot (1:2.3.21+dfsg1-2ubuntu1) noble; urgency=medium
+
+  * Merge with Debian unstable (LP: #2040378). Remaining changes:
+    - d/rules: set mbranch-protection=bti to avoid ftbfs.
+      (LP #2036268)
+
+ -- Bryce Harrington <bryce@canonical.com>  Mon, 13 Nov 2023 14:50:25 -0800
+
 dovecot (1:2.3.21+dfsg1-2) unstable; urgency=medium
 
   [ Christian Göttsche ]
@@ -175,6 +247,27 @@ dovecot (1:2.3.21+dfsg1-1) unstable; urg
 
  -- Noah Meyerhans <noahm@debian.org>  Sat, 14 Oct 2023 08:52:10 -0700
 
+dovecot (1:2.3.20+dfsg1-1ubuntu3) mantic; urgency=medium
+
+  * d/rules: -mbranch-protection=bti for arm64 architectures
+   (LP: #2036268).
+
+ -- Miriam España Acebal <miriam.espana@canonical.com>  Wed, 04 Oct 2023 16:33:20 +0200
+
+dovecot (1:2.3.20+dfsg1-1ubuntu2) mantic; urgency=medium
+
+  * d/control: Upgrade lua build dependency to 5.4
+
+ -- Lena Voytek <lena.voytek@canonical.com>  Thu, 17 Aug 2023 09:45:33 -0700
+
+dovecot (1:2.3.20+dfsg1-1ubuntu1) mantic; urgency=medium
+
+  * Merge with Debian unstable (LP: #2029440). Remaining changes:
+    - d/control: Build against Lua 5.3 rather than 5.4.
+      (LP #1909665)
+
+ -- Bryce Harrington <bryce@canonical.com>  Fri, 04 Aug 2023 10:46:40 -0700
+
 dovecot (1:2.3.20+dfsg1-1) unstable; urgency=medium
 
   [ Christian Göttsche ]
@@ -187,6 +280,21 @@ dovecot (1:2.3.20+dfsg1-1) unstable; urg
 
  -- Noah Meyerhans <noahm@debian.org>  Sun, 25 Jun 2023 16:17:56 -0700
 
+dovecot (1:2.3.19.1+dfsg1-2.1ubuntu1) mantic; urgency=medium
+
+  * Merge with Debian unstable (LP: #2018068). Remaining changes:
+    - d/control: Build against Lua 5.3 rather than 5.4.
+      (LP #1909665)
+  * Dropped:
+    - d/rules: Package references hidden symbols during an LTO link.
+      This needs further investigation.  Until then, disable LTO.
+      Disable Debian's recent enablement of LTO as well,
+      as it FTBFS when building with gcc 11.
+      (LP #1951325)
+      [Fixed in upstream commit f0c1cf42]
+
+ -- Bryce Harrington <bryce@canonical.com>  Fri, 19 May 2023 01:47:09 +0000
+
 dovecot (1:2.3.19.1+dfsg1-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
@@ -195,6 +303,46 @@ dovecot (1:2.3.19.1+dfsg1-2.1) unstable;
 
  -- Bas Couwenberg <sebastic@debian.org>  Fri, 20 Jan 2023 07:01:26 +0100
 
+dovecot (1:2.3.19.1+dfsg1-2ubuntu4) lunar; urgency=medium
+
+  * Rebuild against latest icu
+
+ -- Jeremy Bicha <jbicha@ubuntu.com>  Mon, 06 Feb 2023 07:33:52 -0500
+
+dovecot (1:2.3.19.1+dfsg1-2ubuntu3) lunar; urgency=medium
+
+  * No-change rebuild against libldap-2
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 15 Dec 2022 19:46:57 +0000
+
+dovecot (1:2.3.19.1+dfsg1-2ubuntu2) kinetic; urgency=medium
+
+  * d/control: Build against Lua 5.3 rather than 5.4 for kinetic
+
+ -- Bryce Harrington <bryce@canonical.com>  Fri, 12 Aug 2022 01:08:37 +0000
+
+dovecot (1:2.3.19.1+dfsg1-2ubuntu1) kinetic; urgency=medium
+
+  * Merge with Debian unstable (LP: #1971273). Remaining changes:
+    - d/rules: Package references hidden symbols during an LTO link.
+      This needs further investigation.  Until then, disable LTO.
+      Disable Debian's recent enablement of LTO as well,
+      as it FTBFS when building with gcc 11.
+      (LP #1951325)
+  * Dropped:
+    - d/p/OpenSSL3.patch: Workaround to fix EC key handling when building
+      with OpenSSL 3.0.
+      (LP: #1945763)
+      [Fixed in Debian release 1:2.3.19+dfsg1-1]
+    - privilege escalation via multiple passdbs
+      + d/p/CVE-2022-30550.patch: fix handling passdbs with
+        identical driver/args but different mechanisms/username_filter in
+        src/auth/auth-request.c, src/auth/auth.c, src/auth/auth.h,
+        src/auth/passdb.c, src/auth/passdb.h.
+      [Fixed in Debian release 1:2.3.19.1+dfsg1-2]
+
+ -- Bryce Harrington <bryce@canonical.com>  Tue, 09 Aug 2022 23:02:29 -0700
+
 dovecot (1:2.3.19.1+dfsg1-2) unstable; urgency=medium
 
