CVE reported for Cyrus 3.0.0 - 3.0.3

Bron Gondwana brong at
Sun Sep 10 06:37:05 EDT 2017

Hi All,

I have obtained CVE-2017-14230 for the crasher in Cyrus up to
3.0.3 where:
    tag FIND "" "Other Users"

would cause uninitialised memory to be written to a buffer which was
then interpreted as an unbounded C string.  This bug is fixed in 3.0.4,
and we recommend everybody upgrade.


  Bron Gondwana, CEO, FastMail Pty Ltd
  brong at
