Backport upstream commit 9a0f8c1066956ea7450ca82b57f904332006a502
to fix CVE-2026-42006. The IMAP parser's list_count_limit was
incorrectly checking the limit in imap_parser_close_list() (on
')') instead of imap_parser_open_list() (on '('). This patch
moves the check so it correctly limits the number of open
braces, preventing potential abuse via deeply nested lists.
CVE: CVE-2026-42006
Upstream patches:
- 9a0f8c1066.patch
Resolves: RHEL-188480
This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Ymir
fix CVE-2025-59032: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (RHEL-162282)
fix CVE-2026-27857: denial of service via specially crafted NOOP command (RHEL-161669)
Resolves: RHEL-161630