Dino before 2019-09-10 does not check roster push authorization in module/roster/module.vala.
CVE-2019-16236 (Candidate) is related to these bugs: