Dovecot vulnerabilities

Hello,

Two CVEs were released: CVE-2024-23184 and CVE-2024-23185

These are fixed since Dovecot version 2.3.21.1; the current version in Rocky Linux 9 is 2.3.16.

Do you know when the patch for this will be released to the public repo?

Thanks !

Remember, Rocky just follows upstream RedHat. When RedHat releases a patch, Rocky will follow. You can follow RedHat’s status at cve-details and cve-details

Also, see this: 2305909 – (CVE-2024-23184) CVE-2024-23184 dovecot: using a large number of address headers may trigger a denial of service

The current version in Rocky is 2.3.16-11.el9
That is not the same thing. See Security Backporting Practice - Red Hat Customer Portal and What is backporting and how does it affect Red Hat Enterprise Linux? - Red Hat Customer Portal

You should be able to run

rpm -q --changelog dovecot
dnf changelog dovecot

to see what is said to have changed after the package was rebased to 2.3.16. There are probably some CVEs listed too.
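The changelog check described in the reply above, as an added example that is not part of the original thread and not Rocky or Red Hat tooling. It reads changelog text on stdin (so the real input would be `rpm -q --changelog dovecot`) and reports whether given CVE identifiers appear. The sample changelog embedded in the script is constructed for illustration; its entries, maintainer address and placeholder CVE number do not describe the real Rocky dovecot package.

```shell
#!/bin/sh
# Added example: look for CVE identifiers in an RPM changelog.
# A backported fix usually shows up as a changelog line naming the CVE,
# so "not mentioned" is a hint that the fix may not have shipped yet
# (it is not proof either way; the vendor advisory is the authority).

# Constructed sample changelog text (not the real dovecot changelog).
# CVE-1999-99999 is a placeholder identifier, not a real CVE.
SAMPLE_CHANGELOG='* Tue Jan 09 2024 Example Maintainer <maintainer@example.invalid> - 1:2.3.16-11
- Rebuilt for release
* Mon Jun 05 2023 Example Maintainer <maintainer@example.invalid> - 1:2.3.16-10
- fix CVE-1999-99999 (placeholder entry for illustration)
'

# cve_mentioned CVE-ID : reads changelog text on stdin; exit 0 if present.
cve_mentioned() {
    grep -q -i -F -- "$1"
}

# list_cves : reads changelog text on stdin; prints the unique CVE IDs, sorted.
list_cves() {
    grep -o -E 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# check_cves CVE-ID... : reads changelog text on stdin once, prints one line
# per CVE, and returns 1 if any of them is missing from the changelog.
check_cves() {
    changelog=$(cat)
    missing=0
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | cve_mentioned "$cve"; then
            echo "$cve: mentioned in changelog"
        else
            echo "$cve: NOT mentioned (fix may be absent or not yet shipped)"
            missing=1
        fi
    done
    return $missing
}

# Usage on a real system (uncomment; rpm is not assumed to exist here):
#   rpm -q --changelog dovecot | check_cves CVE-2024-23184 CVE-2024-23185
# Usage on the constructed sample:
#   printf '%s' "$SAMPLE_CHANGELOG" | check_cves CVE-2024-23184
```

Run it with the CVE IDs from the advisory as arguments; a non-zero exit status means at least one ID was not found, which is the case to follow up against the Red Hat CVE pages linked above rather than the upstream version number alone.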
