Your message dated Sun, 31 May 2026 20:33:06 +0000
with message-id <[email protected]>
and subject line Bug#1136444: fixed in dovecot 1:2.3.19.1+dfsg1-2.1+deb12u6
has caused the Debian Bug report #1136444,
regarding dovecot: CVE-2026-27851 CVE-2026-33603 CVE-2026-40016 CVE-2026-40020 CVE-2026-42006
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136444: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136444
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dovecot
Version: 1:2.4.3+dfsg1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for dovecot.
CVE-2026-27851[0]:
| When the safe filter is used with variable expansion, all following
| pipelines on the same string are incorrectly interpreted as safe
| too, enabling unsafe data to be unescaped. This can enable SQL /
| LDAP injection attacks when used in authentication. Avoid using the
| safe filter until on a fixed version. No publicly available exploits
| are known.
CVE-2026-33603[1]:
| An attacker can use a specially crafted base64 exchange between Dovecot
| and the client to fake SCRAM TLS channel binding. This requires that the
| attacker is able to position itself between Dovecot and the client
| connection. If successful, the attacker can eavesdrop on communications
| between Dovecot and the client as a MITM proxy. Install the fixed version.
| No publicly available exploits are known.
CVE-2026-40016[2]:
| An attacker can upload a malicious Sieve script over the ManageSieve
| service (or locally) to bypass configured CPU time limits for Sieve,
| up to 130 times the configured limit. An attacker can use this to
| degrade server performance and bypass configured CPU time limits for
| Sieve scripts. Install the fixed version, or alternatively prevent
| direct access to Sieve scripts via ManageSieve or local access. No
| publicly available exploits are known.
CVE-2026-40020[3]:
| An attacker can use the IMAP SETACL command to inject the anyone
| permission into a user's dovecot-acl file even if
| imap_acl_allow_anyone=no. This causes folders to be spammed to all
| users. The impact is limited to being able to spam folders to other
| users; no unexpected access is gained. Install the fixed version. No
| publicly available exploits are known.
CVE-2026-42006[4]:
| An attacker can cause uncontrolled memory usage with excessive
| bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only
| blocking one way of doing this, so there was still another way left
| open. In particular, the fix was for closing braces, but you could
| still use open braces to bypass the limit. Using excessive bracing,
| an attacker can cause memory usage up to the configured memory limit.
| Install the fixed version, or configure vsz_limit for the imap process
| to a low value. No publicly available exploits are known.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-27851
https://www.cve.org/CVERecord?id=CVE-2026-27851
[1] https://security-tracker.debian.org/tracker/CVE-2026-33603
https://www.cve.org/CVERecord?id=CVE-2026-33603
[2] https://security-tracker.debian.org/tracker/CVE-2026-40016
https://www.cve.org/CVERecord?id=CVE-2026-40016
[3] https://security-tracker.debian.org/tracker/CVE-2026-40020
https://www.cve.org/CVERecord?id=CVE-2026-40020
[4] https://security-tracker.debian.org/tracker/CVE-2026-42006
https://www.cve.org/CVERecord?id=CVE-2026-42006
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.3.19.1+dfsg1-2.1+deb12u6
Done: Noah Meyerhans <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Noah Meyerhans <[email protected]> (supplier of updated dovecot package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 18 May 2026 14:11:58 -0400
Source: dovecot
Architecture: source
Version: 1:2.3.19.1+dfsg1-2.1+deb12u6
Distribution: bookworm-security
Urgency: medium
Maintainer: Dovecot Maintainers <[email protected]>
Changed-By: Noah Meyerhans <[email protected]>
Closes: 1136444
Changes:
dovecot (1:2.3.19.1+dfsg1-2.1+deb12u6) bookworm-security; urgency=medium
.
* Security update (Closes: #1136444)
* [1d0162a] autopkgtest: test cram-md5 authentication
* [d4eed2a] CVE-2026-40016: Sieve :contains/:matches O(N×M) Substring Match Bypasses sieve_max_cpu_time Limit (130× Overrun)
* [898776c] CVE-2026-33603: login: Base64 input can contain tabs that bypass IPC protection
* [fe76a7b] CVE-2026-40020: IMAP folders can be shared-spammed to everyone
* [ce379ba] CVE-2026-42006: imap-login: Excessive memory usage DoS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
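A practical follow-up to the close message above is checking that an installed bookworm dovecot is at or past the fixing upload, which needs dpkg's version ordering rather than a string compare (the epoch, the `~` rule and numeric runs all bite here). The example below is added here and is not code from the bug report, the Debian BTS or the dovecot package: it reimplements dpkg's comparison rules in Python; FIXED_BOOKWORM is the version from the .changes block, and is_fixed is a name chosen for this example that only makes sense for the bookworm line (the 1:2.4.3+dfsg1-2 the bug was filed against compares higher yet has its own fix).

```python
import re
from itertools import zip_longest

# Fixed version for bookworm-security, as stated in the .changes block above.
FIXED_BOOKWORM = "1:2.3.19.1+dfsg1-2.1+deb12u6"

def _order(c):
    """dpkg's character weight: '~' < end-of-string (0) < letters < other symbols."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else (ord(c) + 256 if c else 0)

def _cmp_alpha(x, y):
    """Compare two non-digit runs character by character; the shorter run is padded
    with end-of-string, so '1.0~' sorts before '1.0' and '1.0' before '1.0a'."""
    for cx, cy in zip_longest(x, y, fillvalue=""):
        d = _order(cx) - _order(cy)
        if d:
            return d
    return 0

def _verrevcmp(a, b):
    """dpkg's verrevcmp(): split both strings into alternating (non-digit, digit)
    runs and compare run by run, lexically for text and numerically for digits."""
    pairs_a = re.findall(r"(\D*)(\d*)", a)
    pairs_b = re.findall(r"(\D*)(\d*)", b)
    for (xa, na), (xb, nb) in zip_longest(pairs_a, pairs_b, fillvalue=("", "")):
        d = _cmp_alpha(xa, xb) or int(na or 0) - int(nb or 0)
        if d:
            return (d > 0) - (d < 0)
    return 0

def _split(version):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def dpkg_compare(a, b):
    """Return -1, 0 or 1 with the semantics of `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_fixed(installed, fixed=FIXED_BOOKWORM):
    """True when an installed bookworm dovecot is at or past the fixing upload.
    Only meaningful for the bookworm line; other lines have their own fix versions."""
    return dpkg_compare(installed, fixed) >= 0
```

Feed it the Version field from `dpkg-query -W -f='${Version}' dovecot-core` on the host being checked; an epoch-less string or a backports `~bpo` build correctly comes out as not fixed.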