Where is the Dovecot security fix????

[SpaceAce]

It's unbelievable: There is a known and severe vulnerability in all Dovecot versions prior to versions 2.3.7.2 / 2.2.36.4
CentOS 7.6.1810 still contains the unfixed version 2.2.36.3

https://www.openwall.com/lists/oss-secu ... 19/08/28/3

Vulnerable version: All versions prior to 2.3.7.2 and 2.2.36.4
Vulnerable component: IMAP and ManageSieve protocol parsers (before and
after login)
Solution status: Fixed by Vendor
Fixed version: 2.3.7.2, 2.2.36.4
Vendor notification: 2019-04-13
Solution date: 2019-06-05
Public disclosure: 2019-08-28
CVE reference: CVE-2019-11500

So CentOS knows about this since 2019-04-13 (!!!) and the fix was provided on 2019-06-05 (!!!) and until today (2 days after public disclosure of the vulnerability) there is NO fix for CentOS 7.

[TrevorH]

So CentOS knows about this since 2019-04-13 (!!!) and the fix was provided on 2019-06-05 (!!!) and until today (2 days after public disclosure of the vulnerability) there is NO fix for CentOS 7.

No. "CentOS" did not know of this vulnerability as "CentOS" is not notified of such things. As we only rebuild RHEL packages, it is Redhat that is notified about problems and are under an NDA (which means that can't tell anyone until the NDA expires). The first time that CentOS gets to know about problems like this is when the NDA expires and the vulnerability is publicly announced - which happened the day before yesterday which you can see from the "Public date: 2019-08-28" date on the Redhat CVE page https://access.redhat.com/security/cve/cve-2019-11500 for this.

In addition, from the date listed on the Redhat CVE page for this, the bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=1741141 was not created until 2019-08-14 which most likely is when Redhat were notified.

You'll also notice from those two Redhat web pages that there is no fix for RHEL either. And since CentOS is a rebuild of RHEL, we have to wait for them to patch it, build the new package and release both it and the SRPM before we can even see the source.

[peteroverethernet]

It´s really ridiculous that there is still no fix out, yet and hundred thousands of CentOS/Redhat servers running dovecot are still vulnerable.

If you don´t want to wait longer for the official fix you may want to install the packages from the official dovecot repo directly? You may install it from there and stick to it or switch back as soon as a fixed version within CentOS is available. You get the latest dovecot version 2.3.7.2 for CentOS 7 as well as on CentOS 6.

Create /etc/yum.repos.d/dovecot.repo

[dovecot-2.3-latest]
name=Dovecot 2.3 CentOS $releasever - $basearch
baseurl=http://repo.dovecot.org/ce-2.3-latest/c ... /$basearch
gpgkey=https://repo.dovecot.org/DOVECOT-REPO-GPG
gpgcheck=1
enabled=1

If you are upgrading an existing installation

yum makecache
yum update

Source: https://repo.dovecot.org/

[TrevorH]

You can complain all you like here but it's not going to do any good. Redhat have not released the fixed package for RHEL yet so it's not possible for CentOS to rebuild it and release it. To my knowledge, no-one from Redhat reads these forums and no-one on the moderation team works for them. If you want to complain about the lack of fixes then the place to complain is to the Redhat. It would probably help if you had Redhat licenses and support agreements...

The third party repo "ghettoforge" has provided replacement dovcecot packages for a long time and they already have packages with this bug fixed. They are in the ghettoforge "plus" repo as they replace distro packages. They supply both dovecot22 and dovecot23 packages. Since CentOS ships dovecot 2.2 I would be tempted to go with the dovecot22 packages from there as it should be easier to go back to the distro version once RH finally get off their *** to fix it.

[peteroverethernet]

Was not meant as complaint but more to provide a workaround/alternative as soon as the official fix is ready. Thank you for the info about the ghettoforge repo as this may help people who want to secure their servers quickly.

[SpaceAce]

So apparently IBM/RedHat have STILL NOT fixed this a week later.

[fmouse]

Still waiting, is there any ETA?

[TrevorH]

The fix is still not published by Redhat for RHEL so there is nothing for CentOS to rebuild.

https://access.redhat.com/security/cve/cve-2019-11500

[avij]

The CentOS Project does not get any advance notifications about upcoming updates. We rely on the same public pages as you do, linked above. If they don't specify an ETA (and very rarely they do), we don't know the ETA.

[SpaceAce]

It's published on 2019-09-20 and took RedHat over a month to provide this critical security fix...
So for any future Linux deployment RedHat (and its offsprings) has disqualified itself...