Cyrus IMAPd 2.2.13p1 & 2.3.15 Released

Thomas Jarosch thomas.jarosch at intra2net.com
Tue Sep 15 07:59:07 EDT 2009


On Wednesday, 9. September 2009 18:43:43 Dave McMurtrie wrote:
> > TJ> Regarding the buffer overflow: The cert website currently outputs a
> > TJ> "Lotus Notes exception". Is the overflow theoretically exploitable
> > TJ> via a malicious email or does a user need to upload a malicious
> > TJ> sieve script?
> >
> > Hmmm...  Still down...
>
> Apologies for the CERT vulnerability link not existing.
>
> We had planned, along with CERT, to make a coordinated announcement
> about this tomorrow in order to give the major Cyrus vendors a chance to
> get their distributions patched.
>
> Unfortunately, Debian put out their DSA over the weekend so we didn't
> want to wait until tomorrow to put out our announcement.  CERT provided
> that URL for us, but since they haven't yet formally released this
> vulnerability the URL isn't active yet.

Thanks for clearing this up!

I'm very happy this is not triggerable via a malicious email :)

Thomas


