dovecot-2.3.16-15.el9_7.1
Errata ID: AXSA:2026-567:01
Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages.
Security Fix(es):
* dovecot: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (CVE-2025-59032)
* dovecot: denial of service via crafted message before authentication (CVE-2026-27858)
* dovecot: denial of service via specially crafted NOOP command (CVE-2026-27857)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-59032
The ManageSieve AUTHENTICATE command crashes when a literal is used as the SASL initial response. This can be used to crash the ManageSieve service repeatedly, making it unavailable for other users. Control access to the ManageSieve port, or disable the service if it is not needed; alternatively, upgrade to a fixed version. No publicly available exploits are known.
CVE-2026-27857
Sending a "NOOP (((...)))" command with 4000 open+close parentheses results in ~1 MB of extra memory usage; longer commands result in client disconnection. This 1 MB can be left allocated for a longer period by not sending the LF that ends the command, so an attacker could, possibly even from a single IP, create 1000 connections to allocate 1 GB of memory, which would likely reach the VSZ limit and kill the process along with its other proxied connections. Install the fixed version; there is no other remediation. No publicly available exploits are known.
CVE-2026-27858
An attacker can send a specifically crafted message before authentication that causes managesieve to allocate a large amount of memory, and can make managesieve-login unavailable by repeatedly crashing the process. Protect access to the ManageSieve protocol, or install the fixed version. No publicly available exploits are known.
Update packages.
N/A
SRPMS
- dovecot-2.3.16-15.el9_7.1.src.rpm
MD5: 01fe48a8cb35317009ffd122bd0e3717
SHA-256: 6d9680f83b7fa222404217a1f140d6aa2292fc89e026fe967b9c7f8c795f496d
Size: 9.16 MB
Asianux Server 9 for x86_64
- dovecot-2.3.16-15.el9_7.1.i686.rpm
MD5: 7610f84e2aa2cfe351b15d3a0e07d7eb
SHA-256: 4430724b762bcd5e4e1515854a1032f29819919cfc87dbb1f85db0625c51c9c9
Size: 5.18 MB
- dovecot-2.3.16-15.el9_7.1.x86_64.rpm
MD5: 48563f8c5512337137a4cad7afd5e870
SHA-256: 3e2482f91a47c647931fe9400fe4899757e53dea2cd321f50f8c8c8c301cd5e2
Size: 4.83 MB
- dovecot-devel-2.3.16-15.el9_7.1.i686.rpm
MD5: acc624945bfd9ffed5649704b803635f
SHA-256: cdf0d72617536c1cbdd6176baa992feb2ee5a3bd81bb027af0e8bd743b421e96
Size: 595.82 kB
- dovecot-devel-2.3.16-15.el9_7.1.x86_64.rpm
MD5: abd7f9b3d0f9f1902f42abb294fb11b4
SHA-256: 692b0883dda81ddb0a2b08b42dacc917c9dc4052fd22889a017777793a0c76a4
Size: 595.96 kB
- dovecot-mysql-2.3.16-15.el9_7.1.x86_64.rpm
MD5: 2193c905a1e949581134f5cba9f5c612
SHA-256: d3f735427747516693c085bd43afb63a4455ad8f190b19d2fbb9b7009d2efe30
Size: 18.39 kB
- dovecot-pgsql-2.3.16-15.el9_7.1.x86_64.rpm
MD5: 5d6f95f0c9dafa90efc492d31a5877b5
SHA-256: ef156f1829c8e6f1073db621081ada4960a66e0b9f082036754bb8c6ad92f1ab
Size: 22.33 kB
- dovecot-pigeonhole-2.3.16-15.el9_7.1.x86_64.rpm
MD5: 2c2402c8d141dd283125f231c6053cef
SHA-256: 39f0eebbae99eb520a0c8bc0f7346fff42683f073d607026ec617a31cedebc4c
Size: 383.38 kB
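The following is an added helper script, not part of the advisory or of the Dovecot project, that turns the "Update packages" step and the package listing above into a check an administrator can run: it verifies a downloaded RPM against the SHA-256 values listed here and tells whether an installed dovecot version-release string is already at or past the fixed build 2.3.16-15.el9_7.1. The manifest embedded in the script is copied from the listing above; the version comparison uses GNU `sort -V` as an approximation of rpm's own label comparison (an assumption; `rpmdev-vercmp` from rpmdevtools gives the authoritative answer).

```shell
#!/bin/sh
# Added example: verify advisory RPM checksums and check the installed dovecot
# build against the fixed version-release from AXSA:2026-567:01.

FIXED_VR="2.3.16-15.el9_7.1"

# verify_rpm_sha256 FILE EXPECTED_HEX -> 0 if FILE's SHA-256 equals EXPECTED_HEX.
verify_rpm_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file (expected $expected, got $actual)" >&2
    return 1
}

# dovecot_is_fixed VERSION-RELEASE -> 0 if the string sorts at or above FIXED_VR.
# Assumption: GNU sort -V orders these dist-tagged releases the same way rpm does;
# use rpmdev-vercmp when that matters.
dovecot_is_fixed() {
    installed=$1
    highest=$(printf '%s\n%s\n' "$installed" "$FIXED_VR" | sort -V | tail -n 1)
    [ "$highest" = "$installed" ]
}

# Check every advisory RPM present in the current directory against the
# SHA-256 values from the listing above (file name, then hash).
verify_advisory_rpms() {
    rc=0
    while read -r name hash; do
        [ -n "$name" ] || continue
        [ -e "$name" ] || continue
        verify_rpm_sha256 "$name" "$hash" || rc=1
    done <<'EOF'
dovecot-2.3.16-15.el9_7.1.src.rpm 6d9680f83b7fa222404217a1f140d6aa2292fc89e026fe967b9c7f8c795f496d
dovecot-2.3.16-15.el9_7.1.i686.rpm 4430724b762bcd5e4e1515854a1032f29819919cfc87dbb1f85db0625c51c9c9
dovecot-2.3.16-15.el9_7.1.x86_64.rpm 3e2482f91a47c647931fe9400fe4899757e53dea2cd321f50f8c8c8c301cd5e2
dovecot-devel-2.3.16-15.el9_7.1.i686.rpm cdf0d72617536c1cbdd6176baa992feb2ee5a3bd81bb027af0e8bd743b421e96
dovecot-devel-2.3.16-15.el9_7.1.x86_64.rpm 692b0883dda81ddb0a2b08b42dacc917c9dc4052fd22889a017777793a0c76a4
dovecot-mysql-2.3.16-15.el9_7.1.x86_64.rpm d3f735427747516693c085bd43afb63a4455ad8f190b19d2fbb9b7009d2efe30
dovecot-pgsql-2.3.16-15.el9_7.1.x86_64.rpm ef156f1829c8e6f1073db621081ada4960a66e0b9f082036754bb8c6ad92f1ab
dovecot-pigeonhole-2.3.16-15.el9_7.1.x86_64.rpm 39f0eebbae99eb520a0c8bc0f7346fff42683f073d607026ec617a31cedebc4c
EOF
    return $rc
}

# Stand-alone use: verify whatever RPMs sit in the current directory, then
# report the installed dovecot build when rpm is available on this host.
verify_advisory_rpms || echo "one or more RPM checksums did not match" >&2
if command -v rpm >/dev/null 2>&1; then
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}' dovecot 2>/dev/null) && {
        if dovecot_is_fixed "$inst"; then
            echo "dovecot $inst: at or past $FIXED_VR"
        else
            echo "dovecot $inst: older than $FIXED_VR, update packages"
        fi
    }
fi
```

Run it from the directory holding the downloaded RPMs; a FAIL line for any file means the download should be discarded and refetched from the vendor rather than installed.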