On 8/07/22 7:16 pm, Aki Tuomi wrote:
> Not all CVEs are "that serious". CVE scores are problematic; you can have a
> solid 10.0 CVE score that affects practically no one, and you can have a
> 3.8 CVE that affects ~everyone using the software.
>
> This particular bug requires a quite specific setup, and also provides a
> sensible workaround for it.
>
> It will be included in the upcoming 2.4 release; we do not currently see any
> pressing reason to rush out a CVE patch release for this.
I've applied the patch to the GhettoForge packages for dovecot23 (el7
and 8) and dovecot22 (el7) for those who want a patched release for the
EL platform.
Peter