10 Jul 2022, 9:53 a.m.
On 8/07/22 7:16 pm, Aki Tuomi wrote:
> Not all CVEs are "that serious". CVE scores are problematic, you can have a solid 10.0 CVE score that affects practically no one, and you can have a 3.8 CVE that affects ~everyone using the software.
> This particular bug requires a quite specific setup, and also provides a sensible workaround for it.
> It will be included in upcoming 2.4 release, we do not currently see any pressing reason to rush out a CVE patch release for this.
I've applied the patch to the GhettoForge packages for dovecot23 (el7 and 8) and dovecot22 (el7) for those who want a patched release for the EL platform.
Peter