SB20260428234 - SUSE update for dovecot22

Published: April 28, 2026

Security Bulletin ID SB20260428234
CSH Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

High 14%, Medium 71%, Low 14%

Description

This security bulletin contains information about 7 security vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2025-59031)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper input validation in the decode2text.sh script when parsing OOXML attachments during indexing. A remote attacker can send a specially crafted OOXML document containing symlinks to disclose sensitive information.

The attacker must be able to upload email attachments that are processed by the indexing system.
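OOXML documents are ZIP containers, so an indexer that unpacks them faces the same symlink and path-traversal hazards as any archive extractor. The following pre-check is an added example, not code from Dovecot, Pigeonhole or SUSE: it lists every archive entry an indexer should refuse before anything is written to disk. The archive builder produces a constructed sample (one benign part, one symlink entry, one traversal name); the link target string is a placeholder.

```python
import io
import stat
import zipfile
from posixpath import normpath


def unsafe_entries(zip_bytes: bytes) -> list:
    """Return (name, reason) for each archive entry an indexer should refuse.

    Checks run on the central directory only; no entry is extracted.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Unix mode bits are stored in the top 16 bits of external_attr.
            mode = (info.external_attr >> 16) & 0xFFFF
            if stat.S_ISLNK(mode):
                problems.append((info.filename, "symlink"))
                continue
            name = info.filename
            if name.startswith("/") or name.startswith("\\"):
                problems.append((name, "absolute path"))
            elif ".." in normpath(name).split("/"):
                problems.append((name, "path traversal"))
    return problems


def is_safe_to_index(zip_bytes: bytes) -> bool:
    """True when no entry is a symlink or escapes the extraction directory."""
    return not unsafe_entries(zip_bytes)


def build_sample_archive(include_bad: bool = True) -> bytes:
    """Constructed test fixture: a minimal OOXML-shaped ZIP.

    With include_bad=True it also carries a symlink entry (flagged via the
    Unix mode bits) and an entry whose name climbs out of the archive root.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if include_bad:
            link = zipfile.ZipInfo("word/media/image1.png")
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            # For a symlink entry the member body is the link target.
            zf.writestr(link, "placeholder/link/target")
            zf.writestr("../outside.xml", "<x/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_entries(build_sample_archive()):
        print(f"refuse {name}: {reason}")
```

The mode-bit check matters because `zipfile` (and most extractors) will happily write a symlink entry as a regular file whose content is the link target, or, with other tools, create the link itself; an indexer that then follows the link reads whatever it points at. Rejecting the whole attachment on the first bad entry is the simplest policy.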


2) Improper input validation (CVE-ID: CVE-2025-59032)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the Pigeonhole ManageSieve service when processing the SASL AUTHENTICATE command. A remote attacker can send a specially crafted request using a literal as the SASL initial response to cause a denial of service.

The ManageSieve service crashes and becomes unavailable for other users.


3) Authentication Bypass by Capture-replay (CVE-ID: CVE-2026-27855)

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to authentication bypass by capture-replay in the OTP authentication driver when caching credentials. A remote attacker can capture and replay OTP credentials to bypass authentication.

User interaction is required to trigger the initial authentication, and the auth cache must be enabled with username alteration in the passdb.


4) Improper Authentication (CVE-ID: CVE-2026-27856)

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to improper authentication in doveadm credentials verification when comparing provided credentials. A remote attacker can perform a timing-oracle attack to bypass authentication.
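A timing oracle in credential verification arises when the comparison stops at the first mismatching byte, so the response time reveals how long the matching prefix is. The block below is an added example, not doveadm's code and not a description of how Dovecot compares credentials: it places an early-exit comparison beside a constant-work one, returning the number of bytes each examines so the difference is visible without timing anything, and shows the stdlib primitive a credential check should actually use.

```python
import hashlib
import hmac


def naive_equal(a: bytes, b: bytes) -> tuple:
    """Early-exit comparison. Returns (equal, bytes_examined).

    Stand-in for any byte-by-byte compare that returns on the first
    difference (assumption, not doveadm's implementation). The work done,
    and therefore the time taken, grows with the length of the matching
    prefix: that is the oracle.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes) -> tuple:
    """Constant-work comparison. Returns (equal, bytes_examined).

    OR-accumulates every byte difference and decides only at the end, so
    bytes_examined is always the full length whatever the inputs.
    """
    if len(a) != len(b):
        return False, 0  # a length mismatch is still visible; see verify_credential
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def verify_credential(stored: bytes, provided: bytes) -> bool:
    """What a real check should do: hash both sides to a fixed length, then
    compare with hmac.compare_digest, which is designed to be timing-safe.

    Hashing first removes the length leak as well, because both digests are
    always 32 bytes regardless of what the client sent.
    """
    return hmac.compare_digest(
        hashlib.sha256(stored).digest(),
        hashlib.sha256(provided).digest(),
    )


if __name__ == "__main__":
    secret = b"correct-credential"
    for guess in (b"xorrect-credential", b"correct-credentiax", secret):
        print(guess, naive_equal(secret, guess), constant_time_equal(secret, guess))
```

Python's own interpreter overheads make the wall-clock difference noisy, but the `bytes_examined` counter shows the shape of the leak that matters in a C service: a guess wrong in byte 1 costs one iteration, a guess wrong only in the last byte costs all of them.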


5) Resource exhaustion (CVE-ID: CVE-2026-27857)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the imap-login process when handling malformed NOOP commands. A remote user can send a specially crafted command with excessive parentheses to cause a denial of service.


6) Resource exhaustion (CVE-ID: CVE-2026-27858)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the managesieve-login service when processing pre-authentication data. A remote attacker can send a specially crafted message before authentication to cause a denial of service.


7) Resource exhaustion (CVE-ID: CVE-2026-27859)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in MIME parameter parsing when processing message headers. A remote attacker can send a specially crafted email message with excessive RFC 2231 MIME parameters to cause a denial of service in the LMTP mail delivery process.
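RFC 2231 lets a single MIME parameter be split into numbered sections (`name*0=`, `name*1=`, ...) and percent-encoded with a charset prefix (`name*=utf-8''...`), which is exactly the structure that can be multiplied until parsing or reassembly exhausts the process. The parser below is an added example, not Dovecot's MIME code: it handles both forms and enforces two explicit caps, a total parameter budget and a per-parameter section budget, refusing the header rather than growing without bound. The cap values and the error type are assumptions to tune per deployment; charset handling is simplified to UTF-8 decoding.

```python
import re
from urllib.parse import unquote

MAX_PARAMS = 64               # assumed budget for all parameter segments in one header
MAX_SECTIONS_PER_PARAM = 16   # assumed budget for RFC 2231 continuations of one name

# name, optional section index, optional trailing '*' marking an extended (encoded) value
_SEG = re.compile(r"^([^*]+?)(?:\*(\d+))?(\*)?$")


class HeaderTooComplex(ValueError):
    """Raised when a header exceeds the parameter or section budget."""


def split_params(value: str) -> list:
    """Split 'type/subtype; a=1; b="x;y"' on ';' while respecting quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def parse_content_type(value: str) -> tuple:
    """Return (media_type, params) with RFC 2231 sections reassembled.

    Raises HeaderTooComplex as soon as a budget is exceeded, so the cost of a
    hostile header is bounded by the budget, not by the header's size.
    """
    pieces = split_params(value)
    media_type = pieces[0].lower()
    params, sections, segments = {}, {}, 0
    for raw in pieces[1:]:
        if not raw:
            continue
        if "=" not in raw:
            raise ValueError(f"malformed parameter: {raw!r}")
        key, val = raw.split("=", 1)
        m = _SEG.match(key.strip().lower())
        if not m:
            raise ValueError(f"malformed parameter name: {key!r}")
        name, idx, extended = m.groups()
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        if extended:
            # First (or only) extended section carries charset'language'encoded-text
            if idx in (None, "0") and val.count("'") >= 2:
                _charset, _lang, val = val.split("'", 2)
            val = unquote(val, encoding="utf-8", errors="replace")  # simplification
        segments += 1
        if segments > MAX_PARAMS:
            raise HeaderTooComplex("too many parameters")
        if idx is None:
            params[name] = val
        else:
            sec = sections.setdefault(name, {})
            if len(sec) >= MAX_SECTIONS_PER_PARAM:
                raise HeaderTooComplex(f"too many sections for {name!r}")
            sec[int(idx)] = val
    for name, sec in sections.items():
        params[name] = "".join(sec[i] for i in sorted(sec))
    return media_type, params


def is_acceptable(value: str) -> bool:
    """Delivery-time gate: False for headers the parser refuses on budget grounds."""
    try:
        parse_content_type(value)
    except HeaderTooComplex:
        return False
    return True


def build_flood_header(n_params: int, n_sections: int = 0) -> str:
    """Constructed test input: n_params distinct parameters plus, optionally,
    one parameter split into n_sections RFC 2231 continuations."""
    parts = ["text/plain"] + [f"p{i}=x" for i in range(n_params)]
    parts += [f"name*{i}=x" for i in range(n_sections)]
    return "; ".join(parts)
```

Because the checks fire inside the loop, a header that blows the budget is rejected after at most `MAX_PARAMS` segments of work, and the `sections` dictionary can never hold more than `MAX_SECTIONS_PER_PARAM` entries per name; neither the input length nor the number of continuations can drive memory or CPU beyond those limits.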


Remediation

Install the update from the vendor's website.