A security issue has been fixed in Dovecot 2.3.9.1 today (December 13):
https://dovecot.org/pipermail/dovecot-news/2019-December/000426.html
https://dovecot.org/pipermail/dovecot-news/2019-December/000425.html

If only 2.3.9 is affected, then we are not affected. If older versions are affected, then we are and Mageia 7 is also affected.

The 2.3.9 announcement says a couple of things about push notifications, so it's possible that's where the issue was introduced:
https://dovecot.org/pipermail/dovecot-news/2019-December/000423.html
2.3.9.1 pushed to Cauldron. Can't find any info if older versions are affected or not. If wanted, I can push 2.3.9.1 to Mageia 7 to be on the safe side. Cheers, Stig
CC: (none) => smelror
Assignee: bugsquad => smelror
CVE: (none) => CVE-2019-19722
I guess we can wait and see what other distros do.
Resolution: (none) => FIXED
Status: NEW => RESOLVED
You'll need to update again to 2.3.9.2 though:
https://www.openwall.com/lists/oss-security/2019/12/13/3
https://dovecot.org/pipermail/dovecot/2019-December/117893.html
One more reference: https://dovecot.org/pipermail/dovecot/2019-December/117894.html
2.3.9.2 pushed to Cauldron.
Fedora has issued an advisory for this on January 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4OZCJ3RBA4WIYGN7SOV4TW2AIHXPZATK/

Still doesn't clearly indicate that older versions are affected though.
Severity: normal => major