[ubuntu/noble-security] dovecot 1:2.3.21+dfsg1-2ubuntu6.3 (Accepted)
Eduardo Barretto
eduardo.barretto at canonical.com
Tue Mar 31 08:24:20 UTC 2026
dovecot (1:2.3.21+dfsg1-2ubuntu6.3) noble-security; urgency=medium

  * SECURITY UPDATE: Exposure of Sensitive Information to an Unauthorized
    Actor
    - debian/patches/CVE-2025-59031.patch: [PATCH 02/24] fts: Remove
      decode2text.sh
    - debian/rules: Remove decode2text.sh from it.
    - debian/dovecot-core.examples: Remove decode2text.sh from it.
    - CVE-2025-59031
  * SECURITY UPDATE: Improper Input Validation
    - debian/patches/CVE-2025-59032.patch: managesieve-login: Fix crash
      when command didn't finish on the first call
    - CVE-2025-59032
  * SECURITY UPDATE: Path traversal
    - debian/patches/CVE-2026-0394-1.patch: [PATCH] auth: db-passwd-file -
      Add db_passwd_fix_path()
    - debian/patches/CVE-2026-0394-2.patch: auth: db-passwd-file -
      Normalize path with db_passwd_fix_path()
    - CVE-2026-0394
  * SECURITY UPDATE: Authentication Bypass
    - debian/patches/CVE-2026-27855-1.patch: [PATCH 21/24] auth: cache -
      Use translated username in auth_cache_remove()
    - debian/patches/CVE-2026-27855-2.patch: [PATCH 22/24] auth: Move
      passdb event lifecycle handling to
      auth_request_passdb_event_(begin|end)
    - debian/patches/CVE-2026-27855-3.patch: [PATCH 23/24] auth:
      Initialize set_credentials event properly
    - debian/patches/CVE-2026-27855-4.patch: [PATCH 24/24] auth: passdb-
      sql - Require update_query to be set when used
    - CVE-2026-27855
  * SECURITY UPDATE: Improper Authentication
    - debian/patches/CVE-2026-27856-1.patch: [PATCH 16/24] doveadm:
      client-connection - Use timing safe credential check
    - debian/patches/CVE-2026-27856-2.patch: [PATCH 17/24] doveadm: Use
      datastack for temporary b64 value
    - debian/patches/CVE-2026-27856-3.patch: [PATCH 18/24] doveadm:
      client-connection - Get API key from per-connection settings
    - CVE-2026-27856
  * SECURITY UPDATE: Uncontrolled Resource Consumption
    - debian/patches/CVE-2026-27857-1.patch: [PATCH 1/2] plugins: imap-
      filter-sieve: imap-filter-sieve - Adjust to imap_parser_create() API
      change
    - debian/patches/CVE-2026-27857-2.patch: [PATCH 12/24] lib-imap,
      global: Add params parameter to imap_parser_create()
    - debian/patches/CVE-2026-27857-3.patch: [PATCH 13/24] lib-imap: Add
      imap_parser_params.list_count_limit
    - debian/patches/CVE-2026-27857-4.patch: [PATCH 14/24] imap-login:
      Limit the number of open IMAP parser lists
    - debian/patches/CVE-2026-27857-5.patch: [PATCH 15/24] global: Use
      const for struct imap_parser_params params
    - CVE-2026-27857
  * SECURITY UPDATE: Uncontrolled Resource Consumption
    - debian/patches/CVE-2026-27858.patch: [PATCH 2/2] managesieve-
      login: Verify AUTHENTICATE initial response size isn't too large
    - CVE-2026-27858
  * SECURITY UPDATE: Uncontrolled Resource Consumption
    - debian/patches/CVE-2026-27859.patch: [PATCH 03/24] lib-mail: Limit
      the number of RFC2231 parameters that can be parsed
    - CVE-2026-27859

dovecot (1:2.3.21+dfsg1-2ubuntu6.2) noble; urgency=medium

  * Fix OAuth2 JWT validation when "aud" claim in an array (LP: #2142200)

dovecot (1:2.3.21+dfsg1-2ubuntu6.1) noble; urgency=medium

  * Update PBKDF2 salt length to be FIPS 140-3 compliant (LP: #2107773).

Date: 2026-03-27 17:04:26.274530+00:00
Changed-By: Eduardo Barretto <eduardo.barretto at canonical.com>
https://launchpad.net/ubuntu/+source/dovecot/1:2.3.21+dfsg1-2ubuntu6.3