-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 18 May 2026 16:03:51 -0400 Source: dovecot Architecture: source Version: 1:2.4.1+dfsg1-6+deb13u6 Distribution: trixie-security Urgency: medium Maintainer: Dovecot Maintainers Changed-By: Noah Meyerhans Closes: 1136444 Changes: dovecot (1:2.4.1+dfsg1-6+deb13u6) trixie-security; urgency=medium . * Security update (Closes: #1136444) * [76ceed4] CVE-2026-27851: lib-var-expand: Reset safe state when transfer is unset * [4af6fb3] CVE-2026-40016: lib-sieve: Enforce CPU time limit within :contains and :matches matcher loops * [366ef61] CVE-2026-33603: login-common: Only accept base64 in sasl * [26bd41e] CVE-2026-40020: IMAP folders can be shared-spammed to everyone. * [b6f5bac] CVE-2026-42006: imap-login: Excessive memory usage DoS Checksums-Sha1: 3f9539f86a154de530d1a9fdfbfb26b65c869e93 3992 dovecot_2.4.1+dfsg1-6+deb13u6.dsc de4c45c0816946128950233246b8feb4dbf76f59 105120 dovecot_2.4.1+dfsg1-6+deb13u6.debian.tar.xz 003e7c6b709baa966fc77eb263679f4faab1a670 7573 dovecot_2.4.1+dfsg1-6+deb13u6_source.buildinfo Checksums-Sha256: 3a787c1cb9ba73de6dd2f83f4a71c3ebf4b5eca3354f78294ac311936fa4be37 3992 dovecot_2.4.1+dfsg1-6+deb13u6.dsc 69296d0696b6563949139f964f2f12318dc4fefd07f3be82dcf93a1357d1ffe8 105120 dovecot_2.4.1+dfsg1-6+deb13u6.debian.tar.xz e5abe42716a211e24db38fa422c36e641a58a2fffd60d43fbc96e943d8f83fb7 7573 dovecot_2.4.1+dfsg1-6+deb13u6_source.buildinfo Files: a5faaa953b4b3b351db75799d9ecb177 3992 mail optional dovecot_2.4.1+dfsg1-6+deb13u6.dsc fef65f7eefad37e8ceddb1318ce3ec46 105120 mail optional dovecot_2.4.1+dfsg1-6+deb13u6.debian.tar.xz 1b111a3eea67d059fa25b557e5d2bf64 7573 mail optional dovecot_2.4.1+dfsg1-6+deb13u6_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE5G+E0xEKhJuZ7RJ34+c1IpshdTUFAmoZ6NkACgkQ4+c1Ipsh dTWb2Q/+MBqPBlYVOm0QRg9yyw24MqQyov2I8yRXWqVf4i+IAFuc4BcTF9nwaHni PME6Q0mZwx2o7l/J7WkLojeoCVBgcliDj6ER5qsrT7AJsOv4ROwPVUv2MxgNxP+O OEnkI5zW2GG+YgzCOseKFa8lww8nCx+oN+Dchh7dyH0/KH7fMY3dInEBW8/W9xLv mZnjb2qYoT7PN4hEB8H+RFc0zvNbTTidR0t/yFnQJ53VhpmGunB/YozwzGHEfjTs 3QO3OSjm1AnSLpAdqQ5Whl6LNeRgxjdm7sc1B2vdSinwUJJOIVnOi33H/rRDpiJC mE1ExaJLRDNof9TvyUvqXm973XAbVELFhoPHjG+ucgRbBAeoDVaUZv8+tYVf/12f k5q2inKhQWQiH8WMGG0CkKJyjOy3PZAy1fh7+VcWoOq3eYPKhYhK4Xew7usKr/bB T5nFAwRlC7JApHA16b6YKBobZONsx2itcbtw97DZSkZmkp+xBuNpFXdCxzc7FVsl JwWodXK4bwMK2bP6/zBwIdxYRmUa2O09O9F8ldDi9SUM0tbGZ5OR0zxcSFsp/2wd 0us1qMEau9x7WseLAsNhRTp7LhrvACXVST8O1Ez8oB+WtTO/j0Ls2Ipeq/VWVxmj JihML2qlhkKATXEuTr/k2hHigC9AV7EQGgSw4CrwlWIqVTT/nLE= =2fF4 -----END PGP SIGNATURE-----