   [ Christian Göttsche ]
@@ -264,6 +412,58 @@ dovecot (1:2.3.17.1+dfsg1-1) unstable; u
 
  -- Noah Meyerhans <noahm@debian.org>  Tue, 14 Dec 2021 09:24:23 -0800
 
+dovecot (1:2.3.16+dfsg1-3ubuntu4) kinetic; urgency=medium
+
+  * SECURITY UPDATE: privilege escalation via multiple passdbs
+    - debian/patches/CVE-2022-30550.patch: fix handling passdbs with
+      identical driver/args but different mechanisms/username_filter in
+      src/auth/auth-request.c, src/auth/auth.c, src/auth/auth.h,
+      src/auth/passdb.c, src/auth/passdb.h.
+    - CVE-2022-30550
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 11 Jul 2022 10:21:41 -0400
+
+dovecot (1:2.3.16+dfsg1-3ubuntu3) kinetic; urgency=medium
+
+  * No-change rebuild against libicu71
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 30 Apr 2022 01:54:59 +0000
+
+dovecot (1:2.3.16+dfsg1-3ubuntu2) jammy; urgency=medium
+
+  * No-change rebuild for icu soname change.
+
+ -- Matthias Klose <doko@ubuntu.com>  Wed, 09 Feb 2022 09:13:08 +0100
+
+dovecot (1:2.3.16+dfsg1-3ubuntu1) jammy; urgency=medium
+
+  [ Bryce Harrington ]
+  * Merge with Debian unstable. (LP: #1946855)
+    Remaining changes:
+    - Package references hidden symbols during an LTO link.  This needs further
+      investigation.  Until then, disable LTO.
+  * Dropped:
+    - SECURITY UPDATE: incorrectly escapes kid and azp fields in JWT tokens
+      + debian/patches/CVE-2021-29157.patch: improve escaping in
+        src/lib-dict-extra/dict-fs.c, src/lib-oauth2/oauth2-jwt.c,
+        src/lib-oauth2/test-oauth2-jwt.c.
+      [Included in Debian 1:2.3.13+dfsg1-2]
+    - SECURITY UPDATE: plaintext command injection before STARTTLS
+      + debian/patches/CVE-2021-33515.patch: properly handle command queue in
+        src/lib-smtp/smtp-server-cmd-starttls.c,
+        src/lib-smtp/smtp-server-connection.c.
+      [Included in Debian 1:2.3.13+dfsg1-2]
+  * d/rules: Disable Debian's recent enablement of LTO as well, as it
+    FTBFS when building with gcc 11.
+    (LP: #1951325)
+
+  [ Simon Chopin ]
+  * d/p/OpenSSL3.patch: Workaround to fix EC key handling when building
+    with OpenSSL 3.0.
+    (LP: #1945763)
+
+ -- Bryce Harrington <bryce@canonical.com>  Wed, 17 Nov 2021 13:46:08 -0800
+
 dovecot (1:2.3.16+dfsg1-3) unstable; urgency=medium
 
   * [7b858b6] Fix FTBFS on mips(64)el.  Stacktrace generation on these
@@ -315,6 +515,40 @@ dovecot (1:2.3.13+dfsg1-2) unstable; urg
 
