
openSUSE cyrus-imapd Important Opossum Attack Risk 2026-0204-1

opensuse
June 15, 2026
This openSUSE update for cyrus-imapd addresses two vulnerabilities and is rated important.
An update that solves two vulnerabilities and has two fixes is now available.

Description

This update for cyrus-imapd fixes the following issues:

- Adapt license

- cyrus-imapd doesn't start because of missing "Requires=var-run.mount" from systemd (boo#1251788)
  Remove var-run.mount from Requires and After

- update to version 3.8.6 (bugfix release)
  VUL-0: CVE-2025-49812: cyrus-imapd: Opossum Attack Application Layer Desynchronization using Opportunistic TLS (boo#1246165)
  The industry is deprecating STARTTLS (aka opportunistic TLS) in favor of implicit TLS over a dedicated port.
  STARTTLS is now disabled by default.

  * Fixed issue #5477: master: tighten up pidfile/etc handling (boo#1241543) VUL-0: cyrus-imapd: privilege drop happens too late, opening attack vectors from cyrus to root

  * Fixed issue #5450: fix zoneinfo_db code for GCC 15 (thanks Yadd)

  * Fixed issue #5309: deadlock on shutdown (thanks Mark Cammidge)

  * Fixed issue #5424: recognise service-specific SASL options in ``cyr_info conf-lint``

...
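
A post-update check for the STARTTLS change described above, as an added example that is not part of the openSUSE advisory or the Cyrus project: it parses what a cleartext IMAP listener advertises before any TLS is in place and flags a remaining STARTTLS offer or cleartext login. The function names and the sample server lines are constructed for illustration, and port 143 is assumed to be the cleartext IMAP port of the server being checked.

```python
import re
import socket
import sys

# Capability list inside a "[CAPABILITY ...]" response code (greeting or
# tagged OK) or in an untagged "* CAPABILITY ..." response.
_CAP_RE = re.compile(r"\[CAPABILITY ([^\]]+)\]|^\* CAPABILITY (.+)$", re.I)

# Constructed server lines for illustration, not captured from a real host.
SAMPLE_STARTTLS = ["* OK [CAPABILITY IMAP4rev1 ID STARTTLS LOGINDISABLED] ready\r\n"]
SAMPLE_CLEARTEXT = ["* OK ready\r\n",
                    "* CAPABILITY IMAP4rev1 ID AUTH=PLAIN\r\n",
                    "a1 OK Completed\r\n"]

def parse_capabilities(lines):
    """Return the upper-cased capability atoms found in IMAP server lines."""
    caps = set()
    for line in lines:
        m = _CAP_RE.search(line.strip())
        if m:
            caps.update((m.group(1) or m.group(2)).upper().split())
    return caps

def audit_cleartext_listener(lines):
    """Report what a cleartext IMAP listener offers before any TLS is in place."""
    caps = parse_capabilities(lines)
    return {
        "starttls_offered": "STARTTLS" in caps,
        # LOGINDISABLED absent means the LOGIN command is accepted in the clear.
        "cleartext_login_allowed": bool(caps) and "LOGINDISABLED" not in caps,
        "cleartext_auth_plain": "AUTH=PLAIN" in caps,
    }

def fetch_lines(host, port=143, timeout=5.0):
    """Collect the greeting and the CAPABILITY reply from one connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            sock.makefile("rwb") as f:
        lines = [f.readline().decode("ascii", "replace")]
        f.write(b"a1 CAPABILITY\r\n")
        f.flush()
        while lines[-1] and not lines[-1].startswith("a1 "):
            lines.append(f.readline().decode("ascii", "replace"))
        f.write(b"a2 LOGOUT\r\n")
        f.flush()
    return lines

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    lines = fetch_lines(host) if host else SAMPLE_STARTTLS
    for check, hit in audit_cleartext_listener(lines).items():
        print(f"{check}: {'FLAG' if hit else 'ok'}")
```

Run with a host name as the only argument to check a live server; without one it audits the constructed sample. A refused connection on port 143 means no cleartext listener is exposed at all.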


Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

  zypper in -t patch openSUSE-2026-204=1

Package List

- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):

  cyradm-3.8.6-bp157.2.3.1
  cyrus-imapd-3.8.6-bp157.2.3.1
  cyrus-imapd-devel-3.8.6-bp157.2.3.1
  cyrus-imapd-snmp-3.8.6-bp157.2.3.1
  cyrus-imapd-snmp-mibs-3.8.6-bp157.2.3.1
  cyrus-imapd-utils-3.8.6-bp157.2.3.1
  libcyrus0-3.8.6-bp157.2.3.1
  perl-Cyrus-Annotator-3.8.6-bp157.2.3.1
  perl-Cyrus-IMAP-3.8.6-bp157.2.3.1
  perl-Cyrus-SIEVE-managesieve-3.8.6-bp157.2.3.1

References

https://www.suse.com/security/cve/CVE-2025-23394.html

https://www.suse.com/security/cve/CVE-2025-49812.html

https://bugzilla.suse.com/1241536

https://bugzilla.suse.com/1241543

https://bugzilla.suse.com/1246165

https://bugzilla.suse.com/1251788

Severity: important

Announcement ID: openSUSE-SU-2026:0204-1
Rating: important
Affected Products: openSUSE Backports SLE-15-SP7
