dovecot - Debian Package Tracker

general

source: dovecot (main)
version: 1:2.4.4+dfsg1-1
maintainer: Dovecot Maintainers (DMD)
uploaders: Noah Meyerhans [DMD]
arch: any
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:2.3.13+dfsg1-2+deb11u1
o-o-sec: 1:2.3.13+dfsg1-2+deb11u3
oldstable: 1:2.3.19.1+dfsg1-2.1+deb12u5
old-sec: 1:2.3.19.1+dfsg1-2.1+deb12u4
old-bpo: 1:2.3.21.1+dfsg1-1~bpo12+1
stable: 1:2.4.1+dfsg1-6+deb13u5
stable-sec: 1:2.4.1+dfsg1-6+deb13u4
testing: 1:2.4.4+dfsg1-1
unstable: 1:2.4.4+dfsg1-1

versioned links

1:2.3.13+dfsg1-2+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.3.13+dfsg1-2+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.3.19.1+dfsg1-2.1+deb12u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.3.19.1+dfsg1-2.1+deb12u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.3.21.1+dfsg1-1~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.4.1+dfsg1-6+deb13u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.4.1+dfsg1-6+deb13u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.4.4+dfsg1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

dovecot-auth-lua (1 bugs: 0, 1, 0, 0)
dovecot-core (48 bugs: 0, 37, 11, 0)
dovecot-dev
dovecot-flatcurve
dovecot-gssapi
dovecot-imapd (15 bugs: 0, 15, 0, 0)
dovecot-ldap (1 bugs: 0, 0, 1, 0)
dovecot-lmtpd (2 bugs: 0, 1, 1, 0)
dovecot-managesieved
dovecot-mysql
dovecot-pgsql
dovecot-pop3d (1 bugs: 0, 1, 0, 0)
dovecot-sieve (10 bugs: 0, 8, 2, 0)
dovecot-solr
dovecot-sqlite
dovecot-submissiond

action needed

5 security issues in trixie high

There are 5 open security issues in trixie.

5 important issues:

CVE-2026-27851: When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No publicly available exploits are known.
CVE-2026-33603: Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.
CVE-2026-40016: Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
CVE-2026-40020: Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
CVE-2026-42006: An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.

Created: 2026-05-12 Last update: 2026-05-24 12:31

5 security issues in bullseye high

There are 5 open security issues in bullseye.

4 important issues:

CVE-2026-33603: Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.
CVE-2026-40016: Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
CVE-2026-40020: Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
CVE-2026-42006: An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.

1 issue postponed or untriaged:

CVE-2020-28200: (postponed; to be fixed through a stable update) The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.

Created: 2026-05-12 Last update: 2026-05-24 12:31

4 security issues in bookworm high

There are 4 open security issues in bookworm.

4 important issues:

CVE-2026-33603: Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.
CVE-2026-40016: Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
CVE-2026-40020: Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
CVE-2026-42006: An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.

Created: 2026-05-12 Last update: 2026-05-24 12:31

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2026-04-06 Last update: 2026-05-28 13:30

lintian reports 18 warnings normal

Lintian reports 18 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-05-16 Last update: 2026-05-16 12:00

2 open merge requests in Salsa normal

There are 2 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-08-19 Last update: 2026-04-03 19:02

debian/patches: 7 patches to forward upstream low

Among the 9 debian patches available in version 1:2.4.4+dfsg1-1 of the package, we noticed the following issues:

7 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-05-16 06:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).

Created: 2026-03-31 Last update: 2026-05-16 01:30

testing migrations

This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-xapian-core transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-libexttextcat transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2026-05-25] dovecot 1:2.4.4+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2026-05-15] Accepted dovecot 1:2.4.4+dfsg1-1 (source) into unstable (Noah Meyerhans)
[2026-05-07] Accepted dovecot 1:2.4.1+dfsg1-6+deb13u5 (source) into proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-05-07] Accepted dovecot 1:2.3.19.1+dfsg1-2.1+deb12u5 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-05-02] Accepted dovecot 1:2.3.19.1+dfsg1-2.1+deb12u4 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-05-01] Accepted dovecot 1:2.3.19.1+dfsg1-2.1+deb12u4 (source) into oldstable-security (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-05-01] Accepted dovecot 1:2.3.13+dfsg1-2+deb11u3 (source) into oldoldstable-security (Guilhem Moulin)
[2026-04-25] Accepted dovecot 1:2.3.19.1+dfsg1-2.1+deb12u3 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-04-17] dovecot 1:2.4.3+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2026-04-14] Accepted dovecot 1:2.4.3+dfsg1-2 (source) into unstable (Noah Meyerhans)
[2026-04-06] Accepted dovecot 1:2.3.19.1+dfsg1-2.1+deb12u3 (source) into oldstable-security (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-04-06] Accepted dovecot 1:2.3.19.1+dfsg1-2.1+deb12u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-04-06] Accepted dovecot 1:2.4.1+dfsg1-6+deb13u4 (source) into proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-04-05] Accepted dovecot 1:2.3.19.1+dfsg1-2.1+deb12u2 (source) into oldstable-security (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-04-05] Accepted dovecot 1:2.4.1+dfsg1-6+deb13u4 (source) into stable-security (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-04-03] Accepted dovecot 1:2.4.3+dfsg1-1 (source) into unstable (Noah Meyerhans)
[2026-03-08] dovecot 1:2.4.2+dfsg1-4 MIGRATED to testing (Debian testing watch)
[2026-03-07] Accepted dovecot 1:2.4.1+dfsg1-6+deb13u3 (source) into proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2026-03-05] Accepted dovecot 1:2.4.2+dfsg1-4 (source) into unstable (Noah Meyerhans)
[2026-02-07] dovecot 1:2.4.2+dfsg1-3 MIGRATED to testing (Debian testing watch)
[2026-02-04] Accepted dovecot 1:2.4.2+dfsg1-3 (source) into unstable (Noah Meyerhans)
[2025-12-07] dovecot 1:2.4.2+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2025-11-26] Accepted dovecot 1:2.4.2+dfsg1-2 (source) into unstable (Noah Meyerhans)
[2025-11-13] Accepted dovecot 1:2.4.2+dfsg1-1 (source) into unstable (Noah Meyerhans)
[2025-11-01] Accepted dovecot 1:2.4.1+dfsg1-6+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2025-10-13] Accepted dovecot 1:2.4.1+dfsg1-6+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Noah Meyerhans)
[2025-10-05] Accepted dovecot 1:2.4.1+dfsg1-6+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Noah Meyerhans)
[2025-10-04] dovecot 1:2.4.1+dfsg1-9 MIGRATED to testing (Debian testing watch)
[2025-09-30] Accepted dovecot 1:2.4.1+dfsg1-9 (source) into unstable (Noah Meyerhans)
[2025-09-30] Accepted dovecot 1:2.4.1+dfsg1-8 (source) into unstable (Noah Meyerhans)

bugs [bug history graph]

all: 88 92
RC: 0
I&N: 73 77
M&W: 15
F&P: 0
patch: 1

links

homepage
lintian (0, 18)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:2.4.2+dfsg1-3ubuntu2
8 bugs