  -- Noah Meyerhans <noahm@debian.org>  Tue, 20 Jul 2021 08:05:19 -0700
 
+dovecot (1:2.3.13+dfsg1-1ubuntu3) impish; urgency=medium
+
+  * No-change rebuild due to OpenLDAP soname bump.
+
+ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 21 Jun 2021 17:46:46 -0400
+
+dovecot (1:2.3.13+dfsg1-1ubuntu2) impish; urgency=medium
+
+  * SECURITY UPDATE: incorrectly escapes kid and azp fields in JWT tokens
+    - debian/patches/CVE-2021-29157.patch: improve escaping in
+      src/lib-dict-extra/dict-fs.c, src/lib-oauth2/oauth2-jwt.c,
+      src/lib-oauth2/test-oauth2-jwt.c.
+    - CVE-2021-29157
+  * SECURITY UPDATE: plaintext command injection before STARTTLS
+    - debian/patches/CVE-2021-33515.patch: properly handle command queue in
+      src/lib-smtp/smtp-server-cmd-starttls.c,
+      src/lib-smtp/smtp-server-connection.c.
+    - CVE-2021-33515
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 16 Jun 2021 09:02:15 -0400
+
+dovecot (1:2.3.13+dfsg1-1ubuntu1) hirsute; urgency=medium
+
+  * Package references hidden symbols during an LTO link.  This needs further
+    investigation.  Until then, disable LTO.
+
+ -- Matthias Klose <doko@ubuntu.com>  Tue, 30 Mar 2021 17:23:55 +0200
+
+dovecot (1:2.3.13+dfsg1-1build1) hirsute; urgency=high
+
+  * No change rebuild against clucene-core
+
+ -- Balint Reczey <rbalint@ubuntu.com>  Thu, 18 Feb 2021 18:19:47 +0100
+
 dovecot (1:2.3.13+dfsg1-1) unstable; urgency=medium
 
