Just because SuSE is even slower than RedHat does not make this any better!
A critical security issue should not take months to be fixed!
It should rather be days instead!
I've been tracking this bug for several weeks now and it seems like RedHat does not see it as a critical issue.
Maybe because it's quite hard to exploit this bug without authenticating first, so only known users would pose a real threat. I am not sure what their reasoning is for delaying the fix on purpose.
As a follow-up question, does anyone know why RHEL 8 includes the same ancient version (2.2.36) of dovecot that RHEL 7 does? Why wouldn't they have moved to the 2.3 series?