Source: dovecot
Version: 1:2.4.3+dfsg1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for dovecot.

CVE-2026-27851[0]:
| When safe filter is used with variable expansion, all following
| pipelines on the same string are incorrectly interpreted as safe
| too, enabling unsafe data to be unescaped. This can enable SQL /
| LDAP injection attacks when used in authentication. Avoid using safe
| filter until on fixed version. No publicly available exploits are
| known.

CVE-2026-33603[1]:
| Attacker can use a specially crafted base64 exchange between Dovecot
| and Client to fake SCRAM TLS channel binding. This requires that the
| attacker is able to position itself between Dovecot and the client
| connection. If successful, the attacker can eavesdrop communications
| between Dovecot and client as MITM proxy. Install fixed version. No
| publicly available exploits are known.

CVE-2026-40016[2]:
| Attacker can upload a malicious Sieve script over ManageSieve
| service (or locally) to bypass configured CPU time limits for Sieve
| up to 130 times of the configured limit. Attacker can use this to
| degrade server performance and bypass configured CPU time limits for
| Sieve scripts. Install fixed version, or alternatively prevent
| direct access to Sieve scripts via ManageSieve or local access. No
| publicly available exploits are known.

CVE-2026-40020[3]:
| Attacker can use the IMAP SETACL command to inject the anyone
| permission to user's dovecot-acl file even if
| imap_acl_allow_anyone=no. This causes folders to be spammed to all
| users. The impact is limited to being able to spam folders to other
| users, no unexpected access is gained. Install to fixed version. No
| publicly available exploits are known.

CVE-2026-42006[4]:
| An attacker can cause uncontrolled memory usage with excessive
| bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only
| blocking one way of doing this, so there was still another way left
| open. In particular, the fix was for closing braces, but you could
| still use open braces to bypass the limit. Using excessive bracing,
| attacker can cause memory usage up to configured memory limit.
| Install fixed version, or configure vsz_limit for imap process to
| low value. No publicly available exploits are known.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27851
    https://www.cve.org/CVERecord?id=CVE-2026-27851
[1] https://security-tracker.debian.org/tracker/CVE-2026-33603
    https://www.cve.org/CVERecord?id=CVE-2026-33603
[2] https://security-tracker.debian.org/tracker/CVE-2026-40016
    https://www.cve.org/CVERecord?id=CVE-2026-40016
[3] https://security-tracker.debian.org/tracker/CVE-2026-40020
    https://www.cve.org/CVERecord?id=CVE-2026-40020
[4] https://security-tracker.debian.org/tracker/CVE-2026-42006
    https://www.cve.org/CVERecord?id=CVE-2026-42006

Regards,
Salvatore

