dovecot - Debian Package Tracker

general

source: dovecot (main)
version: 1:2.4.4+dfsg1-1
maintainer: Dovecot Maintainers (DMD)
uploaders: Noah Meyerhans [DMD]
arch: any
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:2.3.13+dfsg1-2+deb11u1
o-o-sec: 1:2.3.13+dfsg1-2+deb11u3
oldstable: 1:2.3.19.1+dfsg1-2.1+deb12u5
old-sec: 1:2.3.19.1+dfsg1-2.1+deb12u4
old-bpo: 1:2.3.21.1+dfsg1-1~bpo12+1
stable: 1:2.4.1+dfsg1-6+deb13u5
stable-sec: 1:2.4.1+dfsg1-6+deb13u4
testing: 1:2.4.3+dfsg1-2
unstable: 1:2.4.4+dfsg1-1

versioned links

1:2.3.13+dfsg1-2+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.3.13+dfsg1-2+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.3.19.1+dfsg1-2.1+deb12u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.3.19.1+dfsg1-2.1+deb12u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.3.21.1+dfsg1-1~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.4.1+dfsg1-6+deb13u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.4.1+dfsg1-6+deb13u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.4.3+dfsg1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.4.4+dfsg1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

dovecot-auth-lua (1 bugs: 0, 1, 0, 0)
dovecot-core (48 bugs: 0, 37, 11, 0)
dovecot-dev
dovecot-flatcurve
dovecot-gssapi
dovecot-imapd (15 bugs: 0, 15, 0, 0)
dovecot-ldap (1 bugs: 0, 0, 1, 0)
dovecot-lmtpd (2 bugs: 0, 1, 1, 0)
dovecot-managesieved
dovecot-mysql
dovecot-pgsql
dovecot-pop3d (1 bugs: 0, 1, 0, 0)
dovecot-sieve (10 bugs: 0, 8, 2, 0)
dovecot-solr
dovecot-sqlite
dovecot-submissiond

action needed

5 security issues in trixie high

There are 5 open security issues in trixie.

5 important issues:

CVE-2026-27851: When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No publicly available exploits are known.
CVE-2026-33603: Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.
CVE-2026-40016: Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
CVE-2026-40020: Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
CVE-2026-42006: An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.

Created: 2026-05-12 Last update: 2026-05-16 15:30

5 security issues in forky high

There are 5 open security issues in forky.

5 important issues:

CVE-2026-27851: When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No publicly available exploits are known.
CVE-2026-33603: Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.
CVE-2026-40016: Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
CVE-2026-40020: Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
CVE-2026-42006: An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.

Created: 2026-05-12 Last update: 2026-05-16 15:30

5 security issues in bullseye high

There are 5 open security issues in bullseye.

4 important issues:

CVE-2026-33603: Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.
CVE-2026-40016: Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
CVE-2026-40020: Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
CVE-2026-42006: An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.

1 issue postponed or untriaged:

CVE-2020-28200: (postponed; to be fixed through a stable update) The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.

Created: 2026-05-12 Last update: 2026-05-16 15:30

4 security issues in bookworm high

There are 4 open security issues in bookworm.

4 important issues:

CVE-2026-33603: Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.
CVE-2026-40016: Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
CVE-2026-40020: Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
CVE-2026-42006: An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.

Created: 2026-05-12 Last update: 2026-05-16 15:30

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2026-04-06 Last update: 2026-05-19 20:30

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2026-04-17 Last update: 2026-05-19 18:00

lintian reports 18 warnings normal

Lintian reports 18 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-05-16 Last update: 2026-05-16 12:00

2 open merge requests in Salsa normal

There are 2 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-08-19 Last update: 2026-04-03 19:02

debian/patches: 7 patches to forward upstream low

Among the 9 debian patches available in version 1:2.4.4+dfsg1-1 of the package, we noticed the following issues:

7 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-05-16 06:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).

