{"affected":[{"ecosystem_specific":{"binaries":[{"dovecot24":"2.4.2-160000.1.1","dovecot24-backend-mysql":"2.4.2-160000.1.1","dovecot24-backend-pgsql":"2.4.2-160000.1.1","dovecot24-backend-sqlite":"2.4.2-160000.1.1","dovecot24-devel":"2.4.2-160000.1.1","dovecot24-fts":"2.4.2-160000.1.1","dovecot24-fts-flatcurve":"2.4.2-160000.1.1","dovecot24-fts-solr":"2.4.2-160000.1.1"}]},"package":{"ecosystem":"openSUSE:Leap 16.0","name":"dovecot24","purl":"pkg:rpm/opensuse/dovecot24&distro=openSUSE%20Leap%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.4.2-160000.1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for dovecot24 fixes the following issues:\n\n- Update dovecot to 2.4.2:\n  - CVE-2025-30189: Fixed users cached with same cache key when\n    auth cache was enabled (bsc#1252839)\n  - Changes\n    - auth: Remove proxy_always field.\n    - config: Change settings history parsing to use python3.\n    - doveadm: Print table formatter - Print empty values as \"-\".\n    - imapc: Propagate remote error codes properly.\n    - lda: Default mail_home=$HOME environment if not using userdb\n      lookup\n    - lib-dcrypt: Salt for new version 2 keys has been increased to\n      16 bytes.\n    - lib-dregex: Add libpcre2 based regular expression support to\n      Dovecot, if the library is missing, disable all regular\n      expressions. This adds libpcre2-32 as build dependency.\n    - lib-oauth2: jwt - Allow nbf and iat to point 1 second into\n      future.\n    - lib: Replace libicu with our own unicode library. 
Removes\n      libicu as build dependency.\n    - login-common: If proxying fails due to remote having invalid\n      SSL cert, don't reconnect.\n  - New features\n    - auth: Add ssl_client_cert_fp and ssl_client_cert_pubkey_fp\n      fields\n    - config: Add support for $SET:filter/path/setting.\n    - config: Improve @group includes to work with overwriting\n      their settings.\n    - doveadm kick: Add support for kicking multiple usernames\n    - doveadm mailbox status: Add support for deleted status item.\n    - imap, imap-client: Add experimental partial IMAP4rev2\n      support.\n    - imap: Implement support for UTF8=ACCEPT for APPEND\n    - lib-oauth2, oauth2: Add oauth2_token_expire_grace setting.\n    - lmtp: lmtp-client - Support command pipelining.\n    - login-common: Support local/remote blocks better.\n    - master: accept() unix/inet connections before creating child\n      process to handle it. This reduces timeouts when child\n      processes are slow to spawn themselves.\n  - Bug fixes\n    - SMTPUTF8 was accepted even when it wasn't enabled.\n    - auth, *-login: Direct logging with -L parameter was not\n      working.\n    - auth: Crash occurred when OAUTH token validation failed with\n      oauth2_use_worker_with_mech=yes.\n    - auth: Invalid field handling crashes were fixed.\n    - auth: ldap - Potential crash could happen at deinit.\n    - auth: mech-gssapi - Server sending empty initial response\n      would cause errors.\n    - auth: mech-winbind - GSS-SPNEGO mechanism was erroneously\n      marked as\n      not accepting NUL.\n    - config: Multiple issues with $SET handling have been fixed.\n    - configure: Building without LDAP didn't work.\n    - doveadm: If source user didn't exist, a crash would occur.\n    - imap, pop3, submission, imap-urlauth: USER environment usage\n      was broken when running standalone.\n    - imap-hibernate: Statistics would get truncated on\n      unhibernation.\n    - imap: \"SEARCH MIMEPART FILENAME 
ENDS\" command could have\n      accessed memory outside allocated buffer, resulting in a\n      crash.\n    - imapc: Fetching partial headers would cause other cached\n      headers to be cached empty, breaking e.g. imap envelope\n      responses when caching to disk.\n    - imapc: Shared namespace's INBOX mailbox was not always\n      uppercased.\n    - imapc: imapc_features=guid-forced GUID generation was not\n      working correctly.\n    - lda: USER environment was not accepted if -d hasn't been\n      specified.\n    - lib-http: http-url - Significant path percent encoding\n      through parse and create was not preserved. This is mainly\n      important for Dovecot's Lua bindings for lib-http.\n    - lib-settings: Crash would occur when using %variables in\n      SET_FILE type settings.\n    - lib-storage: Attachment flags were attempted to be added for\n      readonly mailboxes with mail_attachment_flags=add-flags.\n    - lib-storage: Root directory for unusable shared namespaces\n      was unnecessarily attempted to be created.\n    - lib: Crash would occur when config was reloaded and logging\n      to syslog.\n    - login-common: Crash might have occurred when login proxy was\n      destroyed.\n    - sqlite: The sqlite_journal_mode=wal setting didn't actually\n      do anything.\n    - Many other bugs have been fixed.\n- Update pigeonhole to 2.4.2\n  - Changes\n    - lib-sieve: Use new regular expression library in core.\n    - managesieve: Add default\n      service_extra_groups=$SET:default_internal_group.\n  - New features\n    - lib-sieve: Add support for \"extlists\" extension.\n    - lib-sieve: regex - Allow unicode comparator.\n  - Bug fixes\n    - lib-sieve-tool: sieve-tool - All sieve_script settings were\n      overridden.\n    - lib-sieve: storage: dict: sieve_script_dict filter was\n      missing from settings.\n    - sieve-ldap-storage: Fix compile without 
LDAP.\n","id":"openSUSE-SU-2025-20113-1","modified":"2025-11-27T20:17:17Z","published":"2025-11-27T20:17:17Z","references":[{"type":"ADVISORY","url":null},{"type":"REPORT","url":"https://bugzilla.suse.com/1252839"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-30189"}],"related":["CVE-2025-30189"],"summary":"Security update for dovecot24","upstream":["CVE-2025-30189"]}