Package "dovecot-core"
| Field | Value |
|---|---|
| Name | dovecot-core |
| Description | secure POP3/IMAP server - core files |
| Latest version | 1:2.3.21+dfsg1-2ubuntu6.3 |
| Release | noble (24.04) |
| Level | updates |
| Repository | main |
| Head package | dovecot |
| Homepage | https://dovecot.org/ |
Changelog
dovecot (1:2.3.21+dfsg1-2ubuntu6.3) noble-security; urgency=medium

  * SECURITY UPDATE: Exposure of Sensitive Information to an Unauthorized Actor
    - debian/patches/CVE-2025-59031.patch: [PATCH 02/24] fts: Remove decode2text.sh
    - debian/rules: Remove decode2text.sh from it.
    - debian/dovecot-core.examples: Remove decode2text.sh from it.
    - CVE-2025-59031
  * SECURITY UPDATE: Improper Input Validation
    - debian/patches/CVE-2025-59032.patch: managesieve-login: Fix crash when command didn't finish on the first call
    - CVE-2025-59032
  * SECURITY UPDATE: Path traversal
    - debian/patches/CVE-2026-0394-1.patch: [PATCH] auth: db-passwd-file - Add db_passwd_fix_path()
    - debian/patches/CVE-2026-0394-2.patch: auth: db-passwd-file - Normalize path with db_passwd_fix_path()
    - CVE-2026-0394
  * SECURITY UPDATE: Authentication Bypass
    - debian/patches/CVE-2026-27855-1.patch: [PATCH 21/24] auth: cache - Use translated username in auth_cache_remove()
    - debian/patches/CVE-2026-27855-2.patch: [PATCH 22/24] auth: Move passdb event lifecycle handling to auth_request_passdb_event_(begin|end)
    - debian/patches/CVE-2026-27855-3.patch: [PATCH 23/24] auth: Initialize set_credentials event properly
    - debian/patches/CVE-2026-27855-4.patch: [PATCH 24/24] auth: passdb-sql - Require update_query to be set when used
    - CVE-2026-27855
  * SECURITY UPDATE: Improper Authentication
    - debian/patches/CVE-2026-27856-1.patch: [PATCH 16/24] doveadm: client-connection - Use timing safe credential check
    - debian/patches/CVE-2026-27856-2.patch: [PATCH 17/24] doveadm: Use datastack for temporary b64 value
    - debian/patches/CVE-2026-27856-3.patch: [PATCH 18/24] doveadm: client-connection - Get API key from per-connection settings
    - CVE-2026-27856
  * SECURITY UPDATE: Uncontrolled Resource Consumption
    - debian/patches/CVE-2026-27857-1.patch: [PATCH 1/2] plugins: imap-filter-sieve: imap-filter-sieve - Adjust to imap_parser_create() API change
    - debian/patches/CVE-2026-27857-2.patch: [PATCH 12/24] lib-imap, global: Add params parameter to imap_parser_create()
    - debian/patches/CVE-2026-27857-3.patch: [PATCH 13/24] lib-imap: Add imap_parser_params.list_count_limit
    - debian/patches/CVE-2026-27857-4.patch: [PATCH 14/24] imap-login: Limit the number of open IMAP parser lists
    - debian/patches/CVE-2026-27857-5.patch: [PATCH 15/24] global: Use const for struct imap_parser_params params
    - CVE-2026-27857
  * SECURITY UPDATE: Uncontrolled Resource Consumption
    - debian/patches/CVE-2026-27858.patch: [PATCH 2/2] managesieve-login: Verify AUTHENTICATE initial response size isn't too large
    - CVE-2026-27858
  * SECURITY UPDATE: Uncontrolled Resource Consumption
    - debian/patches/CVE-2026-27859.patch: [PATCH 03/24] lib-mail: Limit the number of RFC2231 parameters that can be parsed
    - CVE-2026-27859

 -- Eduardo Barretto <email address hidden>  Thu, 26 Mar 2026 16:17:02 +0100
CVEs referenced by this version (descriptions as shown on the page, truncated):

- CVE-2025-59031: Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use speciall
- CVE-2025-59032: ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, makin
- CVE-2026-0394: When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowe
- CVE-2026-27855: Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, the
- CVE-2026-27856: Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the conf
- CVE-2026-27857: Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnec
- CVE-2026-27858: Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can for
- CVE-2026-27859: A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail message causes mail
dovecot (1:2.3.21+dfsg1-2ubuntu6.2) noble; urgency=medium

  * Fix OAuth2 JWT validation when "aud" claim in an array (LP: #2142200)

 -- Guilherme Puida Moreira <email address hidden>  Wed, 25 Feb 2026 15:44:17 -0300
Bug referenced by this version:

- LP: #2142200: dovecot-core: OAuth2 JWT validation fails with client_id set but aud is missing when aud claim is an array
dovecot (1:2.3.21+dfsg1-2ubuntu6.1) noble; urgency=medium

  * Update PBKDF2 salt length to be FIPS 140-3 compliant (LP: #2107773).

 -- Eric Berry <email address hidden>  Fri, 03 Oct 2025 15:37:20 -0700
dovecot (1:2.3.21+dfsg1-2ubuntu6) noble-security; urgency=medium

  * Patches for CVE-2024-23184, CVE-2024-23185 (LP: #2077324).
    - CVE-2024-23184: A large number of address headers in email resulted in excessive CPU usage.
      + d/p/CVE-2024-23184-1-lib-test-llist-Fix-dllist2-test-name.patch
      + d/p/CVE-2024-23184-2-lib-Add-DLLIST2_JOIN.patch
      + d/p/CVE-2024-23184-3-lib-mail-test-imap-envelope-Use-test_assert_idx-where-pos.patch
      + d/p/CVE-2024-23184-4-lib-mail-Change-message_address-to-be-doubly-linked-list.patch
      + d/p/CVE-2024-23184-5-lib-mail-Add-message_address_parse_full-and-struct-messag.patch
      + d/p/CVE-2024-23184-6-lib-mail-lib-imap-Optimize-parsing-large-number-of-addres.patch
    - CVE-2024-23185: Abnormally large email headers are now truncated or discarded, with a limit of 10MB on a single header and 50MB for all the headers of all the parts of an email.
      + d/p/CVE-2024-23185-1-lib-mail-message-header-parser-Limit-header-block-to-10MB.patch
      + d/p/CVE-2024-23185-2-lib-mail-message-parser-Limit-headers-total-count-to-50MB.patch
    For more information see the following articles:
    CVE-2024-23184 - https://www.openwall.com/lists/oss-security/2024/08/15/3
    CVE-2024-23185 - https://www.openwall.com/lists/oss-security/2024/08/15/4

 -- Mitchell Dzurick <email address hidden>  Mon, 26 Aug 2024 08:52:27 -0700
Bug referenced by this version:

- LP: #2077324: [FFE] CVE-2024-23184/CVE-2024-23185