   [ Christian Göttsche ]
diff -pruN 1:2.4.1+dfsg1-5/debian/control 1:2.4.1+dfsg1-5ubuntu3/debian/control
--- 1:2.4.1+dfsg1-5/debian/control	2025-05-28 19:45:52.000000000 +0000
+++ 1:2.4.1+dfsg1-5ubuntu3/debian/control	2025-08-22 19:55:56.000000000 +0000
@@ -1,7 +1,8 @@
 Source: dovecot
 Section: mail
 Priority: optional
-Maintainer: Dovecot Maintainers <dovecot@packages.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Dovecot Maintainers <dovecot@packages.debian.org>
 Uploaders: Jaldhar H. Vyas <jaldhar@debian.org>,
            Jelmer Vernooij <jelmer@debian.org>,
            Apollon Oikonomopoulos <apoikos@debian.org>,
diff -pruN 1:2.4.1+dfsg1-5/debian/patches/fips-pbkdf2-fix-invalid-salt-length.patch 1:2.4.1+dfsg1-5ubuntu3/debian/patches/fips-pbkdf2-fix-invalid-salt-length.patch
--- 1:2.4.1+dfsg1-5/debian/patches/fips-pbkdf2-fix-invalid-salt-length.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:2.4.1+dfsg1-5ubuntu3/debian/patches/fips-pbkdf2-fix-invalid-salt-length.patch	2025-08-22 19:55:56.000000000 +0000
@@ -0,0 +1,133 @@
+Description: When one enables FIPS mode on a Jammy system and then
+ attempts to use Dovecot to create an encrypted mailbox, the module
+ returns a invalid salt length error. FIPS mode requires a 16 byte
+ salt for PBEKDF2 and Dovecot is only requesting 8 bytes of salt.
+ The solution is to modify Dovecot to request 16 bytes of salt.
+Author: Aki Tuomi <aki.tuomi@open-xchange.com>
+Origin: upstream, https://github.com/dovecot/core/compare/5ebc1e3e56024ea2a0925de99edd7fb1e7b652a7%5E...dab49bf12228f382f646329974350cf829fcdfcb
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2107773
+
+--- a/src/lib-dcrypt/test-crypto.c
++++ b/src/lib-dcrypt/test-crypto.c
+@@ -483,7 +483,13 @@ static void test_load_v2_key(void)
+ 		"7d945aa6492275a02881071eceec5749caf2485da8c64fb601"
+ 		"229098:ab13d251976dedab546b67354e7678821740dd534b7"
+ 		"49c2857f66bf62bbaddfd:ab13d251976dedab546b67354e76"
+-		"78821740dd534b749c2857f66bf62bbaddfd"
++		"78821740dd534b749c2857f66bf62bbaddfd",
++		"2:1.3.132.0.35:2:aes-256-ctr:cf9951243f5e609a5e20d"
++		"353e4011f62:sha256:2048:0c056337f221f5fd287eb3ef48"
++		"86e596ef3b92e7d33c01a79579b35c8595f8e13cf4bccdb7f5"
++		"409b095be5179bd94668ad88050ff828617ef3415b9e167d22"
++		"e7fd95a3f80b3b:15286fe2a53773c64efa2b8fa79d4cd5b46"
++		"3d422d30bf9103ca97999636e864f",
+ 	};
+ 
+ 	test_begin("test_load_v2_key");
+@@ -527,6 +533,24 @@ static void test_load_v2_key(void)
+ 	dcrypt_key_unref_private(&priv);
+ 	dcrypt_key_unref_public(&pub);
+ 
++	/* Matches the encrypted private key in index 4 */
++	static const char *pem_key_4 =
++"-----BEGIN PRIVATE KEY-----\n"
++"MIGqAgEAMBAGByqGSM49AgEGBSuBBAAjBIGSMIGPAgEBBEIBoC5EFaNm/mWOH9Dp\n"
++"juTNIuRRyKVEFZ0o1R9gPbeza2VvvKYZaIPck2HWEmJGoHOwo+Kc/Fq0Z7ka3Irg\n"
++"o9CfYlihRgNEAAMBTSCA2WUdwGM4Q7Frxvbd785xLALRGfY454bOH6Esn5CrKgo+\n"
++"/gmOCWVYR346VqT0OFxUamc3cglQsk3oFcTjQqY=\n"
++"-----END PRIVATE KEY-----\n";
++
++	test_assert_idx(dcrypt_key_load_private(&priv,
++		keys[4], "password", NULL, &error), 4);
++	test_assert_idx(dcrypt_key_store_private(priv,
++		DCRYPT_FORMAT_PEM, NULL, tmp,
++		NULL, NULL, &error), 4);
++	test_assert_strcmp_idx(str_c(tmp), pem_key_4, 4);
++	buffer_set_used_size(tmp, 0);
++	dcrypt_key_unref_private(&priv);
++
+ 	buffer_free(&tmp);
+ 
+ 	if (error != NULL) error = NULL;
+@@ -540,24 +564,35 @@ static void test_load_v2_public_key(void
+ 	const char *error;
+ 
+ 	test_begin("test_load_v2_public_key");
+-	const char *key =
++	const char *keys[] = {
+ 		"2:3058301006072a8648ce3d020106052b810400230344000"
+ 		"301c50954e734dd8b410a607764a7057065a45510da52f2c6"
+ 		"e28e0cb353b9c389fa8cb786943ae991fce9befed78fb162f"
+ 		"bbc615415f06af06c8cc80c37f4e94ff6c7:185a721254278"
+ 		"2e239111f9c19d126ad55b18ddaf4883d66afe8d9627c3607"
