I think Eric is saying that the version in the testing repository -- which, as you said, is 2.3.7.2 -- fixes the vulnerability.

The relevant part of the CVE-2019-11500 report -- which Eric quoted in his message, with the key words emphasized -- says that this vulnerability exists in versions of 2.3.x before 2.3.7.2. That suggests that installing 2.3.7.2 from the testing repository would fix the issue for you.

That's how I understand his answer, anyway.

Angus



On 2019-09-30 05:09, Ionut Hoza wrote:
Hi Eric,

I don't think I understand your answer :).

I'll try to upgrade to the package available in testing inventory.

Thanks,
I.

On Fri, Sep 27, 2019 at 5:36 PM Eric Broch <ebr...@whitehorsetc.com> wrote:

In Dovecot before 2.2.36.4 and 2.3.x _BEFORE_ 2.3.7.2 (and
Pigeonhole before 0.5.7.2), protocol processing can fail for quoted
strings. This occurs because '\0' characters are mishandled, and can
lead to out-of-bounds writes and remote code execution.
On 9/27/2019 3:10 AM, Ionut Hoza wrote:

Hi all,

Are there any plans to address this security vulnerability and
publish a patched package in the qmt current repository?
https://nvd.nist.gov/vuln/detail/CVE-2019-11500

Currently I'm using 2.2.35-23 (built in 2018).

I saw there is a dovecot 2.3.7.2 rpm package in the testing repository;
does that contain the fix? Any advice (issues) regarding
upgrading dovecot from 2.2.35 to 2.3.7.2?

Thanks in advance,
-I.


---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
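The version reasoning in this thread, written out as an added example (not code from the list or from Dovecot): it checks an installed Dovecot or Pigeonhole version string against the affected ranges quoted from the CVE-2019-11500 description, ignoring an RPM release suffix such as the "-23" in "2.2.35-23". The function names and the treatment of the release suffix are this example's own assumptions.

```python
# Decide whether a Dovecot / Pigeonhole version string falls inside the
# ranges the CVE-2019-11500 text calls affected:
#   Dovecot    before 2.2.36.4, and 2.3.x before 2.3.7.2
#   Pigeonhole before 0.5.7.2
# Versions are compared numerically, component by component.
from __future__ import annotations

import re

# Fixed versions exactly as stated in the CVE text quoted in the thread.
DOVECOT_22_FIXED = (2, 2, 36, 4)
DOVECOT_23_FIXED = (2, 3, 7, 2)
PIGEONHOLE_FIXED = (0, 5, 7, 2)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.2.35-23' or '2.3.7.2' into a tuple of ints.
    The RPM release part after the first '-' is dropped (assumption:
    the upstream version is what matters for the affected range)."""
    upstream = text.split("-", 1)[0]
    m = re.match(r"^(\d+(?:\.\d+)*)", upstream)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def padded(v: tuple[int, ...], n: int) -> tuple[int, ...]:
    """Right-pad with zeros so '2.2.35' compares like '2.2.35.0'."""
    return v + (0,) * max(0, n - len(v))


def dovecot_affected(version: str) -> bool:
    """True if this Dovecot version lies in an affected range."""
    v = padded(parse_version(version), 4)
    if v < DOVECOT_22_FIXED:  # everything before 2.2.36.4
        return True
    return v[:2] == (2, 3) and v < DOVECOT_23_FIXED  # 2.3.x before 2.3.7.2


def pigeonhole_affected(version: str) -> bool:
    """True if this Pigeonhole version lies before 0.5.7.2."""
    return padded(parse_version(version), 4) < PIGEONHOLE_FIXED


if __name__ == "__main__":
    # The two package versions discussed in the thread.
    for ver in ("2.2.35-23", "2.3.7.2"):
        state = "affected" if dovecot_affected(ver) else "fixed"
        print(f"dovecot {ver}: {state}")
```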
