diff --git a/dovecot.spec b/dovecot.spec
index 4f642b7..05c6aa2 100644
--- a/dovecot.spec
+++ b/dovecot.spec
@@ -3,7 +3,7 @@
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.5.1
+Version: 2.3.5.2
 %global prever %{nil}
 Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
@@ -493,6 +493,11 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 
 %changelog
+* Thu Apr 18 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5.2-1
+- dovecot updated to 2.3.5.2
+- fixes CVE-2019-10691: Trying to login with 8bit username containing
+  invalid UTF8 input causes auth process to crash if auth policy is enabled.
+
 * Thu Mar 28 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5.1-1
 - dovecot updated to 2.3.5.1
 - CVE-2019-7524: Missing input buffer size validation leads into
diff --git a/sources b/sources
index 1a5e4f7..2af39ad 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.5.1.tar.gz) = e87754461fb0b065acd0ff10dc955000a2fe5baffed69efaf328ce9268f90140e9de444bc68e0bd48b565c7622885a79b1f90ff3dd2335c0c2362d05d9e73e8a
+SHA512 (dovecot-2.3.5.2.tar.gz) = 041ec1c33c6accb5c89d96d7ab2f7dd59795f496c17faea1906e7977983e4a387aa855a238376515c09532731634d9d42e6d6be22659062855241847ea0213d5
 SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94