AlmaLinux 9 — dovecot — multiple vulnerabilities (6 CVEs) — patch and remediation guide

📖 ~4 min read  •  Source: AlmaLinux ALSA ALSA-2026:13857

Related CVEs: CVE-2025-59032 CVE-2026-27857 CVE-2026-27858 CVE-2024-23184 CVE-2024-23185 CVE-2022-30550

Upstream summary: Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages.

Security Fix(es):

* dovecot: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (CVE-2025-59032)
* dovecot: denial of service via crafted message before aut

Table of contents

1. Symptom & Impact
2. Environment & Reproduction
3. Root Cause Analysis
4. Quick Triage
5. Step-by-Step Diagnosis
6. Solution – Primary Fix
7. Solution – Alternative Approaches
8. Verification & Acceptance Criteria
9. Rollback Plan
10. Prevention & Hardening
11. Related Errors & Cross-Refs
12. References & Further Reading

Symptom & Impact

On AlmaLinux 9 hosts that have dovecot installed, operators report behaviour consistent with AlmaLinux ALSA ALSA-2026:13857: dnf refuses to install or restart affected services, SELinux AVC denials appear in /var/log/audit/audit.log, and — for security-rated advisories — the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever dovecot sits on the serving path.

Environment & Reproduction

Reproduction targets AlmaLinux 9. Confirm release and the installed package:

cat /etc/almalinux-release
cat /etc/os-release
rpm -q dovecot
dnf info dovecot | head -20

Trigger the workflow that exposes dovecot — multiple vulnerabilities (6 CVEs) — patch and remediation guide while collecting:

sudo journalctl -u dovecot -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/dnf.log
sudo tail -200 /var/log/audit/audit.log
# For an evidence bundle bundle with sosreport:
sudo sosreport --batch

Root Cause Analysis

Root cause is documented in AlmaLinux ALSA ALSA-2026:13857. AlmaLinux / Red Hat maintainers shipped fixes in the corresponding dovecot update for AlmaLinux 9; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate dnf history with system logs:

sudo dnf history | head
sudo dnf history list dovecot
sudo dnf history info <id>
sudo ausearch -m AVC,USER_AVC -ts today | tail -100
cat /proc/sys/kernel/tainted   # non-zero = tainted kernel / out-of-tree modules

Quick Triage

Run these on AlmaLinux 9 to capture the current state of dovecot:

rpm -q dovecot                              # installed NVR
rpm -V dovecot                              # verify shipped files
sudo dnf check-update --security
sudo dnf updateinfo list cves
systemctl --failed --no-pager
sudo firewall-cmd --list-all
getenforce && sestatus
# If dovecot ships a systemd unit (unit name may differ from pkg name, e.g.
# bind→named, postgresql-server→postgresql, php-fpm→php-fpm):
systemctl list-unit-files | grep -i dovecot | head

Step-by-Step Diagnosis

1. List failed systemd units.

   systemctl --failed --no-pager

2. Tail the journal for dovecot and the system bus.

   sudo journalctl -u dovecot -f --no-pager
   sudo journalctl -xe -f --no-pager

3. Inspect firewall posture.

   sudo firewall-cmd --list-all-zones --permanent
   sudo nft list ruleset 2>/dev/null | head -50

4. Surface SELinux denials and author a local policy module if needed.

   sudo ausearch -m AVC,USER_AVC -ts today
   sudo ausearch -m AVC -ts today | audit2allow -a -M /tmp/local-fix
   sudo semodule -i /tmp/local-fix.pp

5. Verify dovecot integrity and reinstall if anything is altered.

   sudo rpm -V dovecot
   sudo dnf reinstall dovecot

6. Correlate findings with /var/log/dnf.log, dnf history, and AlmaLinux ALSA ALSA-2026:13857 to pin the change that introduced dovecot — multiple vulnerabilities (6 CVEs) — patch and remediation guide.

Solution – Primary Fix

Apply the corrective dnf transaction referenced by AlmaLinux ALSA ALSA-2026:13857, then reload affected systemd units:

sudo dnf -y makecache
sudo dnf -y upgrade --security              # apply ALL security errata (recommended)
# Or target a single package:
sudo dnf -y upgrade dovecot
sudo systemctl daemon-reload
# Unit name may differ from pkg name; check first:
systemctl list-unit-files | grep -i dovecot | head
sudo systemctl restart dovecot
rpm -q dovecot                                # confirm new NVR
systemctl is-active dovecot 2>/dev/null       # confirm running (if a unit exists)

For kernel / glibc / systemd / openssl advisories a reboot is required (or kpatch where licensed):

sudo needs-restarting -r                    # report whether reboot needed
sudo systemctl reboot                       # or: sudo shutdown -r now
# kpatch (Red Hat / Oracle) avoids reboot for many kernel CVEs:
sudo dnf install -y kpatch kpatch-dnf
sudo dnf kpatch auto                        # enable auto-patching
sudo kpatch list

Solution – Alternative Approaches

If the primary patch is not viable, choose from these:

• Roll back the offending dnf transaction:

  sudo dnf history list | head
  sudo dnf history info <id>
  sudo dnf history undo <id>

