This update for dovecot24 fixes the following issues
- CVE-2026-27851: lib-var-expand: safe filter leaks to all following pipelines (bsc#1265146).
- CVE-2026-33603: login: base64 input can contain tabs that bypass IPC protection (bsc#1265147).
- CVE-2026-40016: Sieve: contains/: matches O(NxM) substring match bypasses sieve_max_cpu_time limit (bsc#1265148).
- CVE-2026-40020: IMAP folders can be shared-spammed to everyone (bsc#1265149).
- CVE-2026-42006: imap-login: uncontrolled memory usage with excessive bracing over IMAP (bsc#1265150).
Changes for dovecot24:
- Update to 2.4.4
Patch instructions:
To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-974=1
- openSUSE Leap 16.0:
dovecot24-2.4.4-160000.1.1
dovecot24-backend-mysql-2.4.4-160000.1.1
dovecot24-backend-pgsql-2.4.4-160000.1.1
dovecot24-backend-sqlite-2.4.4-160000.1.1
dovecot24-devel-2.4.4-160000.1.1
dovecot24-fts-2.4.4-160000.1.1
dovecot24-fts-flatcurve-2.4.4-160000.1.1
dovecot24-fts-solr-2.4.4-160000.1.1
* bsc#1265146
* bsc#1265147
* bsc#1265148
* bsc#1265149
* bsc#1265150
References:
* https://www.suse.com/security/cve/CVE-2026-27851.html
* https://www.suse.com/security/cve/CVE-2026-33603.html
* https://www.suse.com/security/cve/CVE-2026-40016.html
* https://www.suse.com/security/cve/CVE-2026-40020.html
* https://www.suse.com/security/cve/CVE-2026-42006.html
Get the latest Linux and open source security news straight to your inbox.