Package "dovecot-sqlite"

Name:	dovecot-sqlite
Description:	secure POP3/IMAP server - SQLite support
Latest version:	1:2.3.16+dfsg1-3ubuntu2.7
Release:	jammy (22.04)
Level:	security
Repository:	universe
Head package:	dovecot
Homepage:	https://dovecot.org/

Links

Raw Package Information

All versions of this package

Bug fixes

List of files in package

Repository home page

Download "dovecot-sqlite"

32-bit deb package

64-bit deb package

APT INSTALL

Other versions of "dovecot-sqlite" in Jammy

Repository	Area	Version
base	universe	1:2.3.16+dfsg1-3ubuntu2
updates	universe	1:2.3.16+dfsg1-3ubuntu2.7

Changelog

Version: 1:2.3.16+dfsg1-3ubuntu2.7 2026-03-31 13:08:04 UTC

dovecot (1:2.3.16+dfsg1-3ubuntu2.7) jammy-security; urgency=medium * SECURITY UPDATE: Exposure of Sensitive Information to an Unauthorized Actor - debian/patches/CVE-2025-59031.patch: [PATCH 02/24] fts: Remove decode2text.sh - debian/rules: Remove decode2text.sh from it. - debian/dovecot-core.examples: Remove decode2text.sh from it. - CVE-2025-59031 * SECURITY UPDATE: Improper Input Validation - debian/patches/CVE-2025-59032.patch: managesieve-login: Fix crash when command didn't finish on the first call - CVE-2025-59032 * SECURITY UPDATE: Path Traversal - debian/patches/CVE-2026-0394-1.patch: [PATCH] auth: db-passwd-file - Add db_passwd_fix_path() - debian/patches/CVE-2026-0394-2.patch: auth: db-passwd-file - Normalize path with db_passwd_fix_path() - CVE-2026-0394 * SECURITY UPDATE: Authentication Bypass - debian/patches/CVE-2026-27855-1.patch: [PATCH 21/24] auth: cache - Use translated username in auth_cache_remove() - debian/patches/CVE-2026-27855-2.patch: [PATCH 22/24] auth: Move passdb event lifecycle handling to auth_request_passdb_event_(begin|end) - debian/patches/CVE-2026-27855-3.patch: [PATCH 23/24] auth: Initialize set_credentials event properly - debian/patches/CVE-2026-27855-4.patch: [PATCH 24/24] auth: passdb- sql - Require update_query to be set when used - CVE-2026-27855 * SECURITY UPDATE: Improper Authentication - debian/patches/CVE-2026-27856-1.patch: [PATCH 16/24] doveadm: client-connection - Use timing safe credential check - debian/patches/CVE-2026-27856-2.patch: [PATCH 17/24] doveadm: Use datastack for temporary b64 value - debian/patches/CVE-2026-27856-3.patch: [PATCH 18/24] doveadm: client-connection - Get API key from per-connection settings - CVE-2026-27856 * SECURITY UPDATE: Uncontrolled Resource Consumption - debian/patches/CVE-2026-27857-1.patch: [PATCH 1/2] plugins: imap- filter-sieve: imap-filter-sieve - Adjust to imap_parser_create() API change - debian/patches/CVE-2026-27857-2.patch: [PATCH 12/24] lib-imap, global: Add params parameter to imap_parser_create() - debian/patches/CVE-2026-27857-3.patch: [PATCH 13/24] lib-imap: Add imap_parser_params.list_count_limit - debian/patches/CVE-2026-27857-4.patch: [PATCH 14/24] imap-login: Limit the number of open IMAP parser lists - debian/patches/CVE-2026-27857-5.patch: [PATCH 15/24] global: Use const for struct imap_parser_params params - CVE-2026-27857 * SECURITY UPDATE: Uncontrolled Resource Consumption - debian/patches/CVE-2026-27858.patch: [PATCH 2/2] managesieve- login: Verify AUTHENTICATE initial response size isn't too large - CVE-2026-27858 * SECURITY UPDATE: Uncontrolled Resource Consumption - debian/patches/CVE-2026-27859.patch: [PATCH 03/24] lib-mail: Limit the number of RFC2231 parameters that can be parsed - CVE-2026-27859 -- Eduardo Barretto <email address hidden> Fri, 27 Mar 2026 10:08:32 +0100

