On 24/12/22 01:25, Aki Tuomi wrote:
Can you confirm that CVE-2022-30550 is patched in dovecot-2.3.20? Thank you.
We've decided to fix it for 2.4 release only, so it's not fixed in 2.3.20.
That is a surprising decision.
The bug does not, in fact, affect that many setups, and we do not consider it to be practically that severe a bug.
OpenSSL 3.0 support is also planned for 2.4.
If you're running RHEL or one of the clones then the Ghettoforge builds have both the CVE-2022-30550 and OpenSSL 3.0 support patched in. The packages are dovecot23 in the gf-plus repository and are available for EL7, 8 and 9.
If you're running a different distribution then you can still get the patches by unpacking the src.rpm file (or you can dig them up from the dovecot github) and adding them to your own build:
http://mirror.ghettoforge.org/distributions/gf/el/9/plus/SRPMS/dovecot23-2.3...
Peter
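The unpack-and-reuse step Peter describes, as an added example that is not code from his message or from the Ghettoforge or Dovecot projects: it checks the package signature, unpacks the source RPM, reads the `PatchN:` entries from the spec so the patches are applied in the same order the package build uses, and dry-runs each one before touching the tree. The `.src.rpm` and source-directory paths, the spec file name and the `-p1` strip level are assumptions; confirm the strip level against the `%patch` (or `%autosetup`) lines in the real spec.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes rpm, rpm2cpio,
# cpio and patch are installed (RHEL-family tools) and that the spec applies
# its patches with -p1.

# verify_srpm SRPM
# Signature/digest check. It only proves anything if the signing key is
# already imported; otherwise rpm reports the key as missing.
verify_srpm() {
    rpm --checksig "$1"
}

# extract_srpm SRPM DESTDIR
# A source RPM is a cpio archive of the spec, tarball and patch files.
extract_srpm() {
    mkdir -p "$2" && (cd "$2" && rpm2cpio "$1" | cpio -idm --quiet)
}

# patches_from_spec SPECFILE
# Print the file names from "PatchN: file" lines in the order they appear,
# which is the order the package build applies them. "%patch" and
# "Source" lines are deliberately not matched.
patches_from_spec() {
    sed -n 's/^Patch[0-9]*:[[:space:]]*//p' "$1"
}

# apply_patches SPECFILE PATCHDIR SRCDIR
# Dry-run each patch first and stop at the first one that does not apply,
# so a failure never leaves the tree half-patched.
apply_patches() {
    spec=$1; pdir=$2; src=$3
    for p in $(patches_from_spec "$spec"); do
        if patch -d "$src" -p1 -s --dry-run < "$pdir/$p"; then
            patch -d "$src" -p1 -s < "$pdir/$p"
            echo "applied $p"
        else
            echo "$p does not apply cleanly to $src; stopping" >&2
            return 1
        fi
    done
}

# Usage (placeholder paths):
#   sh apply-srpm-patches.sh dovecot23-VERSION.src.rpm ./dovecot-2.3.20
if [ "$#" -eq 2 ]; then
    srpm=$1; src=$2
    verify_srpm "$srpm" || exit 1
    work=$(mktemp -d)
    extract_srpm "$srpm" "$work" || exit 1
    spec=$(ls "$work"/*.spec | head -n 1)   # assumed: one spec in the SRPM
    apply_patches "$spec" "$work" "$src"
fi
```

Running the script with no arguments only defines the functions, so each step can also be called by hand; `patches_from_spec` on the extracted spec is a quick way to see which of the shipped patches are the CVE-2022-30550 and OpenSSL 3.0 ones before deciding what to carry into another distribution's build.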