Dovecot vulnerabilities

Hello,

Two CVEs were released: CVE-2024-23184 and CVE-2024-23185

These are fixed since dovecot version 2.3.21.1; the current version in Rocky Linux 9 is 2.3.16.

Do you know when the patch for this will be released in the public repo?

Thanks !

Remember, Rocky just follows upstream Red Hat. When Red Hat releases a patch, Rocky will follow. You can follow Red Hat’s status at cve-details and cve-details

Also, see this: 2305909 – (CVE-2024-23184) CVE-2024-23184 dovecot: using a large number of address headers may trigger a denial of service

The current version in Rocky is 2.3.16-11.el9
That is not the same thing. See Security Backporting Practice - Red Hat Customer Portal and What is backporting and how does it affect Red Hat Enterprise Linux? - Red Hat Customer Portal

You should be able to run

rpm -q --changelog dovecot
dnf changelog dovecot

to see what is said to have changed after the package was rebased to 2.3.16. There are probably some CVEs listed too.
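As an added illustration of the check described in the reply above (this is not code from the thread or from the Rocky/Red Hat projects), the script below filters an RPM changelog for CVE identifiers and reports whether a given CVE is mentioned. The changelog text embedded in it is a constructed sample, not the real dovecot package changelog, and the single "Resolves" line in it is invented for the demonstration; on a real system the `package_changelog` helper runs `rpm -q --changelog` instead and only falls back to the sample when rpm or the package is absent, so the script still runs offline.

```shell
#!/bin/sh
# Added example: check whether a backported package's RPM changelog
# mentions specific CVE identifiers. The changelog below is a CONSTRUCTED
# sample for demonstration, not the real dovecot changelog.

SAMPLE_CHANGELOG='* Mon Jan 01 2024 Example Maintainer <maintainer@example.invalid> - 1:2.3.16-11
- Resolves: CVE-2024-23184 (constructed sample entry, not a real fix record)

* Mon Jun 05 2023 Example Maintainer <maintainer@example.invalid> - 1:2.3.16-10
- Rebuild for updated dependencies'

# Print the unique CVE identifiers found in the changelog passed on stdin.
list_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the exact CVE id given as $1 appears in the changelog on stdin,
# 1 otherwise. The surrounding character classes stop CVE-2024-2318 from
# matching CVE-2024-23184.
changelog_mentions_cve() {
    grep -qE "(^|[^0-9A-Za-z-])$1([^0-9]|$)"
}

# Obtain the changelog for package $1: the real rpm query when available,
# otherwise the constructed sample so the script works without rpm.
package_changelog() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$1" >/dev/null 2>&1; then
        rpm -q --changelog "$1"
    else
        printf '%s\n' "$SAMPLE_CHANGELOG"
    fi
}

# Report each CVE of interest (the two ids from the question above).
for cve in CVE-2024-23184 CVE-2024-23185; do
    if package_changelog dovecot | changelog_mentions_cve "$cve"; then
        echo "$cve: mentioned in the package changelog"
    else
        echo "$cve: not mentioned; confirm on the Red Hat CVE page before assuming it is fixed"
    fi
done
```

A changelog entry naming a CVE is the usual sign that a fix was backported into an older version string, which is why the version number alone (2.3.16 versus 2.3.21.1) does not settle the question.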