-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 04 Jun 2026 14:59:53 +0200
Source: dovecot
Architecture: source
Version: 1:2.3.13+dfsg1-2+deb11u4
Distribution: bullseye-security
Urgency: high
Maintainer: Dovecot Maintainers <dovecot@packages.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1136444
Changes:
 dovecot (1:2.3.13+dfsg1-2+deb11u4) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2026-33603: Attacker can use a specially crafted base64 exchange
     between Dovecot and Client to fake SCRAM TLS channel binding. This
     requires that the attacker is able to position itself between Dovecot
     and the client connection. (Closes: #1136444)
   * Fix CVE-2026-40020: Attacker can use the IMAP SETACL command to inject
     the anyone permission to user's dovecot-acl file even if
     `imap_acl_allow_anyone=no`, allowing folders to be spammed to all users.
     (Closes: #1136444)
   * Fix CVE-2026-42006: An attacker can cause uncontrolled memory usage with
     excessive bracing over IMAP. This stems from an incomplete fix for
     CVE-2026-27857. (Closes: #1136444)
Checksums-Sha1:
 976867b28e14205126edc05f006052e40ccab0e7 3998 dovecot_2.3.13+dfsg1-2+deb11u4.dsc
 5e7f9a892fe9fbf5108bf521b045bcbca3077168 1591484 dovecot_2.3.13+dfsg1.orig-pigeonhole.tar.gz
 252dc597e8c4b4b0c016916415fec0f80be2facb 7456073 dovecot_2.3.13+dfsg1.orig.tar.gz
 f3e4b27f65b3facc51098ff25b9f29a3cc7ff71f 866 dovecot_2.3.13+dfsg1.orig.tar.gz.asc
 32072dc74a4bc08d89654df2eca912f604639cd4 91700 dovecot_2.3.13+dfsg1-2+deb11u4.debian.tar.xz
 39fad3cb1827476ba19c605651a72781021582b0 6153 dovecot_2.3.13+dfsg1-2+deb11u4_source.buildinfo
Checksums-Sha256:
 97f3aa0f156fa7273dfe38b15c7c04b861598a50f209fe14191e2a689010d181 3998 dovecot_2.3.13+dfsg1-2+deb11u4.dsc
 9bbd31b3d0b3ae75060b961b6a8911f7371b0938630913f12604d97d05c912ff 1591484 dovecot_2.3.13+dfsg1.orig-pigeonhole.tar.gz
 a3f875b80ec11a452480690108660030978c94fa8e796ad6d943a874b496f1c4 7456073 dovecot_2.3.13+dfsg1.orig.tar.gz
 ef7653e5b866759bd94a94e758080025007bd502052705144ad8eae10e898f94 866 dovecot_2.3.13+dfsg1.orig.tar.gz.asc
 1180d93aefde651a3f0951f21541ef6da562c57de7b38f71016ae8b727d5644c 91700 dovecot_2.3.13+dfsg1-2+deb11u4.debian.tar.xz
 0ff87d321b17255910fc3d2df9bc8a4176e9e247c510215704e60ffbc6644adf 6153 dovecot_2.3.13+dfsg1-2+deb11u4_source.buildinfo
Files:
 f21e964987c9caf38cd2f87dcffff875 3998 mail optional dovecot_2.3.13+dfsg1-2+deb11u4.dsc
 06c2a85ac954d975d55dd559267f5277 1591484 mail optional dovecot_2.3.13+dfsg1.orig-pigeonhole.tar.gz
 f512bf1a4dac9ac994fddfb6bc5068ff 7456073 mail optional dovecot_2.3.13+dfsg1.orig.tar.gz
 6b2ac5dcaf0c24d3541077cd773cd498 866 mail optional dovecot_2.3.13+dfsg1.orig.tar.gz.asc
 c62d9103bb20863a96f3e22ca3f729c1 91700 mail optional dovecot_2.3.13+dfsg1-2+deb11u4.debian.tar.xz
 9abb551d273963ca3acbdd9e4d845fa0 6153 mail optional dovecot_2.3.13+dfsg1-2+deb11u4_source.buildinfo
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmois28ACgkQ05pJnDwh
pVJe0w/9EmxkYXbVa/JxdFd45iVAwFANteJqJotqYm05SEQj2LyHdI3EbV7MBcQC
VPuKb4xtVtNMq1D42ZvYI6A3DPLd7i24tRKDXqE5SRP7wvOqovuVhC84rzU9NEen
yAK9EYyHmrpK5R63uV5gpTmcvAuwzgxsyqoqDx7XnegRuf/x+36IigamXUo8w+ri
jWzz/HOx5Q31oooShICkabypL9y6GRhchact52DKWLFNC+h971oyinm4R+/61169
vZ2gZL+x62YtmPK8/WHS9E8WkWdi+PeIv31P3NxOa+QNNGAKxntwFXGbUTgWLhdb
HDkx//eZFzk4aoq0F7uR1eRO1yPejE33Za8j5ewULuP18eOGuDRxHC9vfO/vVN37
s1+KC+nGRVJzexHOyy9pHPjskVPKSh2gwm7mZadMPiYFOnctVKXWYLQ7FoEO4U/Z
kEDYLXrjosHVoKmqooVPYCr7cW1moYcXVFASbTz5/csEHmLSLyXbAVHUCRl8byd1
DtMY3LuIzs9FLn/oIvJGyn09/7RLArBP4JWRVmEfCbRc8ySuWHS79zPIN2qpIQFl
6Ey/49XWojYU5266ptes+MZuar3ZnaFtPPx3ooG8MIMdFB+5/kwWTh/XwC8ASX15
hqx3E4mfsNnlTGWill4g3Y60+dvh2PyRTrDrcu37eiy/PseghOE=
=2iXH
-----END PGP SIGNATURE-----
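Two checks an operator wants after reading a .changes file like the one above: is the dovecot package on a given host older than the fixing Version, and do the downloaded source files match the Checksums-Sha256 field. The script below is an added example, not part of the .changes file and not Debian or Dovecot tooling. It reimplements the dpkg version ordering in pure Python so the comparison also works where dpkg is absent (`dpkg --compare-versions` is the reference where it is installed), and it parses the Checksums-Sha256 field copied from the file above into something `hashlib` can verify. The function and constant names (`compare_versions`, `needs_update`, `parse_checksum_field`, `verify_file`, `FIXED_VERSION`, `CHANGES_EXCERPT`) are this example's own.

```python
"""Post-advisory checks: dpkg-style version comparison and checksum parsing.

Added example; not part of the .changes file, dpkg, or Dovecot. The
version ordering follows dpkg's verrevcmp(): epoch, then upstream version,
then Debian revision, each as alternating non-digit/digit runs where '~'
sorts before anything (even the end of the string) and letters sort before
other non-digits.
"""
import hashlib
import re

# Version that carries the fixes, copied from the Version: field above.
FIXED_VERSION = "1:2.3.13+dfsg1-2+deb11u4"

# Checksums-Sha256 field copied from the .changes file above, followed by the
# start of the next field so the parser's field boundary is exercised.
CHANGES_EXCERPT = """\
Checksums-Sha256:
 97f3aa0f156fa7273dfe38b15c7c04b861598a50f209fe14191e2a689010d181 3998 dovecot_2.3.13+dfsg1-2+deb11u4.dsc
 9bbd31b3d0b3ae75060b961b6a8911f7371b0938630913f12604d97d05c912ff 1591484 dovecot_2.3.13+dfsg1.orig-pigeonhole.tar.gz
 a3f875b80ec11a452480690108660030978c94fa8e796ad6d943a874b496f1c4 7456073 dovecot_2.3.13+dfsg1.orig.tar.gz
 ef7653e5b866759bd94a94e758080025007bd502052705144ad8eae10e898f94 866 dovecot_2.3.13+dfsg1.orig.tar.gz.asc
 1180d93aefde651a3f0951f21541ef6da562c57de7b38f71016ae8b727d5644c 91700 dovecot_2.3.13+dfsg1-2+deb11u4.debian.tar.xz
 0ff87d321b17255910fc3d2df9bc8a4176e9e247c510215704e60ffbc6644adf 6153 dovecot_2.3.13+dfsg1-2+deb11u4_source.buildinfo
Files:
 f21e964987c9caf38cd2f87dcffff875 3998 mail optional dovecot_2.3.13+dfsg1-2+deb11u4.dsc
"""


def _order(c):
    """Weight of one character in a non-digit run, as dpkg's order() assigns it."""
    if c == "~":
        return -1          # '~' sorts before everything, including end of string
    if c.isdigit():
        return 0           # a digit meeting a non-digit counts as end of the run
    if c.isalpha():
        return ord(c)      # letters sort before other non-digit characters
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream version or a Debian revision like dpkg's verrevcmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights, end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then the longer run wins, else the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Return <0, 0 or >0 in the order dpkg --compare-versions uses for a vs b."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return ea - eb
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def needs_update(installed, fixed=FIXED_VERSION):
    """True when the installed dovecot version predates the fixing upload."""
    return compare_versions(installed, fixed) < 0


# " <hex> <size> [section priority] <filename>" covers Checksums-* and Files.
_CHECKSUM_LINE = re.compile(r"^ ([0-9a-f]+) (\d+) (?:\S+ \S+ )?(\S+)$")


def parse_checksum_field(changes_text, field="Checksums-Sha256"):
    """Return {filename: (size, hexdigest)} for one Checksums-*/Files field."""
    out, inside = {}, False
    for line in changes_text.splitlines():
        if not line.startswith(" "):          # a new field header ends the block
            inside = line.rstrip() == field + ":"
            continue
        if inside:
            m = _CHECKSUM_LINE.match(line)
            if m:
                out[m.group(3)] = (int(m.group(2)), m.group(1))
    return out


def verify_file(path, expected, algorithm="sha256"):
    """Check size and digest of a downloaded file against a parsed field entry."""
    size, digest = expected
    data = open(path, "rb").read()
    return len(data) == size and hashlib.new(algorithm, data).hexdigest() == digest


if __name__ == "__main__":
    for v in ("1:2.3.13+dfsg1-2+deb11u3", FIXED_VERSION):
        print(v, "needs update" if needs_update(v) else "ok")
    for name, (size, digest) in parse_checksum_field(CHANGES_EXCERPT).items():
        print(f"{digest}  {name}  ({size} bytes)")
```

On a Debian host the installed version comes from `dpkg-query -W -f '${Version}' dovecot-core`; feed it to `needs_update`. For the checksum half, download the files listed in the field, run `verify_file` on each against the parsed entry, and treat the `.dsc` as the authoritative starting point only after `gpg --verify` on the .changes signature has succeeded, since a forged .changes would carry matching checksums for forged tarballs.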