On 23/12/2022 14:23 EET Eray Aslan eraya@a21an.org wrote:
On Fri, Dec 23, 2022 at 11:59:54AM +0200, Aki Tuomi wrote:
On 23/12/2022 11:47 EET Eray Aslan eraya@a21an.org wrote:
On Thu, Dec 22, 2022 at 10:06:16AM +0200, Aki Tuomi wrote:
We are pleased to release v2.3.20 of Dovecot.
Can you confirm that CVE-2022-30550 is patched in dovecot-2.3.20? Thank you.
We've decided to fix it for 2.4 release only, so it's not fixed in 2.3.20.
That is a surprising decision.
The bug does not, in fact, affect that many setups, and we do not consider it to be practically that severe a bug.
One more question regarding openssl. I am getting test failures when building against openssl-3 but not when building against openssl-1.1.1s. Can you confirm if openssl-3 is supported?
[...]
test-crypto.c:827: Assert failed: ret == TRUE
Panic: file dcrypt-openssl.c: line 2639 (dcrypt_openssl_private_to_public_key): assertion failed: (priv_key != NULL && pub_key_r != NULL)
Error: Raw backtrace: ./test-crypto(backtrace_append+0x42) [0x560ff72000b2] -> ./test-crypto(backtrace_get+0x1e) [0x560ff72001fe] -> ./test-crypto(+0x26952) [0x560ff71dd952] -> ./test-crypto(+0x26991) [0x560ff71dd991] -> ./test-crypto(+0x14e03) [0x560ff71cbe03] -> .libs/libdcrypt_openssl.so(+0x5f25) [0x7f5b1b499f25] -> ./test-crypto(+0x1f071) [0x560ff71d6071] -> ./test-crypto(+0x227cf) [0x560ff71d97cf] -> ./test-crypto(test_run+0x4a) [0x560ff71da2da] -> ./test-crypto(main+0x4f) [0x560ff71d032f] -> /lib64/libc.so.6(+0x232ca) [0x7f5b1b5322ca] -> /lib64/libc.so.6(__libc_start_main+0x85) [0x7f5b1b532385] -> ./test-crypto(_start+0x21) [0x560ff71d0451]
make[3]: *** [Makefile:1137: check-local] Error 1
[...]
$ openssl version
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
Thank you
Eray
OpenSSL 3.0 support is also planned for 2.4.
Aki