Really disturbing is the timeline for the issue.
The solution seems to be available since June 2019. They seems to have reconsidered the complexity of the attack needed. It seem much easier then they first thought to execute the attack.
This was fixed in 82.0.12:
documentation.cpanel.net
82 Change Log - Change Logs - cPanel Documentation
Hello,
We are currently aware of the recent critical Dovecot and Pigeonhole vulnerability. Additional details concerning these vulnerabilities and the updated version of Dovecot can be found at below URLs.
-- Seclist
oss-sec: Critical Dovecot and Pigeonhole vulnerability
-- Dovecot News mailing list
[Dovecot-news] Dovecot release v2.3.7.2
cPanel has pushed an update to Dovecot to protect servers from this vulnerability. The internal case tracking this issue is case ID CPANEL-29060. To address the issue cPanel updated Dovecot RPMs to version 2.3.7.2.
These updates will first be available in version 82.0.12 which is currently in CURRENT and then shortly after backported to version 78.
You can verify when the updates have been released in the changelogs.
Change Logs - Change Logs - cPanel Documentation
Please do let us know if you have any questions regarding this issue.
We are currently aware of the recent critical Dovecot and Pigeonhole vulnerability. Additional details concerning these vulnerabilities and the updated version of Dovecot can be found at below URLs.
-- Seclist
oss-sec: Critical Dovecot and Pigeonhole vulnerability
-- Dovecot News mailing list
[Dovecot-news] Dovecot release v2.3.7.2
cPanel has pushed an update to Dovecot to protect servers from this vulnerability. The internal case tracking this issue is case ID CPANEL-29060. To address the issue cPanel updated Dovecot RPMs to version 2.3.7.2.
These updates will first be available in version 82.0.12 which is currently in CURRENT and then shortly after backported to version 78.
You can verify when the updates have been released in the changelogs.
Change Logs - Change Logs - cPanel Documentation
Please do let us know if you have any questions regarding this issue.
Last edited:
Thanks for pointing out.
Update Delivery Network:httpupdate.cpanel.net
CURRENT is on 82.0.12.
Release and Stable are on 82.0.11.
Update Delivery Network:httpupdate.cpanel.net
CURRENT is on 82.0.12.
Release and Stable are on 82.0.11.
When will 82.0.12 be pushed out?This was fixed in 82.0.12:
82 Change Log - Change Logs - cPanel Documentation
=> Log opened from /usr/local/cpanel/scripts/updatenow (3416574) at Mon Sep 2 01:11:23 2019
[2019-09-02 01:11:23 +1000] Running version '11.82.0.11' of updatenow.
[2019-09-02 01:11:23 +1000] Detected version '11.82.0.11' from version file.
[2019-09-02 01:11:23 +1000] Target version set to '11.82.0.11'
[2019-09-02 01:11:23 +1000] Up to date (11.82.0.11)
=> Log closed Mon Sep 2 01:11:23 2019
=> Log closed Mon Sep 2 01:11:23 2019
Looks to me like there is no urgency in getting this update to RELEASE, the recommended tier.
82.0.12 just went to CURRENT on Thursday, August 29th (a few days ago) - While this fix is present in that build if you're waiting to update to that build I would not expect it to be pushed to RELEASE immediately in any circumstance. I can tell you I was just notified that 82.0.12 is expected to go to RELEASE today.
Last edited:
