-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 18 May 2026 14:11:58 -0400 Source: dovecot Architecture: source Version: 1:2.3.19.1+dfsg1-2.1+deb12u6 Distribution: bookworm-security Urgency: medium Maintainer: Dovecot Maintainers Changed-By: Noah Meyerhans Closes: 1136444 Changes: dovecot (1:2.3.19.1+dfsg1-2.1+deb12u6) bookworm-security; urgency=medium . * Security update (Closes: #1136444) * [1d0162a] autopkgtest: test cram-md5 authentication * [d4eed2a] CVE-2026-40016: Sieve :contains/:matches O(N×M) Substring Match Bypasses sieve_max_cpu_time Limit (130× Overrun) * [898776c] CVE-2026-33603: login: Base64 input can contain tabs that bypass IPC protection * [fe76a7b] CVE-2026-40020: IMAP folders can be shared-spammed to everyone * [ce379ba] CVE-2026-42006: imap-login: Excessive memory usage DoS Checksums-Sha1: bb212f22536e4f62144694966fb5ae906a4c920c 4213 dovecot_2.3.19.1+dfsg1-2.1+deb12u6.dsc 5ff9a57972681b9060160ea56fcfa9433e790c5d 90824 dovecot_2.3.19.1+dfsg1-2.1+deb12u6.debian.tar.xz e037a72ab6b8bde3bf095abd8f8cefcbc1289aab 7618 dovecot_2.3.19.1+dfsg1-2.1+deb12u6_source.buildinfo Checksums-Sha256: ed6fd39b0b9d77e0fc64bad8efce071ecb90817b3f306b7e47b578354ed1c8e3 4213 dovecot_2.3.19.1+dfsg1-2.1+deb12u6.dsc c3be22486cfde860e6a62f4d7548fa3ab39795f4aabb259d5a5a3d64e9f9e797 90824 dovecot_2.3.19.1+dfsg1-2.1+deb12u6.debian.tar.xz e5ecfb63bf74b0ff77ce24ae18020a91744b90baae79c5fa444b959bbffd71bc 7618 dovecot_2.3.19.1+dfsg1-2.1+deb12u6_source.buildinfo Files: db5a1f754a0832cd3a22e7cefb5f461d 4213 mail optional dovecot_2.3.19.1+dfsg1-2.1+deb12u6.dsc a86b6dabfe0ffa54df31c31cd7f1a776 90824 mail optional dovecot_2.3.19.1+dfsg1-2.1+deb12u6.debian.tar.xz ca01ae7a300d1d5e52fcc8773198b37a 7618 mail optional dovecot_2.3.19.1+dfsg1-2.1+deb12u6_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE5G+E0xEKhJuZ7RJ34+c1IpshdTUFAmoZ5/QACgkQ4+c1Ipsh dTU+eRAAjS6f4p/VL2uhuWuWed3XkGtjbQhRhmSEe79TQ8aq8M/ehpdoFwg6PeaI Wu3IFxeOQD/vJktigibex90NWsjg0tKOyUeavRS2GQP26v4mLoHsr/vE7bmLXGD/ DvxhRi6IYikwRb2MgO9aHdw6CbdS0UAnDm8nYlaYFLVcTh/YpK/xGkpwyM5cyZc+ PYV/A+1D5ATMqStboA/6qJ9v5Pm1ldNgXjn/5sWKUi2Vm4DDcVqOufgalm9Fgcz7 MlNQYiXDRfH1O7y7ZxYALy+1yoAPiGJwKkesGRPHzOOi6s/WTUIkyEgP5JFgdAJs hpk1rIOKYM3jUyuIRdqVG1oQZyYGGhxNpew08SL+CuaEkZhDfleigTwF3Cv69UbT M4ayVmYyk9kvKpI/1LGWFIKqk0+cFeE11xegf6lTELtxN4PTI4h9ERi5V0qE/Wwf Tk886fTPt/mV0QON4J6SW1wgO4mw/74DMpIWTU+ezstqNWdMumQ588088H+N3T/E TibKz5I8iOGzr0O7PpKW7RRj+1vWVkw7mFhpcgbfolGcX5sAije06SJxA/hWfqpt O0ODWCVCY+882p+2W3bjwW/AxPfKTqFW+mA/ohT6N3mjVZRHcBVFWOIOhFXY49nA Rc4mxc37kCyoQX0UNupHbJTYQV8ovwOuLwyr58E81QnBoNvbq7U= =Oyjd -----END PGP SIGNATURE-----