I think Eric is saying that the version in the testing repository -- which, as you said, is -- fixes the vulnerability.

The relevant part of the CVE-2019-11500 report -- which Eric quoted in his message, with the key words emphasized -- says that this vulnerability exists in versions of 2.3.x before That suggests that installing from the testing repository would fix the issue for you.

That's how I understand his answer, anyway.


On 2019-09-30 05:09, Ionut Hoza wrote:
Hi Eric,

I don't think I understand your answer :).

I'll try to upgrade to the package available in testing inventory.


On Fri, Sep 27, 2019 at 5:36 PM Eric Broch <ebr...@whitehorsetc.com> wrote:

In Dovecot before and 2.3.x _BEFORE_ (and
Pigeonhole before, protocol processing can fail for quoted
strings. This occurs because '' characters are mishandled, and can
lead to out-of-bounds writes and remote code execution.
On 9/27/2019 3:10 AM, Ionut Hoza wrote:

Hi all,

Are there any plans to address this security vulnerability and
publish a patched package in the qmt current repository?
https://nvd.nist.gov/vuln/detail/CVE-2019-11500 [1]

Currently I'm using 2.2.35-23 (built in 2018).

I saw there is a dovecot rpm package in the testing repository,
does that contain the fix? Any advice (issues) regarding
upgrading dovecot from 2.2.35 to ?

Thanks in advance,

[1] https://nvd.nist.gov/vuln/detail/CVE-2019-11500
