We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13... and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c6...
Important vulnerability in Dovecot (CVE-2016-8562) CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H) Affected version(s): 2.2.25.1 up to 2.2.26.1 Fixed in: 2.2.27.1rc1
Short summary: Dovecot auth component can be crashed by remote user when auth-policy component is activated.
If auth-policy component has been activated in Dovecot, then remote user can use SASL authentication to crash auth component.
Workaround is to disable auth-policy component until fix is in place. This can be done by commenting out all auth_policy_* settings.
Aki Tuomi Dovecot oy