Lucene search
K

Debian dla-4556 : dovecot-auth-lua - security update

🗓️ 15 Jun 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 8 Views

Dovecot security update fixes multiple flaws causing denial of service, information leak, and authentication bypass.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-27856
27 Mar 202608:10
attackerkb
ATTACKERKB
CVE-2026-27857
27 Mar 202608:10
attackerkb
ATTACKERKB
CVE-2026-27855
27 Mar 202608:10
attackerkb
ATTACKERKB
CVE-2025-59032
27 Mar 202608:10
attackerkb
ATTACKERKB
CVE-2025-59031
27 Mar 202608:10
attackerkb
ATTACKERKB
CVE-2026-27859
27 Mar 202608:10
attackerkb
ATTACKERKB
CVE-2026-0394
27 Mar 202608:10
attackerkb
ATTACKERKB
CVE-2026-27858
27 Mar 202608:10
attackerkb
ATTACKERKB
CVE-2026-42006
12 May 202613:28
attackerkb
Tenable Nessus
Amazon Linux 2023 : dovecot, dovecot-devel, dovecot-mysql (ALAS2023-2026-1570)
13 Apr 202600:00
nessus
Rows per page
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-4556. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(321107);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/15");

  script_cve_id(
    "CVE-2025-59031",
    "CVE-2025-59032",
    "CVE-2026-0394",
    "CVE-2026-27855",
    "CVE-2026-27856",
    "CVE-2026-27857",
    "CVE-2026-27858",
    "CVE-2026-27859"
  );

  script_name(english:"Debian dla-4556 : dovecot-auth-lua - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dla-4556 advisory.

    -------------------------------------------------------------------------
    Debian LTS Advisory DLA-4556-1                [email protected]
    https://www.debian.org/lts/security/                       Guilhem Moulin
    May 01, 2026                                  https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : dovecot
    Version        : 1:2.3.13+dfsg1-2+deb11u3
    CVE ID         : CVE-2025-59031 CVE-2025-59032 CVE-2026-0394 CVE-2026-27855
                     CVE-2026-27856 CVE-2026-27857 CVE-2026-27858 CVE-2026-27859

    Multiple vulnerabilities were discovered in dovecot, a POP3/IMAP server,
    which could lead to Denial of Service, information leak, path traversal,
    authentication bypass, replay attacks or timing side channel attacks.

    CVE-2025-59031

        The decode2text.sh example script, which was installed into
        dovecot-core/examples, was found handle zip-style attachment in an
        unsafe manner.  In particular, OOXML extraction may follow symlinks
        and read unintended files during indexing.  The script is no longer
        installed.

    CVE-2025-59032

        It was found that the ManageSieve AUTHENTICATE command crashes the
        ManageSieve service when using literal as SASL initial response,
        leading to Denial of Service.

    CVE-2026-0394

        A pass traversal vulnerability was discovered in the passwd-file
        passdb/userdb when dovecot has been configured to use per-domain
        passwd files, allowing inadvertently reading /etc/passwd in some
        situations.  If this file contains passwords, it can be used to
        authenticate wrongly, or if this is userdb, it can incorrectly make
        system users appear valid users.

    CVE-2026-27855

        The OTP authentication driver was found to be vulnerable to replay
        attack if auth cache is enabled the and username is altered in
        passdb.  An attacker able to observe an OTP exchange is therefore
        able to impersonate the user.

    CVE-2026-27856

        Doveadm credentials were not checked using timing-safe checking
        functions.  An attacker can exploit this issue to discover configured
        credentials, leading into full access to the affected component.

    CVE-2026-27857

        It was discovered that sending excessive parenthesis caused the
        imap-login process to use excessive memory, leading to Denial of
        Service.

    CVE-2026-27858

        It was discovered that the managesieve-login process could allocate
        large amount of memory during authentication via specifically crafted
        message, leading to Denial of Service.

    CVE-2026-27859

        It was discovered that excessive RFC 2231 MIME parameters in email
        would cause excessive CPU usage, which could lead to Denial of
        Service.  Dovecot now limits the number of parameters to process.

    For Debian 11 bullseye, these problems have been fixed in version
    1:2.3.13+dfsg1-2+deb11u3.

    We recommend that you upgrade your dovecot packages.

    For the detailed security status of dovecot please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/dovecot

    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://wiki.debian.org/LTS
    Attachment:
    signature.asc
    Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/dovecot");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2025-59031");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2025-59032");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-0394");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-27855");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-27856");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-27857");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-27858");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-27859");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/dovecot");
  script_set_attribute(attribute:"solution", value:
"Upgrade the dovecot-auth-lua packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-27856");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/03/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/05/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-auth-lua");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-core");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-gssapi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-imapd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-lmtpd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-lucene");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-managesieved");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-pop3d");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-sieve");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-solr");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-sqlite");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dovecot-submissiond");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '11.0', 'prefix': 'dovecot-auth-lua', 'reference': '1:2.3.13+dfsg1-2+deb11u3'},
    {'release': '11.0', 'prefix': 'dovecot-core', 'reference': '1:2.3.13+dfsg1-2+deb11u3'},
    {'release': '11.0', 'prefix': 'dovecot-dev', 'reference': '1:2.3.13+dfsg1-2+deb11u3'},
    {'release': '11.0', 'prefix': 'dovecot-gssapi', 'reference': '1:2.3.13+dfsg1-2+deb11u3'},
    {'release': '11.0', 'prefix': 'dovecot-imapd', 'reference': '1:2.3.13+dfsg1-2+deb11u3'},
    {'release': '11.0', 'prefix': 'dovecot-ldap', 'reference': '1:2.3.13+dfsg1-2+deb11u3'},
    {'release': '11.0', 'prefix': 'dovecot-lmtpd', 'reference': '1:2.3.13+dfsg1-2+deb11u3'},
    {'release': '11.0', 'prefix': 'dovecot-lucene', 'reference': '1:2.3.13+dfsg1-2+deb11u3'},
    {'release': '11.0', 'prefix': 'dovecot-managesieved', 'reference': '1:2.3.13+dfsg1-2+deb11u3'},
    {'release': '11.0', 'prefix': 'dovecot-mysql', 'reference': '1:2.3.13+dfsg1-2+deb11u3'},
    {'release': '11.0', 'prefix': 'dovecot-pgsql', 'reference': '1:2.3.13+dfsg1-2+deb11u3'},
    {'release': '11.0', 'prefix': 'dovecot-pop3d', 'reference': '1:2.3.13+dfsg1-2+deb11u3'},
    {'release': '11.0', 'prefix': 'dovecot-sieve', 'reference': '1:2.3.13+dfsg1-2+deb11u3'},
    {'release': '11.0', 'prefix': 'dovecot-solr', 'reference': '1:2.3.13+dfsg1-2+deb11u3'},
    {'release': '11.0', 'prefix': 'dovecot-sqlite', 'reference': '1:2.3.13+dfsg1-2+deb11u3'},
    {'release': '11.0', 'prefix': 'dovecot-submissiond', 'reference': '1:2.3.13+dfsg1-2+deb11u3'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dovecot-auth-lua / dovecot-core / dovecot-dev / dovecot-gssapi / etc');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation