Dovecot CVE security

I know it should be updated by your OS package, but some info:

https://dovecot.org/pipermail/dovecot-news/2022-July/000478.html

Two small corrections to this CVE notice… The service impacted is of course ‘auth’ not ‘submission’, and the version impacted is from 2.2 to 2.3.19.1.

FWIW, Virtualmin does not enable the master user feature of Dovecot. It is not enabled by default on RHEL8 derived systems, and I’m pretty confident it is not enabled by default on any of our supported systems.

I believe this means Virtualmin systems are not subject to this CVE, unless the user has modified their Dovecot config to enable master user support. But, no harm in updating, either.

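The reply above ties exposure to whether Dovecot's master user support has been switched on. As an added example (not from the thread, Virtualmin or the Dovecot project), this script checks configuration text for a top-level `passdb` block carrying `master = yes`; the function names and both sample configs are constructed for illustration, and it does not check the installed version.

```shell
#!/bin/sh
# Added example: detect an enabled master passdb in Dovecot configuration text.
# Input on stdin is expected to look like `doveconf -n` output.

# Exit 0 if any top-level passdb block sets "master = yes", else exit 1.
master_passdb_enabled() {
    awk '
        # A line ending in "{" opens a block; remember if it is a top-level passdb.
        /\{[[:space:]]*$/ { if (depth == 0 && $1 == "passdb") in_passdb = 1; depth++; next }
        # A closing brace ends the current block.
        /^[[:space:]]*\}/ { depth--; if (depth == 0) in_passdb = 0; next }
        # Commented-out lines do not match because $1 would be "#master".
        in_passdb && depth == 1 && $1 == "master" && $2 == "=" && $3 == "yes" { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Human-readable verdict for configuration text on stdin.
check_config() {
    if master_passdb_enabled; then
        echo "master passdb enabled: review and update Dovecot"
    else
        echo "no master passdb found"
    fi
}

# Constructed sample: master user support enabled via a passwd-file passdb.
SAMPLE_MASTER='passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  driver = pam
}'

# Constructed sample: plain PAM authentication, no master passdb.
SAMPLE_DEFAULT='passdb {
  driver = pam
}
userdb {
  driver = passwd
}'

printf '%s\n' "$SAMPLE_MASTER"  | check_config
printf '%s\n' "$SAMPLE_DEFAULT" | check_config
```

On a live host, pipe the effective configuration into the same function, for example `doveconf -n | check_config`.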