Ubuntu Security Notice 567-1 - It was discovered that in very rare configurations using LDAP, Dovecot may reuse cached connections for users with the same password. As a result, a user may be able to login as another if the connection is reused. The default Ubuntu configuration of Dovecot was not vulnerable.
10edd7dfa552e081a9efdf0456b8b2e790f1e5e3ae9656b8eb5ae5af1f8914cb
Debian Security Advisory 1457-1 - It was discovered that Dovecot, a POP3 and IMAP server, only when used with LDAP authentication and a base that contains variables, could allow a user to log in to the account of another user with the same password.
112e1de8c1082065a7f25ae830b7ba30d10d2c10292413a7403e80e2a765f372