Fedora 44 Dovecot Moderate Info Disclosure DoS Vuln 2026-96eeb03b88

Dovecot is an IMAP server for Linux/UNIX-like systems, written with security

primarily in mind. It also contains a small POP3 server. It supports mail

in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

CVE-2026-27851: lib-var-expand: Safe filter marks all following pipelines safe. CVE-2026-33603: auth: CRAM-SHA-*-PLUS channel binding could be faked. MITM attacker with a certificate trusted by the client could have bypassed the requirement for channel binding. CVE-2026-40020: IMAP folders can be shared-spammed to everyone. CVE-2026-42006: An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete. indexer-worker, quota-status, script-login, program-client-local: Root privileges are now dropped permanently before serving requests. indexer-worker: Default restart_request_count changed to 1 to work correctly after permanent root privilege drop. lmtp: Add back service_extra_groups=$SET:default_internal_group that was incorrectly removed in v2.4.3. master: inet_listener_reuse_port has been replaced by service_reuse_port. The new setting properly pre-creates all listener sockets at startup and ...