This bug was fixed in the package dovecot - 1:2.2.35-2ubuntu1

---------------
dovecot (1:2.2.35-2ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable (LP: #1771816). Remaining changes:
    - Add updated autopkgtest to debian/tests/* (these tests got simplified
      and streamlined to use the package's default configuration which
      solves LP: #1638865)
  * Dropped Changes (now upstream)
    - SECURITY UPDATE: rfc822_parse_domain Information Leak Vulnerability
    - SECURITY UPDATE: TLS SNI config lookups DoS
    - SECURITY UPDATE: Memory leak that can cause crash due to memory
      exhaustion
  * Dropped Changes (no more needed after 18.04)
    - handle conffile removal of /etc/init/dovecot.conf (due to dropping
      upstart).
  * Dropped Changes (no more needed)
    - Drop build dependency on libstemmer-dev (universe) - this is now in
      main
    - Disable dovecot-lucene plugin as it had various issues and is
      deprecated in favor of solr anyway (LP 1524526) - no more failing in
      Cosmic.
  * Dropped Changes (mail-stack-delivery)
    It was decided to no more carry mail-stack-delivery as a package in
    favor to out-of-package solutions. It became less useful due to one of
    the biggest benefits (auto-ssl setup) being part of the base setup now.
    - Add mail-stack-delivery
    - add package in d/rules, d/control
    - add d/*mail-stack-delivery* maintainer scripts and default conf
    - d/mail-stack-delivery.preinst: Move previously installed backups and
      config files to a new package namespace.
    - d/mail-stack-delivery.README.Debian clarified use of configuration
      files
    - d/mail-stack-delivery.postinst: Use ssl key/cert paths now set up by
      dovecot-core; transition for such configs formerly set up by
      mail-stack-delivery to use the new default ssl config (if user had no
      conffile change or chooses new defaults).
    - d/mail-stack-delivery.postinst: if moving dovecot to the new defaults
      on upgrade, also move the related postfix key/cert entries.
    - debian/99-mail-stack-delivery.conf: do not explicitly enable
      protocols as all installed are auto-included from the base config now.
    - adapt autopkgtests to match new version.
    - d/control: for the ssl transition to work we need to ensure
      dovecot-core is complete before upgrading mail-stack-delivery, so add
      a Pre-Depends.
    - d/mail-stack-delivery.postinst: add SSL_CERT/SSL_KEY detection to
      postconf section (was formerly initialized at the now dropped key
      setup)
    - d/mail-stack-delivery.postinst: fix SSL_CERT/SSL_KEY detection to
      only read non-comments from the right keywords and to strip common
      bad-chars
    - d/mail-stack-delivery.postinst: stop modifying mandatory tls config,
      recent upstream has sane defaults now
    - debian/99-mail-stack-delivery.conf: drop explicit ssl_cipher_list,
      recent upstream has sane defaults now
  * Added Changes:
    - carry mail-stack-delivery as empty transitional package (can be
      dropped >20.04)

dovecot (1:2.2.35-2) unstable; urgency=medium

  * [7665652] Use git-subtree to generate pigeonhole patch from git; add
    single-debian-patch to d/source/local-options
  * [bfa0f10] d/rules: specify libdir manually; previous upload moved
    modules under /usr/lib/, which was bound to break existing setups
  * [982e826] d/copyright: adjust pigeonhole path and bump years

dovecot (1:2.2.35-1) unstable; urgency=medium

  * [8108cba] New upstream version 2.2.35
  * [6cbbaa1] Update pigeonhole to 0.4.23 (Closes: #892137)
  * [9ace5f2] Switch Vcs-* URLs to salsa.d.o
  * [ef40625] d/rules: call configure via dh_auto_configure.
    Thanks to Helmut Grohne (Closes: #885854)
  * [a459455] Drop B-D on libcurl4-gnutls-dev; removed upstream since 2.2
  * [235af9d] Update upstream signing key

dovecot (1:2.2.34-2) unstable; urgency=high

  * [868dc65] Update pigeonhole to 0.4.22
  * Set urgency to high due to the security fixes in 2.2.34-1

dovecot (1:2.2.34-1) unstable; urgency=medium

  * [f53dc9a] New upstream version 2.2.34
    Fixes the following security issues:
    + CVE-2017-15130: TLS SNI config lookups may lead to excessive memory
      usage (Closes: #891820)
    + CVE-2017-14461: rfc822_parse_domain information leak vulnerability
      (Closes: #891819)
    + CVE-2017-15132: auth client leaks memory if SASL authentication is
      aborted (Closes: #888432)
  * [0dc98c6] Do not patch all-settings.c; regenerate it at build time
    instead.
    Thanks to Aki Tuomi!
  * [e678e3b] Bump dh compat to 11
    + B-D on debhelper (>= 11~)
    + Use dh_installsystemd instead of dh_systemd_enable
  * [271b290] Bump Standards-Version to 4.1.3; no changes needed
  * [3cd6715] d/copyright: bump upstream and debian years
  * [380d1ac] Drop the ENABLED flag from /etc/default/dovecot (but let the
    initscript handle it if it exists)
  * [97d6fae] d/watch: switch upstream URL to https://

 -- Christian Ehrhardt