dovecot-2.3.16-7.el8_10

Errata ID: AXSA:2026-611:02

Release date: Wednesday, May 13, 2026 - 10:08
Subject: dovecot-2.3.16-7.el8_10
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description:

Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages.

Security Fix(es):

* dovecot: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (CVE-2025-59032)
* dovecot: denial of service via crafted message before authentication (CVE-2026-27858)
* dovecot: denial of service via specially crafted NOOP command (CVE-2026-27857)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-59032
The ManageSieve AUTHENTICATE command crashes when a literal is used as the SASL initial response. This can be used to crash the ManageSieve service repeatedly, making it unavailable to other users. Control access to the ManageSieve port, or disable the service if it is not needed. Alternatively, upgrade to a fixed version. No publicly available exploits are known.
CVE-2026-27857
Sending a "NOOP (((...)))" command with 4000 parentheses (open+close) results in ~1 MB of extra memory usage. Longer commands result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command-ending LF. An attacker could therefore connect, possibly from even a single IP, and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching the VSZ limit and killing the process and its other proxied connections. Install a fixed version; there is no other remediation. No publicly available exploits are known.
CVE-2026-27858
An attacker can send a specially crafted message before authentication that causes managesieve to allocate a large amount of memory. The attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to the managesieve protocol, or install a fixed version. No publicly available exploits are known.

Solution: 

Update packages.
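
A host triage check for this erratum, added here as an example and not part of the vendor advisory: it compares the installed dovecot version-release with the fixed build and checks whether ManageSieve (`sieve` in the `protocols` setting) is enabled. The function names are hypothetical, and `sort -V` is assumed to be a close enough stand-in for RPM's own version comparison.

```sh
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.
FIXED_VR="2.3.16-7.el8_10"   # fixed version-release named in this erratum

# is_fixed VR: succeed if VR sorts at or after FIXED_VR.
# Assumption: GNU `sort -V` approximates RPM's version comparison
# closely enough for el8 builds of the same package.
is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_VR" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VR" ]
}

# sieve_enabled PROTOCOLS: succeed if ManageSieve ("sieve") appears in
# the space-separated value of Dovecot's `protocols` setting.
sieve_enabled() {
    case " $1 " in
        *" sieve "*) return 0 ;;
        *) return 1 ;;
    esac
}

# assess VR PROTOCOLS: print a status line per CVE; return 1 if unpatched.
assess() {
    if is_fixed "$1"; then
        echo "CVE-2025-59032 CVE-2026-27857 CVE-2026-27858: fixed ($1)"
        return 0
    fi
    # The advisory gives no workaround for the NOOP issue, only the update.
    echo "CVE-2026-27857: VULNERABLE, update to $FIXED_VR"
    if sieve_enabled "$2"; then
        echo "CVE-2025-59032 CVE-2026-27858: VULNERABLE, ManageSieve enabled"
    else
        echo "CVE-2025-59032 CVE-2026-27858: ManageSieve disabled, still update"
    fi
    return 1
}

# check_host: read the real values with rpm and doveconf, then assess.
check_host() {
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' dovecot) || return 2
    vr=$(printf '%s\n' "$vr" | head -n 1)   # multilib: i686 and x86_64 match
    protocols=$(doveconf -h protocols 2>/dev/null) || return 2
    assess "$vr" "$protocols"
}
```

On a real host, call `check_host`; it returns 2 when the package is not installed or the Dovecot configuration cannot be read.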

Additional Info: 

N/A

Download: 

SRPMS
  1. dovecot-2.3.16-7.el8_10.src.rpm
    MD5: 8fdc15354401aa234827156290c8d1e9
    SHA-256: 32111c075ca4381b741006984a8849ac46e6a49a0059e06630e93ac73483fa46
    Size: 9.23 MB

Asianux Server 8 for x86_64
  1. dovecot-2.3.16-7.el8_10.i686.rpm
    MD5: e2eb6fc84582b7a5547850f82cd36d2e
    SHA-256: 3bc09f55ea96466663868d260f33a0a17fdd868a2bbb233a0ae943b3bf5142d7
    Size: 5.62 MB
  2. dovecot-2.3.16-7.el8_10.x86_64.rpm
    MD5: 9d36fc0f8b00338784a759b442bede39
    SHA-256: 2c37429d0551ccd0abea69c3b36da868543951b9e49603f72b2f91b44524bd10
    Size: 5.22 MB
  3. dovecot-devel-2.3.16-7.el8_10.i686.rpm
    MD5: 527ab42ac44eb286caa9c3ca66aa3233
    SHA-256: a77ddaf57825c9fb146524c215197efcaa0c389bdbda58d7f91f6ea0139a93d0
    Size: 582.69 kB
  4. dovecot-devel-2.3.16-7.el8_10.x86_64.rpm
    MD5: 1e5501d982db394ad20f7aafd9ad42cc
    SHA-256: 437751be3a54ef8444de83e00c615e721a3d0d1380d565395e2fa5ac466c608a
    Size: 582.71 kB
  5. dovecot-mysql-2.3.16-7.el8_10.x86_64.rpm
    MD5: 6b81e961b8917fc258140b81d4f96c88
    SHA-256: 4ac76ea5f2723bfdb2ef91a5900ebf014f0fbf6f8de86dd179096ce19bfe8e3e
    Size: 101.45 kB
  6. dovecot-pgsql-2.3.16-7.el8_10.x86_64.rpm
    MD5: 67d59fef2fc25cf28fe570bde31e7047
    SHA-256: 9149abaea69b3908c25c96e442af4b2d34c37cdb646c0bcb0709dd006394b60a
    Size: 104.72 kB
  7. dovecot-pigeonhole-2.3.16-7.el8_10.x86_64.rpm
    MD5: 43609819c1a8b33838938616a2ea945d
    SHA-256: 6db1f5e5cb9d5dc7b1159cf88db42ed64fd5b11da532836b416181c3078bf99f
    Size: 484.41 kB