• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question dovecot update when?

M

mow

Silver Pleskian
Moin,

dovecot has released 2.3.13 to fix e.g. NVD - CVE-2020-24386.
plesk-dovecot is still 2.3.7.2-debian9.0.20032110.
"leading to access to other users' email messages" is especially relevant in a shared hosting environment, which many plesk users are reselling.

When can we expect an update?

While we're at it, it would be nice if disable_plaintext_auth = of /etc/dovecot/conf.d/10-plesk-security.conf could be set via Tools->Security Policy, just like Allow only secure FTPS connections, and switched to yes by default because unencrypted connections are regularly being sniffed for passwords nowadays.

Best regards
mow
 
Not right now, but it looks like something I might actually use when I get more users.
 
If hibernation is not used (default configuration), there is no security issue. It is only an issue if hibernation is used.
 
So, to summarize:

Dovecot introduced vulnerabilities when they added a feature (imap_hibernate).
Plesk never chose to use those new features and kept dovecot in a standard configuration.

Now a problem was found with that feature and you're more or less blaming Plesk to be conservative by not upgrading immediately to the newest release which has a fix for that unused feature.
I would understand if they're not in a hurry to do that.

dovecot --version
2.3.10.1 (a3d0e1171)
Click to expand...
 
But wait, there's more! 2.3.13 also contains a fix for the fix for CVE-2020-12100, which in turn was fixed in 2.3.11.3 and backported by debian for stretch and buster in August 2020.
The binary delivered by plesk for stretch is from March 21, 2020. So it apparently doesn't even contain the fix for CVE-2020-10967.
And there are several other not-so-nice things fixed in 2.3.13.
 
You must log in or register to reply here.

Similar threads

B
Dovecot CVE-2020-24386
Replies
1
Views
770
Bitpalast
Bitpalast
learning_curve
Resolved Updating Plesk Onyx, But Without Waiting For Plesk Updates
Replies
5
Views
2K
learning_curve
learning_curve
V
Google PageSpeed Insights – How to optimize your site to rank higher
Replies
1
Views
4K
Andrew Roy
Andrew Roy
Back
Top