dovecot is vulnerable to remote code execution (RCE). The vulnerability exists due to an improper NULL byte handling in IMAP and ManageSieve protocol parsers leads to out of bounds writes.
www.openwall.com/lists/oss-security/2019/08/28/3
access.redhat.com/errata/RHSA-2019:2836
access.redhat.com/security/updates/classification/#important
dovecot.org/pipermail/dovecot-news/2019-August/000417.html
lists.debian.org/debian-lts-announce/2019/08/msg00035.html
lists.fedoraproject.org/archives/list/[email protected]/message/3GYTZLLDNIFWT7D7JSB25ERJNMOR4CQ3/
lists.fedoraproject.org/archives/list/[email protected]/message/KVHY3MU2OK2EWZJFGNDSAOMD42L7DFPX/
lists.fedoraproject.org/archives/list/[email protected]/message/YSJVVVRAE3SITC2ZLGCPMFDN3WVYZBWF/
security.gentoo.org/glsa/201908-29
www.dovecot.org/security.html