Created: 2026-03-31 Last update: 2026-05-16 01:30

testing migrations

This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-xapian-core transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status for dovecot (1:2.4.3+dfsg1-2 to 1:2.4.4+dfsg1-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ migrating dovecot-core/1:2.4.4+dfsg1-1/amd64 to testing makes dovecot-fts-xapian/1.9.3-1+b2/amd64 uninstallable
- ∙ ∙ migrating dovecot-core/1:2.4.4+dfsg1-1/arm64 to testing makes dovecot-fts-xapian/1.9.3-1+b2/arm64 uninstallable
- ∙ ∙ migrating dovecot-core/1:2.4.4+dfsg1-1/armhf to testing makes dovecot-fts-xapian/1.9.3-1+b2/armhf uninstallable
- ∙ ∙ migrating dovecot-core/1:2.4.4+dfsg1-1/i386 to testing makes dovecot-fts-xapian/1.9.3-1+b2/i386 uninstallable
- ∙ ∙ migrating dovecot-core/1:2.4.4+dfsg1-1/ppc64el to testing makes dovecot-fts-xapian/1.9.3-1+b2/ppc64el uninstallable
- ∙ ∙ migrating dovecot-core/1:2.4.4+dfsg1-1/riscv64 to testing makes dovecot-fts-xapian/1.9.3-1+b2/riscv64 uninstallable
- ∙ ∙ migrating dovecot-core/1:2.4.4+dfsg1-1/s390x to testing makes dovecot-fts-xapian/1.9.3-1+b2/s390x uninstallable
- ∙ ∙ Autopkgtest for dovecot/1:2.4.4+dfsg1-1: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for dovecot-fts-xapian: amd64: Test deferred, arm64: Test deferred, i386: Test deferred, ppc64el: Test deferred, riscv64: Test deferred, s390x: Test deferred
- ∙ ∙ Autopkgtest for getmail6/6.19.12-1: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for gsasl/2.2.2-4: amd64: Pass, arm64: Pass, i386: Test triggered (will not be considered a regression) ♻ (reference ♻), ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for interimap/0.5.8-2: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for libgssglue/0.9-2: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for php-net-smtp/1.12.2-1: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-imaplib2/3.6-2: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Too young, only 2 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/d/dovecot.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- Not considered

news

[rss feed]

[2026-05-15] Accepted dovecot 1:2.4.4+dfsg1-1 (source) into unstable (Noah Meyerhans)
[2026-05-07] Accepted dovecot 1:2.4.1+dfsg1-6+deb13u5 (source) into proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-05-07] Accepted dovecot 1:2.3.19.1+dfsg1-2.1+deb12u5 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-05-02] Accepted dovecot 1:2.3.19.1+dfsg1-2.1+deb12u4 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-05-01] Accepted dovecot 1:2.3.19.1+dfsg1-2.1+deb12u4 (source) into oldstable-security (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-05-01] Accepted dovecot 1:2.3.13+dfsg1-2+deb11u3 (source) into oldoldstable-security (Guilhem Moulin)
[2026-04-25] Accepted dovecot 1:2.3.19.1+dfsg1-2.1+deb12u3 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-04-17] dovecot 1:2.4.3+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2026-04-14] Accepted dovecot 1:2.4.3+dfsg1-2 (source) into unstable (Noah Meyerhans)
[2026-04-06] Accepted dovecot 1:2.3.19.1+dfsg1-2.1+deb12u3 (source) into oldstable-security (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-04-06] Accepted dovecot 1:2.3.19.1+dfsg1-2.1+deb12u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-04-06] Accepted dovecot 1:2.4.1+dfsg1-6+deb13u4 (source) into proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-04-05] Accepted dovecot 1:2.3.19.1+dfsg1-2.1+deb12u2 (source) into oldstable-security (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-04-05] Accepted dovecot 1:2.4.1+dfsg1-6+deb13u4 (source) into stable-security (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-04-03] Accepted dovecot 1:2.4.3+dfsg1-1 (source) into unstable (Noah Meyerhans)
[2026-03-08] dovecot 1:2.4.2+dfsg1-4 MIGRATED to testing (Debian testing watch)
[2026-03-07] Accepted dovecot 1:2.4.1+dfsg1-6+deb13u3 (source) into proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-03-05] Accepted dovecot 1:2.4.2+dfsg1-4 (source) into unstable (Noah Meyerhans)
[2026-02-07] dovecot 1:2.4.2+dfsg1-3 MIGRATED to testing (Debian testing watch)
[2026-02-04] Accepted dovecot 1:2.4.2+dfsg1-3 (source) into unstable (Noah Meyerhans)
[2025-12-07] dovecot 1:2.4.2+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2025-11-26] Accepted dovecot 1:2.4.2+dfsg1-2 (source) into unstable (Noah Meyerhans)
[2025-11-13] Accepted dovecot 1:2.4.2+dfsg1-1 (source) into unstable (Noah Meyerhans)
[2025-11-01] Accepted dovecot 1:2.4.1+dfsg1-6+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2025-10-13] Accepted dovecot 1:2.4.1+dfsg1-6+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2025-10-05] Accepted dovecot 1:2.4.1+dfsg1-6+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Noah Meyerhans)
[2025-10-04] dovecot 1:2.4.1+dfsg1-9 MIGRATED to testing (Debian testing watch)
[2025-09-30] Accepted dovecot 1:2.4.1+dfsg1-9 (source) into unstable (Noah Meyerhans)
[2025-09-30] Accepted dovecot 1:2.4.1+dfsg1-8 (source) into unstable (Noah Meyerhans)
[2025-09-22] Accepted dovecot 1:2.4.1+dfsg1-7 (source) into unstable (Noah Meyerhans)

bugs [bug history graph]

all: 87 90
RC: 0
I&N: 72 75
M&W: 15
F&P: 0
patch: 1

links

homepage
lintian (0, 18)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:2.4.2+dfsg1-3ubuntu2
8 bugs