This update for dovecot24 fixes the following issues:
- Update to v2.4.3
- CVE-2025-59028: Invalid base64 authentication can cause DoS for other logins (bsc#1260894).
- CVE-2025-59031: decode2text.sh OOXML extraction may follow symlinks and read unintended files during indexing
(bsc#1260895).
- CVE-2025-59032: pigeonhole: ManageSieve panic occurs with sieve-connect as a client (bsc#1260902).
- CVE-2026-24031: SQL injection possible if auth_username_chars is configured empty. Fixed escaping to always happen.
v2.4 regression (bsc#1260896).
- CVE-2026-27855: OTP driver vulnerable to replay attack (bsc#1260900).
- CVE-2026-27856: Doveadm credentials were not checked using timing-safe checking function (bsc#1260899).
- CVE-2026-27857: sending excessive parenthesis causes imap-login to use excessive memory (bsc#1260898).
- CVE-2026-27858: pigeonhole: managesieve-login can allocate large amount of memory during authentication (bsc#1260901).
- CVE-2026-27859: excessive RFC 2231 MIME...
Read the Full Advisory- openSUSE Leap 16.0:
dovecot24-2.4.3-160000.1.1
dovecot24-backend-mysql-2.4.3-160000.1.1
dovecot24-backend-pgsql-2.4.3-160000.1.1
dovecot24-backend-sqlite-2.4.3-160000.1.1
dovecot24-devel-2.4.3-160000.1.1
dovecot24-fts-2.4.3-160000.1.1
dovecot24-fts-flatcurve-2.4.3-160000.1.1
dovecot24-fts-solr-2.4.3-160000.1.1
* bsc#1260893
* bsc#1260894
* bsc#1260895
* bsc#1260896
* bsc#1260897
* bsc#1260898
* bsc#1260899
* bsc#1260900
* bsc#1260901
* bsc#1260902
References:
* https://www.suse.com/security/cve/CVE-2025-59028.html
* https://www.suse.com/security/cve/CVE-2025-59031.html
* https://www.suse.com/security/cve/CVE-2025-59032.html
* https://www.suse.com/security/cve/CVE-2026-24031.html
* https://www.suse.com/security/cve/CVE-2026-27855.html
* https://www.suse.com/security/cve/CVE-2026-27856.html
* https://www.suse.com/security/cve/CVE-2026-27857.html
* https://www.suse.com/security/cve/CVE-2026-27858.html
* https://www.suse.com/security/cve/CVE-2026-27859.html
* https://www.suse.com/security/cve/CVE-2026-27860.html
Get the latest Linux and open source security news straight to your inbox.