--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-693373747f
2026-06-02 01:10:43.197425+00:00
--------------------------------------------------------------------------------

Name        : dovecot
Product     : Fedora 43
Version     : 2.4.4
Release     : 1.fc43
URL         : https://www.dovecot.org/
Summary     : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail in
either of maildir or mbox formats. The SQL drivers and authentication plug-ins
are in their subpackages.
--------------------------------------------------------------------------------
Update Information:

CVE-2026-27851: lib-var-expand: Safe filter marks all following pipelines safe.

CVE-2026-33603: auth: CRAM-SHA-*-PLUS channel binding could be faked. MITM
attacker with a certificate trusted by the client could have bypassed the
requirement for channel binding.

CVE-2026-40020: IMAP folders can be shared-spammed to everyone.

CVE-2026-42006: An attacker can cause uncontrolled memory usage with excessive
bracing over IMAP. The fix in CVE-2026-27857 was incomplete.

indexer-worker, quota-status, script-login, program-client-local: Root
privileges are now dropped permanently before serving requests.

indexer-worker: Default restart_request_count changed to 1 to work correctly
after permanent root privilege drop.

lmtp: Add back service_extra_groups=$SET:default_internal_group that was
incorrectly removed in v2.4.3.

master: inet_listener_reuse_port has been replaced by service_reuse_port. The
new setting properly pre-creates all listener sockets at startup and assigns
one unique socket per process. Using this allows evenly distributing incoming
connections to login processes.
--------------------------------------------------------------------------------
ChangeLog:

* Fri May 15 2026 Michal Hlavinka - 1:2.4.4-1
- updated to 2.4.4 (#2476459)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2479583 - CVE-2026-33603 dovecot: Dovecot: Information disclosure via SCRAM TLS channel binding bypass [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2479583
  [ 2 ] Bug #2479588 - CVE-2026-40020 dovecot: dovecot: Denial of Service via IMAP SETACL command injection [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2479588
  [ 3 ] Bug #2481123 - CVE-2026-40016 dovecot: Dovecot: Denial of Service due to Sieve script CPU limit bypass [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2481123
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-693373747f' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
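An added example, not part of the Fedora notification: a POSIX shell check that tells whether an installed dovecot build still predates the fixed build 1:2.4.4-1.fc43 named above. It assumes a simplified, numeric-only segment comparison in place of rpm's own rpmvercmp, and the installed EVR is a constructed value standing in for an rpm query.

```shell
# Added example (not from the Fedora notification): decide whether an installed
# dovecot build is older than the fixed build 1:2.4.4-1.fc43 from this advisory.
# Assumption: a simplified, numeric-only comparison stands in for rpmvercmp,
# which is enough for Fedora's dotted dovecot versions but not for every RPM.
FIXED_EVR="1:2.4.4-1.fc43"

# Compare two dotted version strings segment by segment; print -1, 0 or 1.
# Non-numeric tails such as "fc43" are ignored.
vercmp_dotted() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        sa="${a%%.*}"; sa="${sa%%[!0-9]*}"
        sb="${b%%.*}"; sb="${sb%%[!0-9]*}"
        if [ "${sa:-0}" -lt "${sb:-0}" ]; then echo -1; return; fi
        if [ "${sa:-0}" -gt "${sb:-0}" ]; then echo 1; return; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    echo 0
}

# Compare two EVR strings ("epoch:version-release"); a missing epoch counts as 0.
evr_cmp() {
    a="$1"; b="$2"
    case "$a" in *:*) ea="${a%%:*}"; a="${a#*:}";; *) ea=0;; esac
    case "$b" in *:*) eb="${b%%:*}"; b="${b#*:}";; *) eb=0;; esac
    va="${a%%-*}"; ra="${a#*-}"; [ "$ra" = "$a" ] && ra=0
    vb="${b%%-*}"; rb="${b#*-}"; [ "$rb" = "$b" ] && rb=0
    r=$(vercmp_dotted "$ea" "$eb"); [ "$r" -ne 0 ] && { echo "$r"; return; }
    r=$(vercmp_dotted "$va" "$vb"); [ "$r" -ne 0 ] && { echo "$r"; return; }
    vercmp_dotted "$ra" "$rb"
}

# Succeed (exit 0) when the given installed EVR still lacks this advisory's fix.
dovecot_affected() {
    [ "$(evr_cmp "$1" "$FIXED_EVR")" -lt 0 ]
}

# On a Fedora host the installed EVR can be obtained with:
#   rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' dovecot
# Here a constructed value stands in for that query.
if dovecot_affected "1:2.4.3-1.fc43"; then
    echo "dovecot 1:2.4.3-1.fc43 predates $FIXED_EVR: apply FEDORA-2026-693373747f"
fi
```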