Your message dated Fri, 15 May 2026 16:21:34 +0000
with message-id <[email protected]>
and subject line Bug#1136444: fixed in dovecot 1:2.4.4+dfsg1-1
has caused the Debian Bug report #1136444,
regarding dovecot: CVE-2026-27851 CVE-2026-33603 CVE-2026-40016 CVE-2026-40020 CVE-2026-42006
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136444: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136444
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dovecot
Version: 1:2.4.3+dfsg1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for dovecot.

CVE-2026-27851[0]:
| When safe filter is used with variable expansion, all following
| pipelines on the same string are incorrectly interpreted as safe
| too, enabling unsafe data to be unescaped. This can enable SQL /
| LDAP injection attacks when used in authentication. Avoid using the safe
| filter until on a fixed version. No publicly available exploits are
| known.


CVE-2026-33603[1]:
| Attacker can use a specially crafted base64 exchange between Dovecot
| and Client to fake SCRAM TLS channel binding. This requires that the
| attacker is able to position itself between Dovecot and the client
| connection. If successful, the attacker can eavesdrop communications
| between Dovecot and client as MITM proxy. Install fixed version. No
| publicly available exploits are known.


CVE-2026-40016[2]:
| Attacker can upload a malicious Sieve script over ManageSieve
| service (or locally) to bypass configured CPU time limits for Sieve
| up to 130 times the configured limit. Attacker can use this to
| degrade server performance and bypass configured CPU time limits for
| Sieve scripts. Install fixed version, or alternatively prevent
| direct access to Sieve scripts via ManageSieve or local access. No
| publicly available exploits are known.


CVE-2026-40020[3]:
| Attacker can use the IMAP SETACL command to inject the anyone
| permission to user's dovecot-acl file even if
| imap_acl_allow_anyone=no. This causes folders to be spammed to all
| users. The impact is limited to being able to spam folders to other
| users; no unexpected access is gained. Install fixed version. No
| publicly available exploits are known.


CVE-2026-42006[4]:
| An attacker can cause uncontrolled memory usage with excessive
| bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only
| blocking one way of doing this, so there was still another way left
| open. In particular, the fix was for closing braces, but you could
| still use open braces to bypass the limit. Using excessive bracing,
| attacker can cause memory usage up to configured memory limit.
| Install fixed version, or configure vsz_limit for imap process to
| low value. No publicly available exploits are known.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27851
    https://www.cve.org/CVERecord?id=CVE-2026-27851
[1] https://security-tracker.debian.org/tracker/CVE-2026-33603
    https://www.cve.org/CVERecord?id=CVE-2026-33603
[2] https://security-tracker.debian.org/tracker/CVE-2026-40016
    https://www.cve.org/CVERecord?id=CVE-2026-40016
[3] https://security-tracker.debian.org/tracker/CVE-2026-40020
    https://www.cve.org/CVERecord?id=CVE-2026-40020
[4] https://security-tracker.debian.org/tracker/CVE-2026-42006
    https://www.cve.org/CVERecord?id=CVE-2026-42006

Regards,
Salvatore

--- End Message ---
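A defender-side check for the CVE-2026-40020 impact described in the report above (an `anyone` right injected into a user's dovecot-acl file): this is an added example, not code from Dovecot or from this bug report. It parses the dovecot-acl format as Dovecot documents it (one `<identifier> <rights>` entry per line; identifiers `owner`, `user=`, `group=`, `group-override=`, `authenticated` and `anyone`, with `anonymous` as an alias; a leading `-` denies the listed rights) and reports what `anyone` or `authenticated` can still do after negative entries are subtracted. Treating `#` lines as comments and the sample file contents are assumptions.

```python
from dataclasses import dataclass

BROAD_IDENTIFIERS = {"anyone", "anonymous", "authenticated"}  # not user/group bound
RIGHTS_ORDER = "lrwstipekxa"  # order in which Dovecot lists ACL rights


@dataclass(frozen=True)
class AclEntry:
    identifier: str
    rights: str
    negative: bool  # a leading "-" on the identifier denies these rights


def parse_dovecot_acl(text: str) -> list[AclEntry]:
    """Parse "<identifier> <rights>" lines; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' comment handling is an assumption
            continue
        ident, *rest = line.split(None, 1)
        rights = rest[0].strip() if rest else ""
        entries.append(AclEntry(ident.lstrip("-"), rights, ident.startswith("-")))
    return entries


def effective_broad_rights(text: str) -> dict[str, str]:
    """Rights left to anyone/authenticated once negative entries are subtracted."""
    granted: dict[str, set[str]] = {}
    denied: dict[str, set[str]] = {}
    for e in parse_dovecot_acl(text):
        if e.identifier not in BROAD_IDENTIFIERS:
            continue
        ident = "anyone" if e.identifier == "anonymous" else e.identifier  # alias
        (denied if e.negative else granted).setdefault(ident, set()).update(e.rights)
    result = {}
    for ident, rights in granted.items():
        eff = rights - denied.get(ident, set())
        if eff:  # keep Dovecot's letter order, unknown letters last
            result[ident] = "".join(sorted(eff, key=lambda c: (c not in RIGHTS_ORDER,
                                                               RIGHTS_ORDER.find(c), c)))
    return result


def world_postable(text: str) -> bool:
    """True when 'anyone' may insert (i) or post (p) messages: the spam-to-everyone case."""
    return any(c in effective_broad_rights(text).get("anyone", "") for c in "ip")


# Constructed sample dovecot-acl: an 'anyone' grant left behind in a user's folder.
SAMPLE_ACL = "owner lrwstipekxa\nuser=alice lrs\nanyone lrwi\n-anyone w\n"
```

Run `effective_broad_rights` over each `dovecot-acl` file under the mail store after upgrading; any non-empty `anyone` entry with `i` or `p` is a folder that other users could already have been posting into.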
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.4.4+dfsg1-1
Done: Noah Meyerhans <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <[email protected]> (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 May 2026 13:29:38 -0400
Source: dovecot
Architecture: source
Version: 1:2.4.4+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Dovecot Maintainers <[email protected]>
Changed-By: Noah Meyerhans <[email protected]>
Closes: 1136444
Changes:
 dovecot (1:2.4.4+dfsg1-1) unstable; urgency=medium
 .
   [ Luca Boccassi ]
   * [6261bfd] Install and use sysusers.d config file
 .
   [ Noah Meyerhans ]
   * [9a7a738] Add tests for bug 1134464 regression
   * [6f1a08b] remove unreproducible TEST_DIR in dovecot-config
   * [185a225] New upstream version 2.4.4+dfsg1
     - CVE-2026-27851: lib-var-expand: Safe filter leaks to all following pipelines
     - CVE-2026-40016: Sieve :contains/:matches O(N×M) Substring Match Bypasses
       sieve_max_cpu_time Limit (130× Overrun)
     - CVE-2026-33603: login: Base64 input can contain tabs that bypass IPC
       protection
     - CVE-2026-40020: IMAP folders can be shared-spammed to everyone
     - CVE-2026-42006: imap-login: Excessive memory usage DoS
     (Closes: #1136444)
   * [a6c0328] settings: Use correct symbol STORAGE_LDAP in settings-get.pl
   * [874cea7] refresh patches
   * [a4af2a3] Fix test failures on 32-bit systems



--- End Message ---