• Version-lock the package so dnf cannot upgrade it:

  sudo dnf install -y python3-dnf-plugin-versionlock
  sudo dnf versionlock add dovecot
  sudo dnf versionlock list
  sudo dnf versionlock delete dovecot      # remove the lock

• Install an older NVR if a regression is suspected:

  dnf --showduplicates list dovecot | tac | head
  sudo dnf install -y --allowerasing dovecot-<older-NVR>

• Switch SELinux to permissive briefly to confirm policy is the cause, then re-enforce:

  sudo setenforce 0
  # reproduce, capture denials, author a custom module:
  sudo ausearch -m AVC -ts recent | audit2allow -a -M mylocal
  sudo semodule -i mylocal.pp
  sudo setenforce 1

• Take an LVM snapshot before kernel / glibc upgrades for fast rollback:

  sudo lvs
  sudo lvcreate -s -n preupgrade -L 4G /dev/<vg>/<lv>
  # revert later via:
  sudo lvconvert --merge /dev/<vg>/preupgrade && sudo systemctl reboot

• Where kpatch is licensed, apply kernel fixes without reboot:

  sudo kpatch list
  sudo kpatch load /usr/lib/modules/$(uname -r)/extra/kpatch/*.ko

Verification & Acceptance Criteria

All of these should pass after the fix:

rpm -q dovecot                                            # expected fixed NVR
sudo dnf updateinfo list cves --installed               # CVEs above no longer listed
systemctl is-active dovecot 2>/dev/null
sudo journalctl -u dovecot --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo firewall-cmd --list-services
getenforce
sudo needs-restarting -r

The original reproduction for dovecot — multiple vulnerabilities (6 CVEs) — patch and remediation guide must not trigger across two consecutive runs.

Rollback Plan

Capture state before any change:

rpm -qa > /root/rpm-pre.txt
sudo dnf history list > /root/dnf-history-pre.txt
# Optional LVM snapshot of the root LV:
sudo lvcreate -s -n preupgrade -L 4G /dev/<vg>/<lv>

To revert if the patch is bad:

sudo dnf history undo <id>
# Or downgrade just the package:
sudo dnf install -y --allowerasing dovecot-<older-NVR>
sudo systemctl daemon-reload
sudo systemctl restart dovecot
# Or merge the LVM snapshot and reboot:
sudo lvconvert --merge /dev/<vg>/preupgrade && sudo systemctl reboot
# Custom SELinux policy cleanup:
sudo semodule -r mylocal

Prevention & Hardening

Reduce the chance of this recurring on AlmaLinux 9:

• Enable automatic security patching:

  sudo dnf install -y dnf-automatic
  sudo sed -i 's/^upgrade_type.*/upgrade_type = security/' /etc/dnf/automatic.conf
  sudo sed -i 's/^apply_updates.*/apply_updates = yes/' /etc/dnf/automatic.conf
  sudo systemctl enable --now dnf-automatic.timer

• Subscribe to almalinux-announce and watch Red Hat security updates for upstream changes.

• Mirror through a local Pulp / Foreman / Spacewalk-style repo for controlled rollouts:

  sudo dnf install -y dnf-utils createrepo_c
  sudo reposync --download-metadata --downloadcomps -p /srv/mirror -- repoid=baseos
  sudo createrepo_c /srv/mirror/baseos

• Version-lock sensitive packages so they cannot be auto-upgraded:

  sudo dnf install -y python3-dnf-plugin-versionlock
  sudo dnf versionlock add dovecot

• Monitor file integrity with AIDE:

  sudo dnf install -y aide
  sudo aide --init && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  sudo aide --check

• Enable kpatch so kernel CVEs can be remediated without reboot:

  sudo dnf install -y kpatch kpatch-dnf
  sudo dnf kpatch auto
  sudo kpatch list

• Keep SELinux in enforcing mode and review custom modules in /etc/selinux/targeted/ after every package upgrade.

• Apply CIS AlmaLinux 9 Benchmark hardening and remove unused packages.

Related Errors & Cross-Refs

Issues that commonly surface alongside dovecot — multiple vulnerabilities (6 CVEs) — patch and remediation guide: dnf lock contention, systemd unit ordering cycles, SELinux AVC bursts, firewalld zone drift, and kernel taint flags. Useful triage:

sudo dnf check
systemd-analyze critical-chain
sudo ausearch -m AVC -ts today | tail
sudo firewall-cmd --get-active-zones
cat /proc/sys/kernel/tainted
sudo needs-restarting -r

View all almalinux-9 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Primary reference: AlmaLinux ALSA ALSA-2026:13857. Manual pages useful on AlmaLinux 9:

man dnf
man dnf.conf
man systemctl
man journalctl
man firewall-cmd
man semanage
man audit2allow
man kpatch
man sosreport

Other resources: wiki.almalinux.org, Red Hat CVE database, AlmaLinux errata, and per-package notes in /usr/share/doc/dovecot/ for components implicated in dovecot — multiple vulnerabilities (6 CVEs) — patch and remediation guide.

View all AlmaLinux 9 tutorials on the Tutorials Hub →