|
|
Log in / Subscribe / Register

Ubuntu alert USN-8365-1 (dovecot)



From:
              noreply+usn-bot--- via ubuntu-security-announce <ubuntu-security-announce@lists.ubuntu.com>


To:
              ubuntu-security-announce@lists.ubuntu.com


Subject:
              [USN-8365-1] Dovecot vulnerabilities


Date:
              Tue, 02 Jun 2026 13:53:21 +0000


Message-ID:
              <E1wUPYX-0006OD-97@lists.ubuntu.com>


Cc:
              noreply+usn-bot@canonical.com


==========================================================================
Ubuntu Security Notice USN-8365-1
June 02, 2026

dovecot vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Dovecot.

Software Description:
- dovecot: IMAP and POP3 email server

Details:

It was discovered that Dovecot incorrectly treated some variable expansion
pipelines as safe in authentication filters. An attacker could possibly use
this issue to perform SQL or LDAP injection attacks. This issue only
affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-27851)

It was discovered that Dovecot incorrectly verified SCRAM TLS channel
binding in certain base64 exchanges. A remote attacker could possibly use
this issue to obtain sensitive information in a machine-in-the-middle
attack. (CVE-2026-33603)

It was discovered that Dovecot incorrectly enforced Sieve script CPU
limits. An attacker could possibly use this issue to cause Dovecot to use
excessive resources, leading to a denial of service. (CVE-2026-40016)

It was discovered that Dovecot incorrectly handled certain IMAP SETACL
commands. An attacker could possibly use this issue to spam folders to
other users. (CVE-2026-40020)

It was discovered that Dovecot incorrectly handled excessive IMAP bracing.
An attacker could possibly use this issue to cause Dovecot to use excessive
resources, leading to a denial of service. (CVE-2026-42006)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  dovecot-core                    1:2.4.2+dfsg1-3ubuntu2.1

Ubuntu 25.10
  dovecot-core                    1:2.4.1+dfsg1-5ubuntu4.2

Ubuntu 24.04 LTS
  dovecot-core                    1:2.3.21+dfsg1-2ubuntu6.5

Ubuntu 22.04 LTS
  dovecot-core                    1:2.3.16+dfsg1-3ubuntu2.9

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8365-1
  CVE-2026-27851, CVE-2026-33603, CVE-2026-40016, CVE-2026-40020,
  CVE-2026-42006

Package Information:
  https://launchpad.net/ubuntu/+source/dovecot/1:2.4.2+dfsg...
  https://launchpad.net/ubuntu/+source/dovecot/1:2.4.1+dfsg...
  https://launchpad.net/ubuntu/+source/dovecot/1:2.3.21+dfs...
  https://launchpad.net/ubuntu/+source/dovecot/1:2.3.16+dfs...




Attachment: signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmoe4EIACgkQcpJm3tlz
hgG/Nw/+KdTMwLfLIvs/Fktj4cRaNVsP8rBP3P3RH8Es/k5HyUn32tpPHON8yW+j
IfIIZtSRK0A/0ScnFDcfx5Yqew+wm3R249fONW8C1Cxd+SU0MqLxnqsRc9tm2emQ
Q/GOk7+R/yxC2iKpm6HiM4fIkxCIa4u4YJ2Z9ZIajr1DTtwr1Y7TGRCNM1BL7XFq
iLTT2xbA7KZ3tkBtuNAA5Knx3IFsPh7JT0Xptz1+VOC37X6jQNZaFuXX4fBIACaM
XnbSio4tSTAGnn9+iTPTWF4d2bXtypxB7anAIglt5NI7zSuEhiYc4H0UVkY/BqT+
ocLy9/tGRdAnPiEWoG8AZX6l6z0CdM0hnOI8txK2ufJL33Eh4+Mmqt5pITl0rL9i
I0qUbTe0bvbjEgZf1u4J0Wpmz3HxFvulFJ+IN29b/+b4RG69Uh/RUVIkjccpAl+Y
eKqtJ2K4pBKIa5XNEtyWRcXD/wzCfUhRKaQ7u99cPkbwZ7UJ970eA4w1jDcP3X6U
Wy8cnsX8iqs15rXEKVkjthjqooVQA75rPI52HvNXfjrxJk8toxuq3REFpBm5nWvZ
ZOviWOzlZXDOY0cDqoVMpiuiuGX3Sk4NliiJFoe8mS1nEHgaTLYbeTFKZVl3FsCt
5f/OKWyZMERrYaZ7vjy7US5Kixsc/HqYX56TeOB9kqL8pTTa514=
=g9Zs
-----END PGP SIGNATURE-----
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds