Question dovecot update when?

[mow]

Moin,

dovecot has released 2.3.13 to fix e.g. NVD - CVE-2020-24386.
plesk-dovecot is still 2.3.7.2-debian9.0.20032110.
"leading to access to other users' email messages" is especially relevant in a shared hosting environment, which many plesk users are reselling.

When can we expect an update?

While we're at it, it would be nice if disable_plaintext_auth = of /etc/dovecot/conf.d/10-plesk-security.conf could be set via Tools->Security Policy, just like Allow only secure FTPS connections, and switched to yes by default because unencrypted connections are regularly being sniffed for passwords nowadays.

Best regards
mow

 

[Bitpalast]

Out of curiosity: Are you actually using imap-hibernation?

 

[mow]

Not right now, but it looks like something I might actually use when I get more users.

 

[mr-wolf]

so, it's not even an issue in its default configuration?

imap_hibernate_timeout = 0

 

[Bitpalast]

If hibernation is not used (default configuration), there is no security issue. It is only an issue if hibernation is used.

 

[mr-wolf]

So, to summarize:

Dovecot introduced vulnerabilities when they added a feature (imap_hibernate).
Plesk never chose to use those new features and kept dovecot in a standard configuration.

Now a problem was found with that feature and you're more or less blaming Plesk to be conservative by not upgrading immediately to the newest release which has a fix for that unused feature.
I would understand if they're not in a hurry to do that.

dovecot --version
2.3.10.1 (a3d0e1171)

 

[mow]

But wait, there's more! 2.3.13 also contains a fix for the fix for CVE-2020-12100, which in turn was fixed in 2.3.11.3 and backported by debian for stretch and buster in August 2020.
The binary delivered by plesk for stretch is from March 21, 2020. So it apparently doesn't even contain the fix for CVE-2020-10967.
And there are several other not-so-nice things fixed in 2.3.13.