Control: tags -1 + patch

On Mon, Apr 06, 2026 at 02:42:38PM +0200, Kim Alvefur wrote:
> Since recently, when trying to use `sieve-connect` authentication fails
> with "Error in MANAGESIEVE command received by server." each time, with
> or without correct credentials.

This should be fixed with the attached debdiff. Security team, with your approval I'd like to upload this to security-master in support of a followup to bookworm's DSA 6197. Trixie is not impacted. Apologies for the inconvenience.

noah

diff -Nru dovecot-2.3.19.1+dfsg1/debian/changelog dovecot-2.3.19.1+dfsg1/debian/changelog --- dovecot-2.3.19.1+dfsg1/debian/changelog 2026-04-03 13:58:21.000000000 -0400 +++ dovecot-2.3.19.1+dfsg1/debian/changelog 2026-04-06 11:23:26.000000000 -0400 @@ -1,3 +1,11 @@ +dovecot (1:2.3.19.1+dfsg1-2.1+deb12u3) bookworm-security; urgency=medium + + * [4c6afb0] autopkgtests: Add managesieved authentication test + * [edc0243] Fix CVE-2025-59032 regression impacting managesieved auth + (Closes: #1132861) + + -- Noah Meyerhans <[email protected]> Mon, 06 Apr 2026 11:23:26 -0400 + dovecot (1:2.3.19.1+dfsg1-2.1+deb12u2) bookworm-security; urgency=medium * [34fb460] import upstream fixes for several CVEs diff -Nru dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2025-59032.patch dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2025-59032.patch --- dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2025-59032.patch 2026-04-03 13:58:21.000000000 -0400 +++ dovecot-2.3.19.1+dfsg1/debian/patches/CVE-2025-59032.patch 2026-04-06 11:09:21.000000000 -0400 
@@ -8,26 +8,21 @@ src/managesieve-login/client.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) -Index: dovecot/pigeonhole/src/managesieve-login/client.c -=================================================================== ---- dovecot.orig/pigeonhole/src/managesieve-login/client.c -+++ dovecot/pigeonhole/src/managesieve-login/client.c -@@ -330,10 +330,14 @@ static bool managesieve_client_input_nex +--- dovecot-2.3.21+dfsg1.orig/pigeonhole/src/managesieve-login/client.c ++++ dovecot-2.3.21+dfsg1/pigeonhole/src/managesieve-login/client.c +@@ -330,10 +330,12 @@ static bool managesieve_client_input_nex if (args[0].type != MANAGESIEVE_ARG_EOL) ret = -1; } - } - if (ret > 0) { -- i_assert(client->cmd != NULL); -- ret = client->cmd->func(client, args); -+ if (ret > 0) { -+ i_assert(client->cmd != NULL); ++ if (ret > 0) + ret = client->cmd->func(client, args); -+ } else { -+ /* Continue unfinished command */ -+ i_assert(client->cmd != NULL); -+ ret = client->cmd->func(client, NULL); -+ } ++ } else { ++ /* Continue unfinished command */ + i_assert(client->cmd != NULL); +- ret = client->cmd->func(client, args); ++ ret = client->cmd->func(client, NULL); } if (ret != 0) diff -Nru dovecot-2.3.19.1+dfsg1/debian/tests/control dovecot-2.3.19.1+dfsg1/debian/tests/control --- dovecot-2.3.19.1+dfsg1/debian/tests/control 2026-04-03 13:58:21.000000000 -0400 +++ dovecot-2.3.19.1+dfsg1/debian/tests/control 2026-04-06 11:01:29.000000000 -0400 
@@ -6,7 +6,7 @@ Depends: dovecot-core, systemd-sysv Test-Command: run-parts --report --exit-on-error debian/tests/usage -Depends: dovecot-imapd, dovecot-pop3d, python3 +Depends: dovecot-imapd, dovecot-pop3d, dovecot-managesieved, sieve-connect, python3 Restrictions: needs-root, breaks-testbed, allow-stderr Tests: testmails diff -Nru dovecot-2.3.19.1+dfsg1/debian/tests/usage/sieve dovecot-2.3.19.1+dfsg1/debian/tests/usage/sieve --- dovecot-2.3.19.1+dfsg1/debian/tests/usage/sieve 1969-12-31 19:00:00.000000000 -0500 +++ dovecot-2.3.19.1+dfsg1/debian/tests/usage/sieve 2026-04-06 10:52:26.000000000 -0400 @@ -0,0 +1,8 @@ +#!/usr/bin/bash +# Validate managesieved authentication + +user=dep8 +pass=test + +sieve-connect --notlsverify --debug -s localhost \ + -p 4190 -u "$user" --list --passwordfd 3 3< <(echo "$pass")
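Review bot: In the revised debian/patches/CVE-2025-59032.patch hunk (client.c, @@ -330,10 +330,12), the new `if (ret > 0)` branch calls `client->cmd->func(client, args)` without the `i_assert(client->cmd != NULL)` that the previous revision of the patch had on that path; the assert now covers only the `else` branch that continues an unfinished command. Unless the enclosing block already guarantees a non-NULL `client->cmd` whenever `ret > 0`, keep the assert in both branches. The replacement patch's file headers also name dovecot-2.3.21+dfsg1 while this package is 2.3.19.1+dfsg1, so the patch header should record where this revision came from, and it is worth confirming that it applies to the bookworm source without fuzz.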
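Review bot: The new debian/tests/usage/sieve script only exercises a login with the correct password, and its result is whatever `sieve-connect` exits with as the last command. The report says authentication failed "with or without correct credentials", so add a second `sieve-connect` call with a wrong password that is expected to fail, and put `set -eu` near the top so that a command added later cannot mask a failure. The script also assumes that the `dep8` account with password `test` already exists; nothing in this file creates it, so the test depends on setup done elsewhere, and a comment saying where would help.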

