dovecot-2.3.16-18.el9_8
エラータID: AXSA:2026-1023:04
リリース日:
2026/06/29 Monday - 13:44
題名:
dovecot-2.3.16-18.el9_8
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Dovecot の ManageSieve サーバーには、与えられた値の取り扱いが
不適切である問題があるため、リモートの攻撃者により、サービス拒否
攻撃を可能とする脆弱性が存在します。(CVE-2025-59032)
- Dovecot の NOOP コマンドの処理には、リソースの制限を実施して
いない問題があるため、リモートの攻撃者により、サービス拒否攻撃
(リソース枯渇) を可能とする脆弱性が存在します。(CVE-2026-27857)
- Dovecot の ManageSieve サーバーには、リソースの制限を実施して
いない問題があるため、リモートの攻撃者により、サービス拒否攻撃
(リソース枯渇) を可能とする脆弱性が存在します。(CVE-2026-27858)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-59032
ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, making it unavailable for other users. Control access to ManageSieve port, or disable the service if it's not needed. Alternatively upgrade to a fixed version. No publicly available exploits are known.
ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, making it unavailable for other users. Control access to ManageSieve port, or disable the service if it's not needed. Alternatively upgrade to a fixed version. No publicly available exploits are known.
CVE-2026-27857
Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known.
Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known.
CVE-2026-27858
Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to managesieve protocol, or install fixed version. No publicly available exploits are known.
Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to managesieve protocol, or install fixed version. No publicly available exploits are known.
追加情報:
N/A
ダウンロード:
SRPMS
- dovecot-2.3.16-18.el9_8.src.rpm
MD5: 5102edcf5f4de01cb541faac463b0087
SHA-256: b4590434be9ea1cda0777d3e7b578ae5fdfa74bf323847a89ff1b2765ac361ed
Size: 9.16 MB
Asianux Server 9 for x86_64
- dovecot-2.3.16-18.el9_8.i686.rpm
MD5: 270e1a762f52919720a5e7708e8673dd
SHA-256: 112fbba249cace1706029e342b42569e5df0a7c62e17cd4e9864da575544f68c
Size: 5.18 MB - dovecot-2.3.16-18.el9_8.x86_64.rpm
MD5: 3b116bdb6b714142043c991164e45a60
SHA-256: 3181239966633ed6862e8dfce15681182ee1a762843a0762d1286c0ce36be70e
Size: 4.83 MB - dovecot-devel-2.3.16-18.el9_8.i686.rpm
MD5: 49da9129706facd541718ca3a44b0079
SHA-256: f1e8282aa7ca3aaad70ec9ba6f50c74f634399f8e03551dcfef83a1c620a97e0
Size: 596.05 kB - dovecot-devel-2.3.16-18.el9_8.x86_64.rpm
MD5: 46d48dd260bfd32d308e185baba84a98
SHA-256: 34a6e38474dba8040cdd061288dddfe0b66073e0fb507865c064b72b0787bcde
Size: 596.08 kB - dovecot-mysql-2.3.16-18.el9_8.x86_64.rpm
MD5: cbaedb407b760e039d8bc4036b4f79b9
SHA-256: 49aa18ab07b1d46b5e83e0c735f85e1f7df4832f944f5637974009c332e6cb85
Size: 18.51 kB - dovecot-pgsql-2.3.16-18.el9_8.x86_64.rpm
MD5: 55fb9c62350f97fe2552044a552f515a
SHA-256: 136bd2ecad7efae1c75bc0c64be3642a9f625a961f5989a7459ac0c2aa66d898
Size: 22.44 kB - dovecot-pigeonhole-2.3.16-18.el9_8.x86_64.rpm
MD5: 4d150e7976355c54d6c82e3efa432a15
SHA-256: ed9c0f548a8c66f6468362b47aecc7dbeff1f36ac89de13652708a9d2bcfa53b
Size: 383.35 kB