-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 30 Apr 2026 19:52:03 +0200
Source: dovecot
Architecture: source
Version: 1:2.3.13+dfsg1-2+deb11u3
Distribution: bullseye-security
Urgency: high
Maintainer: Dovecot Maintainers <dovecot@packages.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Changes:
 dovecot (1:2.3.13+dfsg1-2+deb11u3) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2025-59031: No longer install decode2text.sh into dovecot-core/
     examples as the script unsafely handles zip-style attachments. OOXML
     extraction may follow symlinks and read unintended files during
     indexing.
   * Fix CVE-2025-59032: ManageSieve panic occurs with sieve-connect as a
     client.
   * Fix CVE-2026-0394: Path traversal in passwd-file passdb using %d.
   * Fix CVE-2026-27855: OTP driver is vulnerable to replay attack.
   * Fix CVE-2026-27856: Doveadm credentials were not checked using
     timing-safe checking function.
   * Fix CVE-2026-27857: Sending excessive parenthesis caused imap-login to
     use excessive memory.
   * Fix CVE-2026-27858: managesieve-login can allocate large amount of
     memory during authentication.
   * Fix CVE-2026-27859: Excessive RFC 2231 MIME parameters in email would
     cause excessive CPU usage. Dovecot now limits the number of parameters
     to process.