Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker
Commits:
48da335d by Guilhem Moulin at 2026-06-05T13:50:26+02:00
CVE-2020-28200/dovecot: Mark as ignored/too disruptive for bullseye
Required API for limiting CPU usage was added in dovecot 2.3.15;
the fix requires extensive changes to both pigeonhole and dovecot.
- - - - -
63da12e8 by Guilhem Moulin at 2026-06-05T13:50:38+02:00
CVE-2026-40016/dovecot: Triage for bullseye
The issue is a bypass of the fix for CVE-2020-28200 from 2.3.15.
Doesn't make sense to fix it unless the earlier CVE is also fixed, and
both need extensive changes on both dovecot and pigeonhole (API for
limiting CPU usage was added in dovecot 2.3.15.)
- - - - -
2ee164e0 by Guilhem Moulin at 2026-06-05T14:14:38+02:00
Reserve DLA-4617-1 for dovecot
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -14922,6 +14922,7 @@ CVE-2026-40020 (Attacker can use the IMAP SETACL
command to inject the anyone pe
CVE-2026-40016 (Attacker can upload a malicious Sieve script over ManageSieve
service ...)
{DSA-6313-1}
- dovecot 1:2.4.4+dfsg1-1 (bug #1136444)
+ [bullseye] - dovecot <ignored> (Minor issue, backport is too disruptive)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/12/6
NOTE: Fixed by:
https://github.com/dovecot/pigeonhole/commit/5b0ed9d1034c023d3daf218b6b8656f0cdd383dc
(2.4.4)
CVE-2026-3604 (The WP SEO Structured Data Schema plugin for WordPress is
vulnerable t ...)
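Review bot: the new `[bullseye] - dovecot <ignored>` line carries only the generic "backport is too disruptive" justification, while the real reason given in the commit message (this is a bypass of the CVE-2020-28200 fix and cannot sensibly be fixed without it) is not recorded in the entry. Consider adding a NOTE line such as `NOTE: Bypass of the fix for CVE-2020-28200; ignored for bullseye for the same reason` so a later triager does not re-evaluate the two CVEs independently.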
@@ -534662,7 +534663,7 @@ CVE-2020-28201
RESERVED
CVE-2020-28200 (The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled
Resource ...)
- dovecot 1:2.3.16+dfsg1-1 (bug #990566; bug #991323)
- [bullseye] - dovecot <postponed> (Minor issue, fix along with next
update)
+ [bullseye] - dovecot <ignored> (Minor issue, backport is too disruptive)
[buster] - dovecot <ignored> (Minor issue, backport is too disruptive)
[stretch] - dovecot <no-dsa> (Minor issue)
NOTE: https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
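Review bot: moving bullseye from `<postponed>` to `<ignored>` drops the expectation of a later fix, but the entry does not say why the backport is too disruptive; the commit message names the dependency on the CPU-usage limiting API that only exists from dovecot 2.3.15. A NOTE line recording that dependency (e.g. `NOTE: Fix depends on CPU-limiting API introduced in 2.3.15, too invasive for 2.3.13`) would make the ignored status self-explanatory, and it is a useful check for buster, where the same justification was already used.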
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[05 Jun 2026] DLA-4617-1 dovecot - security update
+ {CVE-2026-33603 CVE-2026-40020 CVE-2026-42006}
+ [bullseye] - dovecot 1:2.3.13+dfsg1-2+deb11u4
[05 Jun 2026] DLA-4616-1 haveged - security update
{CVE-2026-41054}
[bullseye] - haveged 1.9.14-1+deb11u1
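Review bot: DLA-4617-1 is reserved for CVE-2026-33603, CVE-2026-40020 and CVE-2026-42006 with fixed version `1:2.3.13+dfsg1-2+deb11u4`, but this diff only touches the CVE/list entries for CVE-2026-40016 and CVE-2020-28200; before publishing, check that the bullseye lines for the three listed CVEs in data/CVE/list carry the matching `{DLA-4617-1}` reference and fixed version, otherwise the tracker will keep showing them as open for bullseye. Omitting CVE-2026-40016 from the DLA is consistent with marking it ignored in the same push.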
=====================================
data/dla-needed.txt
=====================================
@@ -107,9 +107,6 @@ docker-registry/bullseye
docker.io/bullseye
NOTE: 20250805: Added by Front-Desk (rouca)
--
-dovecot/bullseye (guilhem)
- NOTE: 20260517: Added by Front-Desk (pochu)
---
dpkg/bullseye
NOTE: 20260522: Added by Front-Desk (Beuc)
NOTE: 20260522: See CVE and non-CVE security fixes from OSPU
https://bugs.debian.org/1132553 (Beuc/front-desk)
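Review bot: removing the `dovecot/bullseye (guilhem)` claim from dla-needed.txt is the expected final step, but in this push the DLA is only reserved in data/DLA/list, not yet announced; if the announcement is delayed, dovecot silently drops off the needed list with nobody assigned. Keeping the entry (or a NOTE pointing at DLA-4617-1) until the DLA is actually sent avoids that gap.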
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/79319cb60e0a53eed4edf907eca9c7d07aaa7c25...2ee164e0cd03204b25cbf5b8d4d11c449916ff4c
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits