## This update for dovecot24 fixes the following issues:

* Update to v2.4.3
* CVE-2025-59028: Invalid base64 authentication can cause DoS for other logins (bsc#1260894).
* CVE-2025-59031: decode2text.sh OOXML extraction may follow symlinks and read unintended files during indexing (bsc#1260895).
* CVE-2025-59032: pigeonhole: ManageSieve panic occurs with sieve-connect as a client (bsc#1260902).
* CVE-2026-24031: SQL injection possible if auth_username_chars is configured empty. Fixed escaping to always happen. v2.4 regression (bsc#1260896).
* CVE-2026-27855: OTP driver vulnerable to replay attack (bsc#1260900).
* CVE-2026-27856: Doveadm credentials were not checked using timing-safe checking function (bsc#1260899).
* CVE-2026-27857: sending excessive parenthesis causes imap-login to use

References:
* bsc#1260893
* bsc#1260894
* bsc#1260895
* bsc#1260896
* bsc#1260897
* bsc#1260898
* bsc#1260899
* bsc#1260900
* bsc#1260901
* bsc#1260902
Cross-references:
* CVE-2025-59028
* CVE-2025-59031
* CVE-2025-59032
* CVE-2026-24031
* CVE-2026-27855
* CVE-2026-27856
* CVE-2026-27857
* CVE-2026-27858
* CVE-2026-27859
* CVE-2026-27860
CVSS scores:
* CVE-2025-59028 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-59028 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-59031 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-59031 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2025-59031 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2025-59032 ( SUSE ): 8.7