SUSE Package Hub - SUSE-PackageHub-16.0-577

Update Info

SUSE-PackageHub-16.0-577

Security update for dovecot24

Type: security

Severity: important

Issued: 2026-04-16

Description:

This update for dovecot24 fixes the following issues:

- Update to v2.4.3
- CVE-2025-59028: Invalid base64 authentication can cause DoS for other logins (bsc#1260894).
- CVE-2025-59031: decode2text.sh OOXML extraction may follow symlinks and read unintended files during indexing
  (bsc#1260895).
- CVE-2025-59032: pigeonhole: ManageSieve panic occurs with sieve-connect as a client (bsc#1260902).
- CVE-2026-24031: SQL injection possible if auth_username_chars is configured empty. Fixed escaping to always happen.
  v2.4 regression (bsc#1260896).
- CVE-2026-27855: OTP driver vulnerable to replay attack (bsc#1260900).
- CVE-2026-27856: Doveadm credentials were not checked using timing-safe checking function (bsc#1260899).
- CVE-2026-27857: sending excessive parenthesis causes imap-login to use excessive memory (bsc#1260898).
- CVE-2026-27858: pigeonhole: managesieve-login can allocate large amount of memory during authentication (bsc#1260901).
- CVE-2026-27859: excessive RFC 2231 MIME parameters in email would can excessive CPU usage (bsc#1260897).
- CVE-2026-27860: LDAP query injection possible if auth_username_chars is configured empty. Fixed escaping to always
  happen. v2.4 regression (bsc#1260893).

References

Packages

dovecot24-2.4.3-160000.1.1