In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole
before 0.5.7.2), protocol processing can fail for quoted strings. This
occurs because '\0' characters are mishandled, and can lead to
out-of-bounds writes and remote code execution.
On 9/27/2019 3:10 AM, Ionut Hoza wrote:
Hi all,
Are there any plans to address this security vulnerability and publish
a patched package in the qmt current repository?
https://nvd.nist.gov/vuln/detail/CVE-2019-11500
Currently I'm using 2.2.35-23 (built in 2018).
I saw there is a dovecot 2.3.7.2 rpm package in the testing repository; does
that contain the fix? Any advice (issues) regarding upgrading
dovecot from 2.2.35 to 2.3.7.2?
Thanks in advance,
-I.
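A small check that compares an installed Dovecot version string (the rpm's "2.2.35-23" form or the output of dovecot --version) against the fixed releases named in the advisory text at the top of this thread. This is an added example, not Dovecot's or the list's own code; the sample version strings are constructed, and it assumes the distro has not backported the fix without bumping the upstream version.

```python
"""Added example: is an installed Dovecot version inside the range the
CVE-2019-11500 advisory describes? Sample inputs below are constructed."""
import re
from typing import Tuple

# Fixed versions named in the advisory: 2.2.x is fixed at 2.2.36.4 and
# 2.3.x at 2.3.7.2. Branches older than 2.2 have no fixed release at all.
FIXED = {(2, 2): (2, 2, 36, 4), (2, 3): (2, 3, 7, 2)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the upstream version from strings such as '2.2.35-23'
    (RPM version-release) or 'dovecot 2.3.7.2'. The distro release suffix
    after '-' is ignored: a vendor may backport a fix without changing the
    upstream version, so a positive result still warrants a changelog check
    (assumption stated in the lead-in)."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(text: str) -> bool:
    """True when the upstream version is older than its branch's fixed release.
    Tuple comparison handles a missing patch level: (2, 3, 7) < (2, 3, 7, 2)."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # 2.4 and later did not exist when the advisory was written; anything
    # older than the 2.2 branch predates every fixed release.
    return branch < (2, 2)


if __name__ == "__main__":
    for sample in ["2.2.35-23", "2.2.36.4", "dovecot 2.3.7.2", "2.3.7"]:
        print(sample, "affected" if is_affected(sample) else "fixed")
```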