Cyrus IMAPd 2.2.13p1 & 2.3.15 Released
dave64 at andrew.cmu.edu
Wed Sep 9 12:43:43 EDT 2009
Duncan Gibb wrote:
> Thomas Jarosch wrote:
> KM> I'd like to announce the releases of Cyrus IMAPd 2.2.13p1 and 2.3.15.
> KM> These releases should both be considered production quality. These
> KM> releases are being made at this time to fix the potential buffer
> KM> overflow vulnerability described in CERT VU#336053:
> KM> http://www.kb.cert.org/vuls/id/336053
> TJ> Regarding the buffer overflow: The cert website currently outputs a
> TJ> "Lotus Notes exception". Is the overflow theoretically exploitable
> TJ> via a malicious email or does a user need to upload a malicious
> TJ> sieve script?
> Hmmm... Still down...
Apologies for the CERT vulnerability link not existing.

We had planned, along with CERT, to make a coordinated announcement
about this tomorrow in order to give the major Cyrus vendors a chance to
get their distributions patched.

Unfortunately, Debian put out their DSA over the weekend so we didn't
want to wait until tomorrow to put out our announcement. CERT provided
that URL for us, but since they haven't yet formally released this
vulnerability the URL isn't active yet.

Dave McMurtrie, SPE
Email Systems Team Leader
Carnegie Mellon University,