Cyrus IMAPd 2.2.13p1 & 2.3.15 Released

Bron Gondwana brong at fastmail.fm
Thu Sep 10 00:41:33 EDT 2009


On Wed, Sep 09, 2009 at 12:43:43PM -0400, Dave McMurtrie wrote:
> Duncan Gibb wrote:
> >Thomas Jarosch wrote:
> >
> >KM> I'd like to announce the releases of Cyrus IMAPd 2.2.13p1 and 2.3.15.
> >KM> These releases should both be considered production quality.  These
> >KM> releases are being made at this time to fix the potential buffer
> >KM> overflow vulnerability described in CERT VU#336053:
> >KM> http://www.kb.cert.org/vuls/id/336053
> >
> >TJ> Regarding the buffer overflow: The CERT website currently outputs a
> >TJ> "Lotus Notes exception". Is the overflow theoretically exploitable
> >TJ> via a malicious email or does a user need to upload a malicious
> >TJ> sieve script?
> >
> >Hmmm...  Still down...
> 
> Apologies for the CERT vulnerability link not existing.
> 
> We had planned, along with CERT, to make a coordinated announcement
> about this tomorrow in order to give the major Cyrus vendors a
> chance to get their distributions patched.
> 
> Unfortunately, Debian put out their DSA over the weekend so we
> didn't want to wait until tomorrow to put out our announcement.
> CERT provided that URL for us, but since they haven't yet formally
> released this vulnerability the URL isn't active yet.

Which I'm afraid was my fault for saying "it's already been
committed to CVS, so it's out there" to them.  Sorry about
that.  *sigh*.

Bron.

