Security release for 2.4 series?

Tim Champ champ at umbc.edu
Mon Dec 14 11:36:59 EST 2015


Hello all.  Sorry about following up to my own email, but I think I
understand the changes now to 2.4.18 in order to make it CVE compliant.  As
best I can understand, if I apply the two commits from Ellie Timoney on
10/26/2015, 2.4.18 would be "secure" once recompiled.  These two commits
appear to be these:

https://cyrus.foundation/cyrus-imapd/commit/?h=cyrus-imapd-2.4&id=538359e5a7c978e2f27c80124c8bd1282c7661a9

https://cyrus.foundation/cyrus-imapd/commit/?h=cyrus-imapd-2.4&id=0142e98fa90f02a030f93469523ac64f91ae7a9f

If someone can confirm that I'm correct on this, it would be very
appreciated!  Thanks in advance.

Tim

On Mon, Dec 14, 2015 at 11:04 AM, Tim Champ <champ at umbc.edu> wrote:

> Hello all.
>
> We're trying to sort through our path here with patching for the
> CVE/commits that were released in 2.5.7, but also relevant to 2.4.18.
> We're currently on 2.4 series, and I was wondering what the plans were for
> a 2.4 release to address these security fixes.  While moving to 2.5 is in
> the plans, I always despise a quick upgrade of anything before major
> holiday periods!
>
> My other concern was that, honestly, I'm not all that sure what the true
> risk and capability to exploit is for these bugs.  I've read the CVEs, and
> associated discussions on a few lists - but it hasn't enlightened me as
> much as I've hoped.
>
> Any help, or answers, for either issue is appreciated.  Thanks!
>
> Tim
>
> --
> Tim Champ
> Coordinator of Unix Infrastructure
> UMBC - Division of Information Technology
>



-- 
Tim Champ
Coordinator of Unix Infrastructure
UMBC - Division of Information Technology