
Re: Fwd: Request to update dovecot to release v2.3.10.1




On Tue, 2020-05-19 at 09:55 -0400, Boyuan Yang wrote:
> Hi David,
> 
> On Tue, 2020-05-19 at 09:42 +0100, David Pottage wrote:
> > I am not sure if this should be here or in the security list:
> > 
> > Over on the dovecot-news mailing list they have announced three 
> > vulnerabilities,
> > 
> >   - CVE-2020-10957
> >   - CVE-2020-10958
> >   - CVE-2020-10967
> > 
> > https://dovecot.org/pipermail/dovecot-news/2020-May/000438.html
> > 
> > I am no expert, but it looks like in each case a remote attacker could 
> > cause a vulnerable server to crash by sending a malformed email.
> > 
> > Dovecot have released v2.3.10.1 to fix these issues, but that version 
> > has not appeared in Debian, and as far as I can tell the fixes to the 
> > above issues have not been backported to an older release.
> > 
> > Could we have an updated release please?
> 
> It is a pity that Debian's dovecot is having many open security issues and is
> not properly maintained. However, the criteria on making a backport is to
> properly fix those issues in Testing and Unstable/Sid first.
> 
> As you can see in https://tracker.debian.org/pkg/dovecot , Debian's dovecot
> package maintainer did not make any update in the last 9 months. It would be
> better if you could help and push forward the package maintenance in
> Testing/Sid first before considering backports.
> 
> I'm also sending mail copies to dovecot package maintainers in hope that they
> would put their hands on the package again.

Dovecot maintains their own repos, you can always add their sources and
have the latest releases maintained by the dovecot pros.

https://repo.dovecot.org/

-Jim P.


