Cyrus IMAPd 2.2.13p1 & 2.3.15 Released

Henrique de Moraes Holschuh hmh at
Sat Sep 19 12:42:20 EDT 2009

On Thu, 10 Sep 2009, Bron Gondwana wrote:
> On Wed, Sep 09, 2009 at 12:43:43PM -0400, Dave McMurtrie wrote:
> > Duncan Gibb wrote:
> > >Thomas Jarosch wrote:
> > >KM> I'd like to announce the releases of Cyrus IMAPd 2.2.13p1 and 2.3.15.
> > >KM> These releases should both be considered production quality.  These
> > >KM> releases are being made at this time to fix the potential buffer
> > >KM> overflow vulnerability described in CERT VU#336053:
> > >KM>
> > >
> > >TJ> Regarding the buffer overflow: The cert website currently outputs a
> > >TJ> "Lotus Notes exception". Is the overflow theoretically exploitable
> > >TJ> via a malicious email or does a user need to upload a malicious
> > >TJ> sieve script?
> > >
> > >Hmmm...  Still down...
> > 
> > Apologies for the CERT vulnerability link not existing.
> > 
> > We had planned, along with CERT, to make a coordinated announcement
> > about this tomorrow in order to give the major Cyrus vendors a
> > chance to get their distributions patched.
> > 
> > Unfortunately, Debian put out their DSA over the weekend so we
> > didn't want to wait until tomorrow to put out our announcement.
> > CERT provided that URL for us, but since they haven't yet formally
> > released this vulnerability the URL isn't active yet.
> Which I'm afraid was my fault for saying "it's already been
> committed to CVS, so it's out there" to them.  Sorry about
> that.  *sigh*.

The problem is not that you told us we could release; you *were* correct in
doing so: the problem was already as good as published to the whole world by
the public cvs commit.

The problem is that CERT, for whatever reason, tried to embargo something
that was already semi-public, and to make matters worse, the correct
people were not told about it in a timely manner.

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
