On 24/12/22 01:25, Aki Tuomi wrote:
Can you confirm that CVE-2022-30550 is patched in dovecot-2.3.20? Thank
you.
We've decided to fix it for 2.4 release only, so it's not fixed in 2.3.20.
That is a surprising decision.
The bug does not, in fact, affect that many setups, and we do not consider it
to be practically that severe bug.
OpenSSL 3.0 support is also planned for 2.4.
If you're running RHEL or one of the clones then the Ghettoforge builds
have both the CVE-2022-30550 and OpenSSL 3.0 support patched in. The
packages are dovecot23 in the gf-plus repository and are available for
EL7, 8 and 9.
http://ghettoforge.org/
If you're running a different distribution then you can still get the
patches by unpacking the src.rpm file (or you can dig them up from the
dovecot github) and add them to your own build:
http://mirror.ghettoforge.org/distributions/gf/el/9/plus/SRPMS/dovecot23-2.3.20-1.gf.el9.src.rpm
Peter
