In Dovecot before 2.2.36.4 and 2.3.x /*before*/ 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.

On 9/27/2019 3:10 AM, Ionut Hoza wrote:
Hi all,

Are there any plans to address this security vulnerability and publish a patched package in the qmt current repository?
https://nvd.nist.gov/vuln/detail/CVE-2019-11500

Currently I'm using 2.2.35-23 (built in 2018).

I saw there is a dovecot 2.3.7.2 rpm package in the testing repository, does that contain the fix? Any advice (issues) regarding upgrading dovecot from 2.2.35 to 2.3.7.2?

Thanks in advance,
-I.
