CVE-2016-8562 in dovecot

Aki Tuomi aki.tuomi at dovecot.fi
Mon Dec 5 08:48:04 UTC 2016



On 05.12.2016 09:53, Marc Schiffbauer wrote:
> * Aki Tuomi schrieb am 02.12.16 um 08:00 Uhr:
>
> Hi Aki,
>
>> We are sorry to report that we have a bug in dovecot, which merits a
>> CVE. See details below. If you haven't configured any auth_policy_*
>> settings you are ok. This is fixed with
>> https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
>> and
>> https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
>>
>> Important vulnerability in Dovecot (CVE-2016-8562)
>> CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
>> Affected version(s): 2.2.25.1 up to 2.2.26.1
>> Fixed in: 2.2.27.1rc1
> I think either it should read "up to 2.2.27"
> or
> "Fixed in: 2.2.27"
>
> Or how about version 2.2.27? (without .1)
>
> TIA
> -Marc
>

I guess so, we'll take note of this.

Aki




More information about the dovecot mailing list