Hi Noah,

[Adding security team alias as otherwise the team does not get the reply]

On Thu, May 14, 2026 at 03:08:10PM -0400, Noah Meyerhans wrote:
> Control: tags -1 + patch
>
> On Wed, May 13, 2026 at 10:37:16PM +0200, Salvatore Bonaccorso wrote:
> >
> > CVE-2026-27851[0]:
> *snip*
> > CVE-2026-33603[1]:
> *snip*
> > CVE-2026-40016[2]:
> *snip*
> > CVE-2026-40020[3]:
> *snip*
> > CVE-2026-42006[4]:
>
> Upstream has fixed these issues with 2.4.4, which I am preparing for
> upload now. Changes at
> https://salsa.debian.org/noahm/dovecot/-/commits/master
>
> These issues also impact trixie and most likely bookworm in at least
> some cases.
>
> I have a targeted fix for trixie staged at
> https://salsa.debian.org/noahm/dovecot/-/commits/trixie-security-wip.
> I'd love some additional eyes on it.
>
> Does the security team want to release this with a DSA, or wait for a
> point release? We've just missed 13.5, so the next point release is ~3
> months away.

TBH, not sure yet; I would say to work top-down first fixing things in
unstable and get those exposed and migrating to testing. Then decide
on either DSA or point release update.

But you are correct that the next 13.6 trixie point release will be on
11th July.

Regards,
Salvatore

