diff --git a/dovecot.spec b/dovecot.spec
index 2bae171..5d6c3c3 100644
--- a/dovecot.spec
+++ b/dovecot.spec
@@ -3,7 +3,7 @@
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.9
+Version: 2.3.9.2
 %global prever %{nil}
 Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
@@ -496,6 +496,10 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 
 %changelog
+* Thu Dec 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9.2-1
+- CVE-2019-19722: Mails with group addresses in From or To fields
+  caused crash in push notification drivers.
+
 * Wed Dec 04 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9-1
 - dovecot updated to 2.3.9, pigeonhole updated to 0.5.9 
 
diff --git a/sources b/sources
index 42fbb78..c3d0413 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.9.tar.gz) = 6f7cfebb0d89709d971a6cd623375805dc018c6d8c4cdaa5f274a5a5b0830c2b135c9cf6c90d0983c70ca76e3def855c501ea32aeb7a67b104cb6676bb9d37db
+SHA512 (dovecot-2.3.9.2.tar.gz) = 36e8270bfa33e2bd6aa89017e65c7d1650c494c79ff297759a4b01c026aebcfdf5b1b542d4357e1f9dc2bb8169ef67064f0699b17ca36d658deb70b4c800b253
 SHA512 (dovecot-2.3-pigeonhole-0.5.9.tar.gz) = 1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8