| Name | CVE-2025-59032 |
| Description | ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, making it unavailable for other users. Control access to ManageSieve port, or disable the service if it's not needed. Alternatively upgrade to a fixed version. No publicly available exploits are known. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-6197-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| dovecot (PTS) | bullseye | 1:2.3.13+dfsg1-2+deb11u1 | vulnerable |
| bullseye (security) | 1:2.3.13+dfsg1-2+deb11u2 | vulnerable | |
| bookworm | 1:2.3.19.1+dfsg1-2.1+deb12u1 | vulnerable | |
| bookworm (security) | 1:2.3.19.1+dfsg1-2.1+deb12u3 | fixed | |
| trixie | 1:2.4.1+dfsg1-6+deb13u3 | vulnerable | |
| trixie (security) | 1:2.4.1+dfsg1-6+deb13u4 | fixed | |
| forky | 1:2.4.2+dfsg1-4 | vulnerable | |
| sid | 1:2.4.3+dfsg1-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| dovecot | source | bookworm | 1:2.3.19.1+dfsg1-2.1+deb12u2 | DSA-6197-1 | ||
| dovecot | source | trixie | 1:2.4.1+dfsg1-6+deb13u4 | DSA-6197-1 | ||
| dovecot | source | (unstable) | 1:2.4.3+dfsg1-1 |
https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/
https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2025-59032-v2-4-v3-1-regression-pigeonhole-managesieve-panic-occurs-with-sieve-connect-as-a-client
Fixed by: https://github.com/dovecot/pigeonhole/commit/efb68fac3a9d2d04d38c4ab14dd570cf0c23923c (2.4.3)