Cyrus IMAPd 2.2.13p1 & 2.3.15 Released

Dave McMurtrie dave64 at
Wed Sep 9 12:43:43 EDT 2009

Duncan Gibb wrote:
> Thomas Jarosch wrote:
> KM> I'd like to announce the releases of Cyrus IMAPd 2.2.13p1 and 2.3.15.
> KM> These releases should both be considered production quality.  These
> KM> releases are being made at this time to fix the potential buffer
> KM> overflow vulnerability described in CERT VU#336053:
> KM>
> TJ> Regarding the buffer overflow: The cert website currently outputs a
> TJ> "Lotus Notes exception". Is the overflow theoretically exploitable
> TJ> via a malicious email or does a user need to upload a malicious
> TJ> sieve script?
> Hmmm...  Still down...

Apologies for the CERT vulnerability link not existing.

We had planned, along with CERT, to make a coordinated announcement 
about this tomorrow in order to give the major Cyrus vendors a chance to 
get their distributions patched.

Unfortunately, Debian put out their DSA over the weekend so we didn't 
want to wait until tomorrow to put out our announcement.  CERT provided 
that URL for us, but since they haven't yet formally released this 
vulnerability the URL isn't active yet.


Dave McMurtrie, SPE
Email Systems Team Leader
Carnegie Mellon University,
Computing Services
