Edit: readers should skip to the announcement ~~@muhlemmer
As of
https://dovecot.org/pipermail/dovecot-news/2019-August/000418.html
there seems to be a security issue in dovecot-imap. Not sure if Mailu is affected since there is the front container. Is there somebody here who has more information? Since this should be exploitable pre-auth too, this might be important.
Just read about it, I will try to confirm if Mailu is directly vulnerable or not really soon. Then we might want to patch and backport at least to 1.6 and 1.7, the schedule depending on exploitability.
It does not seem like Mailu is easily exploitable thanks to the front nginx. There are probably exploitation cases however, once authenticated. I will now see that we update dovecot asap.
Dovecot is now updated in master, 1.7 should get updated with today's backport of Rainloop update. We will close then.
It seems to be upgraded in current image - can this ticket get closed?
bash-5.0# dovecot --version
2.3.7.2 (3c910f64b)
Needs to be checked for 1.6 as well, though it should be OK.
:heavy_check_mark:
$ docker run --rm mailu/dovecot:1.6 dovecot --version
Unable to find image 'mailu/dovecot:1.6' locally
1.6: Pulling from mailu/dovecot
c87736221ed0: Pull complete
a1c9b6fc100f: Pull complete
d48a25f5d439: Pull complete
debbe44d4442: Pull complete
ad6083978593: Pull complete
744f46e964cb: Pull complete
fc33eef7d816: Pull complete
Digest: sha256:68b0da78dd581a55ae9be46fdcd2c8911f1c5b84e089a3fce89e9361e1f1d2ec
Status: Downloaded newer image for mailu/dovecot:1.6
2.3.7.2 (3c910f64b)
Announcement:
All users are advised to update to the latest images of their versions. Currently Mailu versions 1.6, 1.7 and master are still supported and contain the latest version of Dovecot.
No configuration changes are needed for this update. Just:
docker-compose pull
docker-compose up -d
Verify the current running version of Dovecot:
docker-compose exec imap dovecot --version
Should give 2.3.7.2 or higher.
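As an added example (not part of the announcement or the Mailu project), the following POSIX shell snippet checks the output of `dovecot --version` against the minimum given above. It compares the version field by field as numbers, so that a release such as 2.3.10 is correctly treated as newer than 2.3.7.2, which a plain string comparison would get wrong. The sample output is constructed from the thread; the `docker-compose exec -T imap ...` line in the trailing comment is how you would feed in the real output.

```shell
#!/bin/sh
# Added example: verify that a Dovecot version string meets the minimum
# fixed version from the announcement (2.3.7.2), comparing numerically.

MIN_DOVECOT_VERSION="2.3.7.2"   # minimum stated in the announcement above

# version_ge A B: return 0 if A >= B, comparing dot-separated numeric fields.
# Missing trailing fields count as 0, so 2.3.7 < 2.3.7.2 and 2.3.10 > 2.3.7.2.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# parse_dovecot_version: take the output of `dovecot --version`, for example
# "2.3.7.2 (3c910f64b)", and print only the leading numeric version.
parse_dovecot_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p'
}

# check_dovecot_output: return 0 if the given `dovecot --version` output
# meets MIN_DOVECOT_VERSION, 1 if it is older or cannot be parsed.
check_dovecot_output() {
    v="$(parse_dovecot_version "$1")"
    [ -n "$v" ] || return 1
    version_ge "$v" "$MIN_DOVECOT_VERSION"
}

# Constructed sample output (copied from this thread) so the script runs offline.
SAMPLE_OUTPUT="2.3.7.2 (3c910f64b)"

if check_dovecot_output "$SAMPLE_OUTPUT"; then
    echo "Dovecot '$SAMPLE_OUTPUT' meets the minimum $MIN_DOVECOT_VERSION"
else
    echo "Dovecot '$SAMPLE_OUTPUT' is older than $MIN_DOVECOT_VERSION: update the images"
fi

# Against a running Mailu stack, feed the real output instead (-T avoids
# allocating a TTY when the output is captured):
#   check_dovecot_output "$(docker-compose exec -T imap dovecot --version)"
```

The numeric comparison is the part worth keeping: `[ "2.3.10" \> "2.3.7.2" ]` style checks fail once a component passes 9, and a check that silently reports an old build as patched is worse than no check.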
Pinned for announcement. Can be closed after a reasonable time for users to update.
Closing now.