CVE-2019-11500 Critical Dovecot and Pigeonhole vulnerability

lorio

Well-Known Member
Feb 25, 2004
298
14
168
Visit site
cPanel Access Level
Root Administrator
CVE-2019-11500

In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.
IMHO cPanel is currently using Dovecot v2.3.5 on all branches.
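
A version check built from the affected ranges quoted in the post above, as an added example that is not part of the thread or of cPanel's tooling. The function names `ver_lt` and `cve_status` are hypothetical, and the script assumes version strings in the form `dovecot --version` prints.

```shell
#!/bin/sh
# Added example: classify a version string against the fixed releases
# named in the CVE-2019-11500 advisory text (2.2.36.4, 2.3.7.2, 0.5.7.2).

# ver_lt A B: succeeds when dotted numeric version A sorts before B.
# Missing trailing fields count as 0, so "2.3" compares as "2.3.0.0".
ver_lt() {
    vl_a=$1 vl_b=$2
    while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
        vl_x=${vl_a%%.*} vl_y=${vl_b%%.*}
        [ "${vl_x:-0}" -lt "${vl_y:-0}" ] && return 0
        [ "${vl_x:-0}" -gt "${vl_y:-0}" ] && return 1
        case $vl_a in *.*) vl_a=${vl_a#*.} ;; *) vl_a= ;; esac
        case $vl_b in *.*) vl_b=${vl_b#*.} ;; *) vl_b= ;; esac
    done
    return 1
}

# cve_status COMPONENT VERSION: prints vulnerable, patched or unknown.
# COMPONENT is "dovecot" or "pigeonhole".
cve_status() {
    cs_v=${2%% *}   # keep the first word; dovecot --version appends a build hash
    case $cs_v in
        # empty, release-candidate or otherwise non-numeric strings are not guessed at
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    case $1 in
        pigeonhole) cs_fixed=0.5.7.2 ;;
        dovecot)
            case $cs_v in
                2.3|2.3.*) cs_fixed=2.3.7.2 ;;   # 2.3.x branch
                *)         cs_fixed=2.2.36.4 ;;  # other branches: "before 2.2.36.4"
            esac ;;
        *) echo unknown; return 0 ;;
    esac
    if ver_lt "$cs_v" "$cs_fixed"; then echo vulnerable; else echo patched; fi
}

# When Dovecot is installed, classify the build on this host.
if command -v dovecot >/dev/null 2>&1; then
    echo "dovecot: $(cve_status dovecot "$(dovecot --version 2>/dev/null)")"
fi
```

The result reflects upstream release numbers only; a distribution package that backports the fix without changing the version string will still be reported as vulnerable.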
 

lorio

Really disturbing is the timeline for the issue.
Vendor notification: 2019-04-13
Solution date: 2019-06-05
Public disclosure: 2019-08-28
CVE reference: CVE-2019-11500
The solution seems to have been available since June 2019. They seem to have reconsidered the complexity of the attack needed. It seems much easier than they first thought to execute the attack.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
7,090
559
263
Houston
cPanel Access Level
DataCenter Provider
Hello,

We are currently aware of the recent critical Dovecot and Pigeonhole vulnerability. Additional details concerning these vulnerabilities and the updated version of Dovecot can be found at the URLs below.

-- Seclist

oss-sec: Critical Dovecot and Pigeonhole vulnerability

-- Dovecot News mailing list

[Dovecot-news] Dovecot release v2.3.7.2

cPanel has pushed an update to Dovecot to protect servers from this vulnerability. The internal case tracking this issue is case ID CPANEL-29060. To address the issue cPanel updated Dovecot RPMs to version 2.3.7.2.

These updates will first be available in version 82.0.12 which is currently in CURRENT and then shortly after backported to version 78.

You can verify when the updates have been released in the changelogs.

Change Logs - Change Logs - cPanel Documentation


Please do let us know if you have any questions regarding this issue.
 

lorio

Thanks for pointing that out.

Update Delivery Network: httpupdate.cpanel.net
CURRENT is on 82.0.12.
Release and Stable are on 82.0.11.
 

Paul Shultz

Member
Jun 5, 2018
19
8
3
Malebourne
cPanel Access Level
Root Administrator
This was fixed in 82.0.12:

When will 82.0.12 be pushed out?

=> Log opened from /usr/local/cpanel/scripts/updatenow (3416574) at Mon Sep 2 01:11:23 2019
[2019-09-02 01:11:23 +1000] Running version '11.82.0.11' of updatenow.
[2019-09-02 01:11:23 +1000] Detected version '11.82.0.11' from version file.
[2019-09-02 01:11:23 +1000] Target version set to '11.82.0.11'
[2019-09-02 01:11:23 +1000] Up to date (11.82.0.11)
=> Log closed Mon Sep 2 01:11:23 2019
=> Log closed Mon Sep 2 01:11:23 2019
 

cPanelLauren

82.0.12 just went to CURRENT on Thursday, August 29th (a few days ago). While this fix is present in that build, if you're waiting to update to that build, I would not expect it to be pushed to RELEASE immediately in any circumstance. I can tell you I was just notified that 82.0.12 is expected to go to RELEASE today.
 