[Git][security-tracker-team/security-tracker][master] Track fixes for dovecot via unstable

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sat Apr 4 11:28:02 BST 2026 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b864b0ad by Salvatore Bonaccorso at 2026-04-04T12:27:36+02:00
Track fixes for dovecot via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3820,33 +3820,33 @@ CVE-2026-4948 (A flaw was found in firewalld. A local unprivileged user can expl
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2452086
 	TODO: check, needs checking if desktop policy authorization influencing setZoneSettings2 and setPolicySettings is RedHat specific
 CVE-2026-27855 (Dovecot OTP authentication is vulnerable to replay attack under specif ...)
-	- dovecot <unfixed>
+	- dovecot 1:2.4.3+dfsg1-1
 	NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
 	NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-27855-auth-otp-driver-vulnerable-to-replay-attack
 	NOTE: Fixed by: https://github.com/dovecot/core/commit/912470570dee2b4c43bb837ff333196a6c76c9a7 (2.4.3)
 CVE-2026-27856 (Doveadm credentials are verified using direct comparison which is susc ...)
-	- dovecot <unfixed>
+	- dovecot 1:2.4.3+dfsg1-1
 	NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
 	NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-27856-doveadm-credentials-verified-without-timing-safety
 	NOTE: Fixed by: https://github.com/dovecot/core/commit/1864d4890499bc2b29fa1b62fe04073dd2bf0c57 (2.4.3)
 CVE-2026-27858 (Attacker can send a specifically crafted message before authentication ...)
-	- dovecot <unfixed>
+	- dovecot 1:2.4.3+dfsg1-1
 	NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
 	NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-27858-managesieve-login-out-of-memory-dos
 CVE-2026-27857 (Sending "NOOP (((...)))" command with 4000 parenthesis open+close resu ...)
-	- dovecot <unfixed>
+	- dovecot 1:2.4.3+dfsg1-1
 	NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
 	NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-27857-imap-login-excessive-memory-usage-dos
 CVE-2026-27859 (A mail message containing excessive amount of RFC 2231 MIME parameters ...)
-	- dovecot <unfixed>
+	- dovecot 1:2.4.3+dfsg1-1
 	NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
 	NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-27859-v3-0-2-regression-message-headers-mime-parameter-parsing-can-cause-excessive-cpu-usage
 CVE-2026-24031 (Dovecot SQL based authentication can be bypassed when auth_username_ch ...)
-	- dovecot <unfixed>
+	- dovecot 1:2.4.3+dfsg1-1
 	NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
 	NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-24031-v2-4-v3-1-regression-sql-injection-allows-bypassing-authentication
 CVE-2026-27860 (If auth_username_chars is empty, it is possible to inject arbitrary LD ...)
-	- dovecot <unfixed>
+	- dovecot 1:2.4.3+dfsg1-1
 	NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
 	NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-27860-v2-4-v3-1-regression-auth-ldap-is-not-escaping-usernames
 CVE-2026-0394 (When dovecot has been configured to use per-domain passwd files, and t ...)
@@ -3855,18 +3855,18 @@ CVE-2026-0394 (When dovecot has been configured to use per-domain passwd files,
 	NOTE: Fixed by: https://github.com/dovecot/core/commit/7fb773cffa3d78b587c406ebfeaa5a1e911a1835 (2.4.1)
 	NOTE: Fixed by: https://github.com/dovecot/core/commit/c4fbf9a46ebabb7a580087033ee1b841e52d905e (2.4.1) (pre requisite)
 CVE-2025-59031 (Dovecot has provided a script to use for attachment to text conversion ...)
-	- dovecot <unfixed> (unimportant)
+	- dovecot 1:2.4.3+dfsg1-1 (unimportant)
 	NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
 	NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2025-59031-decode2text-sh-ooxml-extraction-may-follow-symlinks-and-read-unintended-files-during-indexing
 	NOTE: decode2text.sh only installed in dovecot-core/examples
 	NOTE: https://github.com/dovecot/core/commit/36a95e7fa6b913db6c03a15862628b06be66eb3e (2.4.3)
 CVE-2025-59032 (ManageSieve AUTHENTICATE command crashes when using literal as SASL in ...)
-	- dovecot <unfixed>
+	- dovecot 1:2.4.3+dfsg1-1
 	NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
 	NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2025-59032-v2-4-v3-1-regression-pigeonhole-managesieve-panic-occurs-with-sieve-connect-as-a-client
 	NOTE: Fixed by: https://github.com/dovecot/pigeonhole/commit/efb68fac3a9d2d04d38c4ab14dd570cf0c23923c (2.4.3)
 CVE-2025-59028 (When sending invalid base64 SASL data, login process is disconnected f ...)
-	- dovecot <unfixed>
+	- dovecot 1:2.4.3+dfsg1-1
 	[bookworm] - dovecot <not-affected> (Vulnerable code introduced later)
 	[bullseye] - dovecot <not-affected> (Vulnerable code introduced later)
 	NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b864b0ad1e22274e864df1b7ed4e345ef5cb0b63

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b864b0ad1e22274e864df1b7ed4e345ef5cb0b63
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260404/244eb172/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list