<div class="container">
<h1>Security update for dovecot24</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:21159-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-11-27T20:17:17Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252839">bsc#1252839</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-30189.html">CVE-2025-30189</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-30189</span>
<span class="cvss-source">(SUSE):</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-30189</span>
<span class="cvss-source">(SUSE):</span>
<span class="cvss-score">6.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-30189</span>
<span class="cvss-source">(NVD):</span>
<span class="cvss-score">7.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise Server 16.0</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 16.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability can now be installed.</p>
<h2>Description:</h2>
<p>This update for dovecot24 fixes the following issues:</p>
<ul>
<li>Update dovecot to 2.4.2:</li>
<li>CVE-2025-30189: Fixed users being cached with the same cache key when
auth cache was enabled (bsc#1252839)</li>
<li>Changes<ul>
<li>auth: Remove proxy_always field.</li>
<li>config: Change settings history parsing to use python3.</li>
<li>doveadm: Print table formatter - Print empty values as "-".</li>
<li>imapc: Propagate remote error codes properly.</li>
<li>lda: Default mail_home=$HOME environment if not using userdb
lookup</li>
<li>lib-dcrypt: Salt for new version 2 keys has been increased to
16 bytes.</li>
<li>lib-dregex: Add libpcre2-based regular expression support to
Dovecot. If the library is missing, all regular expressions are
disabled. This adds libpcre2-32 as build dependency.</li>
<li>lib-oauth2: jwt - Allow nbf and iat to point 1 second into
future.</li>
<li>lib: Replace libicu with our own unicode library. Removes
libicu as build dependency.</li>
<li>login-common: If proxying fails due to remote having invalid
SSL cert, don't reconnect.</li>
</ul>
</li>
<li>New features<ul>
<li>auth: Add ssl_client_cert_fp and ssl_client_cert_pubkey_fp
fields</li>
<li>config: Add support for $SET:filter/path/setting.</li>
<li>config: Improve @group includes to work with overwriting
their settings.</li>
<li>doveadm kick: Add support for kicking multiple usernames</li>
<li>doveadm mailbox status: Add support for deleted status item.</li>
<li>imap, imap-client: Add experimental partial IMAP4rev2
support.</li>
<li>imap: Implement support for UTF8=ACCEPT for APPEND</li>
<li>lib-oauth2, oauth2: Add oauth2_token_expire_grace setting.</li>
<li>lmtp: lmtp-client - Support command pipelining.</li>
<li>login-common: Support local/remote blocks better.</li>
<li>master: accept() unix/inet connections before creating child
process to handle it. This reduces timeouts when child
processes are slow to spawn themselves.</li>
</ul>
</li>
<li>Bug fixes<ul>
<li>SMTPUTF8 was accepted even when it wasn't enabled.</li>
<li>auth, *-login: Direct logging with -L parameter was not
working.</li>
<li>auth: Crash occurred when OAUTH token validation failed with
oauth2_use_worker_with_mech=yes.</li>
<li>auth: Invalid field handling crashes were fixed.</li>
<li>auth: ldap - Potential crash could happen at deinit.</li>
<li>auth: mech-gssapi - Server sending empty initial response
would cause errors.</li>
<li>auth: mech-winbind - GSS-SPNEGO mechanism was erroneously
marked as not accepting NUL.</li>
<li>config: Multiple issues with $SET handling have been fixed.</li>
<li>configure: Building without LDAP didn't work.</li>
<li>doveadm: If source user didn't exist, a crash would occur.</li>
<li>imap, pop3, submission, imap-urlauth: USER environment usage
was broken when running standalone.</li>
<li>imap-hibernate: Statistics would get truncated on
