Cyrus IMAPd 2.2.13p1 & 2.3.15 Released

Dave McMurtrie dave64 at
Sat Sep 19 13:39:43 EDT 2009

Henrique de Moraes Holschuh wrote:

>> Which I'm afraid was my fault for saying "it's already been
>> committed to CVS, so it's out there" to them.  Sorry about
>> that.  *sigh*.

I already spoke with Bron off-list at great length about this.  There's 
really no need for any apology on his part.  We greatly appreciate the 
work that Bron puts into Cyrus imapd.

> The problem is not that you told us we could release, you *were* correct in
> doing so: the problem was already as good as published to the whole world by
> the public cvs commit.
> The problem is that CERT, for whatever reason, tried to embargo something
> that was already semi-public, and to make the matters worse, the correct
> people were not told about it in a timely manner.

Fair enough.  The next time an issue like this comes up, I think the 
first thing we can do better on our side is to not commit the fix to CVS 

When you say that CERT did not contact the correct people, can you be 
more specific?  Feel free to respond off-list if you feel that's 
necessary.  I have no problem getting back in touch with CERT to provide 
updated contact information for them.

As far as this not having been handled in a timely manner, I don't think 
that's a fair criticism.  This bug has existed in the code since Oct 22, 
2003.  Bron reported it to us on 09/02/2009.  I reported it to CERT on 
the evening of 09/02/2009.  CERT responded back to me on 09/03/2009 with 
a plan to contact Cyrus vendors immediately and make an announcement on 
09/10/2009 -- a total of 3 business days for any US vendors since it was 
a holiday weekend.

If you have any additional suggestions on how to better handle security 
issues in the future, please let me know.



More information about the Cyrus-devel mailing list