Package "dovecot"

Name: dovecot
Description: This package is just an umbrella for a group of other packages, it has no description. Description samples from packages in group:
- secure POP3/IMAP server - Lua authentication plugin
- secure POP3/IMAP server - Flatcurve support
- secure POP3/IMAP server - GSSAPI support
- secure POP3/IMAP server - LDAP support

Latest version: 1:2.4.2+dfsg1-3ubuntu2.1
Release: resolute (26.04)
Level: updates
Repository: universe

Changelog

dovecot (1:2.4.2+dfsg1-3ubuntu2.1) resolute-security; urgency=medium

  * SECURITY UPDATE: safe filter issue when used with variable expansion
    - debian/patches/CVE-2026-27851.patch: lib-var-expand: Reset safe state when
      transfer is unset in src/lib-var-expand/test-var-expand.c, src/lib-var-
      expand/var-expand.c.
    - CVE-2026-27851
  * SECURITY UPDATE: fake SCRAM TLS channel binding via crafted base64
    - debian/patches/CVE-2026-33603.patch: login-common: Only accept base64 in
      sasl in src/login-common/client-common-auth.c.
    - CVE-2026-33603
  * SECURITY UPDATE: CPU time limits bypass via sieve script
    - debian/patches/CVE-2026-40016.patch: lib-sieve: Enforce CPU time limit
      within :contains and :matches matcher loops in pigeonhole/src/lib-
      sieve/mcht-contains.c, pigeonhole/src/lib-sieve/mcht-matches.c,
      pigeonhole/src/lib-sieve/sieve-interpreter.c, pigeonhole/src/lib-
      sieve/sieve-interpreter.h.
    - CVE-2026-40016
  * SECURITY UPDATE: permission injection via IMAP SETACL command
    - debian/patches/CVE-2026-40020-pre1.patch: acl: Add acl_id_is_valid() in
      src/plugins/acl/acl-rights.c, src/plugins/acl/acl-rights.h.
    - debian/patches/CVE-2026-40020.patch: imap-acl: Fail if ACL identifier is
      invalid in src/plugins/imap-acl/imap-acl-plugin.c.
    - CVE-2026-40020
  * SECURITY UPDATE: memory consumption via excessive bracing over IMAP
    - debian/patches/CVE-2026-42006.patch: lib-imap: Fix
      imap_parser_params.list_count_limit to actually work in src/lib-imap/imap-
      parser.c, src/lib-imap/test-imap-parser.c.
    - CVE-2026-42006

 -- Marc Deslauriers <email address hidden> Thu, 28 May 2026 15:37:54 -0400

CVE-2026-27851: When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe
CVE-2026-33603: Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is
CVE-2026-40016: Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of
CVE-2026-40020: Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes fol
CVE-2026-42006: An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of