Source diff to previous version

CVE-2025-59031	Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use speciall
CVE-2025-59032	ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, makin
CVE-2026-0394	When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowe
CVE-2026-27855	Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, the
CVE-2026-27856	Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the conf
CVE-2026-27857	Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnec
CVE-2026-27858	Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can for
CVE-2026-27859	A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail message causes mail

Version: 1:2.3.16+dfsg1-3ubuntu2.4 2024-09-16 15:07:08 UTC

dovecot (1:2.3.16+dfsg1-3ubuntu2.4) jammy-security; urgency=medium * SECURITY UPDATE: Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive - debian/patches/CVE-2024-23184-1.patch: fix dllist2 test name in src/lib/test-llist.c. - debian/patches/CVE-2024-23184-2.patch: add DLLIST2_JOIN() in src/lib/llist.h, src/lib/test-llist.c. - debian/patches/CVE-2024-23184-3.patch: use test_assert_idx() where possible in src/lib-imap/test-imap-envelope.c. - debian/patches/CVE-2024-23184-4.patch: change message_address to be doubly linked list in src/lib-imap/imap-envelope.c, src/lib-mail/message-address.c, src/lib-mail/message-address.h, src/lib-mail/test-message-address.c. - debian/patches/CVE-2024-23184-5.patch: add message_address_parse_full() and struct message_address_list in src/lib-mail/message-address.c, src/lib-mail/message-address.h, src/lib-mail/test-message-address.c. - debian/patches/CVE-2024-23184-6.patch: optimize parsing large number of address headers in src/lib-imap/imap-envelope.c, src/lib-mail/message-part-data.c, src/lib-mail/message-part-data.h, src/lib-storage/index/index-search-mime.c. - CVE-2024-23184 * SECURITY UPDATE: Very large headers can cause resource exhaustion when parsing message - debian/patches/CVE-2024-23185-1.patch: limit header block to 10MB by default in src/lib-mail/message-header-parser.c, src/lib-mail/message-header-parser.h, src/lib-mail/test-message-header-parser.c. - debian/patches/CVE-2024-23185-2.patch: limit headers total count to 50MB by default in src/lib-mail/message-parser-private.h, src/lib-mail/message-parser.c, src/lib-mail/message-parser.h, src/lib-mail/test-message-parser.c. - CVE-2024-23185 * Note: This package does _not_ contain the changes from 1:2.3.16+dfsg1-3ubuntu2.3 in jammy-proposed. -- Marc Deslauriers <email address hidden> Wed, 11 Sep 2024 07:54:46 -0400

Source diff to previous version

CVE-2024-23184	Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12
CVE-2024-23185	Very large headers can cause resource exhaustion when parsing message. The message-parser normally reads reasonably sized chunks of the message. Howe

Version: 1:2.3.16+dfsg1-3ubuntu2.1 2022-07-11 15:06:48 UTC

dovecot (1:2.3.16+dfsg1-3ubuntu2.1) jammy-security; urgency=medium * SECURITY UPDATE: privilege escalation via multiple passdbs - debian/patches/CVE-2022-30550.patch: fix handling passdbs with identical driver/args but different mechanisms/username_filter in src/auth/auth-request.c, src/auth/auth.c, src/auth/auth.h, src/auth/passdb.c, src/auth/passdb.h. - CVE-2022-30550 -- Marc Deslauriers <email address hidden> Thu, 07 Jul 2022 13:13:40 -0400

CVE-2022-30550

Privilege escalation possible in dovecot when imilar master and non-master passdbs are used

About - Send Feedback to @ubuntu_updates

Package "dovecot-sqlite"

Links

Download "dovecot-sqlite"

Other versions of "dovecot-sqlite" in Jammy

Changelog

Share this page

Bookmarks

Latest updates

updates

security

PPA updates