[BlueOnyx:23168] Re: dovecot CVE-2019-11500 - YUM updates released

Michael Stauber mstauber at blueonyx.it
Sun Sep 1 13:03:10 -05 2019


Hi all,

>> Just a little heads-up as I didn't see this mentioned here, there seems
>> to be a new vulnerability in dovecot:
>>
>> https://access.redhat.com/security/cve/cve-2019-11500
>>
>> https://dovecot.org/pipermail/dovecot-news/2019-August/000418.html

I just published dovecot-2.2.36.4 for BlueOnyx 5207R, 5208R and 5209R.
Updates for Aventurin{e} 6108R and 6109R have also been released.

Earlier I wrote:
> As we might want to go directly from 2.2.30 to 2.3.7.2 it'll be a bit
> more complicated than usual, though.

I looked at the sources and changes of the latest Dovecot 2.3.7.2 and
there are just too many small nitpicking differences between the 2.2 and
the 2.3 branch of Dovecot to make a rushed update. The config files of
Dovecot have several deprecated and some new configuration directives.

So during an update from 2.2 to 2.3 we need to rewrite the Dovecot
configuration, create a new DH *.pem file (or convert the old *.dat
file) and that means base-email needs to be updated as well to
incorporate these changes.

This is possible and will be done eventually. But it is exactly the type
of update that needs a lot of thorough testing, as it could cause email
outages or longer than usual dovecot restarts as the Diffie-Hellman
calculation or conversion from *.dat to *.pem takes time.

So I'd rather leave that for another day and meanwhile we just use the
fixed v2.2.36.4 instead.

-- 
With best regards

Michael Stauber
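As an added example (not code from this post, from BlueOnyx or from the base-email package), a POSIX shell script that prepares the Dovecot 2.3 DH parameter file ahead of the 2.2 to 2.3 switch, so the Diffie-Hellman generation or *.dat conversion the post warns about happens in a pre-upgrade step rather than during the service restart. It assumes openssl and dd on PATH, the 88-byte header in front of the DER body of Dovecot 2.2's ssl-parameters.dat as given in Dovecot's 2.3 upgrade notes, and the 2.3 "ssl_dh = <file" directive; all paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the BlueOnyx post or its base-email package.
# Prepares the Dovecot 2.3 DH parameter file before a 2.2 -> 2.3 upgrade so
# the restart does not stall on Diffie-Hellman generation.
# Assumptions: openssl(1) and dd(1) on PATH; a Dovecot 2.2 ssl-parameters.dat
# carries an 88-byte header before the DER body (offset from Dovecot's 2.3
# upgrade notes); Dovecot 2.3 reads PEM parameters via "ssl_dh = </path/dh.pem".
# All paths below are placeholders.
set -e

# Convert a 2.2-style ssl-parameters.dat into a 2.3-style PEM file.
# Usage: dh_pem_from_dat /var/lib/dovecot/ssl-parameters.dat /etc/dovecot/dh.pem
dh_pem_from_dat() {
    dat="$1"; pem="$2"
    dd if="$dat" bs=1 skip=88 2>/dev/null \
        | openssl dhparam -inform der -out "$pem" 2>/dev/null
    chmod 0644 "$pem"
}

# Generate fresh parameters. 4096 bits can take many minutes, which is why
# this belongs in a pre-upgrade step and not in the service restart.
# Usage: dh_pem_generate 4096 /etc/dovecot/dh.pem
dh_pem_generate() {
    bits="$1"; pem="$2"
    openssl dhparam -out "$pem" "$bits" 2>/dev/null
    chmod 0644 "$pem"
}

# Exit 0 if the PEM file parses and passes openssl's parameter checks.
# Usage: dh_pem_check /etc/dovecot/dh.pem
dh_pem_check() {
    openssl dhparam -in "$1" -check -noout >/dev/null 2>&1
}

# Append the 2.3 ssl_dh directive to a config file unless one is already
# present, so the function can be re-run safely (idempotent).
# Usage: dh_config_directive /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/dh.pem
dh_config_directive() {
    conf="$1"; pem="$2"
    if ! grep -q '^ssl_dh[[:space:]]*=' "$conf" 2>/dev/null; then
        printf 'ssl_dh = <%s\n' "$pem" >> "$conf"
    fi
}
```

Run dh_pem_generate (or dh_pem_from_dat) and dh_config_directive before the package switch; the resulting file is then already in place when the 2.3 dovecot starts.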