+-		"d8";
+-
+-	test_assert(dcrypt_key_load_public(&pub, key, &error));
+-
+-	buffer_t *tmp = buffer_create_dynamic(default_pool, 256);
++		"d8",
++		"2:3058301006072a8648ce3d020106052b810400230344000"
++		"301897d80b69ed3eccda4c5a5edc67e9a11ef76c4894710af"
++		"b3deb52e5d996f23b6252d93ab349d1931a234eda9ff7cc40"
++		"095b2b084b86e066839c7de8a08bf5bf46b:0a955323b7c00"
++		"ef44581122c510cbfacfc503aea291b3a3fa2a811356df5be"
++		"cd",
++	};
+ 
+-	if (pub != NULL) {
+-		test_assert(dcrypt_key_store_public(pub,
+-			DCRYPT_FORMAT_DOVECOT, tmp, &error));
+-		test_assert(strcmp(key, str_c(tmp))==0);
+-		buffer_free(&tmp);
+-		dcrypt_key_unref_public(&pub);
++	for (size_t i = 0; i < N_ELEMENTS(keys); i++) {
++		const char *key = keys[i];
++		test_assert_idx(dcrypt_key_load_public(&pub, key, &error), i);
++		test_assert_idx(pub != NULL, i);
++
++		buffer_t *tmp = buffer_create_dynamic(default_pool, 256);
++
++		if (pub != NULL) {
++			test_assert_idx(dcrypt_key_store_public(pub,
++					DCRYPT_FORMAT_DOVECOT, tmp, &error), i);
++			test_assert_strcmp_idx(key, str_c(tmp), i);
++			buffer_free(&tmp);
++			dcrypt_key_unref_public(&pub);
++		}
+ 	}
+ 
+ 	test_end();
+--- a/src/lib-dcrypt/dcrypt-openssl1.c
++++ b/src/lib-dcrypt/dcrypt-openssl1.c
+@@ -2663,7 +2663,7 @@ dcrypt_openssl_encrypt_private_key_dovec
+ 	bool res;
+ 	unsigned char *ptr;
+ 
+-	unsigned char salt[8];
++	unsigned char salt[DCRYPT_DOVECOT_SALT_LEN];
+ 	buffer_t *peer_key = t_buffer_create(128);
+ 	buffer_t *secret = t_buffer_create(128);
+ 	cipher = t_str_lcase(cipher);
+--- a/src/lib-dcrypt/dcrypt-openssl3.c
++++ b/src/lib-dcrypt/dcrypt-openssl3.c
+@@ -2679,7 +2679,7 @@ dcrypt_openssl_encrypt_private_key_dovec
+ 	bool res;
+ 	unsigned char *ptr;
+ 
+-	unsigned char salt[8];
++	unsigned char salt[DCRYPT_DOVECOT_SALT_LEN];
+ 	buffer_t *peer_key = t_buffer_create(128);
+ 	buffer_t *secret = t_buffer_create(128);
+ 	cipher = t_str_lcase(cipher);
+--- a/src/lib-dcrypt/dcrypt-private.h
++++ b/src/lib-dcrypt/dcrypt-private.h
+@@ -12,6 +12,9 @@ struct module;
+ #define DCRYPT_DOVECOT_KEY_ENCRYPT_PK 1
+ #define DCRYPT_DOVECOT_KEY_ENCRYPT_PASSWORD 2
+ 
++/* Fips requires 16 byte salt */
++#define DCRYPT_DOVECOT_SALT_LEN 16
++
+ struct dcrypt_vfs {
+ 	bool (*initialize)(const struct dcrypt_settings *set,
+ 			   const char **error_r);
diff -pruN 1:2.4.1+dfsg1-5/debian/patches/series 1:2.4.1+dfsg1-5ubuntu3/debian/patches/series
--- 1:2.4.1+dfsg1-5/debian/patches/series	2025-05-28 19:45:52.000000000 +0000
+++ 1:2.4.1+dfsg1-5ubuntu3/debian/patches/series	2025-08-22 19:55:56.000000000 +0000
@@ -25,3 +25,4 @@ Use-_FORTIFY_SOURCE-level-3.patch
 fit-32-bit-test-integers.patch
 bug1104549-gssapi-regression.patch
 fix-man-errors.patch
+fips-pbkdf2-fix-invalid-salt-length.patch
diff -pruN 1:2.4.1+dfsg1-5/debian/rules 1:2.4.1+dfsg1-5ubuntu3/debian/rules
--- 1:2.4.1+dfsg1-5/debian/rules	2025-05-28 19:45:52.000000000 +0000
+++ 1:2.4.1+dfsg1-5ubuntu3/debian/rules	2025-08-28 23:32:12.000000000 +0000
@@ -35,6 +35,21 @@ export DEB_CFLAGS_MAINT_APPEND = $(DOV_D
 export DEB_CXXFLAGS_MAINT_APPEND = $(DOV_DEB_CXXFLAGS)
 export DEB_LDFLAGS_MAINT_APPEND = $(DOV_DEB_LDFLAGS)
 
+ifeq ($(DEB_HOST_ARCH), arm64)
+  export DEB_CFLAGS_MAINT_STRIP = -mbranch-protection=standard
+  export DEB_CXXFLAGS_MAINT_STRIP = -mbranch-protection=standard
+
+  export DEB_CFLAGS_MAINT_APPEND += -mbranch-protection=bti
+  export DEB_CXXFLAGS_MAINT_APPEND += -mbranch-protection=bti
+endif
+
+# LP: #2121250
+ifeq ($(DEB_HOST_ARCH),ppc64el)
+  export DEB_CFLAGS_MAINT_STRIP += -O3
+  export DEB_CXXFLAGS_MAINT_STRIP += -O3
+  export DEB_CFLAGS_MAINT_APPEND += -O2
+  export DEB_CXXFLAGS_MAINT_APPEND += -O2
+endif
 
 ifeq ($(DEB_HOST_ARCH_OS),linux)
   CONFIGURE_APPARMOR = --with-apparmor