[Dovecot-news] CVE-2022-30550: Privilege escalation possible in dovecot when similar master and non-master passdbs are used

Peter peter at pajamian.dhs.org
Sun Jul 10 06:53:45 UTC 2022


On 8/07/22 7:16 pm, Aki Tuomi wrote:
> Not all CVEs are "that serious". CVE scores are problematic; you can have a solid 10.0 CVE score that affects practically no one, and you can have a 3.8 CVE that affects ~everyone using the software.
> 
> This particular bug requires a quite specific setup, and also provides a sensible workaround for it.
> 
> It will be included in the upcoming 2.4 release; we do not currently see any pressing reason to rush out a CVE patch release for this.

I've applied the patch to the GhettoForge packages for dovecot23 (el7 
and 8) and dovecot22 (el7) for those who want a patched release for the 
EL platform.


Peter

