Control: tags -1 + patch On Wed, May 13, 2026 at 10:37:16PM +0200, Salvatore Bonaccorso wrote: > > CVE-2026-27851[0]: *snip* > CVE-2026-33603[1]: *snip* > CVE-2026-40016[2]: *snip* > CVE-2026-40020[3]: *snip* > CVE-2026-42006[4]:
Upstream has fixed these issues with 2.4.4, which I am preparing for upload now. Changes at https://salsa.debian.org/noahm/dovecot/-/commits/master These issues also impact trixie and most likely bookworm in at least some cases. I have a targeted fix for trixie staged at https://salsa.debian.org/noahm/dovecot/-/commits/trixie-security-wip. I'd love some additional eyes on it. Does the security team want to release this with a DSA, or wait for a point release? We've just missed 13.5, so the next point release is ~3 months away. noah
