UBUNTU-CVE-2025-59028

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-59028

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-59028.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-59028

Upstream

CVE-2025-59028

Downstream

USN-8136-1

Related

USN-8136-1

Published

2026-03-27T00:00:00Z

Modified

2026-04-22T16:06:38.136015Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install fixed version or disable concurrency in login processes (heavy perfomance penalty on large deployments). No publicly available exploits are known.

References

Affected packages

Ubuntu:25.10 / dovecot

Package

Name: dovecot
Purl: pkg:deb/ubuntu/dovecot@1:2.4.1+dfsg1-5ubuntu4.1?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.4.1+dfsg1-5ubuntu4.1

Affected versions

1:2.*

1:2.3.21.1+dfsg1-1ubuntu2

1:2.4.1+dfsg1-5ubuntu1

1:2.4.1+dfsg1-5ubuntu3

1:2.4.1+dfsg1-5ubuntu4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "dovecot-auth-lua",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-core",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-flatcurve",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-gssapi",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-imapd",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-ldap",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-lmtpd",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-managesieved",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-mysql",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-pgsql",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-pop3d",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-sieve",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-solr",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-sqlite",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-submissiond",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        }
    ],
    "availability": "No subscription required"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-59028.json"