[Git][security-tracker-team/security-tracker][master] dovecot DSA
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sun Apr 5 16:15:35 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a334c28f by Moritz Mühlenhoff at 2026-04-05T17:15:03+02:00
dovecot DSA
- - - - -
3 changed files:
- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -4042,6 +4042,7 @@ CVE-2026-27859 (A mail message containing excessive amount of RFC 2231 MIME para
NOTE: Fixed by: https://github.com/dovecot/core/commit/6dcf39ca18993f3e84b93b5ea13048bded00f981 (2.4.3)
CVE-2026-24031 (Dovecot SQL based authentication can be bypassed when auth_username_ch ...)
- dovecot 1:2.4.3+dfsg1-1
+ [trixie] - dovecot 1:2.4.1+dfsg1-6+deb13u4
[bookworm] - dovecot <not-affected> (Specific to 2.4.x)
[bullseye] - dovecot <not-affected> (Specific to 2.4.x)
NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
@@ -4056,6 +4057,7 @@ CVE-2026-24031 (Dovecot SQL based authentication can be bypassed when auth_usern
NOTE: Fixed by: https://github.com/dovecot/core/commit/4049b0a8d5b6ca5c2cbcaadb9b5e81c3cce25044 (2.4.3)
CVE-2026-27860 (If auth_username_chars is empty, it is possible to inject arbitrary LD ...)
- dovecot 1:2.4.3+dfsg1-1
+ [trixie] - dovecot 1:2.4.1+dfsg1-6+deb13u4
[bookworm] - dovecot <not-affected> (Specific to 2.4.x)
[bullseye] - dovecot <not-affected> (Specific to 2.4.x)
NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
@@ -4070,6 +4072,7 @@ CVE-2026-27860 (If auth_username_chars is empty, it is possible to inject arbitr
NOTE: Fixed by: https://github.com/dovecot/core/commit/4049b0a8d5b6ca5c2cbcaadb9b5e81c3cce25044 (2.4.3)
CVE-2026-0394 (When dovecot has been configured to use per-domain passwd files, and t ...)
- dovecot 1:2.4.1+dfsg1-1
+ [bookworm] - dovecot 1:2.3.19.1+dfsg1-2.1+deb12u2
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-0394-auth-path-traversal-in-passwd-file-passdb-using-d-domain-escapes-base-directory-and-opens-etc-passwdpre-auth-path-traversal-in-passwd-file-passdb-using-d-domain-escapes-base-directory-and-opens-etc-passwd
NOTE: Fixed by: https://github.com/dovecot/core/commit/7fb773cffa3d78b587c406ebfeaa5a1e911a1835 (2.4.1)
NOTE: Fixed by: https://github.com/dovecot/core/commit/c4fbf9a46ebabb7a580087033ee1b841e52d905e (2.4.1) (pre requisite)
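Review bot: The CVE-2026-0394 entry gains an explicit `[bookworm]` fixed version here but still carries no `[bullseye]` line, unlike the neighbouring entries in this file, which state `[bullseye] - dovecot <not-affected>` with a reason. Since the fix had to be backported to the 2.3.19.1 series for bookworm, the "Specific to 2.4.x" reasoning used elsewhere does not apply to this CVE, so the bullseye status should be recorded explicitly (affected, not-affected with a reason, or postponed) rather than left to fall through to the unstable fixed version.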
@@ -4086,6 +4089,7 @@ CVE-2025-59032 (ManageSieve AUTHENTICATE command crashes when using literal as S
NOTE: Fixed by: https://github.com/dovecot/pigeonhole/commit/efb68fac3a9d2d04d38c4ab14dd570cf0c23923c (2.4.3)
CVE-2025-59028 (When sending invalid base64 SASL data, login process is disconnected f ...)
- dovecot 1:2.4.3+dfsg1-1
+ [trixie] - dovecot 1:2.4.1+dfsg1-6+deb13u4
[bookworm] - dovecot <not-affected> (Vulnerable code introduced later)
[bullseye] - dovecot <not-affected> (Vulnerable code introduced later)
NOTE: https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
=====================================
data/DSA/list
=====================================
@@ -1,3 +1,7 @@
+[05 Apr 2026] DSA-6197-1 dovecot - security update
+ {CVE-2025-59031 CVE-2025-59032 CVE-2026-27855 CVE-2026-27856 CVE-2026-27857 CVE-2026-27858 CVE-2026-27859}
+ [bookworm] - dovecot 1:2.3.19.1+dfsg1-2.1+deb12u2
+ [trixie] - dovecot 1:2.4.1+dfsg1-6+deb13u4
[04 Apr 2026] DSA-6196-1 roundcube - security update
{CVE-2026-35537 CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35543 CVE-2026-35544 CVE-2026-35545}
[bookworm] - roundcube 1.6.5+dfsg-1+deb12u8
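Review bot: The CVE set in braces on the DSA-6197-1 entry does not include CVE-2026-24031, CVE-2026-27860, CVE-2026-0394 or CVE-2025-59028, yet the data/CVE/list hunks in this same commit mark those four as fixed in exactly the versions listed here (`1:2.4.1+dfsg1-6+deb13u4` for trixie, `1:2.3.19.1+dfsg1-2.1+deb12u2` for bookworm). If the published advisory text omitted them, the manual per-release lines are what records the fix and a short NOTE on each CVE saying it was fixed by the DSA-6197-1 upload would make that traceable. If they were simply missed, they belong in the brace list instead of being tracked through hand-written release lines.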
=====================================
data/dsa-needed.txt
=====================================
@@ -21,9 +21,6 @@ ceph
cpp-httplib (jmm)
Maintainer preparing updates, waiting for feedback on bookworm status
--
-dovecot (jmm)
- Noah Meyerhans working on updates
---
frr
--
gdk-pixbuf (carnil)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a334c28f2224e977dd539e649cdd9ad488c11474