The author of Dovecot recently discovered a number of holes in the libsieve implementation of the Sieve protocol:
The versions of Sieve distributed with the 1.1.x releases of Dovecot on Gentoo are vulnerable. This includes the only stable version.
Suggested fix: address bug #285211.
Alternately, it might be safe to just bump the version of Sieve from within the ebuilds.
Yes, our "sieve" wasn't patched.
+ 05 Oct 2009; Patrick Lauer <firstname.lastname@example.org> +dovecot-1.1.19.ebuild:
+ Bump for 1.1 series
Arches, please test and mark stable:
Target keywords : "alpha amd64 ppc sparc x86"
patrick, can you remove older ebuilds, when 1.1.19 is stable?
Stable on alpha.
Marked ppc stable.
GLSA request filed.
glsa request filed
waiting for 314533 wrt glsa...
I think it's safe to close this now?
No, it is not. The gentoo security team will close this bug after the GLSA was sent.
This issue was resolved and addressed in
GLSA 201110-04 at http://security.gentoo.org/glsa/glsa-201110-04.xml
by GLSA coordinator Stefan Behte (craig).