Vulnerability Details:
Mail with a group address as sender will cause a signal 11 crash in push notification drivers. A group address as recipient can cause a crash in some drivers.

Risk:
Repeated delivery attempts are made for the problematic mail, causing queueing in the MTA.

Fix:
https://github.com/dovecot/core/compare/393a8cabf4dad893bf2ec60bf96cfde7a0c58432%5E..1307766b6f5d97341a47376657d342bcefd10f1b.patch

Upstream will release 2.3.9.1 on Friday 13th of December after 10:00 UTC.
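As an added illustration that is not part of the bug report or of Dovecot's own code: an RFC 5322 group address (the common `undisclosed-recipients:;` idiom, or `Team: a@example.com, b@example.com;`) is valid in From and To headers yet may contain zero mailboxes, which is the edge case any code handling sender or recipient addresses must tolerate. The Python below parses the three header shapes with the standard library's `email.headerregistry` and shows an accessor that returns `None` instead of assuming a first mailbox exists. The header values are constructed samples, not taken from the report.

```python
from email.headerregistry import HeaderRegistry

# Constructed sample header values (not from the bug report): a plain
# mailbox, a group with members, and an empty group.
SAMPLE_HEADERS = {
    "mailbox": "Alice Example <alice@example.com>",
    "group_with_members": "Team: Bob <bob@example.com>, Carol <carol@example.com>;",
    "empty_group": "undisclosed-recipients:;",
}

# The default registry maps From/To/Cc/etc. to AddressHeader, which
# understands group syntax.
_registry = HeaderRegistry()


def parse_address_header(field_name, value):
    """Parse an address header into a list of (display_name, addr_spec).

    Group syntax is flattened: every mailbox inside every group is
    returned, and an empty group contributes no entries at all.
    """
    header = _registry(field_name, value)
    return [(a.display_name, a.addr_spec) for a in header.addresses]


def group_names(field_name, value):
    """Return the display names of any groups present (None for a bare mailbox list)."""
    header = _registry(field_name, value)
    return [g.display_name for g in header.groups]


def first_mailbox(field_name, value):
    """Return the first mailbox addr_spec, or None when the header has none.

    This is the defensive form: a header such as 'undisclosed-recipients:;'
    parses successfully but yields zero mailboxes, so indexing [0]
    unconditionally would fail.
    """
    addrs = parse_address_header(field_name, value)
    return addrs[0][1] if addrs else None


if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label}: groups={group_names('From', value)} "
              f"mailboxes={parse_address_header('From', value)} "
              f"first={first_mailbox('From', value)!r}")
```

Run stand-alone it prints one line per sample; the `empty_group` case shows a named group with no mailboxes and `first=None`, which is the value a notification or delivery hook has to be prepared to receive.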
Note: This doesn't affect any stable dovecot version in Gentoo.
*** Bug 702668 has been marked as a duplicate of this bug. ***
Due to a bug in the fix, we had to release 2.3.9.2, which completes the fix for this CVE.

--- Aki Tuomi
Open-Xchange oy
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab3881879555ecacd65c6c46f0437d4c5a7a66c8

commit ab3881879555ecacd65c6c46f0437d4c5a7a66c8
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2019-12-15 07:32:30 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2019-12-15 07:32:30 +0000

    net-mail/dovecot: security bump to 2.3.9.2

    Bug: https://bugs.gentoo.org/702628
    Package-Manager: Portage-2.3.81, Repoman-2.3.20
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest               |   1 +
 net-mail/dovecot/dovecot-2.3.9.2.ebuild | 286 ++++++++++++++++++++++++++++++++
 2 files changed, 287 insertions(+)
@maintainer(s), please advise if ready for stabilisation, or call for it yourself.
Uhm, no stable build was affected and no vulnerable version remains in the tree. So I was just going to open a regular stabilization bug beg April and not on this bug.

Let me know if this is not how it is supposed to work.
(In reply to Eray Aslan from comment #6)
> Uhm, no stable build was affected and no vulnerable version remains in the
> tree. So I was just going to open a regular stabilization bug beg April and
> not on this bug.
>
> Let me know if this is not how it is supposed to work.

You are right, my apologies!
Repository is clean, all done!