[Git][security-tracker-team/security-tracker][master] more dovecot references
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sun Apr 5 14:46:11 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
cddc57ee by Moritz Muehlenhoff at 2026-04-05T15:45:26+02:00
more dovecot references
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -4031,14 +4031,35 @@ CVE-2026-27859 (A mail message containing excessive amount of RFC 2231 MIME para
- dovecot 1:2.4.3+dfsg1-1
NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-27859-v3-0-2-regression-message-headers-mime-parameter-parsing-can-cause-excessive-cpu-usage
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/6dcf39ca18993f3e84b93b5ea13048bded00f981 (2.4.3)
CVE-2026-24031 (Dovecot SQL based authentication can be bypassed when auth_username_ch ...)
- dovecot 1:2.4.3+dfsg1-1
+ [bookworm] - dovecot <not-affected> (Specific to 2.4.x)
+ [bullseye] - dovecot <not-affected> (Specific to 2.4.x)
NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-24031-v2-4-v3-1-regression-sql-injection-allows-bypassing-authentication
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/e2d8ef1ee04662e391e06ae76da1e7216c3a1fd3 (2.4.3)
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/6a8f2daf15727a36488252efc184dacaa7652cd2 (2.4.3)
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/34fbd3956db7f0ab1aefccb7750b4ec984681fa8 (2.4.3)
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/0e1f5abbbb27d7f8a485cd1c6a5673be995025a4 (2.4.3)
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/74a6f1612e7732026e69e8d8489291842df68589 (2.4.3)
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/25c34e50848155786d9a00eef6c310502f94e70f (2.4.3)
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/4049b0a8d5b6ca5c2cbcaadb9b5e81c3cce25044 (2.4.3)
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/4049b0a8d5b6ca5c2cbcaadb9b5e81c3cce25044 (2.4.3)
CVE-2026-27860 (If auth_username_chars is empty, it is possible to inject arbitrary LD ...)
- dovecot 1:2.4.3+dfsg1-1
+ [bookworm] - dovecot <not-affected> (Specific to 2.4.x)
+ [bullseye] - dovecot <not-affected> (Specific to 2.4.x)
NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-27860-v2-4-v3-1-regression-auth-ldap-is-not-escaping-usernames
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/e2d8ef1ee04662e391e06ae76da1e7216c3a1fd3 (2.4.3)
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/6a8f2daf15727a36488252efc184dacaa7652cd2 (2.4.3)
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/34fbd3956db7f0ab1aefccb7750b4ec984681fa8 (2.4.3)
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/0e1f5abbbb27d7f8a485cd1c6a5673be995025a4 (2.4.3)
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/74a6f1612e7732026e69e8d8489291842df68589 (2.4.3)
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/25c34e50848155786d9a00eef6c310502f94e70f (2.4.3)
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/4049b0a8d5b6ca5c2cbcaadb9b5e81c3cce25044 (2.4.3)
+ NOTE: Fixed by: https://github.com/dovecot/core/commit/4049b0a8d5b6ca5c2cbcaadb9b5e81c3cce25044 (2.4.3)
CVE-2026-0394 (When dovecot has been configured to use per-domain passwd files, and t ...)
- dovecot 1:2.4.1+dfsg1-1
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-0394-auth-path-traversal-in-passwd-file-passdb-using-d-domain-escapes-base-directory-and-opens-etc-passwdpre-auth-path-traversal-in-passwd-file-passdb-using-d-domain-escapes-base-directory-and-opens-etc-passwd
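Review bot: The last two added "Fixed by" lines under CVE-2026-24031 are identical, both citing commit 4049b0a8d5b6ca5c2cbcaadb9b5e81c3cce25044, and the same repeat appears under CVE-2026-27860. If this is a paste slip, drop the second line in each entry; if a different eighth commit was meant, replace the repeat with it. The SQL and LDAP entries also carry the same list of commits, so it is worth confirming that every listed commit applies to both issues rather than some being specific to one backend.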
=====================================
data/dsa-needed.txt
=====================================
@@ -100,7 +100,7 @@ tor (jmm)
--
trafficserver/oldstable (jmm)
--
-valkey
+valkey (jmm)
NMU proposed for review by Peter Wienemann, but should ideally get some commit from maintainers and
fix in unstable.
--
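Review bot: The change from "valkey" to "valkey (jmm)" in data/dsa-needed.txt is not covered by the commit subject "more dovecot references". Either mention the valkey claim in the commit message or split it into its own commit, so the assignment can be found when searching the history of dsa-needed.txt.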
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cddc57ee3b9393f1f01e4e8829ed6e427bb5c2db