The author of Dovecot recently discovered a number of holes in the libsieve implementation of the Sieve protocol: http://www.dovecot.org/list/dovecot-news/2009-September/000135.html The versions of Sieve distributed with the 1.1.x releases of Dovecot on Gentoo are vulnerable. This includes the only stable version. Suggested fix: address bug #285211. http://bugs.gentoo.org/show_bug.cgi?id=285211 Alternately, it might be safe to just bump the version of Sieve from within the ebuilds.
Yes, our "sieve" wasn't patched.
+ 05 Oct 2009; Patrick Lauer <patrick@gentoo.org> +dovecot-1.1.19.ebuild: + Bump for 1.1 series
Arches, please test and mark stable: =net-mail/dovecot-1.1.19 Target keywords : "alpha amd64 ppc sparc x86" Patrick, can you remove older ebuilds when 1.1.19 is stable?
x86 stable
Stable on alpha.
amd64 stable
sparc stable
Marked ppc stable.
GLSA request filed.
glsa request filed
waiting for 314533 wrt glsa...
I think it's safe to close this now?
No, it is not. The Gentoo security team will close this bug after the GLSA has been sent.
This issue was resolved and addressed in GLSA 201110-04 at http://security.gentoo.org/glsa/glsa-201110-04.xml by GLSA coordinator Stefan Behte (craig).