Hi David,

On Tue, 2020-05-19 at 09:42 +0100, David Pottage wrote:
> I am not sure if this should be here or in the security list:
>
> Over on the dovecot-news mailing list they have announced three
> vulnerabilities,
>
> - CVE-2020-10957
> - CVE-2020-10958
> - CVE-2020-10967
>
> https://dovecot.org/pipermail/dovecot-news/2020-May/000438.html
>
> I am no expert, but it looks like in each case a remote attacker could
> cause a vulnerable server to crash by sending a malformed email.
>
> Dovecot have released v2.3.10.1 to fix these issues, but that version
> has not appeared in Debian, and as far as I can tell the fixes to the
> above issues have not been backported to an older release.
>
> Could we have an updated release please?

It is a pity that Debian's dovecot has many open security issues and is
not properly maintained. However, the criterion for making a backport is to
properly fix those issues in Testing and Unstable/Sid first.

As you can see in https://tracker.debian.org/pkg/dovecot, Debian's dovecot
package maintainer did not make any update in the last 9 months. It would be
better if you could help and push forward the package maintenance in
Testing/Sid first before considering backports.

I'm also sending mail copies to dovecot package maintainers in the hope that
they would put their hands on the package again.

--
Best Regards,
Boyuan Yang