Bug 2402122
| Summary: | CVE-2025-30189 dovecot 2.4: access to other users' emails | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Stephan Verbücheln <stephan> |
| Component: | dovecot | Assignee: | Michal Hlavinka <mhlavink> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 43 | CC: | anon.amish, bennie.joubert, mhlavink |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | Flags: | mhlavink: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://security-tracker.debian.org/tracker/CVE-2025-30189 | | |
| Whiteboard: | | | |
| Fixed In Version: | dovecot-2.4.1-6.fc44 | Doc Type: | --- |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2025-10-09 15:18:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
The same bug in Ubuntu has been fixed. https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/2126984

FEDORA-2025-d5eb72768a (dovecot-2.4.1-6.fc44) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2025-d5eb72768a

FEDORA-2025-d5eb72768a (dovecot-2.4.1-6.fc44) has been pushed to the Fedora 44 stable repository. If problem still persists, please make note of it in this bug report.
A flaw in the authentication cache implementation allows users to access other users' emails in dovecot 2.4. Note that authentication cache is not enabled by default. The bug was introduced with dovecot 2.4, specifically the renaming of configuration variables (%u to %{user}); 2.3 is not affected.

Reproducible: Always

Steps to Reproduce:
1. Configure authentication cache.
2. Access email.

Actual Results:
Access to other users' emails.

Expected Results:
Access only to your own emails.

Additional Information:
CVE-2025-30189 has been assigned but not yet published. Debian has documented this in bugs and security advisories:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115474
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115964
https://security-tracker.debian.org/tracker/CVE-2025-30189

The bug was fixed on August 1, 2025, but somehow has not made it into upstream release:
https://github.com/dovecot/core/commit/a70ce7d3e2f983979e971414c5892c4e30197231
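An added triage check, not part of this bug report or of the Dovecot project, that applies the two conditions stated above: only the 2.4 branch carries the regression, and the authentication cache has to be enabled for it to matter. It assumes the version string comes from `dovecot --version` and the configuration from `doveconf -n`, where `auth_cache_size = 0` (the default) leaves the cache off; the sample configuration below is constructed.

```python
import re

# Constructed sample of `doveconf -n` output (not taken from the bug report);
# the auth_cache_size line is what turns the authentication cache on.
SAMPLE_DOVECONF = """\
# 2.4.1: /etc/dovecot/dovecot.conf
auth_cache_size = 10M
auth_cache_ttl = 1 hour
passdb pam {
}
"""

_SIZE_UNITS = {"": 1, "b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

def parse_size(value: str) -> int:
    """Turn a Dovecot size string such as '10M', '512k' or '0' into bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgGbB]?)\s*", value)
    if not m:
        raise ValueError(f"unrecognised size value: {value!r}")
    return int(m.group(1)) * _SIZE_UNITS[m.group(2).lower()]

def auth_cache_enabled(doveconf_output: str) -> bool:
    """True if a top-level auth_cache_size is set to a non-zero value."""
    depth = 0
    for raw in doveconf_output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):      # entering a block such as `passdb pam {`
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "auth_cache_size":
                return parse_size(value) > 0
    return False                    # not set: Dovecot's default is 0 (cache off)

def assess(dovecot_version: str, doveconf_output: str) -> str:
    """Triage one host against CVE-2025-30189 from its version and live config."""
    m = re.match(r"(\d+)\.(\d+)", dovecot_version)
    if not m:
        raise ValueError(f"unrecognised version: {dovecot_version!r}")
    if (int(m.group(1)), int(m.group(2))) < (2, 4):
        return "not-affected"       # 2.3 does not carry the %u -> %{user} change
    if not auth_cache_enabled(doveconf_output):
        return "cache-disabled"     # the affected code path is not reachable
    return "verify-fix"             # 2.4 with cache on: confirm a fixed build is installed
```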