Dovecot Backport CVE Fixes (or 2.3.21.1 completely) to Alpine 3.20 stable
Package Information
- Package name: dovecot
- New version: 2.3.21.1 (or adapt CVE patches)
- Release notes: https://github.com/dovecot/core/blob/release-2.3.21/NEWS
Summary
Dovecot 2.3.21.1 fixes two CVEs, one of which is pretty critical:
- CVE-2024-23184: A large number of address headers in an email resulted in excessive CPU usage (https://www.openwall.com/lists/oss-security/2024/08/15/4) (Severity: high)
- CVE-2024-23185: Abnormally large email headers are now truncated or discarded, with a limit of 10MB on a single header and 50MB for all the headers of all the parts of an email (https://www.openwall.com/lists/oss-security/2024/08/15/3) (Severity: medium)
The best way is to upgrade dovecot to 2.3.21.1; if that is not applicable, then apply the patches that close the CVEs:
- https://github.com/dovecot/core/compare/f020e13%5E...ce88c33.patch (for CVE-2024-23184)
- https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch (for CVE-2024-23185)