unhibernation.</li>
<li>imap: "SEARCH MIMEPART FILENAME ENDS" command could have
accessed memory outside allocated buffer, resulting in a
crash.</li>
<li>imapc: Fetching partial headers would cause other cached
headers to be cached empty, breaking e.g. imap envelope
responses when caching to disk.</li>
<li>imapc: Shared namespace's INBOX mailbox was not always
uppercased.</li>
<li>imapc: imapc_features=guid-forced GUID generation was not
working correctly.</li>
<li>lda: USER environment was not accepted if -d was not
specified.</li>
<li>lib-http: http-url - Significant path percent encoding
through parse and create was not preserved. This is mainly
important for Dovecot's Lua bindings for lib-http.</li>
<li>lib-settings: Crash would occur when using %variables in
SET_FILE type settings.</li>
<li>lib-storage: Attachment flags were attempted to be added for
readonly mailboxes with mail_attachment_flags=add-flags.</li>
<li>lib-storage: Root directory for unusable shared namespaces
was unnecessarily attempted to be created.</li>
<li>lib: Crash would occur when config was reloaded and logging
to syslog.</li>
<li>login-common: Crash might have occurred when login proxy was
destroyed.</li>
<li>sqlite: The sqlite_journal_mode=wal setting didn't actually
do anything.</li>
<li>Many other bugs have been fixed.</li>
</ul>
</li>
<li>Update pigeonhole to 2.4.2</li>
<li>Changes<ul>
<li>lib-sieve: Use new regular expression library in core.</li>
<li>managesieve: Add default
service_extra_groups=$SET:default_internal_group.</li>
</ul>
</li>
<li>New features<ul>
<li>lib-sieve: Add support for "extlists" extension.</li>
<li>lib-sieve: regex - Allow unicode comparator.</li>
</ul>
</li>
<li>Bug fixes<ul>
<li>lib-sieve-tool: sieve-tool - All sieve_script settings were
overridden.</li>
<li>lib-sieve: storage: dict: sieve_script_dict filter was
missing from settings.</li>
<li>sieve-ldap-storage: Fix compile without LDAP.</li>
</ul>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-79=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-79=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
<ul>
<li>dovecot24-devel-2.4.2-160000.1.1</li>
<li>dovecot24-backend-sqlite-2.4.2-160000.1.1</li>
<li>dovecot24-backend-mysql-2.4.2-160000.1.1</li>
<li>dovecot24-fts-solr-2.4.2-160000.1.1</li>
<li>dovecot24-backend-pgsql-2.4.2-160000.1.1</li>
<li>dovecot24-backend-pgsql-debuginfo-2.4.2-160000.1.1</li>
<li>dovecot24-fts-debuginfo-2.4.2-160000.1.1</li>
<li>dovecot24-backend-sqlite-debuginfo-2.4.2-160000.1.1</li>
<li>dovecot24-fts-2.4.2-160000.1.1</li>
<li>dovecot24-fts-solr-debuginfo-2.4.2-160000.1.1</li>
<li>dovecot24-debuginfo-2.4.2-160000.1.1</li>
<li>dovecot24-backend-mysql-debuginfo-2.4.2-160000.1.1</li>
<li>dovecot24-2.4.2-160000.1.1</li>
<li>dovecot24-debugsource-2.4.2-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 16.0 (ppc64le x86_64)
<ul>
<li>dovecot24-devel-2.4.2-160000.1.1</li>
<li>dovecot24-backend-sqlite-2.4.2-160000.1.1</li>
<li>dovecot24-backend-mysql-2.4.2-160000.1.1</li>
<li>dovecot24-fts-solr-2.4.2-160000.1.1</li>
<li>dovecot24-backend-pgsql-2.4.2-160000.1.1</li>
<li>dovecot24-backend-pgsql-debuginfo-2.4.2-160000.1.1</li>
<li>dovecot24-fts-debuginfo-2.4.2-160000.1.1</li>
<li>dovecot24-backend-sqlite-debuginfo-2.4.2-160000.1.1</li>
<li>dovecot24-fts-2.4.2-160000.1.1</li>
<li>dovecot24-fts-solr-debuginfo-2.4.2-160000.1.1</li>
<li>dovecot24-debuginfo-2.4.2-160000.1.1</li>
<li>dovecot24-backend-mysql-debuginfo-2.4.2-160000.1.1</li>
<li>dovecot24-2.4.2-160000.1.1</li>
<li>dovecot24-debugsource-2.4.2-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-30189.html">https://www.suse.com/security/cve/CVE-2025-30189.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252839">https://bugzilla.suse.com/show_bug.cgi?id=1252839</a>
</li>
</ul>
</div>