Your message dated Sun, 31 May 2026 20:32:07 +0000
with message-id <[email protected]>
and subject line Bug#1136444: fixed in dovecot 1:2.4.1+dfsg1-6+deb13u6
has caused the Debian Bug report #1136444,
regarding dovecot: CVE-2026-27851 CVE-2026-33603 CVE-2026-40016 CVE-2026-40020 CVE-2026-42006
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136444: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136444
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dovecot
Version: 1:2.4.3+dfsg1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for dovecot.
CVE-2026-27851[0]:
| When safe filter is used with variable expansion, all following
| pipelines on the same string are incorrectly interpreted as safe
| too, enabling unsafe data to be unescaped. This can enable SQL /
| LDAP injection attacks when used in authentication. Avoid using safe
| filter until on fixed version. No publicly available exploits are
| known.
CVE-2026-33603[1]:
| Attacker can use a specially crafted base64 exchange between Dovecot
| and Client to fake SCRAM TLS channel binding. This requires that the
| attacker is able to position itself between Dovecot and the client
| connection. If successful, the attacker can eavesdrop communications
| between Dovecot and client as MITM proxy. Install fixed version. No
| publicly available exploits are known.
CVE-2026-40016[2]:
| Attacker can upload a malicious Sieve script over ManageSieve
| service (or locally) to bypass configured CPU time limits for Sieve
| up to 130 times of the configured limit. Attacker can use this to
| degrade server performance and bypass configured CPU time limits for
| Sieve scripts. Install fixed version, or alternatively prevent
| direct access to Sieve scripts via ManageSieve or local access. No
| publicly available exploits are known.
CVE-2026-40020[3]:
| Attacker can use the IMAP SETACL command to inject the anyone
| permission to user's dovecot-acl file even if
| imap_acl_allow_anyone=no. This causes folders to be spammed to all
| users. The impact is limited to being able to spam folders to other
| users, no unexpected access is gained. Install the fixed version. No
| publicly available exploits are known.
CVE-2026-42006[4]:
| An attacker can cause uncontrolled memory usage with excessive
| bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only
| blocking one way of doing this, so there was still another way left
| open. In particular, the fix was for closing braces, but you could
| still use open braces to bypass the limit. Using excessive bracing,
| attacker can cause memory usage up to configured memory limit.
| Install fixed version, or configure vsz_limit for imap process to
| low value. No publicly available exploits are known.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-27851
https://www.cve.org/CVERecord?id=CVE-2026-27851
[1] https://security-tracker.debian.org/tracker/CVE-2026-33603
https://www.cve.org/CVERecord?id=CVE-2026-33603
[2] https://security-tracker.debian.org/tracker/CVE-2026-40016
https://www.cve.org/CVERecord?id=CVE-2026-40016
[3] https://security-tracker.debian.org/tracker/CVE-2026-40020
https://www.cve.org/CVERecord?id=CVE-2026-40020
[4] https://security-tracker.debian.org/tracker/CVE-2026-42006
https://www.cve.org/CVERecord?id=CVE-2026-42006
Regards,
Salvatore
--- End Message ---
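CVE-2026-40020 above is about the `anyone` identifier ending up in a user's dovecot-acl file despite imap_acl_allow_anyone=no. A practical follow-up after patching is to find out whether any mailbox on the server already carries such a grant. The script below is an added example written for this page, not code from the bug report, from Dovecot or from the Debian package; it assumes the documented vfile ACL format of one `<identifier> <rights>` pair per line (`owner`, `user=NAME`, `group=NAME`, `authenticated`, `anyone`, with a leading `-` for a denial) and a maildir tree where each mailbox directory holds a `dovecot-acl` file. The sample ACL text is constructed for the demonstration.

```python
"""Audit dovecot-acl files for rights granted to everybody.

Added example for this page; it is not Dovecot's own code. It assumes the
documented dovecot-acl line format "<identifier> <rights>", where a leading
"-" on the identifier denies rights instead of granting them.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable

# Identifiers that apply to every user (or every logged-in user). A grant to
# either of these is what the IMAP SETACL issue lets an attacker plant.
GLOBAL_IDS = {"anyone", "authenticated"}


@dataclass(frozen=True)
class AclEntry:
    identifier: str  # e.g. "owner", "user=alice", "group=staff", "anyone"
    rights: str      # IMAP ACL right letters, e.g. "lr" (lookup + read)
    negative: bool   # True for "-user=alice r" style denials


def parse_dovecot_acl(text: str) -> list[AclEntry]:
    """Parse the contents of one dovecot-acl file into AclEntry records."""
    entries: list[AclEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        ident = parts[0]
        rights = parts[1].strip() if len(parts) > 1 else ""
        negative = ident.startswith("-")
        if negative:
            ident = ident[1:]
        entries.append(AclEntry(ident, rights, negative))
    return entries


def global_grants(entries: Iterable[AclEntry]) -> list[AclEntry]:
    """Return entries that actually grant rights to 'anyone'/'authenticated'.

    Denials (leading '-') and empty right sets are not reported because they
    do not widen access.
    """
    return [
        e for e in entries
        if e.identifier in GLOBAL_IDS and not e.negative and e.rights
    ]


def audit_tree(root: Path) -> dict[str, list[AclEntry]]:
    """Walk a maildir tree and map each offending dovecot-acl path to its grants."""
    findings: dict[str, list[AclEntry]] = {}
    for acl_file in root.rglob("dovecot-acl"):
        grants = global_grants(parse_dovecot_acl(acl_file.read_text(errors="replace")))
        if grants:
            findings[str(acl_file)] = grants
    return findings


# Constructed sample, not taken from any real server.
SAMPLE_ACL = """\
# example dovecot-acl
owner lrwstipekxa
user=bob lr
group=staff lrw
anyone lrp
-user=mallory r
authenticated l
"""


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; pass a maildir root on the
    # command line to audit a real tree instead.
    import sys
    if len(sys.argv) > 1:
        for path, grants in audit_tree(Path(sys.argv[1])).items():
            print(path)
            for g in grants:
                print(f"  {g.identifier} {g.rights}")
    else:
        for g in global_grants(parse_dovecot_acl(SAMPLE_ACL)):
            print(f"{g.identifier} {g.rights}")
```

Running it against the mail store root (for example the directory under which each user's `Maildir` lives) lists every mailbox whose ACL grants rights to `anyone` or `authenticated`, which is the set an administrator would review after this update; the `owner`, `user=` and `group=` lines are left alone since they are normal sharing.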
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.4.1+dfsg1-6+deb13u6
Done: Noah Meyerhans <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Noah Meyerhans <[email protected]> (supplier of updated dovecot package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 18 May 2026 16:03:51 -0400
Source: dovecot
Architecture: source
Version: 1:2.4.1+dfsg1-6+deb13u6
Distribution: trixie-security
Urgency: medium
Maintainer: Dovecot Maintainers <[email protected]>
Changed-By: Noah Meyerhans <[email protected]>
Closes: 1136444
Changes:
dovecot (1:2.4.1+dfsg1-6+deb13u6) trixie-security; urgency=medium
.
* Security update (Closes: #1136444)
* [76ceed4] CVE-2026-27851: lib-var-expand: Reset safe state when
transfer is unset
* [4af6fb3] CVE-2026-40016: lib-sieve: Enforce CPU time limit within
:contains and :matches matcher loops
* [366ef61] CVE-2026-33603: login-common: Only accept base64 in sasl
* [26bd41e] CVE-2026-40020: IMAP folders can be shared-spammed to
everyone.
* [b6f5bac] CVE-2026-42006: imap-login: Excessive memory usage DoS
Checksums-Sha1:
3f9539f86a154de530d1a9fdfbfb26b65c869e93 3992 dovecot_2.4.1+dfsg1-6+deb13u6.dsc
de4c45c0816946128950233246b8feb4dbf76f59 105120 dovecot_2.4.1+dfsg1-6+deb13u6.debian.tar.xz
003e7c6b709baa966fc77eb263679f4faab1a670 7573 dovecot_2.4.1+dfsg1-6+deb13u6_source.buildinfo
Checksums-Sha256:
3a787c1cb9ba73de6dd2f83f4a71c3ebf4b5eca3354f78294ac311936fa4be37 3992 dovecot_2.4.1+dfsg1-6+deb13u6.dsc
69296d0696b6563949139f964f2f12318dc4fefd07f3be82dcf93a1357d1ffe8 105120 dovecot_2.4.1+dfsg1-6+deb13u6.debian.tar.xz
e5abe42716a211e24db38fa422c36e641a58a2fffd60d43fbc96e943d8f83fb7 7573 dovecot_2.4.1+dfsg1-6+deb13u6_source.buildinfo
Files:
a5faaa953b4b3b351db75799d9ecb177 3992 mail optional dovecot_2.4.1+dfsg1-6+deb13u6.dsc
fef65f7eefad37e8ceddb1318ce3ec46 105120 mail optional dovecot_2.4.1+dfsg1-6+deb13u6.debian.tar.xz
1b111a3eea67d059fa25b557e5d2bf64 7573 mail optional dovecot_2.4.1+dfsg1-6+deb13u6_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---