diff --git a/dovecot.spec b/dovecot.spec
index 7ee0d5e..eba9723 100644
--- a/dovecot.spec
+++ b/dovecot.spec
@@ -3,7 +3,7 @@
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.7.1
+Version: 2.3.7.2
 %global prever %{nil}
 Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
@@ -13,7 +13,7 @@ URL: http://www.dovecot.org/
 Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
-%global pigeonholever 0.5.7.1
+%global pigeonholever 0.5.7.2
 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd
@@ -493,6 +493,12 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 
 %changelog
+* Thu Aug 29 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.7.2-1
+- dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2
+- fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
+  when scanning data in quoted strings, leading to out of bounds heap
+  memory writes
+
 * Mon Aug 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:1-2.3.7.1
 - dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1
 
diff --git a/sources b/sources
index 8b8981e..9a8ce1a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.7.1.tar.gz) = 9addfe2be9ae745ac9164e1658e6638df96bd611d45f172e2cd1cb2c6596e4ce534674e9eea3c1d17f497555061031916e0fb9a9fbc6de0eb6034e2fd0bed3b9
-SHA512 (dovecot-2.3-pigeonhole-0.5.7.1.tar.gz) = 121eac4ad8bc1ddc55c554d00338bb553590b6aedffcb11e34f6cba102d59bd34580cb7218bd5fe820038c004d12db73f7a27ca135c3d4a12c4449bae3216355
+SHA512 (dovecot-2.3.7.2.tar.gz) = 172f7f0edb884259e4c050607510aee67a35c3a20b7dd147e7c8a25a04921c18f7d6b5c85af2c69ae8c4d53791550970e471b033dbfae94253e331053b6a317d
+SHA512 (dovecot-2.3-pigeonhole-0.5.7.2.tar.gz) = 7fc8d89ee31c8e8c16a9aeaeffb591f4188de36fc80e3a30a9ae10bc5acd7ea5d5d91e077fda566e61d588d9221ec53044ce17a9cc0c9c219dbe6824558a1d60