Dovecot v2.3.20 released
Peter
peter at pajamian.dhs.org
Wed Dec 28 01:33:06 UTC 2022
On 24/12/22 01:25, Aki Tuomi wrote:
>>>> Can you confirm that CVE-2022-30550 is patched in dovecot-2.3.20? Thank
>>>> you.
>>>
>>> We've decided to fix it for 2.4 release only, so it's not fixed in 2.3.20.
>>
>> That is a surprising decision.
>
> The bug does not, in fact, affect that many setups, and we do not consider it to be practically that severe a bug.
>
> OpenSSL 3.0 support is also planned for 2.4.

If you're running RHEL or one of the clones then the Ghettoforge builds
have both the CVE-2022-30550 and OpenSSL 3.0 support patched in. The
packages are dovecot23 in the gf-plus repository and are available for
EL7, 8 and 9.

http://ghettoforge.org/

If you're running a different distribution then you can still get the
patches by unpacking the src.rpm file (or you can dig them up from the
dovecot github) and add them to your own build:

http://mirror.ghettoforge.org/distributions/gf/el/9/plus/SRPMS/dovecot23-2.3.20-1.gf.el9.src.rpm

Peter