Package "dovecot-auth-lua"
| Name: |
dovecot-auth-lua
|
Description: |
secure POP3/IMAP server - Lua authentication plugin
|
| Latest version: |
1:2.3.21+dfsg1-2ubuntu6.5 |
| Release: |
noble (24.04) |
| Level: |
updates |
| Repository: |
universe |
| Head package: |
dovecot |
| Homepage: |
https://dovecot.org/ |
Links
Download "dovecot-auth-lua"
Other versions of "dovecot-auth-lua" in Noble
Changelog
|
dovecot (1:2.3.21+dfsg1-2ubuntu6.5) noble-security; urgency=medium
* SECURITY UPDATE: fake SCRAM TLS channel binding via crafted base64
- debian/patches/CVE-2026-33603.patch: login-common: Only accept base64 in
sasl in src/login-common/client-common-auth.c.
- CVE-2026-33603
* SECURITY UPDATE: CPU time limits bypass via sieve script
- debian/patches/CVE-2026-40016.patch: lib-sieve: Enforce CPU time limit
within :contains and :matches matcher loops in pigeonhole/src/lib-
sieve/mcht-contains.c, pigeonhole/src/lib-sieve/mcht-matches.c,
pigeonhole/src/lib-sieve/sieve-interpreter.c, pigeonhole/src/lib-
sieve/sieve-interpreter.h.
- CVE-2026-40016
* SECURITY UPDATE: permission injection via IMAP SETACL command
- debian/patches/CVE-2026-40020-pre1.patch: acl: Add acl_id_is_valid() in
src/plugins/acl/acl-api.c, src/plugins/acl/acl-api.h.
- debian/patches/CVE-2026-40020.patch: imap-acl: Fail if ACL identifier is
invalid in src/plugins/imap-acl/imap-acl-plugin.c.
- CVE-2026-40020
* SECURITY UPDATE: memory consumption via excessive bracing over IMAP
- debian/patches/CVE-2026-42006.patch: lib-imap: Fix
imap_parser_params.list_count_limit to actually work in src/lib-imap/imap-
parser.c, src/lib-imap/test-imap-parser.c.
- CVE-2026-42006
-- Marc Deslauriers <email address hidden> Thu, 28 May 2026 17:23:32 -0400
|
| Source diff to previous version |
| CVE-2026-33603 |
Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is |
| CVE-2026-40016 |
Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of |
| CVE-2026-40020 |
Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes fol |
| CVE-2026-42006 |
An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of |
|
|
dovecot (1:2.3.21+dfsg1-2ubuntu6.4) noble-security; urgency=medium
* SECURITY REGRESSION: passdb path normalization broken (LP: #2150116)
- debian/patches/CVE-2026-0394-1.patch: updated to fix strchr call.
- CVE-2026-0394
-- Eduardo Barretto <email address hidden> Thu, 23 Apr 2026 16:58:09 +0200
|
| Source diff to previous version |
| 2150116 |
dovecot-core: passdb path normalization broken |
| CVE-2026-0394 |
When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowe |
|
|
dovecot (1:2.3.21+dfsg1-2ubuntu6.3) noble-security; urgency=medium
* SECURITY UPDATE: Exposure of Sensitive Information to an Unauthorized
Actor
- debian/patches/CVE-2025-59031.patch: [PATCH 02/24] fts: Remove
decode2text.sh
- debian/rules: Remove decode2text.sh from it.
- debian/dovecot-core.examples: Remove decode2text.sh from it.
