CentOS 7.6.1810 still contains the unfixed version 2.2.36.3
https://www.openwall.com/lists/oss-secu ... 19/08/28/3
Vulnerable version: All versions prior to 2.3.7.2 and 2.2.36.4
Vulnerable component: IMAP and ManageSieve protocol parsers (before and after login)
Solution status: Fixed by Vendor
Fixed version: 2.3.7.2, 2.2.36.4
Vendor notification: 2019-04-13
Solution date: 2019-06-05
Public disclosure: 2019-08-28
CVE reference: CVE-2019-11500
So CentOS has known about this since 2019-04-13 (!!!), the fix was provided on 2019-06-05 (!!!), and until today (2 days after public disclosure of the vulnerability) there is NO fix for CentOS 7.


