diff -Nru dovecot-2.2.22/debian/changelog dovecot-2.2.22/debian/changelog
--- dovecot-2.2.22/debian/changelog 2019-03-29 12:02:40.000000000 +0000
+++ dovecot-2.2.22/debian/changelog 2019-08-14 16:20:37.000000000 +0000
@@ -1,3 +1,17 @@
+dovecot (1:2.2.22-1ubuntu2.11) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: IMAP do not properly handled NULL byte - bounds
+ heap memory writes
+ - debian/patches/CVE-2019-11500-*.patch: doesn't accept strings with
+ NULs in src/lib-imap/imap-parser.c and
+ pigeonhole/src/lib-managesieve/managesieve-parser.c,
+ make sure str_unescape won't be writing past allocated memory
+ in src/lib-imap/imap-parser.c and
+ pieonhole/src/lig-managesieve/managesieve-parser.c.
+ - CVE-2019-11500
+
+ -- Leonidas S. Barbosa Wed, 14 Aug 2019 13:19:55 -0300
+
 dovecot (1:2.2.22-1ubuntu2.10) xenial-security; urgency=medium
 * SECURITY UPDATE: stack overflow when reading FTS or POP3-UIDL header
diff -Nru dovecot-2.2.22/debian/patches/CVE-2019-11500-1.patch dovecot-2.2.22/debian/patches/CVE-2019-11500-1.patch
--- dovecot-2.2.22/debian/patches/CVE-2019-11500-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.2.22/debian/patches/CVE-2019-11500-1.patch 2019-08-14 16:19:05.000000000 +0000
@@ -0,0 +1,32 @@
+Backported of:
+
+From 58ffd3e8a02e54fc98b6be78e02b0511ee9263eb Mon Sep 17 00:00:00 2001
+From: Timo Sirainen
+Date: Fri, 10 May 2019 19:24:51 +0300
+Subject: [PATCH 1/2] lib-imap: Don't accept strings with NULs
+
+IMAP doesn't allow NULs except in binary literals. We'll still allow them
+in regular literals as well, but just not in strings.
+
+This fixes a bug with unescaping a string with NULs: str_unescape() could
+have been called for memory that points outside the allocated string,
+causing heap corruption. This could cause crashes or theoretically even
+result in remote code execution exploit.
+
+Found by Nick Roessler and Rafi Rubin
+Index: dovecot-2.2.22/src/lib-imap/imap-parser.c
+===================================================================
+--- dovecot-2.2.22.orig/src/lib-imap/imap-parser.c
++++ dovecot-2.2.22/src/lib-imap/imap-parser.c
+@@ -348,6 +348,11 @@ static int imap_parser_read_string(struc
+ break;
+ }
+
++ if (data[i] == '\0') {
+ parser->error = "NULs not allowed in strings";
+ return FALSE;
+ }
+
+ if (data[i] == '\\') {
+ if (i+1 == data_size) {
+ /* known data ends with '\' - leave it to
diff -Nru dovecot-2.2.22/debian/patches/CVE-2019-11500-2.patch dovecot-2.2.22/debian/patches/CVE-2019-11500-2.patch
--- dovecot-2.2.22/debian/patches/CVE-2019-11500-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.2.22/debian/patches/CVE-2019-11500-2.patch 2019-08-14 16:19:20.000000000 +0000
@@ -0,0 +1,30 @@
+From a56b0636b1bf9c7677c6fca9681f48752af700a1 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen
+Date: Fri, 17 May 2019 10:33:53 +0300
+Subject: [PATCH 2/2] lib-imap: Make sure str_unescape() won't be writing past
+ allocated memory
+
+The previous commit should already prevent this, but this makes sure it
+can't become broken in the future either. It makes the performance a tiny
+bit worse, but that's not practically noticeable.
+---
+ src/lib-imap/imap-parser.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+Index: dovecot-2.2.22/src/lib-imap/imap-parser.c
+===================================================================
+--- dovecot-2.2.22.orig/src/lib-imap/imap-parser.c
++++ dovecot-2.2.22/src/lib-imap/imap-parser.c
+@@ -254,10 +254,8 @@ static void imap_parser_save_arg(struct
+
+ /* remove the escapes */
+ if (parser->str_first_escape >= 0 &&
+- (parser->flags & IMAP_PARSE_FLAG_NO_UNESCAPE) == 0) {
+- /* -1 because we skipped the '"' prefix */
+- (void)str_unescape(str + parser->str_first_escape-1);
+- }
++ (parser->flags & IMAP_PARSE_FLAG_NO_UNESCAPE) == 0)
++ (void)str_unescape(str);
+ arg->_data.str = str;
+ arg->str_len = strlen(str);
+ break;
diff -Nru dovecot-2.2.22/debian/patches/CVE-2019-11500-3.patch dovecot-2.2.22/debian/patches/CVE-2019-11500-3.patch
--- dovecot-2.2.22/debian/patches/CVE-2019-11500-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.2.22/debian/patches/CVE-2019-11500-3.patch 2019-08-14 16:19:32.000000000 +0000
@@ -0,0 +1,33 @@
+From 3280e97580bd095aff7b43a3ae0d3baa5585af7a Mon Sep 17 00:00:00 2001
+From: Timo Sirainen
+Date: Fri, 10 May 2019 19:43:55 +0300
+Subject: [PATCH 1/2] lib-managesieve: Don't accept strings with NULs
+
+ManageSieve doesn't allow NULs in strings.
+
+This fixes a bug with unescaping a string with NULs: str_unescape() could
+have been called for memory that points outside the allocated string,
+causing heap corruption. This could cause crashes or theoretically even
+result in remote code execution exploit.
+
+Found by Nick Roessler and Rafi Rubin
+---
+ src/lib-managesieve/managesieve-parser.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: dovecot-2.2.22/pigeonhole/src/lib-managesieve/managesieve-parser.c
+===================================================================
+--- dovecot-2.2.22.orig/pigeonhole/src/lib-managesieve/managesieve-parser.c
++++ dovecot-2.2.22/pigeonhole/src/lib-managesieve/managesieve-parser.c
+@@ -257,6 +257,11 @@ static int managesieve_parser_read_strin
+ break;
+ }
+
++ if (data[0] == '\0') {
+ parser->error = "NULs not allowed in strings";
+ return FALSE;
+ }
+
+ if (data[i] == '\\') {
+ if (i+1 == data_size) {
+ /* known data ends with '\' - leave it to
diff -Nru dovecot-2.2.22/debian/patches/CVE-2019-11500-4.patch dovecot-2.2.22/debian/patches/CVE-2019-11500-4.patch
--- dovecot-2.2.22/debian/patches/CVE-2019-11500-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.2.22/debian/patches/CVE-2019-11500-4.patch 2019-08-14 16:19:48.000000000 +0000
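Review bot: The NUL check added to managesieve_parser_read_string tests `data[0]`, while the IMAP counterpart in CVE-2019-11500-1.patch and every other access in this loop (`data[i] == '\\'`, `i+1 == data_size`) index by `i`, so only a NUL at the very start of the current buffer is rejected and a NUL at any later offset passes through unchanged. The line should read `if (data[i] == '\0') {` so that the rejection covers the whole string, as the patch description promises. CVE-2019-11500-4.patch's switch to `str_unescape(str)` narrows how far a stray NUL can move the unescape start, but the string-level check this patch is meant to provide is incomplete as written; the line is worth verifying against upstream 3280e97580bd095aff7b43a3ae0d3baa5585af7a before release. managesieve_parser_read_string begins and ends outside the hunk.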
@@ -0,0 +1,30 @@
+From d4f3b8e19d0bd71a4b24d7c0a3230ba46c93ab23 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen
+Date: Fri, 17 May 2019 10:39:25 +0300
+Subject: [PATCH 2/2] lib-managesieve: Make sure str_unescape() won't be
+ writing past allocated memory
+
+The previous commit should already prevent this, but this makes sure it
+can't become broken in the future either. It makes the performance a tiny
+bit worse, but that's not practically noticeable.
+---
+ src/lib-managesieve/managesieve-parser.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+Index: dovecot-2.2.22/pigeonhole/src/lib-managesieve/managesieve-parser.c
+===================================================================
+--- dovecot-2.2.22.orig/pigeonhole/src/lib-managesieve/managesieve-parser.c
++++ dovecot-2.2.22/pigeonhole/src/lib-managesieve/managesieve-parser.c
+@@ -171,10 +171,8 @@ static void managesieve_parser_save_arg(
+
+ /* remove the escapes */
+ if (parser->str_first_escape >= 0 &&
+- (parser->flags & MANAGESIEVE_PARSE_FLAG_NO_UNESCAPE) == 0) {
+- /* -1 because we skipped the '"' prefix */
+- str_unescape(str + parser->str_first_escape-1);
+- }
++ (parser->flags & MANAGESIEVE_PARSE_FLAG_NO_UNESCAPE) == 0)
++ (void)str_unescape(str);
+
+ arg->_data.str = str;
+ arg->str_len = strlen(str);
diff -Nru dovecot-2.2.22/debian/patches/series dovecot-2.2.22/debian/patches/series
--- dovecot-2.2.22/debian/patches/series 2019-03-29 12:02:03.000000000 +0000
+++ dovecot-2.2.22/debian/patches/series 2019-08-14 16:19:44.000000000 +0000
@@ -27,3 +27,7 @@
 CVE-2019-3814-2.patch
 CVE-2019-3814-3.patch
 CVE-2019-7524-2.patch
+CVE-2019-11500-1.patch
+CVE-2019-11500-2.patch
+CVE-2019-11500-3.patch
+CVE-2019-11500-4.patch