- CVE-2025-59031
* SECURITY UPDATE: Improper Input Validation
- debian/patches/CVE-2025-59032.patch: managesieve-login: Fix crash
when command didn't finish on the first call
- CVE-2025-59032
* SECURITY UPDATE: Path traversal
- debian/patches/CVE-2026-0394-1.patch: [PATCH] auth: db-passwd-file -
Add db_passwd_fix_path()
- debian/patches/CVE-2026-0394-2.patch: auth: db-passwd-file -
Normalize path with db_passwd_fix_path()
- CVE-2026-0394
* SECURITY UPDATE: Authentication Bypass
- debian/patches/CVE-2026-27855-1.patch: [PATCH 21/24] auth: cache -
Use translated username in auth_cache_remove()
- debian/patches/CVE-2026-27855-2.patch: [PATCH 22/24] auth: Move
passdb event lifecycle handling to
auth_request_passdb_event_(begin|end)
- debian/patches/CVE-2026-27855-3.patch: [PATCH 23/24] auth:
Initialize set_credentials event properly
- debian/patches/CVE-2026-27855-4.patch: [PATCH 24/24] auth: passdb-
sql - Require update_query to be set when used
- CVE-2026-27855
* SECURITY UPDATE: Improper Authentication
- debian/patches/CVE-2026-27856-1.patch: [PATCH 16/24] doveadm:
client-connection - Use timing safe credential check
- debian/patches/CVE-2026-27856-2.patch: [PATCH 17/24] doveadm: Use
datastack for temporary b64 value
- debian/patches/CVE-2026-27856-3.patch: [PATCH 18/24] doveadm:
client-connection - Get API key from per-connection settings
- CVE-2026-27856
* SECURITY UPDATE: Uncontrolled Resource Consumption
- debian/patches/CVE-2026-27857-1.patch: [PATCH 1/2] plugins: imap-
filter-sieve: imap-filter-sieve - Adjust to imap_parser_create() API
change
- debian/patches/CVE-2026-27857-2.patch: [PATCH 12/24] lib-imap,
global: Add params parameter to imap_parser_create()
- debian/patches/CVE-2026-27857-3.patch: [PATCH 13/24] lib-imap: Add
imap_parser_params.list_count_limit
- debian/patches/CVE-2026-27857-4.patch: [PATCH 14/24] imap-login:
Limit the number of open IMAP parser lists
- debian/patches/CVE-2026-27857-5.patch: [PATCH 15/24] global: Use
const for struct imap_parser_params params
- CVE-2026-27857
* SECURITY UPDATE: Uncontrolled Resource Consumption
- debian/patches/CVE-2026-27858.patch: [PATCH 2/2] managesieve-
login: Verify AUTHENTICATE initial response size isn't too large
- CVE-2026-27858
* SECURITY UPDATE: Uncontrolled Resource Consumption
- debian/patches/CVE-2026-27859.patch: [PATCH 03/24] lib-mail: Limit
the number of RFC2231 parameters that can be parsed
- CVE-2026-27859
-- Eduardo Barretto <email address hidden> Thu, 26 Mar 2026 16:17:02 +0100
|
| Source diff to previous version |
| CVE-2025-59031 |
Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use speciall |
| CVE-2025-59032 |
ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, makin |
| CVE-2026-0394 |
When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowe |
| CVE-2026-27855 |
Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, the |
| CVE-2026-27856 |
Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the conf |
| CVE-2026-27857 |
Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnec |
| CVE-2026-27858 |
Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory.
Attacker can for |
| CVE-2026-27859 |
A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail message causes mail |
|
|
dovecot (1:2.3.21+dfsg1-2ubuntu6.2) noble; urgency=medium
* Fix OAuth2 JWT validation when "aud" claim in an array (LP: #2142200)
-- Guilherme Puida Moreira <email address hidden> Wed, 25 Feb 2026 15:44:17 -0300
|
| Source diff to previous version |
| 2142200 |
dovecot-core: OAuth2 JWT validation fails with client_id set but aud is missing when aud claim is an array |
|
|
dovecot (1:2.3.21+dfsg1-2ubuntu6.1) noble; urgency=medium
* Update PBKDF2 salt length to be FIPS 140-3 compliant (LP: #2107773).
-- Eric Berry <email address hidden> Fri, 03 Oct 2025 15:37:20 -0700
|
About
-
Send Feedback to @ubuntu_updates
